1. The path of the certificate in the source code
Android 5.1 system certificates (each file is named after the hash printed by openssl x509 -subject_hash_old -in filename)
libcore/luni/src/main/files/cacerts
Android 7.1 and later system certificates
/system/ca-certificates/files
2. The path of the certificate in the firmware
/system/etc/security/cacerts
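The naming rule from section 1, as an added example (not code from the original article or from AOSP): a file in the CA store is expected to be named <subject_hash_old>.<n>, where the hash is the MD5 of the DER-encoded subject name with its first four bytes read little-endian. The function names are illustrative, and the sample is a constructed, unsigned certificate skeleton rather than a real CA.

```python
import base64, hashlib, re

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def subject_der(cert):
    """Return the subject Name of a DER certificate, outer SEQUENCE header included."""
    _, pos, _ = tlv(cert, 0)                   # Certificate
    _, pos, _ = tlv(cert, pos)                 # tbsCertificate
    tag, _, end = tlv(cert, pos)
    pos = end if tag == 0xA0 else pos          # skip the optional [0] version
    for _ in range(4):                         # serialNumber, signature, issuer, validity
        _, _, pos = tlv(cert, pos)
    return cert[pos:tlv(cert, pos)[2]]

def subject_hash_old(cert):
    """Same value as `openssl x509 -subject_hash_old`, as 8 hex digits."""
    digest = hashlib.md5(subject_der(cert)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def pem_to_der(text):
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode(m.group(1))

def name_matches(name, pem):
    """True if a store file name is <subject_hash_old>.<n> for the certificate it holds."""
    stem, _, index = name.partition(".")
    try:
        return index.isdigit() and stem == subject_hash_old(pem_to_der(pem))
    except (ValueError, IndexError):           # not PEM, or malformed DER
        return False

# Constructed sample: unsigned certificate skeleton (short DER lengths only), not a real CA.
def der(tag, *parts):
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)
def cn_name(cn):
    return der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403"), der(0x0C, cn))))
ISSUER, SUBJECT = cn_name(b"Example Issuer"), cn_name(b"Example Root CA")
TBS = der(0x30, bytes.fromhex("a003020102020101"), der(0x30), ISSUER, der(0x30), SUBJECT)
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % base64.encodebytes(der(0x30, TBS)).decode()
```

Run name_matches over every file pulled from /system/etc/security/cacerts; a file whose name does not match its own subject hash deserves a closer look.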
3. Manual installation process
Settings --> Security --> Install certificate from SD card:
In
    <Preference android:key="credentials_install"
            android:title="@string/credentials_install"
            android:summary="@string/credentials_install_summary"
            android:persistent="false">
        <intent android:action=""
                android:targetPackage=""
                android:targetClass=""/>
    </Preference>
packages/apps/CertInstaller
CertInstallerMain opens the document picker; after the user selects a certificate file, it starts CertInstaller.
CertInstaller then chooses between createPkcs12PasswordDialog and createNameCredentialDialog according to the certificate type. Take the simpler createNameCredentialDialog path:
    try {
        startActivityForResult(
                mCredentials.createSystemInstallIntent(), // Intent intent = new Intent("");
                REQUEST_SYSTEM_INSTALL_CODE);
    } catch (ActivityNotFoundException e) {
        Log.w(TAG, "systemInstall(): " + e);
        toastErrorAndFinish(R.string.cert_not_saved);
    }
The intent leads back to CredentialStorage in Settings:
Settings/src/com/android/settings/ installIfAvailable
Add certificate: Settings/src/com/android/settings/ installIfAvailable()
Delete the certificate: Settings/src/com/android/settings/ AliasOperation#doInBackground
Display certificate: Settings/src/com/android/settings/ AdapterData#AliasLoader#doInBackground
Certificate content: Settings/src/com/android/settings/ CertHolder SslCertificate
There are two types of installation: user keys and CA certificates (PKCS#12 files additionally require a password)
CertInstaller\src\com\android\certinstaller\
Exception cases:
The machine has no password lock set
The machine is not unlocked
The lock screen method does not meet the requirements
Result callback of startActivityForResult in packages/apps/CertInstaller/CertInstallerMain:
    if (requestCode == REQUEST_SYSTEM_INSTALL_CODE) {
        if (resultCode == RESULT_OK) {
            Log.d(TAG, "credential is added: " + mCredentials.getName());
            Toast.makeText(this, getString(R.string.cert_is_added,
                    mCredentials.getName()), Toast.LENGTH_LONG).show();
            if (mCredentials.hasCaCerts()) {
                // more work to do, don't finish just yet
                new InstallCaCertsToKeyChainTask().execute();
                return;
            }
            setResult(RESULT_OK);
        } else {
            Log.d(TAG, "credential not saved, err: " + resultCode);
            toastErrorAndFinish(R.string.cert_not_saved);
        }
    }
For CA certificates, new InstallCaCertsToKeyChainTask().execute() must also run --> -->
keyChainService is implemented in packages/apps/KeyChain
external/conscrypt/src/platform/java/org/conscrypt/TrustedCertificateStore installCertificate --> writeCertificate
4. C layer
system/security/keystore/
Add certificate installIfAvailable -> -> (This is still the java layer)
-> KeyStoreProxy::insert -> KeyStore::put (getEncryptionKey uses an AES key here; where does it come from?)
5. Why is a lock screen password required?
Take setting a password as an example:
Settings/src/com/android/settings/
frameworks/base/core/java/com/android/internal/widget/ getLockSettings().setLockPassword
frameworks/base/services/core/java/com/android/server/ setLockPassword -> maybeUpdateKeystore ->
-> Password_uid
password_uid has three states. In both STATE_UNINITIALIZED and STATE_LOCKED it calls setupMasterKeys, which sets up the AES key from the lock screen password.
This answers the question of where the AES key comes from when a certificate is added.
This analysis is based on Android 5.1. File names in later versions may differ, but the approximate locations are the same, so a search of the source tree should find them without much difficulty.