CACertMan app to address DigiNotar & other bad CA’s

As I expect many of you are aware, there was a major compromise of a Dutch Certificate Authority named “DigiNotar” recently, in which fraudulent SSL certs were issued for domains like *.google.com, *.torproject.org and even *.cia.gov, as well as *.*.com.

It was brought up to the contributors of CyanogenMOD that they should probably remove the DigiNotar CA cert from the built-in Android OS keystore (located at /system/etc/security/cacerts.bks). Since they have 500k+ users and can be more nimble than other ROM/device distributors, this was seen as a way to address the problem quickly, at least within their community. It turned out not to be as easy to convince them to do this as expected (even though Mozilla, Google Chrome, IE, etc. already had). You can read the thread, but it is still an open issue:
http://code.google.com/p/cyanogenmod/issues/detail?id=4260

In the meantime, I decided to do something proactive about this, and took two approaches:

1) Create our own curated cacerts.bks file which rooted users can install using ‘adb’ from their desktop and/or the ‘Root Explorer’ app available in the market and elsewhere. Our version of the CACert file removes DigiNotar, as well as CNNIC, a Chinese gov’t-managed cert authority which we have reason not to trust. Our goal is to continue to audit, update and distribute our own cacerts file for users who trust us.

Install info: https://raw.github.com/guardianproject/cacert/master/INSTALLATION

Guardian’s CACert: https://github.com/downloads/guardianproject/cacert/cacerts.bks


2) We also wanted to create an app that lets the user decide which certs they want available, and which they don’t. Beyond this one CA problem, there are potentially many more, and every handset manufacturer or carrier can also place their own CA certs into the system. We need an app to address today’s and future CA threats.

I have been hacking away on a solution to address this, and an initial test release is available for you. ‘CACertMan’ is a simple app that loads up the system cacert store, allows you to back it up, search for certs, delete them, and then save it back to the system. You can always restore from your initial backup, as well. In the future we may allow for a cert to just be disabled, but for now it is delete and/or restore.
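As an added example (not CACertMan’s own code, nor anything from the Guardian Project repo), here is what that load / back up / search / delete / save cycle looks like when run on a desktop JVM against a copy of cacerts.bks pulled from the device, with Bouncy Castle (bcprov.jar) on the classpath. The store password is assumed to be Android’s default, taken here to be "changeit", and the pruned file is then pushed back to /system/etc/security/ with adb as in the manual method.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

// Desktop-side pruning of a pulled cacerts.bks (added example, not CACertMan code).
public class BksPrune {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: BksPrune <cacerts.bks> <store-password> <subject-substring>");
            System.exit(2);
        }
        Path store = Paths.get(args[0]);
        char[] pw = args[1].toCharArray();      // Android default assumed to be "changeit"
        String needle = args[2].toLowerCase();  // e.g. "diginotar"

        // Back up first, as the app does, so the original store can always be restored.
        Files.copy(store, store.resolveSibling(store.getFileName() + ".bak"), StandardCopyOption.REPLACE_EXISTING);

        // BKS is a Bouncy Castle format: Android bundles the provider, a desktop JVM needs bcprov.jar.
        Security.addProvider(new BouncyCastleProvider());
        KeyStore ks = KeyStore.getInstance("BKS", "BC");
        try (InputStream in = Files.newInputStream(store)) {
            ks.load(in, pw);
        }

        // Collect matches first; deleting while walking the alias enumeration is unsafe.
        List<String> doomed = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isCertificateEntry(alias)) continue;   // skip key entries, only trust anchors matter here
            X509Certificate c = (X509Certificate) ks.getCertificate(alias);
            if (c.getSubjectX500Principal().getName().toLowerCase().contains(needle)) {
                doomed.add(alias);
            }
        }
        for (String alias : doomed) {
            ks.deleteEntry(alias);
            System.out.println("removed " + alias);
        }

        // Write to a temp file and rename, so an interrupted save cannot leave a truncated store behind.
        Path tmp = store.resolveSibling(store.getFileName() + ".tmp");
        try (OutputStream out = Files.newOutputStream(tmp)) {
            ks.store(out, pw);
        }
        Files.move(tmp, store, StandardCopyOption.REPLACE_EXISTING);
        System.out.println(doomed.size() + " removed, " + ks.size() + " remain");
    }
}
```

Run it as `java -cp bcprov.jar:. BksPrune cacerts.bks changeit diginotar`; the `.bak` it leaves beside the store is the file to push back if anything breaks afterwards.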

Here is the first alpha build for testing. This does require root, as well as a device that has the ‘grep’ command on it. In practice that means CyanogenMOD, but most likely any other custom ROM will work too. If ‘save’ doesn’t work, then you will need to use ‘RootExplorer’ to make your /system partition read-write.

Download CACertMan v0.0.1-Alpha: https://github.com/guardianproject/cacert/CACertMan-0.0.1-alpha.apk/qr_code

You can find the source project here: https://github.com/guardianproject/cacert

Once we get confirmation that the app works for most people, we’ll place it in the market, and on our site for wider distribution.

Through these two approaches, we hope to mitigate the threats facing Android users who might encounter man-in-the-middle attacks enabled through the DigiNotar compromise. While many of you are presumably in “free” countries, we do know that many of our users of Orbot, Gibberbot and other software are not, and we hope this message can reach them.

Posted in Development
26 comments on “CACertMan app to address DigiNotar & other bad CA’s”
  1. Santiago. says:

    Great work.

  2. Dave says:

    on the certs do they redownload when you go to a website or do they have to be on your phone already to be able to connect to the site? If so would it be safe to delete all of them? I’m a noob at this situation at hand thanks.

    • n8fr8 says:

      If you delete them all, you will get warnings at every https site. Many apps would also break. I don’t recommend you do that for now, until there is a more sophisticated “trust this cert” type feature.

  3. asksven says:

    I wanted to report a positive test on samsung sgs2 using vr2.4.2 (obviously rooted). Tested: backup, delete, save to original place.

  4. Desean says:

    The APK works for me. Thanks.

  5. Aphex13 says:

    Works like a champ on Samsung Captivate running CM7. Thanks for looking out for us.

  6. arcane613 says:

    apk installs fine.. appears like it’s working on my Samsung GS2 but it does not. It backs up fine. If I choose save, it then says error reading… (permission denied) then it won’t load CA store anymore.

    Reboot phone, get gapp force close issues….that google apps error force close pops up every 30 seconds or so…

    Before and after reboot, cannot save or restore; it gives permissions denied error. This happens ONLY after hitting save the first time.

    ROM is Cognition S2 1.5.1 with Ninphetamine 2.1.3 kernel. If there are logs you need, or further testing feel free to contact me at my email….

    good idea on this app though…

    • arcane613 says:

      i actually couldn’t restore via the app either; had to adb push cacerts.bks /system/etc/security/

      someone else with this phone works fine so it’s clearly rom or kernel related, but I couldn’t tell you which

      • Derek says:

        since you’re getting a permissions problem, does your ROM provide root access? do you have the superuser apk installed to manage application root permissions?

        • arcane613 says:

          i’m rooted for sure.

          setcpu running, overclocked and undervolted…but i don’t think that would cause the issue…

          just retried again, took screen shots..

          seems any time i choose restore or save…it gives the error…if I try save a second time it says it failed to load the KeyStore or something like that..for some reason I took ss of everything but the last error…

          http://imgur.com/a/dxR7o

          basically it seems to be issues with google app framework and gmail…so contacts/email..which is annoying…try clear data of both gmail, google framework services, delete and rebuild sync accounts, clear data on calendar, contacts, manually sync each item that syncs with push…all items sync, no error…but after syncing errors start popping up in random orders…lol..

          only thing to fix it is restoring original file…

          cognition is samsung 2.3.4 based, so not AOSP which I would guess might be the main source of the issue.

          i could still be overlooking something, i am relatively new to the android os….

          • Derek says:

            thanks for documenting! similar to Michael’s question (see below), this could potentially be a write issue with the /system partition on your ROM. please try mounting /system from Recovery and then pushing the updated certs.bks file to the appropriate location.

  7. Phil says:

    Works for me.
    s-off desire on LeeDroid 3.3.3

  8. Michael says:

    Does this work on devices where you have root, but no access to the /system partition as it is locked other than in recovery (e.g HTC Desire)?

    Cheers.

    • n8fr8 says:

      No it requires the ability to mount the /system partition in read/write mode. We will update our readme and check code to verify that.

      • Michael says:

        OK, thanks. I used the ‘manual’ method described above and it worked a treat. Cacertman can still be used to check it worked though. Cheers.

        • n8fr8 says:

          Actually, if the manual method worked, then it means we CAN mount your /system read-write, but you must not have the ‘busybox’ binary installed on your ROM. We use that to look up the proper device for mounting. We can actually update our app to try the same command in the manual operation in case busybox doesn’t exist. Look for this in the 0.0.3 update!

          • Michael says:

            Ahh, I should have explained it better. I booted into Clockwork recovery and then mounted the /system partition for write access from the menu. Then I used adb to push the update.

  9. Chad says:

    Works like a champ: HTC Incredible, CM7 nightly 180. Only problem I had was a little user error. :-)

  10. Chad says:

    Works like a champ: HTC Incredible, CM7 nightly 180. No errors; just installed and deleted the diginotar certificate. Only problem I ran into was a little user error. :-)

  11. Franck says:

    Diginotar removed from my desire
    Xj miui 1.9.9 & Manu 2.0 kernel

  12. Kbt says:

    It’s great.

    An extra function, for version 0.2, could be the “add CA certificate”.

  13. Pog says:

    Hello,
    works fine on an Alcatel OT-990 Orange (non rooted). Waiting for a UserCertMan for .p12 files.
    Best Regards

  14. Natanael L says:

    This works great on my SGS!

    Can you port it to the Nokia N9 too?

    As you might know, it uses Qt for the interface, has Busybox and you can get root on it by something as easy as enabling developer mode (it’s in the settings; devel-su is used to run things as root, “rootme” is default password, but I have changed it, as everybody should).

    CA certs are stored in /etc/ssl/certs as individual .pem files, and there’s .0 files too (don’t know what they do). All with hexadecimal names. I want to be able to disable CNNIC and some others (I suggest doing it by just moving the files to /etc/ssl/certs/.disabled or /etc/ssl/disabledcerts).

    • n8fr8 says:

      We actually have two members of our team who are Nokia N9 fans and users. However, we unfortunately have limited time and resources, and for now, we must focus on Android, because it is the most widely used open-source mobile platform. Our goal is to reach as many people as possible, even though there are some better and more truly open mobile platforms out there.

  15. Johannes says:

    It doesn’t seem to work on recent android. True?

    • Hans-Christoph Steiner says:

      yes, it is no longer needed in Android 4.x since Android now has the same functionality built-in.
