XDA Developers Android and Mobile Development Forum

Remove DigiNotar Certificate Authority from a rooted phone

#1 vzontini (OP)

With recent successful DNS attacks and hacked certificates in the wild, I decided to remove the DigiNotar Certificate Authority from the list of trusted CAs on my device. If you know what you are doing the steps are pretty easy. YMMV.

I performed this work on my Windows 64-bit PC with Java and the Android SDK tools (which I have in C:\android-sdk-windows\).

Download the BouncyCastle jar from:
http://bouncycastle.org/download/bcprov-jdk16-141.jar

Move the jar into the $JAVA_HOME\lib\ext folder. On my computer that is:

C:\Program Files (x86)\Java\jre6\lib\ext\

Connect your USB cable to your phone and verify with adb that it is seen as attached.

C:\android-sdk-windows\tools>adb devices

Pull the cacerts.bks file from your phone:

C:\android-sdk-windows\tools>adb pull /system/etc/security/cacerts.bks cacerts.bks

Dump the list of CAs out of the cacerts.bks file:

C:\android-sdk-windows\tools>"\Program Files (x86)\Java\jre6\bin\keytool.exe" -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list > calist.txt

Open the calist.txt file in a text editor, find the DigiNotar CA in the list and note the alias name number. Using the alias name number, delete the DigiNotar CA from the cacerts.bks file:

C:\android-sdk-windows\tools>"\Program Files (x86)\Java\jre6\bin\keytool.exe" -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -delete -alias <alias name number from your list>

For example:

C:\android-sdk-windows\tools>"\Program Files (x86)\Java\jre6\bin\keytool.exe" -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -delete -alias 81

Then put the updated cacerts.bks file back on your phone:

C:\android-sdk-windows\tools>adb remount

C:\android-sdk-windows\tools>adb push cacerts.bks /system/etc/security/

Finally, reboot your phone so it reloads the CA list.

NOTE: This helper is based on Tim Strazzere's post on:
http://blog.mylookout.com/2011/08/fo...roid-ca-store/ which I found on the CyanogenMod dev forums at http://code.google.com/p/cyanogenmod...detail?id=4260
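Added example (mine, not part of vzontini's post and not taken from the Lookout or CyanogenMod pages it cites): the same pull / list / find / delete / push round trip as a POSIX shell script, for people doing this from Linux, macOS or Git Bash/Cygwin rather than a Windows cmd prompt. It assumes adb and keytool are on PATH (override with ADB= and KEYTOOL=), that the BouncyCastle provider jar is installed in the JRE's lib/ext as described above, and that the device keeps its trust store as the single /system/etc/security/cacerts.bks file the post works on. The function names, variable names and the sample keytool output embedded at the bottom are all my own assumptions; the sample's alias numbers, dates and serials are invented.

```shell
#!/bin/sh
# Added example, not from the original post. Automates the pull / list / find /
# delete / push steps for the single-file BKS store used in the post. Assumes
# adb and keytool are on PATH (override with ADB= / KEYTOOL=) and that the
# BouncyCastle provider jar is installed in the JRE's lib/ext as the post says.
# Function names, variable names and the sample keytool output are assumptions.

ADB="${ADB:-adb}"
KEYTOOL="${KEYTOOL:-keytool}"
STORE="${STORE:-cacerts.bks}"
KT_OPTS="-keystore $STORE -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit"

# Read 'keytool -v -list' output on stdin and print the alias of every entry
# whose Owner (subject) DN contains PATTERN, case-insensitively. Android's BKS
# store uses bare numbers as aliases, so this replaces the by-hand search in
# calist.txt. CRLF line endings (keytool output saved on Windows) are tolerated.
aliases_matching() {
    pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v pat="$pat" '
        { sub(/\r$/, "") }
        /^Alias name: / { alias = $0; sub(/^Alias name: */, "", alias) }
        /^Owner: / && index(tolower($0), pat) > 0 { print alias }
    '
}

# Build (do not run) the keytool command that deletes one alias, so the exact
# command can be reviewed before the store is modified.
delete_cmd() {
    printf '%s %s -v -delete -alias %s\n' "$KEYTOOL" "$KT_OPTS" "$1"
}

# The whole procedure from the post as one function. Stops if no entry matches
# or if a matching entry survives the delete, and keeps a backup of the pulled
# store so the original can be pushed back if anything goes wrong.
remove_ca() {
    pattern="$1"
    "$ADB" pull /system/etc/security/cacerts.bks "$STORE" || return 1
    cp "$STORE" "$STORE.orig"
    "$KEYTOOL" $KT_OPTS -v -list > calist.txt || return 1
    found=$(aliases_matching "$pattern" < calist.txt)
    if [ -z "$found" ]; then
        echo "no trusted entry matching '$pattern' in $STORE" >&2
        return 1
    fi
    for alias in $found; do
        echo "deleting alias $alias"
        "$KEYTOOL" $KT_OPTS -v -delete -alias "$alias" || return 1
    done
    # Verify before pushing: the pattern must no longer match anything.
    if "$KEYTOOL" $KT_OPTS -v -list | aliases_matching "$pattern" | grep -q .; then
        echo "entry still present after delete, not pushing" >&2
        return 1
    fi
    "$ADB" remount && \
    "$ADB" push "$STORE" /system/etc/security/cacerts.bks && \
    "$ADB" reboot
}

# Constructed sample of 'keytool -v -list' output (two entries; alias numbers,
# dates and serials are invented for the example, not taken from a real store).
SAMPLE='Keystore type: BKS
Keystore provider: BC

Your keystore contains 2 entries

Alias name: 80
Creation date: Aug 30, 2011
Entry type: trustedCertEntry

Owner: CN=Example Trusted Root, O=Example CA, C=US
Issuer: CN=Example Trusted Root, O=Example CA, C=US
Serial number: 1
Valid from: Sat Jan 01 00:00:00 UTC 2000 until: Tue Jan 01 00:00:00 UTC 2030

Alias name: 81
Creation date: Aug 30, 2011
Entry type: trustedCertEntry

Owner: EMAILADDRESS=info@diginotar.nl, CN=DigiNotar Root CA, O=DigiNotar, C=NL
Issuer: EMAILADDRESS=info@diginotar.nl, CN=DigiNotar Root CA, O=DigiNotar, C=NL
Serial number: 2
Valid from: Sat Jan 01 00:00:00 UTC 2000 until: Tue Jan 01 00:00:00 UTC 2030
'

# Dry run against the sample: prints the keytool delete command for alias 81.
for alias in $(printf '%s' "$SAMPLE" | aliases_matching diginotar); do
    delete_cmd "$alias"
done
# To do it for real on an attached, rooted phone:  remove_ca diginotar
```

Two caveats that matter in practice: match on the Owner line and delete every alias it returns, not just the first one you spot in calist.txt, because a CA can be present under more than one alias; and check the re-listed store before pushing, since a typo in the alias makes keytool fail silently from a script's point of view. Later Android releases keep the system CAs as individual files under /system/etc/security/cacerts/ instead of one BKS file, so the keytool steps here apply only to devices with the single cacerts.bks store the post describes.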
 
#2 md303
Now there's an App for that. CaCertMan
https://guardianproject.info/2011/09...other-bad-cas/
 
#3 remzicavdar
Quote:
Originally Posted by md303
Now there's an App for that. CaCertMan
https://guardianproject.info/2011/09...other-bad-cas/
It's now on the Market !!!!!
 
#4 khaytsus
I don't see it on my Nexus One (ROM in signature) or my stock Dell Streak 7. Haven't looked at my Nook Color running CM7 yet, but I'd have to guess it's still there due to their refusal to remove the CA from CM7. At least people have a choice with CACertMan.
Tags: certificate authority, diginotar, security