update for trusted system CA certificates
Added by My Self almost 10 years ago
An excellent overview about the 'root certificates on mobile devices' (and its problems) topic can be found here:
https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/
Because I have to live with the basic problems of this chain-of-trust technique, at least I decided to update my (system) CA certificates, for security reasons.
I've found the current AOSP CAs here: https://android.googlesource.com/platform/libcore/+/master/luni/src/main/files/cacerts/
But in my case, I extracted the cacerts folder from the latest nightly build of CM 12.1 (based on AOSP 5.1.1) and from Android 6.0 'Marshmallow' Developer Preview 3 (https://developer.android.com/preview/download.html) and compared:
- Replicant 4.2 (current) has 142 certificates (two of them are the separately added CAcert.org 'Root CA' & 'Class 3 Root' certificates).
- CyanogenMod 12.1 (nightly) has 162 certificates (without CAcert.org certificates).
- Android 6.0 'Marshmallow' Developer Preview 3 has 158 certificates (without CAcert.org certificates).
So I took the (assumed) most current source of Android CA certificates (from Android 6.0), merged the two CAcert.org certificates, (so we have exactly 160) and made a flashable .zip to replace my whole system CA certificates with it.
I called it 'cacerts_replacements.zip' (attached). The single installation steps (of that .zip) are the following:
- delete (recursively) the /system/etc/security/cacerts/ folder,
- put the current 160 CA certificates into /system/etc/security/cacerts/ again, and
- set the right permissions again: owner/group root, 0755 for the folder, 0644 (recursively) for the files inside the folder /system/etc/security/cacerts.
For me it works great (applied through the recovery mode of Replicant 4.2). I can see the new certificate dataset under Settings -> Security -> Trusted credentials -> [SYSTEM]
Feel free to use the .zip, or just use it as a template to merge your own collected CA certificates. If you want to bring your own certificates into the right (Android) format, these two links could be helpful:
- http://forum.xda-developers.com/google-nexus-5/help/howto-install-custom-cert-network-t2533550
- http://wiki.pcprobleemloos.nl/android/cacert
The certificate files (/system/etc/security/cacerts/xxxxxxxx.0) are readable in any text editor of your choice. The updater-script (META-INF/com/google/android/updater-script), too.
So you don't have to trust me シ
[UPDATE]:
The updated pack is called: replace_cacerts_6.0.0.zip (which is attached on post: http://redmine.replicant.us/boards/39/topics/10575?r=11409#message-11409)
Replies (5)
RE: update for trusted system CA certificates - Added by christina d almost 10 years ago
thank you for this, but i am new, is it possible to give a bit more of details how to do it?
RE: update for trusted system CA certificates - Added by My Self almost 10 years ago
> thank you for this, but i am new, is it possible to give a bit more of details how to do it?

Sure. You can:
- just replace (some or all) certificates you have with a (root compatible) file manager (e. g. https://f-droid.org/repository/browse/?fdid=com.amaze.filemanager) under the path /system/etc/security/cacerts/...
- or flash (optionally modify it first) the attached flashable .zip over the Recovery mode (or ADB). I personally use the Recovery mode.
- Just copy the .zip on your device.
- Hint: If your device is encrypted, you should copy the file to an unencrypted partition, e. g. your external microSD card, because CWM Recovery can't handle encrypted partitions, yet.
- After that, boot into the Recovery mode:
  - if you have enabled the Developer options (as shown here: https://www.youtube.com/watch?v=XcFVRDZ5Z9Q), activate 'Advanced reboot' inside of those options. So you could press and hold your power button -> Reboot -> Recovery [OK]
  - or just use your device specific key-combo, as shown here: https://www.youtube.com/watch?v=3JHr2TVVoNk#t=1m12s
The last link also shows how to flash the zip inside the Recovery mode [time: 1:25 - 2:15].
Credits to the guys who made these clips, and so saved me from writing some more details.
Hope that helps. Otherwise, I'm at your service.
RE: update for trusted system CA certificates - Added by christina d almost 10 years ago
thank you! i think i did it, can't tell for sure though, but there was no error in the recovery process and phone works good :D
RE: update for trusted system CA certificates - Added by My Self almost 10 years ago
> [...] can't tell for sure though

Well, a fast (and of course superficial) way to check if the new CA certificate set is in place is just to take a look at the accumulated number of files, which should be 160 (after the update):
- [File Manager]
  - Three-dot-menu -> Settings -> General settings -> Access mode -> [Prompt User mode]
  - go to /system/etc/security/cacerts -> eight-dot-menu -> Select all -> {look at the number of selected files at the bottom}
- [Amaze]
  - go to /system/etc/security/cacerts -> {look at the number of files in the headline}
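As an added example (my own, not the attached zip, whose contents the thread leaves to the reader), a POSIX shell script that builds a replacement package in the META-INF/updater-script layout described in the first post and performs the 160-file count check from this reply on the source folder before packaging. The busybox mount line, the set_perm_recursive form and the function names are assumptions about a CWM-style recovery; update-binary must come from a known-good zip for the device.

```shell
#!/bin/sh
# Constructed example: assemble a cacerts replacement package in the layout
# the thread describes (not the attached zip; its contents are not reproduced).
set -eu
EXPECTED_COUNT=160                 # 158 AOSP 6.0 certificates + 2 CAcert.org
CACERTS_PATH=/system/etc/security/cacerts

# Sanity-check a directory of Android-format CA files before packaging: exactly
# EXPECTED_COUNT files, each named <8-hex-digit subject hash>.<n>, each PEM.
check_cacerts_dir() {
    dir=$1; n=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        echo "$name" | grep -Eq '^[0-9a-f]{8}\.[0-9]+$' \
            || { echo "unexpected file name: $name" >&2; return 1; }
        grep -q -- '-----BEGIN CERTIFICATE-----' "$f" \
            || { echo "not a PEM certificate: $name" >&2; return 1; }
        n=$((n + 1))
    done
    [ "$n" -eq "$EXPECTED_COUNT" ] \
        || { echo "expected $EXPECTED_COUNT files, found $n" >&2; return 1; }
}

# Edify updater-script for the three installation steps (delete, re-add, fix
# permissions). Assumes a busybox mount; newer recoveries use set_metadata_recursive.
write_updater_script() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<EOF
ui_print("Replacing system CA certificates");
run_program("/sbin/busybox", "mount", "/system");
delete_recursive("$CACERTS_PATH");
package_extract_dir("system/etc/security/cacerts", "$CACERTS_PATH");
set_perm_recursive(0, 0, 0755, 0644, "$CACERTS_PATH");
unmount("/system");
EOF
}

# build_zip <cacerts-src-dir> <out.zip>. The recovery additionally needs
# META-INF/com/google/android/update-binary copied from a known-good zip.
build_zip() {
    src=$1; zipfile=$2; work=$(mktemp -d)
    case $zipfile in /*) ;; *) zipfile=$PWD/$zipfile ;; esac
    check_cacerts_dir "$src"
    mkdir -p "$work/system/etc/security/cacerts"
    cp "$src"/* "$work/system/etc/security/cacerts/"
    write_updater_script "$work/META-INF/com/google/android/updater-script"
    (cd "$work" && zip -qr "$zipfile" META-INF system)
    rm -rf "$work"
}
```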
RE: update for trusted system CA certificates - Added by My Self over 9 years ago
I made an updated pack called: 'replace_cacerts_6.0.0.zip' (attached) which is based on the released Android 6.0 Marshmallow.
Exactly, I used these AOSP certificates: https://android.googlesource.com/platform/libcore/+/android-cts-6.0_r1/luni/src/main/files/cacerts/
(The number of resulting certificates should be 160 again).
Have fun.