On Wed, Oct 27, 2010 at 1:26 PM, sjschultze <[email protected]> wrote:
> The cert store system on Android seems sub-optimal. I see that there
> is an active bug discussing some aspects of this:
> http://code.google.com/p/android/issues/detail?id=11231
> It seems that it would be ideal to have a single OS-wide cert store that is
> easily customizable by users -- similar to what you get with NSS or OS X (I
> won't use Windows as an example given its misleading cert-auto-update
> service).

I think that is the goal of 11231. I'll note that there are some advantages of Windows Vista and later's ability to not ship with 100s of CAs on the device but dynamically add them, but I consider that separate from 11231 for most purposes.

> As it stands, I don't believe that there is even a way to browse what is in
> the Keystore-service cert store, let alone disable certs. The only thing
> that seems possible is to add additional certs, but based on the discussion
> in bug 11231 it doesn't seem like that store is used by the browser or
> email. Is that right?
>

Yes, it's just for VPN. The certs might be manageable under VPN settings, but I've never confirmed that. I believe I've seen it in the Nexus One user guide.

> On a possibly relevant note, it seems like the Keystore-service certs live in
> /system/etc/security/. On my G2, this memory is write-protected. Does this
> have an effect on the ability to install custom certs? (I will not digress
> into my extreme distaste for the G2 write-protect regime, which I imagine
> you can appreciate).
>

The /system partition is read-only. This doesn't have anything to do with the G2. /system/etc/security contains a read-only cacerts.bks, which contains the system CA certs, and otacerts.zip, which from the name I assume is for certs specifically for validating OTA (Over The Air) updates.

The keystore process seems to be using /data/misc/keystore for storage. /data is where rw state is kept. That directory is only rw by the keystore app.

I think I tried to describe the basic call paths from a Java app to that process in 11231, but it's mainly based on looking at the code, not from having worked on it.

-bri
