Remove DigiNotar Certificate Authority from a rooted phone

7th September 2011, 01:25 AM   |  #1  
vzontini (OP, Senior Member)
With recent successful DNS attacks and hacked certificates in the wild I decided to remove the DigiNotar Certificate Authority from the list of trusted CAs on my device. If you know what you are doing the steps are pretty easy. YMMV.

I performed this work on my Windows 64-bit PC with Java and the Android SDK tools (which I have in C:\android-sdk-windows\).

Download the BouncyCastle jar from:
http://bouncycastle.org/download/bcprov-jdk16-141.jar

Move the jar into the $JAVA_HOME\lib\ext folder. On my computer that is:

C:\Program Files (x86)\Java\jre6\lib\ext\

Connect your USB cable to your phone and verify with adb that it is seen as attached.

C:\android-sdk-windows\tools>adb devices

Pull the cacerts.bks file from your phone:

C:\android-sdk-windows\tools>adb pull /system/etc/security/cacerts.bks cacerts.bks

Dump the list of CAs out of the cacerts.bks file:

C:\android-sdk-windows\tools>"\Program Files (x86)\Java\jre6\bin\keytool.exe" -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list > calist.txt

Open the calist.txt file in a text editor, find the DigiNotar CA in the list and note the alias name number. Using the alias name number, delete the DigiNotar CA from the cacerts.bks file:

C:\android-sdk-windows\tools>"\Program Files (x86)\Java\jre6\bin\keytool.exe" -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -delete -alias <alias name number from your list>

For example:

C:\android-sdk-windows\tools>"\Program Files (x86)\Java\jre6\bin\keytool.exe" -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -delete -alias 81

Then put the updated cacerts.bks file back on your phone:

C:\android-sdk-windows\tools>adb remount

C:\android-sdk-windows\tools>adb push cacerts.bks /system/etc/security/

Finally, reboot your phone so it reloads the CA list.

NOTE: This helper is based on Tim Strazzere's post on:
http://blog.mylookout.com/2011/08/fo...roid-ca-store/ which I found on the CyanogenMod dev forums at http://code.google.com/p/cyanogenmod...detail?id=4260
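Added example, not part of vzontini's post or of the Lookout/CyanogenMod material it cites: a small Python helper for the "find the alias number" step above. Instead of reading calist.txt by eye it parses the `keytool -list -v` dump, selects every entry whose Owner DN mentions DigiNotar (matching on the DN rather than a fixed alias, since the number differs between firmware builds, which is why the post tells you to take it from your own list), prints the matching `-delete` commands with the same flags as the post, and can compare a second listing taken after the push to confirm that only those entries disappeared. The listing embedded in the script is constructed for the example; the keytool path and `changeit` store password are the ones used in the post.

```python
import re
import sys
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of `keytool -list -v` output for a 3-entry BKS store. Field
# layout follows keytool (some per-entry lines omitted for brevity); the DNs and
# fingerprints are illustrative placeholders, not taken from any device or CA.
SAMPLE_CALIST = """\
Keystore type: BKS
Keystore provider: BC

Your keystore contains 3 entries

Alias name: 80
Entry type: trustedCertEntry
Owner: CN=Example Root CA 1, O=Example Trust Services, C=US
Certificate fingerprints:
\t SHA1: 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33

*******************************************
*******************************************

Alias name: 81
Entry type: trustedCertEntry
Owner: CN=DigiNotar Root CA, O=DigiNotar, C=NL
Certificate fingerprints:
\t SHA1: 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44

*******************************************
*******************************************

Alias name: 82
Entry type: trustedCertEntry
Owner: CN=Example Root CA 2, O=Example Trust Services, C=US
Certificate fingerprints:
\t SHA1: 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33:44:55
"""

@dataclass
class TrustEntry:
    alias: str   # keytool alias; in Android's cacerts.bks this is just a number
    owner: str   # subject DN of the trusted root
    sha1: str    # fingerprint, so a hit can be cross-checked before deleting

ALIAS_RE = re.compile(r"^Alias name: (.+)$", re.MULTILINE)
COUNT_RE = re.compile(r"^Your keystore contains (\d+) entr", re.MULTILINE)
KEYTOOL = r'"\Program Files (x86)\Java\jre6\bin\keytool.exe"'  # path used in the post

def _fields(chunk: str) -> Dict[str, str]:
    """Map 'Key: value' lines of one entry; split on the first colon only."""
    out: Dict[str, str] = {}
    for line in chunk.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and key and key not in out:
            out[key] = value.strip()
    return out

def parse_calist(text: str) -> List[TrustEntry]:
    """Split a -list -v dump into entries and cross-check the declared count."""
    starts = [m.start() for m in ALIAS_RE.finditer(text)]
    entries = []
    for start, end in zip(starts, starts[1:] + [len(text)]):
        f = _fields(text[start:end])
        entries.append(TrustEntry(f["Alias name"], f.get("Owner", ""), f.get("SHA1", "")))
    declared = COUNT_RE.search(text)
    if declared and int(declared.group(1)) != len(entries):
        raise ValueError(f"header declares {declared.group(1)} entries, parsed {len(entries)}")
    return entries

def find_by_owner(entries: List[TrustEntry], needle: str) -> List[TrustEntry]:
    """Every entry whose Owner DN contains `needle` (case-insensitive)."""
    n = needle.lower()
    return [e for e in entries if n in e.owner.lower()]

def delete_commands(entries: List[TrustEntry], keystore: str = "cacerts.bks") -> List[str]:
    """One keytool -delete per matched alias, same flags as the post's command."""
    return [f"{KEYTOOL} -keystore {keystore} -storetype BKS "
            "-provider org.bouncycastle.jce.provider.BouncyCastleProvider "
            f"-storepass changeit -v -delete -alias {e.alias}" for e in entries]

def verify_removed(before: List[TrustEntry], after: List[TrustEntry], needle: str) -> bool:
    """Check a listing taken after the push: no `needle` entry left, nothing else lost."""
    if find_by_owner(after, needle):
        return False
    expected = {e.alias for e in before} - {e.alias for e in find_by_owner(before, needle)}
    return expected == {e.alias for e in after}

if __name__ == "__main__":
    # Usage: python find_diginotar.py calist.txt   (no argument: run on the sample)
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CALIST
    hits = find_by_owner(parse_calist(text), "DigiNotar")
    for e in hits:
        print(f"alias {e.alias}: {e.owner}  SHA1 {e.sha1}")
    print("\n".join(delete_commands(hits)))
```

Run it on the calist.txt you produced with the `-list` command above to get the exact `-delete` lines for your build; after pushing and rebooting, pull the file again, dump it the same way, and feed both dumps to `verify_removed` to make sure the store lost only the DigiNotar entries.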
8th September 2011, 04:57 PM   |  #2  
md303 (Member)
Now there's an App for that. CaCertMan
https://guardianproject.info/2011/09...other-bad-cas/
10th September 2011, 09:04 PM   |  #3  
remzicavdar (Member, Amsterdam)
Quote:
Originally Posted by md303

Now there's an App for that. CaCertMan
https://guardianproject.info/2011/09...other-bad-cas/

It's now on the Market!!!!!
12th September 2011, 01:50 PM   |  #4  
Senior Member, Central Kentucky
I don't see it on my Nexus One (ROM in signature) or my stock Dell Streak 7. Haven't looked at my Nook Color running CM7 yet, but I'd have to guess it's still there due to their refusal to remove the CA from CM7. At least people have a choice with CACertMan.
Tags
certificate authority, diginotar, security