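Introduction to the Android Certificate Installation Process
1. Certificate paths in the source tree
5.1 system certificates (files are named with the output of openssl x509 -subject_hash_old -in filename)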
libcore/luni/src/main/files/cacerts
System certificates in 7.1 and later
/system/ca-certificates/files
2. Certificate path in the firmware
/system/etc/security/cacerts
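As an added example (not code from the original article or from AOSP), the following Python recomputes the value that openssl x509 -subject_hash_old prints and flags files in a cacerts directory whose name is not of the form <hash>.<index> for their own subject, a quick integrity check on an extracted firmware trust store. The function names, the `store` mapping and the sample bytes are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def subject_der(cert):
    """Return the subject Name of a DER certificate, header bytes included."""
    _, pos, _ = tlv(cert, 0)                # Certificate SEQUENCE
    _, pos, _ = tlv(cert, pos)              # tbsCertificate SEQUENCE
    tag, _, end = tlv(cert, pos)
    if tag == 0xA0:                         # optional [0] version
        pos = end
    for _ in range(4):                      # serialNumber, signature, issuer, validity
        pos = tlv(cert, pos)[2]
    return cert[pos:tlv(cert, pos)[2]]

def subject_hash_old(cert):
    """MD5 of the subject DER; first four bytes little-endian, as 8 hex digits."""
    return "%08x" % int.from_bytes(hashlib.md5(subject_der(cert)).digest()[:4], "little")

def load_der(data):
    """Accept PEM (a trailing text dump is ignored) or raw DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def misnamed(store):
    """store maps file name -> file bytes; return names that are not <hash>.<index>."""
    def ok(name, data):
        stem, _, index = name.rpartition(".")
        try:
            return index.isdigit() and stem == subject_hash_old(load_der(data))
        except (ValueError, IndexError):    # content does not parse as a certificate
            return False
    return [name for name, data in sorted(store.items()) if not ok(name, data)]

# Constructed sample (not a real CA): just enough DER to carry a subject Name.
def der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form lengths only (body < 128 bytes)
NAME = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, b"Example Test CA"))))
SAMPLE = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                         + der(0x30, b"") + NAME + der(0x30, b"") + NAME))
```

To audit a real directory, build `store` by reading every file under the extracted cacerts path as bytes and pass it to `misnamed`.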
3. Manual installation flow
Settings -> Security -> Install certificates from SD card:
In AndroidManifest.xml:
    <Preference android:key="credentials_install"
            android:title="@string/credentials_install"
            android:summary="@string/credentials_install_summary"
            android:persistent="false">
        <intent android:action="android.credentials.INSTALL"
                android:targetPackage="com.android.certinstaller"
                android:targetClass="com.android.certinstaller.CertInstallerMain"/>
    </Preference>
packages/apps/CertInstaller
CertInstallerMain opens the document picker so the user can choose a certificate file. Once a file has been selected, it starts CertInstaller.
Depending on the certificate type, CertInstaller then calls either createPkcs12PasswordDialog or createNameCredentialDialog. Let's look at the simpler one, createNameCredentialDialog:
    try {
        startActivityForResult(
                mCredentials.createSystemInstallIntent(), // Intent intent = new Intent("com.android.credentials.INSTALL");
                REQUEST_SYSTEM_INSTALL_CODE);
    } catch (ActivityNotFoundException e) {
        Log.w(TAG, "systemInstall(): " + e);
        toastErrorAndFinish(R.string.cert_not_saved);
    }
Following the intent, we end up back in Settings, in CredentialStorage:
Settings/src/com/android/settings/CredentialStorage.java installIfAvailable
Adding a certificate: Settings/src/com/android/settings/CredentialStorage.java installIfAvailable()
Deleting a certificate: Settings/src/com/android/settings/TrustedCredentialsSettings.java AliasOperation#doInBackground
Displaying certificates: Settings/src/com/android/settings/TrustedCredentialsSettings.java AdapterData#AliasLoader#doInBackground
Certificate contents: Settings/src/com/android/settings/TrustedCredentialsSettings.java CertHolder SslCertificate
There are two installation types: userKey and CA certificates (pk12 requires handling a password).
CertInstaller\src\com\android\certinstaller\CredentialHelper.java
Error codes:
The device has no lock-screen password set
The device is not unlocked
The lock-screen method does not meet the requirements
Back in packages/apps/CertInstaller/CertInstallerMain, the startActivityForResult result callback:
    if (requestCode == REQUEST_SYSTEM_INSTALL_CODE) {
        if (resultCode == RESULT_OK) {
            Log.d(TAG, "credential is added: " + mCredentials.getName());
            Toast.makeText(this, getString(R.string.cert_is_added, mCredentials.getName()),
                    Toast.LENGTH_LONG).show();
            if (mCredentials.hasCaCerts()) {
                // more work to do, don't finish just yet
                new InstallCaCertsToKeyChainTask().execute();
                return;
            }
            setResult(RESULT_OK);
        } else {
            Log.d(TAG, "credential not saved, err: " + resultCode);
            toastErrorAndFinish(R.string.cert_not_saved);
        }
    }
For CA certificates there is one more step: new InstallCaCertsToKeyChainTask().execute() -> mCredentials.installCaCertsToKeyChain -> keyChainService.installCaCertificate
keyChainService is implemented in packages/apps/KeyChain: mTrustedCertificateStore.installCertificate
external/conscrypt/src/platform/java/org/conscrypt/TrustedCertificateStore installCertificate -> writeCertificate
4. The C layer
system/security/keystore/keystore.cpp
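Adding a certificate: installIfAvailable -> mKeyStore.put -> mBinder.insert (still in the Java layer at this point)
-> KeyStoreProxy::insert -> KeyStore::put (getEncryptionKey here uses an AES key; where does it come from?)
5. Why a lock-screen password is required
Take setting a password as an example: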
Settings/src/com/android/settings/ChooseLockPassword.java mLockPatternUtils.saveLockPassword
frameworks/base/core/java/com/android/internal/widget/LockPatternUtils.java getLockSettings().setLockPassword
frameworks/base/services/core/java/com/android/server/LockSettingsService.java setLockPassword -> maybeUpdateKeystore -> ks.passwordUid
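-> which reaches password_uid in keystore.cpp
password_uid has three states; of these, STATE_UNINITIALIZED and STATE_LOCKED both call setupMasterKeys, which sets up the AES key from the lock-screen password.
This answers the question of where the AES key used when adding a certificate comes from.
This analysis is based on Android 5.1. File names may differ in later versions, but once you know the approximate locations, a search should turn them up without much difficulty.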