如何在未经用户同意的情况下在ICS上安装(x509 / pk12)证书?
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了如何在未经用户同意的情况下在ICS上安装(x509 / pk12)证书?相关的知识,希望对你有一定的参考价值。
对于我正在开发的应用程序,我需要能够在未经他或她同意的情况下安装CA和用户证书以及私钥。
我将拥有完整的系统权限,并假设用户在此之前将拥有密码。如果是CA证书,我将拥有x509;如果是用户证书+私钥文件,我将拥有pk12,如果是USer证书+私钥,我将拥有密码。我需要这样做才能够自动设置WPA-EAP wifi配置,并且我希望在没有员工注意任何事情的情况下实现这一点。
如果有人也知道如何列出已安装的所有证书,我将非常感激。
我已经全天检查过,并且使用keystore_cli进行了一些测试但没有成功,我也读过了CertInstaller代码而没有得到任何明智。那里的所有东西都是全包的,所以我不能直接调用这些方法,+它似乎把东西发送到com.android.settings“,”com.android.settings.CredentialStorage“。
任何建议都会很棒。
编辑对于那些想知道,这是我如何使用CA证书。应用程序需要能够以系统用户身份运行(android清单中的android:sharedUserId="android.uid.system")。
// Android...why do you enjoy doing my life so difficult...
try {
Class<?> keyStoreClass = WifiConfiguration.class.getClassLoader().loadClass("android.security.KeyStore");
Method getInstanceMethod = keyStoreClass.getMethod("getInstance");
Object keyStore = getInstanceMethod.invoke(null);
Log.d("DeviceManager", "Got keystore" + keyStore.toString());
// Put(Key, Value)
Method putCertificateMethod = keyStoreClass.getMethod("put", String.class, byte[].class);
Log.d("DeviceManager", "Putting...");
RandomAccessFile file = new RandomAccessFile("/data/ca.crt", "r");
byte[] b = new byte[(int)file.length()];
file.read(b);
byte[] cacert = b;
Log.d("DeviceManager", "Certificate is bytes long: " + b.length);
putCertificateMethod.invoke(keyStore, "CACERT_name", cacert);
} catch (ClassNotFoundException e) {
e.printStackTrace();
} catch (IllegalArgumentException e) {
e.printStackTrace();
} catch (IllegalAccessException e) {
e.printStackTrace();
} catch (InvocationTargetException e) {
e.printStackTrace();
} catch (NoSuchMethodException e) {
e.printStackTrace();
} catch (FileNotFoundException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
答案
幸运的是,这在库存设备上是不可能的。否则,任何流氓应用程序都可以在未经用户同意的情况下安装CA证书。如果您拥有一小组设备,则可能需要预先配置它们。至于PKCS#12文件,它们受密码保护,因此有人需要输入密码。
不确定“完整系统权限”的含义,但如果您可以将应用程序与平台代码链接并使用系统证书进行签名,则可以直接调用KeyChainService方法。这将允许您安装证书。此外,CA证书只是存储为文件,因此您可以将它们复制到正确的位置。这里有一些细节:http://nelenkov.blogspot.jp/2011/11/ics-credential-storage-implementation.html
另一答案
以下方法将使用CA证书和用户证书配置WPA / EAP-TLS wifi配置。您也可以将其用于其他EAP配置。
public static void createEapConfig(Context context, String ssid, String password, boolean connectAutomatically, boolean hiddenNetwork,
Integer eapMethod, Integer phase2, String identity, String anonymousIdentity, String caCertificateData,
String clientCertificateData, String clientCertPass) {
if (ssid == null || eapMethod == null) {
return;
}
WifiManager wifiManager = (WifiManager) context.getSystemService(Context.WIFI_SERVICE);
boolean connect = connectAutomatically;
boolean isWifiReceiverRegistered = false;
try {
Logger.logEnteringOld();
WifiConfiguration config = new WifiConfiguration();
config.SSID = """ + ssid + """;
config.hiddenSSID = hiddenNetwork;//false; //hidden network is always set to false.
config.status = WifiConfiguration.Status.ENABLED;
config.priority = 40;
try {
wifiManager.getClass().getMethod("setWifiApEnabled", WifiConfiguration.class, boolean.class).invoke(wifiManager, config, false);
} catch (Exception e) {
Logger.logError(e);
}
Settings.isWifiHotspotEnabled(false);
if (!wifiManager.isWifiEnabled()) {
wifiManager.setWifiEnabled(true);
Thread.sleep(5000);
}
if (connect) {
lastActNetId = wifiManager.getConnectionInfo().getNetworkId();
wifiManager.disableNetwork(lastActNetId);
wifiManager.disconnect();
}
config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);
// Set defaults
if (phase2 == null) phase2 = WifiEnterpriseConfig.Phase2.NONE;
if (identity == null) identity = "";
if (anonymousIdentity == null) anonymousIdentity = "";
if (caCertificateData == null) caCertificateData = "";
if (clientCertificateData == null) clientCertificateData = "";
if (Build.VERSION.SDK_INT >= 18) {
if (Util.isNullOrEmpty(password)) {
config.enterpriseConfig.setPassword(password);
}
config.enterpriseConfig.setEapMethod(eapMethod);
if (phase2 != null) {
config.enterpriseConfig.setPhase2Method(phase2);
}
if (!Util.isNullOrEmpty(identity)) {
config.enterpriseConfig.setIdentity(identity);
}
if (!Util.isNullOrEmpty(anonymousIdentity)) {
config.enterpriseConfig.setAnonymousIdentity(anonymousIdentity);
}
InputStream is = null;
if (!Util.isNullOrEmpty(caCertificateData)) {
try {
byte[] decodedCaCert = Base64.decode(caCertificateData);
//is = new FileInputStream(Environment.getExternalStorageDirectory()+"/local-root(1).cer" );
CertificateFactory cf = CertificateFactory.getInstance("X.509");
try {
is = new ByteArrayInputStream(decodedCaCert);
X509Certificate caCert = (X509Certificate) cf.generateCertificate(is);
config.enterpriseConfig.setCaCertificate(caCert);
} catch (CertificateException ex) {
Logger.logError(ex);
} finally {
if (is != null) {
is.close();
}
}
} catch (Throwable t) {
Logger.logError(t);
}
}
if (!Util.isNullOrEmpty(clientCertificateData) && !Util.isNullOrEmpty(clientCertPass)) {
try {
byte[] decodedClientCert = Base64.decode(clientCertificateData);
KeyStore p12 = KeyStore.getInstance("pkcs12");
is = new ByteArrayInputStream(decodedClientCert);
//is = new FileInputStream(Environment.getExternalStorageDirectory()+"/createdDERCert(1).pfx");
p12.load(is, clientCertPass.toCharArray());
Enumeration aliases = p12.aliases();
for (String alias : Collections.list(aliases)) {
if (alias == null) {
continue;
}
PrivateKey privateKey = (PrivateKey) p12.getKey(alias, clientCertPass.toCharArray());
if (privateKey == null) {
continue;
}
X509Certificate clientCert = (X509Certificate) p12.getCertificate(alias);
if (clientCert != null) {
config.enterpriseConfig.setClientKeyEntry(privateKey, clientCert);
}
}
} catch (Throwable t) {
Logger.logError(t);
} finally {
if (is != null) {
try {
is.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
}
}
int networkId = -1;
networkId = wifiManager.addNetwork(config);
wifiManager.enableNetwork(networkId, true);
wifiManager.saveConfiguration();
if (connect) {
wifiManager.reconnect();
IntentFilter filter = new IntentFilter();
filter.addAction(ConnectivityManager.CONNECTIVITY_ACTION);
Settings.cntxt.registerReceiver(wifiReceiver, filter);
isWifiReceiverRegistered = true;
Thread.sleep(15000);
}
} catch (InterruptedException ie) {
if (NetworkStateReceiver.activeConnection(Settings.cntxt)) {
lastActNetId = wifiManager.getConnectionInfo().getNetworkId();
}
} catch (Exception ex) {
Logger.logError(ex);
} finally {
// unregister wifi state receiver
if (connect && isWifiReceiverRegistered) {
isWifiReceiverRegistered = false;
Settings.cntxt.unregisterReceiver(wifiReceiver);
}
}
Logger.logEnteringOld();
}
以上是关于如何在未经用户同意的情况下在ICS上安装(x509 / pk12)证书?的主要内容,如果未能解决你的问题,请参考以下文章
应该打字吗?如果不是,如何在不破坏用户的情况下在 npm install 上触发类型安装?
DocuSign 集成。是不是可以在未经用户同意的情况下获得身份验证令牌。我想使用我的凭据在内部发送 docusign 信封电子邮件 [关闭]