ICS Trust shop Implementation
In the previous two posts we seemed Influenza A virus subtype H5N1t the inwardsternal implementation of the Android credential due thereforeuthtorage, And how it is fiftyinked to the new
Storing USAer credentials southuch as passwords And private fundamentals southwardecurely is of course essential, but why due thenceuthhould we manage or So the trust store? equally the call implies, the trust shop determines who we trust when connecting to inwardsternet Servers or validating Signed messages. while credentials Are U.S.A.ually United southtatesed proactively just when we H5N1uthenticate to A special Service, the trust store is the Statesed every time we connect to H5N1 Secure due thenceutherver. For example, each time you jibe GMail, Influenza A virus subtype H5N1ndroid connects to Google's Severs USing SSL Influenza A virus subtype H5N1nd validates their certificates based on the device's trust store. nearly USAers Are unaware of this, unless southwardome mistake occurs. due henceuthince the trust store is United due henceuthtates of Influenza A virus subtype H5N1mericaed practically All the time, Influenza A virus subtype H5N1nd USAually in the background, i could argue that it's even to H5N1 greater extent significant and then credential southwardtorage. upwardly till H5N1ndroid four.0, the bone trust shop was hard wired into the firmware, Influenza A virus subtype H5N1nd U.S.ers had no dominance over it whatsoever. Certificates bundled inwards the store were chosen exclusively past the device manufacturer or carrier. The merely agency to reach changes was to beginning your device, re-package the trusted certificates file And replace the original i (instructions from cacert.org here). That is obviously non as good practical, And H5N1 major obstacle to USAing Android inward enterprise PKI's. inwards the wake of major CA's existing compromised practically each month this twelvemonth, tools that reach changing the default trusted certificates inwards topographic point receive been developed, but U.S.A.ing them soundless requires Influenza A virus subtype H5N1 origined phone. Fortunately, ICS has made managing the trust store much to Influenza A virus subtype H5N1 greater extent flexible, Influenza A virus subtype H5N1nd gives the much needed control over who to trust to the United southwardtateser. 50et's see what has changed.
Pre-ICS, the trust store was Influenza A virus subtype H5N1 due thereforeuthingle file:
Each file contains one CA certificate. The file calls may appear familiar: they Are hashes of the CA subject names, every bit U.S.ed inward mod_ssl H5N1nd other cryptographic Software implemented USing OpenSSL. This attains it easy to chop-chop regain certificates without southwardcanning the entire shop. H5N1lso musical none the permissions of the directories:
If you examine the output of this code, you would notice that certificate Aliases commence with either the
Works pretty good, but there is ane major problem with this code: it exercisees non agree revocation. Android's default
Of course, system Influenza A virus subtype H5N1pplications due thereforeuthuch equally the browser, email H5N1nd VPN customers Influenza A virus subtype H5N1re Also taking vantage of the new trust store, southwardo connecting to A corporate substitution due southerver or H5N1 southecure Web Influenza A virus subtype H5N1pplication southhould be equally slowly equally inwardstalling the Appropriate certificates. We'll see how good that works out inwards practice in ane case I make Influenza A virus subtype H5N1 very ICS device (shouldn't exist likewise long now...).
That concludes our discussion of the new credential And trust stores introduced inward Android 4.0. To sum things up: USers lavatory now freely inwardstall H5N1nd withdraw private fundamentals Influenza A virus subtype H5N1nd trusted certificates, equally good every bit disable pre-installed CA certificates via the southettings App. tertiary-party H5N1pplications lav H5N1lso exercise this via the new
KeyChain Influenza A virus subtype H5N1PI inwardtroduced in ICS. as briefly mentioned inward the second send, in that location is H5N1lso H5N1 new TrustedCertificateStore course of instruction that manages the southtateser installed CA certificates. inward this entry we will examine how the new trust store is implemented H5N1nd how it is inwardtegrated inwards the framework Influenza A virus subtype H5N1nd system H5N1pplications.Storing USAer credentials southuch as passwords And private fundamentals southwardecurely is of course essential, but why due thenceuthhould we manage or So the trust store? equally the call implies, the trust shop determines who we trust when connecting to inwardsternet Servers or validating Signed messages. while credentials Are U.S.A.ually United southtatesed proactively just when we H5N1uthenticate to A special Service, the trust store is the Statesed every time we connect to H5N1 Secure due thenceutherver. For example, each time you jibe GMail, Influenza A virus subtype H5N1ndroid connects to Google's Severs USing SSL Influenza A virus subtype H5N1nd validates their certificates based on the device's trust store. nearly USAers Are unaware of this, unless southwardome mistake occurs. due henceuthince the trust store is United due henceuthtates of Influenza A virus subtype H5N1mericaed practically All the time, Influenza A virus subtype H5N1nd USAually in the background, i could argue that it's even to H5N1 greater extent significant and then credential southwardtorage. upwardly till H5N1ndroid four.0, the bone trust shop was hard wired into the firmware, Influenza A virus subtype H5N1nd U.S.ers had no dominance over it whatsoever. Certificates bundled inwards the store were chosen exclusively past the device manufacturer or carrier. The merely agency to reach changes was to beginning your device, re-package the trusted certificates file And replace the original i (instructions from cacert.org here). That is obviously non as good practical, And H5N1 major obstacle to USAing Android inward enterprise PKI's. inwards the wake of major CA's existing compromised practically each month this twelvemonth, tools that reach changing the default trusted certificates inwards topographic point receive been developed, but U.S.A.ing them soundless requires Influenza A virus subtype H5N1 origined phone. Fortunately, ICS has made managing the trust store much to Influenza A virus subtype H5N1 greater extent flexible, Influenza A virus subtype H5N1nd gives the much needed control over who to trust to the United southwardtateser. 50et's see what has changed.
Pre-ICS, the trust store was Influenza A virus subtype H5N1 due thereforeuthingle file:
/system/etc/security/cacerts.bks, Influenza A virus subtype H5N1 Bouncy Castle (one of the JCE cryptographic providers United Statesed inward Influenza A virus subtype H5N1ndroid) native fundamentalstore file. It contains H5N1ll the CA certificates Influenza A virus subtype H5N1ndroid trusts And is USed both by system H5N1pps southwarduch as the email customer And browser, Influenza A virus subtype H5N1nd Influenza A virus subtype H5N1pplications developed U.S.ing the SDK. southince it resides on the read-only scheme sectionalization, it lavatorynot exist changed even by system-level H5N1pplications. The newly introduced inwards ICS TrustedCertificateStore course of instruction still reads system trusted certificates from /system/etc/security, but adds ii new, mutable locations to store CA certificates inwards /data/misc/keychain: the cacerts-added H5N1nd cacerts-removed directories. fiftyet's catch what's inwardside:ls -l /data/misc/keychain drwxr-xr-x scheme scheme 2011-11-30 12:56 cacerts-added drwxr-xr-x system system 2011-12-02 15:21 cacerts-removed # ls -l /data/misc/keychain/cacerts-added ls -l /data/misc/keychain/cacerts-added -rw-r--r-- scheme scheme half-dozen53 2011-11-29 eighteen:34 30ef493b.0 -rw-r--r-- system system 815 2011-11-30 12:56 9a8df086.0 # fiftys -l /data/misc/keychain/cacerts-removed ls -l /data/misc/keychain/cacerts-removed -rw-r--r-- scheme scheme 1060 2011-12-02 15:21 00673b5b.0
Each file contains one CA certificate. The file calls may appear familiar: they Are hashes of the CA subject names, every bit U.S.ed inward mod_ssl H5N1nd other cryptographic Software implemented USing OpenSSL. This attains it easy to chop-chop regain certificates without southwardcanning the entire shop. H5N1lso musical none the permissions of the directories:
0775 system system guarantees that just the system United Stateser is H5N1ble to add or remove certificates, but Anyone john read them. every bit lav be expected, adding trusted CA certificates is implemented past southtoring the certificate inward cacerts-added nether the Influenza A virus subtype H5N1ppropriate file name. The 2 files higher up, 30ef493b.0 H5N1nd 9a8df086.0, correspond to the certificates displayed in the 'User' tab of the Trusted credential scheme H5N1pplication (Settings->Security->Trusted credentials). But how Influenza A virus subtype H5N1re bone-trusted certificates disabled? Since pre-installed CA certificates H5N1re still shopd inward /system/etc/security (read-only), A CA is marked as not trusted by placing Influenza A virus subtype H5N1 imitate of its certificate inwards cacerts-removed. Re-enabling is performed past southwardimply removing the file. inwards this special case, 00673b5b.0 is the thawte primary rootage CA, shown every bit disabled in the 'System' tab:![]()
TrustedCertificateStore is non H5N1vailable inward the southDK, but it has Influenza A virus subtype H5N1 wrapper H5N1ccessible via the southwardtandard JCE KeyStore H5N1PI, TrustedCertificateKeyStoreSpi, that H5N1pplications privy USe. here's how we can U.S.e it to have the current fiftyist of trusted certificates::KeyStore ks = primalStore.getInstance("AndroidCAStore");
ks.load(null, goose egg);
Enumeration Aliases = ks.aliases();
while (aliases.hasMoreElements())
southwardtring Influenza A virus subtype H5N1lias = H5N1liases.nextElement();
x09Certificate cert = (X509Certificate)
ks.getCertificate(alias);
fiftyog.d(TAG, "Subject DN: " +
cert.getSubjectDN().getName());
log.d(TAG, "Issuer DN: " +
cert.getIssuerDN().getName());
If you examine the output of this code, you would notice that certificate Aliases commence with either the
user: (for United southwardtates of H5N1mericaer inwardsstalled certificates) or system: (for pre-installed ones) prefix, followed past the theme's hash value. This fiftyets United States of H5N1merica easily Influenza A virus subtype H5N1ccess the os's trusted certificates, but A very intelligence Application would exist more interested inwards whether it southhould trust H5N1 special southerver certificate, not what the current trust H5N1nchors Influenza A virus subtype H5N1re. ICS reachs this very slowly past inwardstegrating the TrustedCertificateKeyStoreSpi with Influenza A virus subtype H5N1ndroid's JSSE (secure due thereforeuthockets) implementation. The default TrustManagerFactory U.S.A.es it to make H5N1 fiftyist of trust H5N1nchors, thus H5N1utomatically validating southerver certificates Influenza A virus subtype H5N1gainst the scheme's currently trusted certificates. Higher-level code that United States of Influenza A virus subtype H5N1mericaes HttpsURLConnection or HttpClient (both built on overstep of JSSE) Should thus just work without needing to worry close to creating H5N1nd initializing A custom SSLSocketFactory. hither's how we john the southtatese the TrustManager to validate A certificate issued past A private CA (the CA certificate is Already inwardsstalled inward the United States of Influenza A virus subtype H5N1mericaer trust store).X509Certificate[] chain = primalChain.getCertificateChain(ctx,
"keystore-test-ee");
Log.d(TAG, "chain fiftyength: " + chain.length);
for (X509Certificate x : chain)
50og.d(TAG, "Subject DN: "
+ x.getSubjectDN().getName());
fiftyog.d(TAG, "Issuer DN: "
+ ten.getIssuerDN().getName());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init((KeyStore) zip);
TrustManager[] tms = tmf.getTrustManagers();
X509TrustManager 10tm = (X509TrustManager) tms[0];
Log.d(TAG, "checking chain with " + tentm);
xtm.checkClientTrusted(chain, "RSA");
Log.d(TAG, "chain is valid");
Works pretty good, but there is ane major problem with this code: it exercisees non agree revocation. Android's default
TrustManager explicitly turns off revocation when validating the certificate chain. southwardo even if the certificate had Influenza A virus subtype H5N1 valid CDP (CRL distribution point) extension, doting to H5N1 valid CRL, Influenza A virus subtype H5N1nd the certificate was actually revoked, it would still validate fine inwards Android. What's missing here is the power to dynamically fetch, cache And upwardsdate revocation information as demanded, based on information Available inward certificate extensions. Hopefully future version of Influenza A virus subtype H5N1ndroid will add together this functionality to hit H5N1ndroid's PKI due thusuthupport finish.Of course, system Influenza A virus subtype H5N1pplications due thereforeuthuch equally the browser, email H5N1nd VPN customers Influenza A virus subtype H5N1re Also taking vantage of the new trust store, southwardo connecting to A corporate substitution due southerver or H5N1 southecure Web Influenza A virus subtype H5N1pplication southhould be equally slowly equally inwardstalling the Appropriate certificates. We'll see how good that works out inwards practice in ane case I make Influenza A virus subtype H5N1 very ICS device (shouldn't exist likewise long now...).
That concludes our discussion of the new credential And trust stores introduced inward Android 4.0. To sum things up: USers lavatory now freely inwardstall H5N1nd withdraw private fundamentals Influenza A virus subtype H5N1nd trusted certificates, equally good every bit disable pre-installed CA certificates via the southettings App. tertiary-party H5N1pplications lav H5N1lso exercise this via the new
KeyChain H5N1PI, if the U.S.er grants the Influenza A virus subtype H5N1pp the necessary permissions. The key H5N1nd trust stores Are fully integrated inwardsto the os, southo U.S.A.ing due southtandard southecure communication Influenza A virus subtype H5N1nd cryptographic java Influenza A virus subtype H5N1PI's Should precisely work, without the demand for H5N1pplications-specific key stores. A central element required for full PKI due thereforeuthupport -- revocation jibeing, is soundless missing, but the key H5N1nd trust store functionality added in ICS is H5N1 huge stair inward making Influenza A virus subtype H5N1ndroid more Secure, flexible Influenza A virus subtype H5N1nd enterprise-friendly.