Java – Are there any system certificate stores on Android?


Are there any system certificate stores on Android?

In desktop Java, there is a sun.security.mscapi.SunMSCAPI cryptographic provider that we can use with KeyStore to access the Windows system certificate store.

I know there are similar stores on Android, but I can’t find a way to manage those stores (list, add, remove certificates).

What I found is:

1) Use KeyChain, but this requires additional interaction with the user through an activity;
2) Use KeyStore as you would on the desktop and load the store files directly, but the paths to these files are not the same on all devices.

Is there anything else I don’t know about?

Solution

KeyChain is a relatively new addition. It is only available for API 14 (Ice Cream Sandwich) and later. Nikolay Elenkov has a great blog post on using the ICS KeyChain API.

KeyStore is an updated addition. It only works with API 18 (Jelly Bean MR2) and later. Nikolay Elenkov has another good blog entry, Credential Storage Enhancements in Android 4.3.

You may also be interested in Unifying Key Store Access in ICS from the Android Developers blog. It tells us that KeyStore has been around since API 4 (Donut), but only the system could use it, and that it was only used for VPN secrets (Wi-Fi was added later).

The user certificate store failed until recently. To remove a certificate from the store, you had to delete the entire store (even the certificates and private keys that you wanted to keep). See also User key/cert management in ICS.

The system’s certificate store used to be stored in ROM. After the DigiNotar failure, that changed, because Android had to build a new image to remove the compromised DigiNotar root. Given that so many carriers don’t support their devices, there are actually millions (perhaps billions) of defective devices still out there.

If you want products that appeal to the most Android devices, then you might want to use your own store. Perhaps a Java keystore or SQLCipher would be a good choice. Just make sure that the database is encrypted with a key derived from user input, such as a secret. Combine the user’s secret with a random value stored on the file system in the sandbox or KeyStore for maximum effect.

If you don’t accept user input, you’ll encounter an “unattended key store” issue. This is a problem with no solution. See, for example, Peter Gutmann’s Engineering Security.
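The “own store” approach the answer recommends, as an added example in plain Java that is not from the original post: PBKDF2 turns the user’s secret plus a random salt kept in the app sandbox into the password of a PKCS12 keystore file, which then holds the app’s own trusted certificates. The file names, the alias, the `user-secret` string and the `ca.pem` input are assumptions; on Android the directory would be the app’s files directory.

```java
import java.io.*;
import java.nio.file.Files;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Collections;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class AppCertStore {
    private static final int ITERATIONS = 100_000; // slow down offline guessing of the user secret

    // Keystore password = PBKDF2(user secret, random salt); neither half alone is enough.
    static char[] derivePassword(char[] userSecret, byte[] salt) throws Exception {
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] key = f.generateSecret(new PBEKeySpec(userSecret, salt, ITERATIONS, 256)).getEncoded();
        StringBuilder sb = new StringBuilder();
        for (byte b : key) sb.append(String.format("%02x", b));
        return sb.toString().toCharArray();
    }

    // The random value lives in the app sandbox (assumed file name); created once, reused afterwards.
    static byte[] loadOrCreateSalt(File saltFile) throws IOException {
        if (saltFile.exists()) return Files.readAllBytes(saltFile.toPath());
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Files.write(saltFile.toPath(), salt);
        return salt;
    }

    // Open the app-private PKCS12 store, or start an empty one on first use.
    static KeyStore open(File ksFile, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        if (ksFile.exists()) { try (InputStream in = new FileInputStream(ksFile)) { ks.load(in, pw); } }
        else ks.load(null, pw);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        File dir = new File(args.length > 0 ? args[0] : "."); // Android: context.getFilesDir()
        char[] pw = derivePassword("user-secret".toCharArray(), loadOrCreateSalt(new File(dir, "salt.bin")));
        File ksFile = new File(dir, "certs.p12");
        KeyStore ks = open(ksFile, pw);
        try (InputStream in = new FileInputStream(new File(dir, "ca.pem"))) { // assumed PEM input
            Certificate c = CertificateFactory.getInstance("X.509").generateCertificate(in);
            ks.setCertificateEntry("example-ca", c);            // add
        }
        System.out.println(Collections.list(ks.aliases()));     // list
        ks.deleteEntry("example-ca");                           // remove a single entry
        try (OutputStream out = new FileOutputStream(ksFile)) { ks.store(out, pw); }
    }
}
```

Unlike the platform user store described above, a single entry can be removed without discarding the rest, and the store file is useless without both the user’s secret and the salt file.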
