一.證書在源碼中的路徑

5.1系統(tǒng)證書(命名是 openssl x509 -subject_hash_old -in filename)

libcore/luni/src/main/files/cacerts

7.1及以后系統(tǒng)證書

/system/ca-certificates/files

二.證書在固件中的路徑

/system/etc/security/cacerts

三.手動安裝流程

設(shè)置-->安全-->從SD卡安裝證書：

在AndroidManif.xml里

<Preference android:key="credentials_install"
        android:title="@string/credentials_install"
        android:summary="@string/credentials_install_summary"
        android:persistent="false">
    <intent android:action="android.credentials.INSTALL"
            android:targetPackage="com.android.certinstaller"
            android:targetClass="com.android.certinstaller.CertInstallerMain"/>
</Preference>

packages/apps/CertInstaller

CertInstallerMain打開Document，選擇證書文件，選擇好后。啟動CerInstaller

然后根據(jù)證書類型區(qū)分createPkcs12PasswordDialog和createNameCredentialDialog，看個簡單的createNameCredentialDialog

try {
    startActivityForResult(
            mCredentials.createSystemInstallIntent(),   //Intent intent = new Intent("com.android.credentials.INSTALL");
            REQUEST_SYSTEM_INSTALL_CODE);
} catch (ActivityNotFoundException e) {
    Log.w(TAG, "systemInstall(): " + e);
    toastErrorAndFinish(R.string.cert_not_saved);
}

看intent，又到了Settings的CredentialStorage

Settings/src/com/android/settings/CredentialStorage.java ? ?installIfAvailable

添加證書：Settings/src/com/android/settings/CredentialStorage.java ? ?installIfAvailable()

刪除證書：Settings/src/com/android/settings/TrustedCredentialsSettings.java ? AliasOperation#doInBackground

顯示證書：Settings/src/com/android/settings/TrustedCredentialsSettings.java ? AdapterData#AliasLoader#doInBackground ??

證書內(nèi)容：Settings/src/com/android/settings/TrustedCredentialsSettings.java ?CertHolder ?SslCertificate

安裝類型兩種： userKey和Ca證書(pk12要處理密碼)

CertInstaller\src\com\android\certinstaller\CredentialHelper.java

異常碼：

機器未設(shè)置密碼鎖

機器未解鎖

鎖屏方式不符合要求還是packages/apps/CertInstaller/CertInstallerMain，startActivityForResult結(jié)果回調(diào)

if (requestCode == REQUEST_SYSTEM_INSTALL_CODE) {
    if (resultCode == RESULT_OK) {
        Log.d(TAG, "credential is added: " + mCredentials.getName());
        Toast.makeText(this, getString(R.string.cert_is_added,
                mCredentials.getName()), Toast.LENGTH_LONG).show();
 
        if (mCredentials.hasCaCerts()) {
            // more work to do, don't finish just yet
            new InstallCaCertsToKeyChainTask().execute();
            return;
        }
        setResult(RESULT_OK);
    } else {
        Log.d(TAG, "credential not saved, err: " + resultCode);
        toastErrorAndFinish(R.string.cert_not_saved);
    }
}

如果是CaCerts，還要進行 new InstallCaCertsToKeyChainTask().execute() --> mCredentials.installCaCertsToKeyChain --> keyChainService.installCaCertificate

keyChainService實現(xiàn)在packages/apps/KeyChain ?mTrustedCertificateStore.installCertificate

external/conscrypt/src/platform/java/org/conscrypt/TrustedCertificateStore ? installCertificate --> writeCertificate

四.c層

system/security/keystore/keystore.cpp

添加證書 ?installIfAvailable -> mKeyStore.put -> mBinder.insert （這里還是java層）
-> KeyStoreProxy::insert -> KeyStore::put ?(這里getEncryptionKey用到一個AESkey，哪里來的？)

五.為什么要鎖屏密碼

以設(shè)置密碼為例
Settings/src/com/android/settings/ChooseLockPassword.java ?mLockPatternUtils.saveLockPassword
frameworks/base/core/java/com/android/internal/widget/LockPatternUtils.java ?getLockSettings().setLockPassword
frameworks/base/services/core/java/com/android/server/LockSettingsService.java ?setLockPassword -> maybeUpdateKeystore ?-> ks.passwordUid
-> 到keystore.cpp的password_uid?

password_uid 有三種狀態(tài)，其中STATE_UNINITIALIZED和STATE_LOCKED都會調(diào)用setupMasterKeys，經(jīng)鎖屏密碼設(shè)置AESkey
這里就解答了添加證書時的AESKey是哪來的

這個是基于Android5.1分析的，高版本可能文件名不同，但是知道大概位置，搜索下，應(yīng)該沒什么難度? ? ? ??

到此這篇關(guān)于Android證書安裝過程介紹的文章就介紹到這了,更多相關(guān)Android證書安裝內(nèi)容請搜索腳本之家以前的文章或繼續(xù)瀏覽下面的相關(guān)文章希望大家以后多多支持腳本之家！

最新評論