[移动开发]Android 证书安装流程分析

一.证书在源码中的路径

5.1系统证书(命名是 openssl x509 -subject_hash_old -in filename)
libcore/luni/src/main/files/cacerts

7.1及以后系统证书
/system/ca-certificates/files

二.证书在固件中的路径

/system/etc/security/cacerts

三.手动安装流程

设置-->安全-->从SD卡安装证书：
在AndroidManif.xml里

<Preference android:key="credentials_install"
? ? ? ? android:title="@string/credentials_install"
? ? ? ? android:summary="@string/credentials_install_summary"
? ? ? ? android:persistent="false">
? ? <intent android:action="android.credentials.INSTALL"
? ? ? ? ? ? android:targetPackage="com.android.certinstaller"
? ? ? ? ? ? android:targetClass="com.android.certinstaller.CertInstallerMain"/>
</Preference>

packages/apps/CertInstaller
CertInstallerMain打开Document，选择证书文件，选择好后。启动CerInstaller
然后根据证书类型区分createPkcs12PasswordDialog和createNameCredentialDialog，看个简单的createNameCredentialDialog

try {
? ? startActivityForResult(
? ? ? ? ? ? mCredentials.createSystemInstallIntent(), ? //Intent intent = new Intent("com.android.credentials.INSTALL");
? ? ? ? ? ? REQUEST_SYSTEM_INSTALL_CODE);
} catch (ActivityNotFoundException e) {
? ? Log.w(TAG, "systemInstall(): " + e);
? ? toastErrorAndFinish(R.string.cert_not_saved);
}

看intent，又到了Settings的CredentialStorage

Settings/src/com/android/settings/CredentialStorage.java ? ?installIfAvailable
添加证书：Settings/src/com/android/settings/CredentialStorage.java ? ?installIfAvailable()
删除证书：Settings/src/com/android/settings/TrustedCredentialsSettings.java ? AliasOperation#doInBackground
显示证书：Settings/src/com/android/settings/TrustedCredentialsSettings.java ? AdapterData#AliasLoader#doInBackground ??
证书内容：Settings/src/com/android/settings/TrustedCredentialsSettings.java ?CertHolder ?SslCertificate

安装类型两种： userKey和Ca证书(pk12要处理密码)
CertInstaller\src\com\android\certinstaller\CredentialHelper.java

异常码：
机器未设置密码锁
机器未解锁
锁屏方式不符合要求还是packages/apps/CertInstaller/CertInstallerMain，startActivityForResult结果回调

if (requestCode == REQUEST_SYSTEM_INSTALL_CODE) {
? ? if (resultCode == RESULT_OK) {
? ? ? ? Log.d(TAG, "credential is added: " + mCredentials.getName());
? ? ? ? Toast.makeText(this, getString(R.string.cert_is_added,
? ? ? ? ? ? ? ? mCredentials.getName()), Toast.LENGTH_LONG).show();

? ? ? ? if (mCredentials.hasCaCerts()) {
? ? ? ? ? ? // more work to do, don't finish just yet
? ? ? ? ? ? new InstallCaCertsToKeyChainTask().execute();
? ? ? ? ? ? return;
? ? ? ? }
? ? ? ? setResult(RESULT_OK);
? ? } else {
? ? ? ? Log.d(TAG, "credential not saved, err: " + resultCode);
? ? ? ? toastErrorAndFinish(R.string.cert_not_saved);
? ? }
}

如果是CaCerts，还要进行 new InstallCaCertsToKeyChainTask().execute() --> mCredentials.installCaCertsToKeyChain --> keyChainService.installCaCertificate
keyChainService实现在packages/apps/KeyChain ?mTrustedCertificateStore.installCertificate
external/conscrypt/src/platform/java/org/conscrypt/TrustedCertificateStore ? installCertificate --> writeCertificate

四.c层
system/security/keystore/keystore.cpp

添加证书 ?installIfAvailable -> mKeyStore.put -> mBinder.insert （这里还是java层）
? ? ? ? ? ? ? ? ? ? -> KeyStoreProxy::insert -> KeyStore::put ?(这里getEncryptionKey用到一个AESkey，哪里来的？)

五.为什么要锁屏密码
以设置密码为例
Settings/src/com/android/settings/ChooseLockPassword.java ?mLockPatternUtils.saveLockPassword
frameworks/base/core/java/com/android/internal/widget/LockPatternUtils.java ?getLockSettings().setLockPassword
frameworks/base/services/core/java/com/android/server/LockSettingsService.java ?setLockPassword -> maybeUpdateKeystore ?-> ks.passwordUid
? ? -> 到keystore.cpp的password_uid?
? ??
password_uid 有三种状态，其中STATE_UNINITIALIZED和STATE_LOCKED都会调用setupMasterKeys，经锁屏密码设置AESkey
这里就解答了添加证书时的AESKey是哪来的

这个是基于Android5.1分析的，高版本可能文件名不同，但是知道大概位置，搜索下，应该没什么难度
? ? ? ??

?