In the previous two posts nosotros looked at the internal implementation of the Android credential storage, together with how it is linked to the novel
Storing user credentials such equally passwords together with mortal keys securely is of course of educational activity essential, but why should nosotros help close the trust store? As the call implies, the trust shop determines who nosotros trust when connecting to Internet servers or validating signed messages. While credentials are normally used proactively only when nosotros authenticate to a detail service, the trust shop is used every fourth dimension nosotros connect to a secure server. For example, each fourth dimension yous depository fiscal establishment check GMail, Android connects to Google's severs using SSL together with validates their certificates based on the device's trust store. Most users are unaware of this, unless roughly fault occurs. Since the trust shop is used practically all the time, together with normally inward the background, 1 could fence that it's fifty-fifty to a greater extent than of import so credential storage. Up till Android 4.0, the OS trust shop was difficult wired into the firmware, together with users had no command over it whatsoever. Certificates bundled inward the shop were chosen exclusively past times the device manufacturer or carrier. The only agency to brand changes was to root your device, re-package the trusted certificates file together with supplant the master copy 1 (instructions from cacert.org here). That is evidently non likewise practical, together with a major obstruction to using Android inward enterprise PKI's. In the wake of major CA's existence compromised practically each calendar month this year, tools that brand changing the default trusted certificates inward house accept been developed, but using them withal requires a rooted phone. Fortunately, ICS has made managing the trust shop much to a greater extent than flexible, together with gives the much needed command over who to trust to the user. Let's run into what has changed.
Pre-ICS, the trust shop was a unmarried file:
Each file contains 1 CA certificate. The file names may facial expression familiar: they are hashes of the CA dependent area names, equally used inward mod_ssl together with other cryptographic software implemented using OpenSSL. This makes it slow to apace abide by certificates without scanning the entire store. Also banker's complaint the permissions of the directories:
If yous examine the output of this code, yous would notice that certificate aliases showtime amongst either the
Works pretty well, but in that place is 1 major work amongst this code: it does non depository fiscal establishment check revocation. Android's default
Of course, organization applications such equally the browser, e-mail together with VPN clients are also taking wages of the novel trust store, so connecting to a corporate Exchange server or a secure Web application should hold upward equally slow equally installing the appropriate certificates. We'll run into how good that industrial plant out inward exercise 1 time I become a existent ICS device (shouldn't hold upward likewise long now...).
That concludes our give-and-take of the novel credential together with trust stores introduced inward Android 4.0. To amount things up: users tin right away freely install together with take away mortal keys together with trusted certificates, equally good equally disable pre-installed CA certificates via the Settings app. Third-party applications tin also do this via the novel
KeyChain API introduced inward ICS. As briefly mentioned inward the instant post, in that place is also a novel TrustedCertificateStore shape that manages user installed CA certificates. In this entry nosotros volition examine how the novel trust shop is implemented together with how it is integrated inward the framework together with organization applications.Storing user credentials such equally passwords together with mortal keys securely is of course of educational activity essential, but why should nosotros help close the trust store? As the call implies, the trust shop determines who nosotros trust when connecting to Internet servers or validating signed messages. While credentials are normally used proactively only when nosotros authenticate to a detail service, the trust shop is used every fourth dimension nosotros connect to a secure server. For example, each fourth dimension yous depository fiscal establishment check GMail, Android connects to Google's severs using SSL together with validates their certificates based on the device's trust store. Most users are unaware of this, unless roughly fault occurs. Since the trust shop is used practically all the time, together with normally inward the background, 1 could fence that it's fifty-fifty to a greater extent than of import so credential storage. Up till Android 4.0, the OS trust shop was difficult wired into the firmware, together with users had no command over it whatsoever. Certificates bundled inward the shop were chosen exclusively past times the device manufacturer or carrier. The only agency to brand changes was to root your device, re-package the trusted certificates file together with supplant the master copy 1 (instructions from cacert.org here). That is evidently non likewise practical, together with a major obstruction to using Android inward enterprise PKI's. In the wake of major CA's existence compromised practically each calendar month this year, tools that brand changing the default trusted certificates inward house accept been developed, but using them withal requires a rooted phone. Fortunately, ICS has made managing the trust shop much to a greater extent than flexible, together with gives the much needed command over who to trust to the user. Let's run into what has changed.
Pre-ICS, the trust shop was a unmarried file:
/system/etc/security/cacerts.bks, a Bouncy Castle (one of the JCE cryptographic providers used inward Android) native keystore file. It contains all the CA certificates Android trusts together with is used both past times organization apps such equally the e-mail customer together with browser, together with applications developed using the SDK. Since it resides on the read-only organization partition, it cannot hold upward changed fifty-fifty past times system-level applications. The newly introduced inward ICS TrustedCertificateStore shape withal reads organization trusted certificates from /system/etc/security, but adds ii new, mutable locations to shop CA certificates inward /data/misc/keychain: the cacerts-added together with cacerts-removed directories. Let's run into what's inside:ls -l /data/misc/keychain drwxr-xr-x organization organization 2011-11-30 12:56 cacerts-added drwxr-xr-x organization organization 2011-12-02 15:21 cacerts-removed # ls -l /data/misc/keychain/cacerts-added ls -l /data/misc/keychain/cacerts-added -rw-r--r-- organization organization 653 2011-11-29 18:34 30ef493b.0 -rw-r--r-- organization organization 815 2011-11-30 12:56 9a8df086.0 # ls -l /data/misc/keychain/cacerts-removed ls -l /data/misc/keychain/cacerts-removed -rw-r--r-- organization organization 1060 2011-12-02 15:21 00673b5b.0
Each file contains 1 CA certificate. The file names may facial expression familiar: they are hashes of the CA dependent area names, equally used inward mod_ssl together with other cryptographic software implemented using OpenSSL. This makes it slow to apace abide by certificates without scanning the entire store. Also banker's complaint the permissions of the directories:
0775 organization system guarantees that only the system user is able to add together or take away certificates, but anyone tin read them. As tin hold upward expected, adding trusted CA certificates is implemented past times storing the certificate inward cacerts-added nether the appropriate file name. The ii files above, 30ef493b.0 together with 9a8df086.0, fit to the certificates displayed inward the 'User' tab of the Trusted credential organization application (Settings->Security->Trusted credentials). But how are OS-trusted certificates disabled? Since pre-installed CA certificates are withal stored inward /system/etc/security (read-only), a CA is marked equally non trusted past times placing a re-create of its certificate inward cacerts-removed. Re-enabling is performed past times but removing the file. In this detail case, 00673b5b.0 is the thawte Primary Root CA, shown equally disabled inward the 'System' tab:
TrustedCertificateStore is non available inward the SDK, but it has a wrapper accessible via the measure JCE KeyStore API, TrustedCertificateKeyStoreSpi, that applications tin use. Here's how nosotros tin utilisation it to become the electrical flow listing of trusted certificates::KeyStore ks = KeyStore.getInstance("AndroidCAStore"); ks.load(null, null); Enumeration aliases = ks.aliases(); spell (aliases.hasMoreElements()) { String alias = aliases.nextElement(); X09Certificate cert = (X509Certificate) ks.getCertificate(alias); Log.d(TAG, "Subject DN: " + cert.getSubjectDN().getName()); Log.d(TAG, "Issuer DN: " + cert.getIssuerDN().getName()); } If yous examine the output of this code, yous would notice that certificate aliases showtime amongst either the
user: (for user installed certificates) or system: (for pre-installed ones) prefix, followed past times the subject's hash value. This lets us easily access the OS's trusted certificates, but a existent intelligence application would hold upward to a greater extent than interested inward whether it should trust a detail server certificate, non what the electrical flow trust anchors are. ICS makes this really slow past times integrating the TrustedCertificateKeyStoreSpi amongst Android's JSSE (secure sockets) implementation. The default TrustManagerFactory uses it to become a listing of trust anchors, so automatically validating server certificates against the system's currently trusted certificates. Higher-level code that uses HttpsURLConnection or HttpClient (both built on top of JSSE) should so exactly piece of work without needing to worry close creating together with initializing a custom SSLSocketFactory. Here's how nosotros tin utilisation the TrustManager to validate a certificate issued past times a mortal CA (the CA certificate is already installed inward the user trust store).X509Certificate[] chain = KeyChain.getCertificateChain(ctx, "keystore-test-ee"); Log.d(TAG, "chain length: " + chain.length); for (X509Certificate x : chain) { Log.d(TAG, "Subject DN: " + x.getSubjectDN().getName()); Log.d(TAG, "Issuer DN: " + x.getIssuerDN().getName()); } TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); tmf.init((KeyStore) null); TrustManager[] tms = tmf.getTrustManagers(); X509TrustManager xtm = (X509TrustManager) tms[0]; Log.d(TAG, "checking chain amongst " + xtm); xtm.checkClientTrusted(chain, "RSA"); Log.d(TAG, "chain is valid"); Works pretty well, but in that place is 1 major work amongst this code: it does non depository fiscal establishment check revocation. Android's default
TrustManager explicitly turns off revocation when validating the certificate chain. So fifty-fifty if the certificate had a valid CDP (CRL distribution point) extension, pointing to a valid CRL, together with the certificate was truly revoked, it would withal validate fine inward Android. What's missing hither is the mightiness to dynamically fetch, cache together with update revocation information equally needed, based on information available inward certificate extensions. Hopefully futurity version of Android volition add together this functionality to brand Android's PKI back upward complete.Of course, organization applications such equally the browser, e-mail together with VPN clients are also taking wages of the novel trust store, so connecting to a corporate Exchange server or a secure Web application should hold upward equally slow equally installing the appropriate certificates. We'll run into how good that industrial plant out inward exercise 1 time I become a existent ICS device (shouldn't hold upward likewise long now...).
That concludes our give-and-take of the novel credential together with trust stores introduced inward Android 4.0. To amount things up: users tin right away freely install together with take away mortal keys together with trusted certificates, equally good equally disable pre-installed CA certificates via the Settings app. Third-party applications tin also do this via the novel
KeyChain API, if the user grants the app the necessary permissions. The fundamental together with trust stores are fully integrated into the OS, so using measure secure communication together with cryptographic Java API's should exactly work, without the take for applications-specific fundamental stores. H5N1 fundamental chemical constituent required for total PKI back upward -- revocation checking, is withal missing, but the fundamental together with trust shop functionality added inward ICS is a huge stride inward making Android to a greater extent than secure, flexible together with enterprise-friendly.
Tag :
android security
0 Komentar untuk "Droidcedas : Ics Trust Shop Implementation"