03 September 2010

Android embeded certificates

Testing an application I wanted to verify the Root CAs embedded in an Android phone. After some searches the procedure has been easier than suspected. (For this test I used a WinXP SP3 with Java version 1.6.0_13). This what you should do to repeat it:

1) Install the Android USB Driver:
Download the Android SDK Starter package at http://developer.android.com/sdk/index.html, execute it, uncheck al components and mark the "USB Drives". Now you should have a new folder called "usb_driver"

2) In your Android phone go to Settings => Applications => Development and check "USB Debugging"

3) Connect the phone to the computer and when requested to install the required drivers choose the folder "usb_driver"

4) Go to the folder tools and in a console run
adb devices
That should display the serial number of the device you have connected. If that fails unplug and plug the device (you are in a Windows box my friend!)
5) Run
adb pull /system/etc/security/cacerts.bks cacerts.bks
to get the Root CA keystore in your computer
6) To be able to deal with that keystore you need the jar http://bouncycastle.org/download/bcprov-jdk16-141.jar on $JAVA_HOME/jre/lib/ext/
Now you can just run:
keytool -keystore cacerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass changeit -list -v
to display the installed Root CAs

If you want to skip it I copy below the ones I found in the Nexus One and Magic:

Nexus One Root CAs:
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
Issuer: C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority - G2,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network
Issuer: C=IL,O=StartCom Ltd.,OU=StartCom Certification Authority,CN=StartCom Extended Validation Server CA
Issuer: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Assured ID Root CA
Issuer: C=HU,L=Budapest,O=NetLock Halozatbiztonsagi Kft.,OU=Tanusitvanykiadok,CN=NetLock Expressz (Class C) Tanusitvanykiado
Issuer: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Issuer: C=BM,O=QuoVadis Limited,OU=Root Certification Authority,CN=QuoVadis Root Certification Authority
Issuer: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=(c) 2006 VeriSign\, Inc. - For authorized use only,CN=VeriSign Class 3 Public Primary Certification Authority - G5
Issuer: C=HU,L=Budapest,O=NetLock Halozatbiztonsagi Kft.,OU=Tanusitvanykiadok,CN=NetLock Uzleti (Class B) Tanusitvanykiado
Issuer: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 1 Policy Validation Authority,CN=http://www.valicert.com/,E=info@valicert.com
Issuer: C=US,O=Equifax,OU=Equifax Secure Certificate Authority
Issuer: C=EU,O=AC Camerfirma SA CIF A82743287,OU=http://www.chambersign.org,CN=Chambers of Commerce Root
Issuer: C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority
Issuer: C=US,O=Equifax Secure Inc.,CN=Equifax Secure eBusiness CA-1
Issuer: C=DE,ST=Hamburg,L=Hamburg,O=TC TrustCenter for Security in Data Networks GmbH,OU=TC TrustCenter Class 2 CA,E=certificate@trustcenter.de
Issuer: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Issuer: C=DE,ST=Hamburg,L=Hamburg,O=TC TrustCenter for Security in Data Networks GmbH,OU=TC TrustCenter Class 3 CA,E=certificate@trustcenter.de
Issuer: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
Issuer: C=DE,O=TC TrustCenter GmbH,OU=TC TrustCenter Universal CA,CN=TC TrustCenter Universal CA I
Issuer: C=TW,O=Government Root Certification Authority
Issuer: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN - DATACorp SGC
Issuer: C=ch,O=Swisscom,OU=Digital Certificate Services,CN=Swisscom Root CA 1
Issuer: C=ES,O=FNMT,OU=FNMT Clase 2 CA
Issuer: C=DE,O=Deutsche Telekom AG,OU=T-TeleSec Trust Center,CN=Deutsche Telekom Root CA 2
Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Server CA,E=server-certs@thawte.com
Issuer: C=US,O=Digital Signature Trust,OU=DST ACES,CN=DST ACES CA X6
Issuer: C=US,O=GTE Corporation,OU=GTE CyberTrust Solutions\, Inc.,CN=GTE CyberTrust Global Root
Issuer: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Network Applications
Issuer: C=FR,O=Certplus,CN=Class 2 Primary CA
Issuer: O=Entrust.net,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Certification Authority (2048)
Issuer: C=JP,O=Japan Certification Services\, Inc.,CN=SecureSign RootCA1
Issuer: C=DK,O=TDC Internet,OU=TDC Internet Root CA
Issuer: C=ES,L=C/ Muntaner 244 Barcelona,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,E=ca@firmaprofesional.com
Issuer: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA
Issuer: OU=GlobalSign Root CA - R2,O=GlobalSign,CN=GlobalSign
Issuer: C=NL,O=Staat der Nederlanden,CN=Staat der Nederlanden Root CA
Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,E=premium-server@thawte.com
Issuer: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority
Issuer: C=IL,O=StartCom Ltd.,OU=Secure Digital Certificate Signing,CN=StartCom Certification Authority
Issuer: C=US,O=Entrust\, Inc.,OU=www.entrust.net/CPS is incorporated by reference,OU=(c) 2006 Entrust\, Inc.,CN=Entrust Root Certification Authority
Issuer: C=DE,O=TC TrustCenter GmbH,OU=TC TrustCenter Class 2 CA,CN=TC TrustCenter Class 2 CA II
Issuer: C=US,O=America Online Inc.,CN=America Online Root Certification Authority 1
Issuer: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,E=info@valicert.com
Issuer: C=US,O=VeriSign\, Inc.,OU=VeriSign Trust Network,OU=Terms of use at https://www.verisign.com/rpa (c)06,CN=VeriSign Class 3 Extended Validation SSL SGC CA
Issuer: C=BE,O=GlobalSign nv-sa,OU=Root CA,CN=GlobalSign Root CA
Issuer: C=HU,ST=Hungary,L=Budapest,O=NetLock Halozatbiztonsagi Kft.,OU=Tanusitvanykiadok,CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
Issuer: C=US,O=Entrust\, Inc.,OU=AND ADDITIONAL TERMS GOVERNING USE AND RELIANCE,OU=CPS CONTAINS IMPORTANT LIMITATIONS OF WARRANTIES AND LIABILITY,OU=www.entrust.net/CPS is incorporated by reference,OU=(c) 2008 Entrust\, Inc.,CN=Entrust Certification Authority - L1B
Issuer: C=FI,O=Sonera,CN=Sonera Class2 CA
Issuer: C=JP,O=SECOM Trust.net,OU=Security Communication RootCA1
Issuer: C=BM,O=QuoVadis Limited,CN=QuoVadis Root CA 3
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA
Issuer: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 3 Policy Validation Authority,CN=http://www.valicert.com/,E=info@valicert.com
Issuer: C=BM,O=QuoVadis Limited,CN=QuoVadis Root CA 2

Magic:
Issuer: C=HU,ST=Hungary,L=Budapest,O=NetLock Halozatbiztonsagi Kft.,OU=Tanusitvanykiadok,CN=NetLock Kozjegyzoi (Class A) Tanusitvanykiado
Issuer: C=FI,O=Sonera,CN=Sonera Class2 CA
Issuer: C=JP,O=SECOM Trust.net,OU=Security Communication RootCA1
Issuer: C=US,O=GTE Corporation,CN=GTE CyberTrust Root
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert High Assurance EV Root CA
Issuer: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 3 Policy Validation Authority,CN=http://www.valicert.com/,E=info@valicert.com
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority
Issuer: C=US,O=Equifax Secure Inc.,CN=Equifax Secure Global eBusiness CA-1
Issuer: C=US,O=VeriSign\, Inc.,OU=Class 3 Public Primary Certification Authority - G2,OU=(c) 1998 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network
Issuer: C=PL,O=Unizeto Sp. z o.o.,CN=Certum CA
Issuer: C=DE,ST=Hamburg,L=Hamburg,O=TC TrustCenter for Security in Data Networks GmbH,OU=TC TrustCenter Class 2 CA,E=certificate@trustcenter.de
Issuer: C=US,O=Starfield Technologies\, Inc.,OU=Starfield Class 2 Certification Authority
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Assured ID Root CA
Issuer: C=US,O=The Go Daddy Group\, Inc.,OU=Go Daddy Class 2 Certification Authority
Issuer: C=HU,L=Budapest,O=NetLock Halozatbiztonsagi Kft.,OU=Tanusitvanykiadok,CN=NetLock Expressz (Class C) Tanusitvanykiado
Issuer: C=TW,O=Government Root Certification Authority
Issuer: C=HU,L=Budapest,O=NetLock Halozatbiztonsagi Kft.,OU=Tanusitvanykiadok,CN=NetLock Uzleti (Class B) Tanusitvanykiado
Issuer: C=ES,O=FNMT,OU=FNMT Clase 2 CA
Issuer: C=US,O=Equifax,OU=Equifax Secure Certificate Authority
Issuer: C=US,O=Digital Signature Trust,OU=DST ACES,CN=DST ACES CA X6
Issuer: C=DE,ST=Hamburg,L=Hamburg,O=TC TrustCenter for Security in Data Networks GmbH,OU=TC TrustCenter Class 3 CA,E=certificate@trustcenter.de
Issuer: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Hardware
Issuer: C=FR,O=Certplus,CN=Class 2 Primary CA
Issuer: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN - DATACorp SGC
Issuer: C=US,O=RSA Data Security\, Inc.,OU=Secure Server Certification Authority
Issuer: C=ES,L=C/ Muntaner 244 Barcelona,CN=Autoridad de Certificacion Firmaprofesional CIF A62634068,E=ca@firmaprofesional.com
Issuer: C=DE,O=Deutsche Telekom AG,OU=T-TeleSec Trust Center,CN=Deutsche Telekom Root CA 2
Issuer: C=ES,ST=BARCELONA,L=BARCELONA,O=IPS Seguridad CA,OU=Certificaciones,CN=IPS SERVIDORES,E=ips@mail.ips.es
Issuer: OU=GlobalSign Root CA - R2,O=GlobalSign,CN=GlobalSign
Issuer: C=US,O=GTE Corporation,OU=GTE CyberTrust Solutions\, Inc.,CN=GTE CyberTrust Global Root
Issuer: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 1 Policy Validation Authority,CN=http://www.valicert.com/,E=info@valicert.com
Issuer: OU=Copyright (c) 1997 Microsoft Corp.,OU=Microsoft Corporation,CN=Microsoft Root Authority
Issuer: C=SE,O=AddTrust AB,OU=AddTrust External TTP Network,CN=AddTrust External CA Root
Issuer: C=EU,O=AC Camerfirma SA CIF A82743287,OU=http://www.chambersign.org,CN=Chambers of Commerce Root
Issuer: C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority
Issuer: C=US,O=DigiCert Inc,OU=www.digicert.com,CN=DigiCert Global Root CA
Issuer: C=US,O=Equifax Secure Inc.,CN=Equifax Secure eBusiness CA-1
Issuer: C=ch,O=Swisscom,OU=Digital Certificate Services,CN=Swisscom Root CA 1
Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Server CA,E=server-certs@thawte.com
Issuer: C=US,ST=UT,L=Salt Lake City,O=The USERTRUST Network,OU=http://www.usertrust.com,CN=UTN-USERFirst-Network Applications
Issuer: C=JP,O=Japan Certification Services\, Inc.,CN=SecureSign RootCA1
Issuer: C=DK,O=TDC Internet,OU=TDC Internet Root CA
Issuer: C=NL,O=Staat der Nederlanden,CN=Staat der Nederlanden Root CA
Issuer: C=IL,ST=Israel,L=Eilat,O=StartCom Ltd.,OU=CA Authority Dep.,CN=Free SSL Certification Authority,E=admin@startcom.org
Issuer: C=ZA,ST=Western Cape,L=Cape Town,O=Thawte Consulting cc,OU=Certification Services Division,CN=Thawte Premium Server CA,E=premium-server@thawte.com
Issuer: C=US,O=America Online Inc.,CN=America Online Root Certification Authority 1
Issuer: L=ValiCert Validation Network,O=ValiCert\, Inc.,OU=ValiCert Class 2 Policy Validation Authority,CN=http://www.valicert.com/,E=info@valicert.com
Issuer: C=BE,O=GlobalSign nv-sa,OU=Root CA,CN=GlobalSign Root CA


Main sources:
http://wiki.cacert.org/ImportRootCert#Android_Phones
http://developer.android.com/sdk/index.html

3 comments:

  1. Anonymous17/9/10 23:27

    You can now use the application pkeye from the Android Market for this. It lets you list the available Root CAs and soon export them to the SD Card too.

    ReplyDelete
  2. This is an interesting post, thankyou for the information. I am a small business owner and I have found that setting up SSl has been troublesome, it's good to see someone is in the same boat.

    ReplyDelete
  3. Amazing ! You gave me a quick idea by sharing this detail. I will definitely try to perform the same thing. I am so excited about it. Thanks.
    digital certificate

    ReplyDelete