Please enable JavaScript.

Coggle requires JavaScript to display documents.

(Credential storage (System credential storage (Public API since Android 4…

- - - - KeyChain
  - - - /data/misc/keystore
        
        The master key (stored in .masterkey) is encrypted with a 128-bit AES key derived from the screen unlock password by applying the PBKDF2 key derivation function with 8192 iterations and a randomly generated 128-bit salt. The salt is stored in the .masterkey file’s info header.
        
        metadata || Enc(MD5(data) || data)
        
        Key blob version and types
      - Access Restriction
        
        Root user cannot unlock/lock keystore, but can access system keys
        
        System user can perform keystore management operations, but cannot use or retrieve other users' keys
        
        Normal user can access, insert, delete there own keys
    - - Keystore
        
        New 4.1, keymaster Hardware Abstraction Layer - HAL
        
        Decouple keystore service from underlying asymmetric key operations implementation and to allow easier integration of device-specific hardware-backed implementation
        
        All asymmetric key operations exposed by the keystore service are imple-mented by calling the system keymaster module.
        
        generate_keypair
        
        import_keypair
        
        sign_data
        
        verify_data
        
        get_keypair_public
        
        delete_keypair
        
        delete_all
        
        Aside from asymmetric key operations, all other credential storage operations are implemented by keystore service and does not depends on HAL
  - - - When you want system-wide credential. It will pop-up system UI to end user
    - - Provide individual app credential store and only app itself can access it
  - - - PKCS#12
- - - - ssl client and server sockets
      - SSLEngine
      - Factories for creating sockets
      - SSLContext
      - PKI managers
      - HttpsURLConnection
    - - SSLContext
        
        SSLSocket
        
        SSLEngine
    - - A KeyStore represents a storage facility for cryptographic keys and certificates and can be
        
        used to store both trust anchors certificates, and end entity keys along with their associated certificates.
      - A KeyManager determines which authentication credentials to send to the remote host. In the context of PKIX, this means selecting the client authenti-cation certificate to send to an SSL server
      - A TrustManager determines whether the presented peer authentication credentials should be trusted. If they are, the connection is established; if not, the connection is terminated.
  - - - Deprecated
      - AndroidOpenSSL
        
        Certificate Management and Validation
        
        System Trust Stores
        
        From Android 4.0
        
        /system/etc/security
        
        /data/misc/keychain/
        
        Settings UI
        
        KeyStore API
        
        // Certificate chain including the end entity (server) certificate
        
        // and any intermediate issuers. X509Certificate[] chain = { endEntityCert }; TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); tmf.init((KeyStore) null); TrustManager[] tms = tmf.getTrustManagers(); X509TrustManager xtm = (X509TrustManager) tms[0]; Log.d(TAG, "checking chain with " + xtm.getClass().getName()); xtm.checkServerTrusted(chain, "RSA"); Log.d(TAG, "chain is valid");
        
        Certificate Blacklisting
        
        CA keys compromises
        
        OTA, update, patches...
        
        Blacklist
        
        EE keys compromises
        
        CRL
        
        OCSP
        
        OCSP stapling
        
        Certificate blacklist
        
        No need OS update
        
        Public key blacklist - CAs
        
        /data/misc/keychain/pubkey_blacklist.txt
        
        Serial numbers blacklist - EEs
        
        /data/misc/keychain/serial_blacklist.txt
        
        Content provider
        
        Trust problems in today's PKI
        
        DNSSEC
        
        Certificate pinning
        
        Whitelist public keys
        
        Android Certificate pinning
        
        /data/misc/keychain/pins
        
        X509TrustManagerExtensions
        
        android.intent.action.UPDATE_PINS