This repository has been archived by the owner on May 30, 2023. It is now read-only.

guardianproject/cacert


Guardian Project CA Bundle for Android

In response to growing concerns about the less-than-trustworthy state of the global Certificate Authority ecosystem, we have decided to begin curating our own CACert keystore for use on Android devices.

This certificate bundle contains all the CAs from the Mozilla CA Certificate Store as obtained through Debian's ca-certificates package.

TODO: How to use the pinned certificate store?

Projects using this cacert

  • NetCipher - strong TLS verification and proxy library for Android

Usage

We rely on Debian's tool to parse the Mozilla trust database and output PEM-encoded certificates, which we then combine into a keystore ready for inclusion in Android.

    git submodule update --init --recursive
    make

The resulting keystore will be in stores/debiancacerts.bks ready to be imported into an Android project.

Add it as a raw resource to your project, then use something like the following to load it:

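    import java.io.InputStream;
    import java.security.KeyStore;
    mTrustStore = KeyStore.getInstance("BKS");
    try (InputStream in = mContext.getResources().openRawResource(R.raw.cacerts)) {  // close the stream after loading
        mTrustStore.load(in, "changeit".toCharArray());
    }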
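
Once loaded, the keystore only takes effect when it is handed to the TLS stack. The following is an added example, not code from this repository, of wiring the bundle into an SSLContext so that chain validation uses these CAs instead of the system store. The class name BundleTrust and its method names are hypothetical; the "BKS" type comes from the snippet above, and callers are assumed to pass the same R.raw.cacerts resource id and "changeit" password shown there.

```java
// Added example, not part of the cacert project. BundleTrust is a hypothetical name.
import android.content.Context;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class BundleTrust {
    private BundleTrust() {}

    /** Loads the BKS bundle from a raw resource and fails closed if it is empty. */
    public static KeyStore loadBundle(Context context, int rawResId, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore store = KeyStore.getInstance("BKS");
        try (InputStream in = context.getResources().openRawResource(rawResId)) {
            store.load(in, password);
        }
        if (store.size() == 0) {
            // An empty store cannot validate any server; surface that at startup.
            throw new GeneralSecurityException("CA bundle contains no certificates");
        }
        return store;
    }

    /** Builds an SSLContext that trusts only the CAs in the bundle, not the system store. */
    public static SSLContext contextFor(KeyStore bundle) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(bundle);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certs, default SecureRandom
        return ctx;
    }

    /** Opens an HTTPS connection whose chain validation uses the bundle. */
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification is left at the platform default; do not replace it.
        return conn;
    }
}
```

Build the SSLContext once at application start and reuse it, so a missing or empty bundle is detected before any connection is attempted.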

Relevant Reading

Credits

We would like to ack Open WhisperSystems as an inspiration for this, as they were able to push out a small patch through their WhisperCore update tool in order to modify the keystore to remove DigiNotar.