Java – is there any system certificate store on Android?
In desktop Java there is the sun.security.mscapi.SunMSCAPI crypto provider. We can use it together with KeyStore to access the Windows system certificate store.
I know there are similar stores on Android, but I can't find a way to manage these stores (list, add, delete certificates).
What I found was:
1) Use KeyChain, but this requires additional interaction with the user through activities;
2) Use a KeyStore as on the desktop and load the stored files directly, but the paths of these files are not the same on all devices.
Is there any other way I don't know about?
Answer:
KeyChain is a relatively new addition. It is only available on API 14 (Ice Cream Sandwich) and higher. Nikolay Elenkov has a good blog post on using the ICS KeyChain API.
KeyStore is a newer addition still. It is only available on API 18 (Jelly Bean MR2) and later. Nikolay Elenkov also has a good blog post on the credential storage enhancements in Android 4.3.
You may also be interested in Unifying Key Store Access in ICS on the Android Developers blog. It tells us that the keystore has existed since API 4 (Donut), but only the system could use it. It was used only for VPN secrets (Wi-Fi was added later).
Until recently, the user certificate store was a little broken. To delete a certificate from the store, you had to delete the whole store (even the certificates and private keys you wanted to keep). See User Key/Cert Management in ICS.
The system's certificate store used to live in ROM. This changed after the DigiNotar failure, because Android had to build a new image to remove the compromised DigiNotar root. Given how many carriers do not support their devices, there are still millions (possibly billions) of defective devices.
If you want something that reaches the most Android devices, you may need to use your own store. Perhaps a Java KeyStore or SQLCipher would be a good choice. Just make sure the database is encrypted with a key derived from something the user enters (such as a secret). For best effect, combine the user's secret with a random value stored on the file system in the sandbox or in the keystore.
If you do not accept user input, you run into the problem of "unattended key storage". This is a problem without a solution. For example, see Peter Gutmann's Engineering Security.
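The app-private store suggested in the answer above, written out as an added example (this is not code from the question, the answer, or any of the cited blog posts): a PKCS12 KeyStore file whose password is derived with PBKDF2 from a user-entered secret combined with a random per-install salt kept in the app sandbox, with list/add/delete operations that the asker could not find for the system store. The class name AppCertStore, the file names, the iteration count and the command-line demo are all assumptions made for the example; on Android the two files would come from context.getFilesDir() and the secret from a prompt rather than from argv.

```java
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.List;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * App-private certificate store (example code, not from the original page).
 * The PKCS12 file is password-protected; the password is PBKDF2(userSecret, salt),
 * where salt is a random per-install value stored beside it inside the app sandbox.
 * A wrong secret makes KeyStore.load() fail its integrity check with an IOException.
 */
public class AppCertStore {
    private static final int ITERATIONS = 100_000;   // assumed cost; tune for the target devices
    private static final int SALT_BYTES = 16;

    private final File storeFile;
    private final char[] password;
    private final KeyStore ks;

    public AppCertStore(File storeFile, File saltFile, char[] userSecret)
            throws IOException, GeneralSecurityException {
        this.storeFile = storeFile;
        this.password = derivePassword(userSecret, loadOrCreateSalt(saltFile));
        this.ks = KeyStore.getInstance("PKCS12");
        if (storeFile.exists()) {
            try (InputStream in = new FileInputStream(storeFile)) {
                ks.load(in, password);   // integrity-checked against the derived password
            }
        } else {
            ks.load(null, null);         // brand-new, empty store
        }
    }

    /** Random value from the sandbox, created on first use. On API 18+ it could live in AndroidKeyStore instead. */
    private static byte[] loadOrCreateSalt(File saltFile) throws IOException {
        byte[] salt = new byte[SALT_BYTES];
        if (saltFile.exists()) {
            try (DataInputStream in = new DataInputStream(new FileInputStream(saltFile))) {
                in.readFully(salt);
            }
            return salt;
        }
        new SecureRandom().nextBytes(salt);
        try (OutputStream out = new FileOutputStream(saltFile)) {
            out.write(salt);
        }
        return salt;
    }

    /** PBKDF2-HMAC-SHA256 of (secret, salt), hex-encoded, used as the keystore password. On Android < API 26 only the HmacSHA1 variant exists. */
    private static char[] derivePassword(char[] userSecret, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(userSecret, salt, ITERATIONS, 256);
        try {
            byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
            StringBuilder hex = new StringBuilder(key.length * 2);
            for (byte b : key) hex.append(String.format("%02x", b));
            return hex.toString().toCharArray();
        } finally {
            spec.clearPassword();   // do not keep the raw secret around longer than needed
        }
    }

    public List<String> list() throws GeneralSecurityException {
        return Collections.list(ks.aliases());
    }

    public Certificate get(String alias) throws GeneralSecurityException {
        return ks.getCertificate(alias);
    }

    /** Accepts PEM or DER X.509 input. */
    public void add(String alias, InputStream certData) throws IOException, GeneralSecurityException {
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(certData);
        ks.setCertificateEntry(alias, cert);
        save();
    }

    /** Removes a single entry, unlike the old system store where deleting meant wiping everything. */
    public void delete(String alias) throws IOException, GeneralSecurityException {
        ks.deleteEntry(alias);
        save();
    }

    private void save() throws IOException, GeneralSecurityException {
        try (OutputStream out = new FileOutputStream(storeFile)) {
            ks.store(out, password);
        }
    }

    // Desktop demo only; on a device the secret comes from a prompt, never from argv.
    // usage: java AppCertStore certs.p12 salt.bin <secret> list | add <alias> <cert.pem> | delete <alias>
    public static void main(String[] args) throws Exception {
        if (args.length < 4) {
            System.err.println("usage: AppCertStore <store.p12> <salt.bin> <secret> list|add <alias> <cert>|delete <alias>");
            return;
        }
        AppCertStore store = new AppCertStore(new File(args[0]), new File(args[1]), args[2].toCharArray());
        switch (args[3]) {
            case "list":
                for (String alias : store.list()) {
                    X509Certificate c = (X509Certificate) store.get(alias);
                    System.out.println(alias + " : " + c.getSubjectX500Principal() + " (expires " + c.getNotAfter() + ")");
                }
                break;
            case "add":
                try (InputStream in = new FileInputStream(args[5])) { store.add(args[4], in); }
                break;
            case "delete":
                store.delete(args[4]);
                break;
            default:
                System.err.println("unknown command: " + args[3]);
        }
    }
}
```

The PKCS12 format is available from both the JDK providers and Android's bundled provider, so the same file can be created on the desktop and read on the device. Because the password is derived from something only the user knows, an attacker who copies the two files out of the sandbox still has to brute-force the secret through PBKDF2, which is the point of the answer's advice; without that user input the store's protection collapses to whatever else is on the device, which is the "unattended key storage" problem the answer closes with.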