
update for trusted system CA certificates

Added by My Self about 7 years ago

An excellent overview about the 'root certificates on mobile devices' (and its problems) topic can be found here:
https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/

Because I have to live with the basic problems of this chain-of-trust technique, I at least decided to update my (system) CA certificates, for security reasons.

I've found the current AOSP CAs here: https://android.googlesource.com/platform/libcore/+/master/luni/src/main/files/cacerts/

But in my case, I extracted the cacerts-folder from the latest nightly build of CM 12.1 (based on AOSP 5.1.1), Android 6.0 'Marshmallow' Developer Preview 3 (https://developer.android.com/preview/download.html) and compared:
  • Replicant 4.2 (current) has 142 certificates, (two of them are the separately added CAcert.org 'Root CA' & 'Class 3 Root' certificates).
  • CyanogenMod 12.1 (nightly) has 162 certificates, (without CAcert.org certificates).
  • Android 6.0 'Marshmallow' Developer Preview 3 has 158 certificates, (without CAcert.org certificates).

So I took the (assumed) most current source of Android CA certificates (from Android 6.0), merged the two CAcert.org certificates, (so we have exactly 160) and made a flashable .zip to replace my whole system CA certificates with it.

I called it 'cacerts_replacements.zip' (attached). The individual installation steps (of that .zip) are the following:
  • delete (recursively) the /system/etc/security/cacerts/ folder,
  • put the current 160 CA certificates into /system/etc/security/cacerts/ again, and
  • set the right permissions again: owner/group: root, 0755 on the folder, 0644 (recursively) on the files inside the folder /system/etc/security/cacerts.

For me it works great (applied through the recovery mode of Replicant 4.2). I can see the new certificate dataset under Settings -> Security -> Trusted credentials -> [SYSTEM].

Feel free to use the .zip, or just use it as a template to merge your own collected CA certificates.
If you want to bring your own certificates into the right (Android) format, these two links could be helpful:

The certificate files (/system/etc/security/cacerts/xxxxxxxx.0) are readable in any text editor of your choice. The updater-script (META-INF/com/google/android/updater-script), too.

So you don't have to trust me シ


[UPDATE]:
The updated pack is called: replace_cacerts_6.0.0.zip (which is attached on post: http://redmine.replicant.us/boards/39/topics/10575?r=11409#message-11409)


Replies (5)

RE: update for trusted system CA certificates - Added by christina d about 7 years ago

thank you for this, but I am new, is it possible to give a bit more details how to do it?

RE: update for trusted system CA certificates - Added by My Self about 7 years ago

thank you for this, but I am new, is it possible to give a bit more details how to do it?

Sure. You can:
  1. just replace (some or all) certificates you have with a (root compatible) file manager (e. g. https://f-droid.org/repository/browse/?fdid=com.amaze.filemanager) under the path:
    /system/etc/security/cacerts/...
  2. or flash (optionally modify it first) the attached flashable .zip via the Recovery mode (or ADB). I personally use the Recovery mode.
    • Just copy the .zip on your device.
    • Hint: If your device is encrypted, you should copy the file to an unencrypted partition, e. g. your external microSD card, because CWM Recovery can't handle encrypted partitions, yet.
    • After that, boot into the Recovery mode:

The last link also shows how to flash the zip inside the Recovery mode [time: 1:25 - 2:15].

Credits to the guys who made these clips, and so saved me from writing some more details.

Hope that helps. Otherwise, I'm at your service.

RE: update for trusted system CA certificates - Added by christina d about 7 years ago

thank you! i think i did it, can't tell for sure though, but there was no error in the recovery process and phone works good :D

RE: update for trusted system CA certificates - Added by My Self about 7 years ago

[...] can't tell for sure though

Well, a fast (and of course superficial) way to check if the new CA certificate set is in place is just to take a look at the total number of files, which should be 160 (after the update):
  • [File Manager]
    • Three-dot-menu -> Settings -> General settings -> Access mode -> [Prompt User mode]
    • go to /system/etc/security/cacerts -> eight-dot-menu -> Select all -> {look at the number of selected files at the bottom}
  • [Amaze]
    • go to /system/etc/security/cacerts -> {look at the number of files on the headline}
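A less superficial check of the result of the flashing steps from the first post (folder replaced, 160 files, 0755/0644 permissions) and of the file count above, as an added example that is not part of the thread or the attached zip: it assumes the cacerts folder has been pulled to a PC (e.g. `adb pull /system/etc/security/cacerts`), and it relies on AOSP naming each file after the OpenSSL `subject_hash_old` of its certificate (the function names `check_cacerts` and `subject_hash_old` are my own).

```python
import base64, hashlib, os, re, stat

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)  # AOSP files: PEM + text dump

def _tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_der(cert_der):
    """Return the DER bytes (tag, length and value) of the Subject Name of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)           # Certificate ::= SEQUENCE
    _, pos, _ = _tlv(cert_der, pos)         # tbsCertificate ::= SEQUENCE
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        pos = end
    for _ in range(4):                      # serialNumber, signature, issuer, validity
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)         # subject ::= Name (a SEQUENCE)
    return cert_der[pos:end]

def subject_hash_old(cert_der):
    """OpenSSL's X509_NAME_hash_old: first 4 MD5 bytes of the subject DER, little-endian."""
    md = hashlib.md5(subject_der(cert_der)).digest()
    return "%08x" % int.from_bytes(md[:4], "little")

def check_cacerts(path, expected_count=160):
    """Return a list of problems with a cacerts directory; an empty list means it looks right."""
    problems = []   # ownership (root:root) is not checked here; verify it with `ls -l` on the device
    if stat.S_IMODE(os.stat(path).st_mode) != 0o755:
        problems.append("directory mode is not 0755")
    names = sorted(os.listdir(path))
    if len(names) != expected_count:
        problems.append("%d files, expected %d" % (len(names), expected_count))
    for name in names:
        full = os.path.join(path, name)
        if stat.S_IMODE(os.stat(full).st_mode) != 0o644:
            problems.append(name + ": mode is not 0644")
        with open(full, "rb") as f:
            m = PEM_RE.search(f.read())
        if not m:
            problems.append(name + ": no PEM certificate found")
            continue
        want = subject_hash_old(base64.b64decode(m.group(1)))
        if not re.fullmatch(want + r"\.\d", name):   # <hash>.0, or .1 on a hash collision
            problems.append("%s: should be named %s.0" % (name, want))
    return problems
```

Run it as `check_cacerts("cacerts")` on the pulled folder; any line it returns is a file that the flashing step did not leave in the expected state.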

RE: update for trusted system CA certificates - Added by My Self almost 7 years ago

I made an updated pack called: 'replace_cacerts_6.0.0.zip' (attached) which is based on the released Android 6.0 Marshmallow.
Exactly, I used these AOSP certificates: https://android.googlesource.com/platform/libcore/+/android-cts-6.0_r1/luni/src/main/files/cacerts/

(The number of resulting certificates should be 160 again).

Have fun.
