update for trusted system CA certificates
Added by My Self about 9 years ago
An excellent overview of the 'root certificates on mobile devices' topic (and its problems) can be found here:
https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/
Because I have to live with the basic problems of this chain-of-trust technique, I at least decided to update my (system) CA certificates, for security reasons.
I've found the current AOSP CAs here: https://android.googlesource.com/platform/libcore/+/master/luni/src/main/files/cacerts/
But in my case, I extracted the cacerts folder from the latest nightly build of CM 12.1 (based on AOSP 5.1.1) and from the Android 6.0 'Marshmallow' Developer Preview 3 (https://developer.android.com/preview/download.html) and compared:
- Replicant 4.2 (current) has 142 certificates (two of them are the separately added CAcert.org 'Root CA' & 'Class 3 Root' certificates).
- CyanogenMod 12.1 (nightly) has 162 certificates, (without CAcert.org certificates).
- Android 6.0 'Marshmallow' Developer Preview 3 has 158 certificates, (without CAcert.org certificates).
So I took the (assumed) most current source of Android CA certificates (from Android 6.0), merged in the two CAcert.org certificates (so we have exactly 160) and made a flashable .zip to replace my whole set of system CA certificates with it.
I called it 'cacerts_replacements.zip' (attached). The individual installation steps (of that .zip) are the following:
- delete (recursively) the /system/etc/security/cacerts/ folder,
- put the current 160 CA certificates into /system/etc/security/cacerts/ again, and
- set the right permissions again: owner/group root, 0755 for the folder, 0644 (recursively) for the files inside the folder /system/etc/security/cacerts.
For me it works great (applied through the recovery mode of Replicant 4.2). I can see the new certificate set under Settings -> Security -> Trusted credentials -> [SYSTEM].
Feel free to use the .zip, or just use it as a template to merge your own collected CA certificates. If you want to bring your own certificates into the right (Android) format, these two links could be helpful:
- http://forum.xda-developers.com/google-nexus-5/help/howto-install-custom-cert-network-t2533550
- http://wiki.pcprobleemloos.nl/android/cacert
The certificate files (/system/etc/security/cacerts/xxxxxxxx.0) are readable in any text editor of your choice, and so is the updater-script (META-INF/com/google/android/updater-script).
So you don't have to trust me シ
[UPDATE]:
The updated pack is called replace_cacerts_6.0.0.zip (which is attached to this post: http://redmine.replicant.us/boards/39/topics/10575?r=11409#message-11409)
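The file names in /system/etc/security/cacerts/ and the delete/copy/chmod steps of the zip, as an added example in Python (not the post's zip, and not Replicant or AOSP code). It implements the naming rule Android uses for system CA files (OpenSSL's legacy subject hash plus a .0/.1 suffix for same-hash certificates), writes a cacerts-style directory with the folder at 0755 and the files at 0644, and counts and checks the result the way the post suggests. The certificates are constructed samples: sample_cert() builds a correctly laid-out but unsigned certificate, 'Example Root CA' and 'Another Root CA' are made-up names, and the target is a temporary directory rather than /system/etc/security/cacerts.

```python
"""Android /system/etc/security/cacerts naming and layout (added example, not the post's zip).
Each system CA file is named <hash>.<n>: <hash> is OpenSSL's legacy X509_NAME_hash_old() (what
`openssl x509 -subject_hash_old` prints), i.e. the first four bytes of MD5 over the DER-encoded
subject Name as a little-endian 32-bit integer in 8 hex digits; <n> is 0, then 1, 2, ... for
further certificates with the same hash. install_cacerts() mirrors the zip's steps."""
import base64
import hashlib
import os
import shutil
import stat
import tempfile

def der(tag, content):
    """Encode one DER TLV; only used to build the constructed sample certificates."""
    if len(content) >= 0x80:
        lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + content
    return bytes([tag, len(content)]) + content

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at buf[pos]; handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low bits = byte count of the length
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, pos, pos + length

def subject_der(cert_der):
    """Return the complete DER encoding (tag, length, value) of the certificate's subject Name."""
    _, tbs_pos, _ = der_tlv(cert_der, 0)                # Certificate ::= SEQUENCE { tbsCertificate, ... }
    _, pos, tbs_end = der_tlv(cert_der, tbs_pos)        # TBSCertificate ::= SEQUENCE { ... }
    fields = []                                         # (tag, element_start, element_end) per field
    while pos < tbs_end:
        tag, _, vend = der_tlv(cert_der, pos)
        fields.append((tag, pos, vend))
        pos = vend
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version comes first
        fields = fields[1:]
    _, start, end = fields[4]                           # serial, signature, issuer, validity, subject
    return cert_der[start:end]

def subject_hash_old(cert_der):
    """X509_NAME_hash_old(): MD5(subject)[:4] as a little-endian uint32, 8 lowercase hex digits."""
    digest = hashlib.md5(subject_der(cert_der)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def android_cacert_names(certs):
    """File name per certificate, in input order; equal hashes get .0, .1, .2, ..."""
    counts, names = {}, []
    for h in map(subject_hash_old, certs):
        names.append("%s.%d" % (h, counts.get(h, 0)))
        counts[h] = counts.get(h, 0) + 1
    return names

def to_pem(cert_der):
    """PEM block as at the top of each AOSP cacerts file (AOSP appends a text dump after it)."""
    b64 = base64.b64encode(cert_der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def install_cacerts(certs, target_dir):
    """Recreate target_dir: folder 0755, files 0644 (root:root ownership needs chown as root on the device)."""
    shutil.rmtree(target_dir, ignore_errors=True)
    os.makedirs(target_dir)
    os.chmod(target_dir, 0o755)                         # explicit: mkdir's mode is filtered by umask
    for cert, name in zip(certs, android_cacert_names(certs)):
        path = os.path.join(target_dir, name)
        with open(path, "w") as fh:
            fh.write(to_pem(cert))
        os.chmod(path, 0o644)
    return verify_cacerts(target_dir)

def verify_cacerts(target_dir):
    """The post's 'count the files' check plus the modes: returns (file_count, permissions_ok)."""
    def mode(path):
        return stat.S_IMODE(os.stat(path).st_mode)
    names = os.listdir(target_dir)
    ok = mode(target_dir) == 0o755 and all(mode(os.path.join(target_dir, n)) == 0o644 for n in names)
    return len(names), ok

def name_der(common_name):
    """Name ::= SEQUENCE OF SET OF { OID 2.5.4.3 (commonName), PrintableString } (sample builder)."""
    atv = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, common_name.encode("ascii")))
    return der(0x30, der(0x31, atv))

def sample_cert(subject_cn, issuer_cn, serial=1):
    """Constructed sample with the real TBSCertificate field order but a placeholder key and
    signature: not a valid, signed certificate; only the layout matters for the hash."""
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))  # sha256WithRSA
    validity = der(0x30, der(0x17, b"150101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial])) + alg + name_der(issuer_cn)
              + validity + name_der(subject_cn) + der(0x30, alg + der(0x03, b"\x00")))
    return der(0x30, tbs + alg + der(0x03, b"\x00"))

def demo_install():
    """Three samples (two sharing a subject) into a temp dir; returns (3, True) when all went well."""
    certs = [sample_cert("Example Root CA", "Example Root CA"),
             sample_cert("Example Root CA", "Example Root CA", serial=2),  # same subject -> <hash>.1
             sample_cert("Another Root CA", "Another Root CA")]
    tmp = tempfile.mkdtemp()
    result = install_cacerts(certs, os.path.join(tmp, "cacerts"))
    shutil.rmtree(tmp, ignore_errors=True)
    return result
```

To name a real CA file, feed its DER bytes to subject_hash_old() and compare with `openssl x509 -subject_hash_old -noout -in cert.pem`; the two must agree, and if two roots in your collection share a subject (cross-signed roots do), the second one gets the .1 suffix rather than overwriting the first.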
Replies (5)
RE: update for trusted system CA certificates - Added by christina d about 9 years ago
Thank you for this, but I am new; is it possible to give a bit more detail on how to do it?
RE: update for trusted system CA certificates - Added by My Self about 9 years ago
> thank you for this, but i am new, is it possible to give a bit more of details how to do it?

Sure. You can:
- just replace (some or all) certificates you have with a (root-compatible) file manager (e. g. https://f-droid.org/repository/browse/?fdid=com.amaze.filemanager) under the path:
/system/etc/security/cacerts/...
- or flash the attached flashable .zip (optionally modify it first) via the Recovery mode (or ADB). I personally use the Recovery mode.
- Just copy the .zip onto your device.
- Hint: If your device is encrypted, you should copy the file to an unencrypted partition, e. g. your external microSD card, because CWM Recovery can't handle encrypted partitions yet.
- After that, boot into the Recovery mode:
- if you have enabled the Developer options (as shown here: https://www.youtube.com/watch?v=XcFVRDZ5Z9Q), activate 'Advanced reboot' inside those options.
So you can press and hold your power button -> Reboot -> Recovery [OK]
- or just use your device-specific key combo, as shown here: https://www.youtube.com/watch?v=3JHr2TVVoNk#t=1m12s
The last link also shows how to flash the zip inside the Recovery mode [time: 1:25 - 2:15].
Credits to the guys who made these clips and so saved me from writing some more details.
Hope that helps. Otherwise, I'm at your service.
RE: update for trusted system CA certificates - Added by christina d about 9 years ago
Thank you! I think I did it; I can't tell for sure though, but there was no error in the recovery process and the phone works well :D
RE: update for trusted system CA certificates - Added by My Self about 9 years ago
> [...] can't tell for sure though

Well, a fast (and of course superficial) way to check whether the new CA certificate set is in place is just to take a look at the total number of files, which should be 160 (after the update):
- [File Manager]
- Three-dot menu -> Settings -> General settings -> Access mode -> [Prompt User mode]
- go to /system/etc/security/cacerts -> eight-dot menu -> Select all -> {look at the number of selected files at the bottom}
- [Amaze]
- go to /system/etc/security/cacerts -> {look at the number of files in the headline}
RE: update for trusted system CA certificates - Added by My Self almost 9 years ago
I made an updated pack called 'replace_cacerts_6.0.0.zip' (attached), which is based on the released Android 6.0 Marshmallow.
To be exact, I used these AOSP certificates: https://android.googlesource.com/platform/libcore/+/android-cts-6.0_r1/luni/src/main/files/cacerts/
(The number of resulting certificates should be 160 again.)
Have fun.