Remove DigiNotar Certificate Authority from a rooted phone
With the recent DNS attacks and the rogue certificates issued from DigiNotar's compromised CA now in the wild, I decided to remove the DigiNotar certificate authority from the list of trusted CAs on my device. If you know what you are doing the steps are pretty easy, but they need a rooted phone, since the trust store lives on the read-only /system partition. YMMV.
I performed this work on my Windows 64-bit PC with Java and the Android SDK tools (which I have in C:\android-sdk-windows\).
Download the BouncyCastle jar from:
http://bouncycastle.org/download/bcprov-jdk16-141.jar
Copy the jar into the lib\ext folder of the JRE that keytool will run from; this registers the BouncyCastle provider so keytool can open the BKS keystore format Android uses. On my computer that is:
C:\Program Files (x86)\Java\jre6\lib\ext\
Connect your USB cable to your phone and verify with adb that it is seen as attached.
C:\android-sdk-windows\tools>adb devices
Pull the cacerts.bks file from your phone (keep an untouched copy of it somewhere so you can push the original back if anything goes wrong):
C:\android-sdk-windows\tools>adb pull /system/etc/security/cacerts.bks cacerts.bks
Dump the list of CAs in cacerts.bks to a text file:
C:\android-sdk-windows\tools>"\Program Files (x86)\Java\jre6\bin\keytool.exe" -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -list > calist.txt
Open calist.txt in a text editor, find the DigiNotar entry (its Owner: line names DigiNotar) and note the number on its "Alias name:" line. Using that alias, delete the DigiNotar CA from cacerts.bks:
C:\android-sdk-windows\tools>"\Program Files (x86)\Java\jre6\bin\keytool.exe" -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -delete -alias <alias name number from your list>
For example:
C:\android-sdk-windows\tools>"\Program Files (x86)\Java\jre6\bin\keytool.exe" -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -v -delete -alias 81
Re-run the -list command and confirm no DigiNotar entry remains, then put the updated cacerts.bks file back on your phone:
C:\android-sdk-windows\tools>adb remount
C:\android-sdk-windows\tools>adb push cacerts.bks /system/etc/security/
Finally, reboot your phone so it reloads the CA list.
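The whole pull / list / delete / verify / push cycle as one script, written for this page as an added example (it is not the author's helper nor Lookout's code) in POSIX shell rather than the Windows cmd lines above, so it runs under Linux, macOS or a Windows sh such as Git Bash with the same adb and keytool invocations. It assumes adb and keytool are on PATH (override with the ADB and KEYTOOL environment variables) and that the BouncyCastle jar is installed as described; the keytool listing embedded for the offline dry run is constructed, not captured from a device, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: remove a CA from an Android cacerts.bks by matching its Owner DN.
# Assumptions: adb and keytool on PATH (or ADB/KEYTOOL set), BouncyCastle in lib/ext.
set -eu

ADB="${ADB:-adb}"
KEYTOOL="${KEYTOOL:-keytool}"
STORE=cacerts.bks
DEVICE_PATH=/system/etc/security/cacerts.bks
BC_PROVIDER=org.bouncycastle.jce.provider.BouncyCastleProvider
STOREPASS=changeit

# Same keytool -list invocation as the post, wrapped for reuse.
list_store() {
    "$KEYTOOL" -keystore "$STORE" -storetype BKS -provider "$BC_PROVIDER" \
        -storepass "$STOREPASS" -v -list
}

# Read "keytool -list -v" output on stdin and print the alias of every entry
# whose Owner: line contains PATTERN (case-insensitive). Only Owner is
# checked, so Issuer lines that merely mention the CA do not match.
find_ca_aliases() {
    awk -v pat="$1" '
        /^Alias name: / { alias = substr($0, 13) }
        /^Owner: / && alias != "" && index(tolower($0), tolower(pat)) > 0 {
            print alias; alias = ""
        }'
}

# Full cycle against a connected, rooted phone.
remove_ca() {
    pattern="$1"
    "$ADB" devices
    "$ADB" pull "$DEVICE_PATH" "$STORE"
    cp "$STORE" "$STORE.orig"            # untouched copy to restore from
    aliases=$(list_store | find_ca_aliases "$pattern")
    if [ -z "$aliases" ]; then
        echo "no entry whose Owner matches '$pattern'" >&2
        return 1
    fi
    for a in $aliases; do
        echo "deleting alias $a"
        "$KEYTOOL" -keystore "$STORE" -storetype BKS -provider "$BC_PROVIDER" \
            -storepass "$STOREPASS" -delete -alias "$a"
    done
    # Verify on the host before touching the device.
    if [ -n "$(list_store | find_ca_aliases "$pattern")" ]; then
        echo "matching entries still present, not pushing" >&2
        return 1
    fi
    "$ADB" remount
    "$ADB" push "$STORE" "$DEVICE_PATH"
    "$ADB" shell ls -l "$DEVICE_PATH"    # should still be world-readable
    echo "done; reboot the phone so the new trust store is loaded"
}

# Constructed sample of "keytool -list -v" output for an offline dry run.
SAMPLE_LISTING='Alias name: 80
Creation date: Jan 1, 2009
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example, C=US
Issuer: CN=Example Root CA, O=Example, C=US

Alias name: 81
Creation date: Jan 1, 2009
Entry type: trustedCertEntry

Owner: EMAILADDRESS=info@diginotar.nl, CN=DigiNotar Root CA, O=DigiNotar, C=NL
Issuer: EMAILADDRESS=info@diginotar.nl, CN=DigiNotar Root CA, O=DigiNotar, C=NL
'

if [ "${1:-}" = "run" ]; then
    remove_ca "${2:-DigiNotar}"
else
    echo "dry run: aliases whose Owner matches DigiNotar in the sample listing"
    printf '%s\n' "$SAMPLE_LISTING" | find_ca_aliases DigiNotar
fi
```

Run it with no arguments to see the parser pick alias 81 out of the sample; `sh remove_ca.sh run DigiNotar` performs the real cycle. Every entry whose Owner matches is deleted, so check the dry-run output before using a broad pattern. If adb remount fails with a permission error, adbd is not running as root; on many rooted ROMs an `adb root` first fixes that.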
NOTE: This helper is based on Tim Strazzere's post on:
http://blog.mylookout.com/2011/08/fo...roid-ca-store/ which I found on the CyanogenMod dev forums at
http://code.google.com/p/cyanogenmod...detail?id=4260