Android证书安装过程介绍
一.证书在源码中的路径
5.1系统证书(命名是 openssl x509 -subject_hash_old -in filename)
libcore/luni/class="lazy" data-src/main/files/cacerts
7.1及以后系统证书
/system/ca-certificates/files
二.证书在固件中的路径
/system/etc/security/cacerts
三.手动安装流程
设置-->安全-->从SD卡安装证书:
在AndroidManif.xml里
<Preference android:key="credentials_install"
android:title="@string/credentials_install"
android:summary="@string/credentials_install_summary"
android:persistent="false">
<intent android:action="android.credentials.INSTALL"
android:targetPackage="com.android.certinstaller"
android:targetClass="com.android.certinstaller.CertInstallerMain"/>
</Preference>packages/apps/CertInstaller
CertInstallerMain打开Document,选择证书文件,选择好后。启动CerInstaller
然后根据证书类型区分createPkcs12PasswordDialog和createNameCredentialDialog,看个简单的createNameCredentialDialog
try {
startActivityForResult(
mCredentials.createSystemInstallIntent(), //Intent intent = new Intent("com.android.credentials.INSTALL");
REQUEST_SYSTEM_INSTALL_CODE);
} catch (ActivityNotFoundException e) {
Log.w(TAG, "systemInstall(): " + e);
toastErrorAndFinish(R.string.cert_not_saved);
}看intent,又到了Settings的CredentialStorage
Settings/class="lazy" data-src/com/android/settings/CredentialStorage.java installIfAvailable
添加证书:Settings/class="lazy" data-src/com/android/settings/CredentialStorage.java installIfAvailable()
删除证书:Settings/class="lazy" data-src/com/android/settings/TrustedCredentialsSettings.java AliasOperation#doInBackground
显示证书:Settings/class="lazy" data-src/com/android/settings/TrustedCredentialsSettings.java AdapterData#AliasLoader#doInBackground
证书内容:Settings/class="lazy" data-src/com/android/settings/TrustedCredentialsSettings.java CertHolder SslCertificate
安装类型两种: userKey和Ca证书(pk12要处理密码)
CertInstaller\class="lazy" data-src\com\android\certinstaller\CredentialHelper.java
异常码:
机器未设置密码锁
机器未解锁
锁屏方式不符合要求还是packages/apps/CertInstaller/CertInstallerMain,startActivityForResult结果回调
if (requestCode == REQUEST_SYSTEM_INSTALL_CODE) {
if (resultCode == RESULT_OK) {
Log.d(TAG, "credential is added: " + mCredentials.getName());
Toast.makeText(this, getString(R.string.cert_is_added,
mCredentials.getName()), Toast.LENGTH_LONG).show();
if (mCredentials.hasCaCerts()) {
// more work to do, don't finish just yet
new InstallCaCertsToKeyChainTask().execute();
return;
}
setResult(RESULT_OK);
} else {
Log.d(TAG, "credential not saved, err: " + resultCode);
toastErrorAndFinish(R.string.cert_not_saved);
}
}如果是CaCerts,还要进行 new InstallCaCertsToKeyChainTask().execute() --> mCredentials.installCaCertsToKeyChain --> keyChainService.installCaCertificate
keyChainService实现在packages/apps/KeyChain mTrustedCertificateStore.installCertificate
external/conscrypt/class="lazy" data-src/platform/java/org/conscrypt/TrustedCertificateStore installCertificate --> writeCertificate
四.c层
system/security/keystore/keystore.cpp
添加证书 installIfAvailable -> mKeyStore.put -> mBinder.insert (这里还是java层)
-> KeyStoreProxy::insert -> KeyStore::put (这里getEncryptionKey用到一个AESkey,哪里来的?)
五.为什么要锁屏密码
以设置密码为例
Settings/class="lazy" data-src/com/android/settings/ChooseLockPassword.java mLockPatternUtils.saveLockPassword
frameworks/base/core/java/com/android/internal/widget/LockPatternUtils.java getLockSettings().setLockPassword
frameworks/base/services/core/java/com/android/server/LockSettingsService.java setLockPassword -> maybeUpdateKeystore -> ks.passwordUid
-> 到keystore.cpp的password_uid
password_uid 有三种状态,其中STATE_UNINITIALIZED和STATE_LOCKED都会调用setupMasterKeys,经锁屏密码设置AESkey
这里就解答了添加证书时的AESKey是哪来的
这个是基于Android5.1分析的,高版本可能文件名不同,但是知道大概位置,搜索下,应该没什么难度
到此这篇关于Android证书安装过程介绍的文章就介绍到这了,更多相关Android证书安装内容请搜索编程网以前的文章或继续浏览下面的相关文章希望大家以后多多支持编程网!
免责声明:
① 本站未注明“稿件来源”的信息均来自网络整理。其文字、图片和音视频稿件的所属权归原作者所有。本站收集整理出于非商业性的教育和科研之目的,并不意味着本站赞同其观点或证实其内容的真实性。仅作为临时的测试数据,供内部测试之用。本站并未授权任何人以任何方式主动获取本站任何信息。
② 本站未注明“稿件来源”的临时测试数据将在测试完成后最终做删除处理。有问题或投稿请发送至: 邮箱/279061341@qq.com QQ/279061341
