Starting with Android 14, the location of the system certificate store has changed.

AS-IS : /system/etc/security/cacerts/
TO-BE : /apex/com.android.conscrypt/cacerts

The path /apex/com.android.conscrypt/cacerts cannot be remounted, so even with root privileges a certificate cannot be installed there directly.

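Therefore the previous method no longer works, and because the path cannot be remounted, a new mount has to be created. That is, copy out the certificates currently in cacerts, add your own certificate to the copied location, and then mount that location onto the apex path.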

Write the steps above as a shell script and run it in an adb environment. ※ CERTIFICATE_PATH must be changed to the path of your own .0 file.

# Create a separate temp directory, to hold the current certificates
# Otherwise, when we add the mount we can't read the current certs anymore.
mkdir -p -m 700 /data/local/tmp/tmp-ca-copy
 
# Copy out the existing certificates
cp /apex/com.android.conscrypt/cacerts/* /data/local/tmp/tmp-ca-copy/
 
# Create the in-memory mount on top of the system certs folder
mount -t tmpfs tmpfs /system/etc/security/cacerts
 
# Copy the existing certs back into the tmpfs, so we keep trusting them
mv /data/local/tmp/tmp-ca-copy/* /system/etc/security/cacerts/
 
# Copy our new cert in, so we trust that too
# Change CERTIFICATE_PATH to the path of your own certificate file
CERTIFICATE_PATH=/data/local/tmp/mac_cert/9a5ba575.0
cp "$CERTIFICATE_PATH" /system/etc/security/cacerts/
 
# Update the perms & selinux context labels
chown root:root /system/etc/security/cacerts/*
chmod 644 /system/etc/security/cacerts/*
chcon u:object_r:system_file:s0 /system/etc/security/cacerts/*
 
# Deal with the APEX overrides, which need injecting into each namespace:
 
# First we get the Zygote process(es), which launch each app
ZYGOTE_PID=$(pidof zygote || true)
ZYGOTE64_PID=$(pidof zygote64 || true)
# N.b. some devices appear to have both!
 
# Apps inherit the Zygote's mounts at startup, so we inject here to ensure
# all newly started apps will see these certs straight away:
for Z_PID in "$ZYGOTE_PID" "$ZYGOTE64_PID"; do
    if [ -n "$Z_PID" ]; then
        nsenter --mount=/proc/$Z_PID/ns/mnt -- \
            /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts
    fi
done
 
# Then we inject the mount into all already running apps, so they
# too see these CA certs immediately:
 
# Get the PID of every process whose parent is one of the Zygotes:
APP_PIDS=$(
    echo "$ZYGOTE_PID $ZYGOTE64_PID" | \
    xargs -n1 ps -o 'PID' -P | \
    grep -v PID
)
 
# Inject into the mount namespace of each of those apps:
for PID in $APP_PIDS; do
    nsenter --mount=/proc/$PID/ns/mnt -- \
        /bin/mount --bind /system/etc/security/cacerts /apex/com.android.conscrypt/cacerts &
done
wait # The mounts above run in the background, so wait for them to finish