Android 14(UpsideDownCake)无法在/system/etc/security/cacert中找到已安装的证书。

huangapple go评论84阅读模式
英文:

Android 14 (UpsideDownCake) doesn't see certificate installed in /system/etc/security/cacert

问题

以下是翻译好的内容:

对于我们的Android模拟器自动化测试平台,我们能够使用以下经过尝试和测试的命令将Proxyman证书推送到/system/etc/security/cacerts

  1. 使用-writable-system标志启动模拟器:emulator -avd emulator_name -writable-system

  2. 准备Proxyman证书:

    • openssl x509 -inform PEM -subject_hash_old -in proxyman-ssl-proxying-certificate.pem | head -1 - 它返回证书的哈希值,例如30eb732c

    • 将其保存到文件中:cat proxyman-ssl-proxying-certificate.pem > 30eb732c.0

    • openssl x509 -inform PEM -text -in proxyman-ssl-proxying-certificate.pem -out /dev/null >> 30eb732c.0

  3. 将创建的30eb732c.0推送到模拟器:

    • adb root
    • adb remount
    • adb root
    • adb shell avbctl disable-verification
    • adb reboot
    • adb root
    • adb remount
    • adb push 30eb732c.0 /system/etc/security/cacerts
  4. 我可以通过列出所有证书来验证该文件是否存在,使用adb shell ls /system/etc/security/cacert,并在列表中看到我的证书。

通过这些步骤,我们能够在我们的应用程序发布版本上(最多到API 33)在Proxyman中查看流量,我可以在模拟器设置/安全性/加密和凭据/受信任的凭据中看到安装在系统分区上的证书。

使用相同的步骤对Android模拟器UpsideDownCake进行操作,我可以看到证书文件确实位于/system/etc/security/cacert,但UI没有显示它,并且Proxyman也无法捕获流量(出现SSL握手失败)。

安装证书的方法受到了以下链接的启发:

我觉得我可能遗漏了某些内容,但同时也在思考API 33和UpsideDownCake模拟器之间的区别。有人成功在Android 14(UpsideDownCake)模拟器上安装/system/etc/security/cacert中的证书吗?

英文:

For our automated testing platform for Android emulator, we are able to push a Proxyman certificate to a /system/etc/security/cacerts with the tried and tested commands:

  1. Start emulator with -writable-system flag: emulator -avd emulator_name -writable-system

  2. Prepare Proxyman certificate:

    • openssl x509 -inform PEM -subject_hash_old -in proxyman-ssl-proxying-certificate.pem | head -1 - it returns a hash for the cert, eg. 30eb732c

    • save that to a file: cat proxyman-ssl-proxying-certificate.pem > 30eb732c.0

    • openssl x509 -inform PEM -text -in proxyman-ssl-proxying-certificate.pem -out /dev/null >> 30eb732c.0

  3. Push the created 30eb732c.0 to emulator:

    • adb root
    • adb remount
    • adb root
    • adb shell avbctl disable-verification
    • adb reboot
    • adb root
    • adb remount
    • adb push 30eb732c.0 /system/etc/security/cacerts
  4. I can verify that the file is there by listing all certs with adb shell ls /system/etc/security/cacert and seeing mine on the list.

With these, we are able to see the traffic in Proxyman on release builds of our apps, up to API 33, and I can see the certificate installed on system partition in the Emulator Settings/Security/Encryption & credentials/Trusted credentials.

Android 14(UpsideDownCake)无法在/system/etc/security/cacert中找到已安装的证书。

With the same steps for Android Emulator UpsideDownCake, I can see that the cert file is indeed in /system/etc/security/cacert, but the UI doesn't show it, and the traffic also fails to be captured by Proxyman (getting SSL Handshake Failed).

The method for installing cert has been informed by many of these:

I feel like I might be missing something here, but also wondering what's the difference between API 33 and UpsideDownCake emulators. Has anyone been successful in installing a certificate in /system/etc/security/cacert on Android 14 (UpsideDownCake) emulator?

答案1

得分: 2

Android 14现在从Conscrypt库的APEX文件系统/apex/com.android.conscrypt/cacerts中读取CA证书。

因此,你可以在此位置绑定挂载一个替代目录,然后使用nsenter将该挂载分别复制到每个应用程序的挂载命名空间和Zygote进程(启动未来的应用程序,以便新启动的应用程序默认复制此内容)。

关于此过程的完整步骤和背景情况相当复杂,但我已经记录下来并构建了一个完整的脚本来自动化这个过程,你可以在这里找到详细信息:https://httptoolkit.com/blog/android-14-install-system-ca-certificate/

你可以在HTTP Toolkit的这里查看用于自动化该过程的更改:https://github.com/httptoolkit/httptoolkit-server/commit/965fd8d9b287af0e4b305d828d5e8e1aa52dce36

英文:

Android 14 now reads CA certs from within the Conscrypt library's APEX filesystem, at /apex/com.android.conscrypt/cacerts.

That's an awkward problem for use cases like this, because that path is impossible to directly modify or remount. You can try all you like, but APEX modules are loaded using different mechanisms to the rest of the filesystem, and in general if you make simple changes via an ADB shell, apps on the device won't see them - they use isolated mount namespaces, so they'll continue using their original set of mounts independently.

I've done some digging here though, and found some working solutions: you can bind mount an alternative directory into this location, and then use nsenter to duplicate that mount individually into each app's mount namespace, and into the Zygote process (which starts future apps, so that newly launched apps copy this by default).

That's the essence of it. The full steps & background context are quite involved, but I've documented it and built a full script to automate this here: https://httptoolkit.com/blog/android-14-install-system-ca-certificate/

You can see the resulting changes to automate that process in HTTP Toolkit here: https://github.com/httptoolkit/httptoolkit-server/commit/965fd8d9b287af0e4b305d828d5e8e1aa52dce36

答案2

得分: 0

Android 14首先查找此位置:

/apex/com.android.conscrypt/cacerts
英文:

Android 14 looks in this location first:

/apex/com.android.conscrypt/cacerts

huangapple
  • 本文由 发表于 2023年4月13日 23:14:29
  • 转载请务必保留本文链接:https://go.coder-hub.com/76007110.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定