
I feel like I cracked the atom when I successfully added my custom SSL certificate to the Android 6 emulator (I made a persistent change to the system.img file). But the browser is not recognizing it in any way. I followed this awesome tutorial, and I think I did something wrong with the hashing. Here are the full steps of what I did, and what I got so far.

My System

Windows 10, 64 BIT
Pre-built emulator

  • name: Nexus_64
  • API: 23
  • Target: Android 6 (Android API)
  • CPU/ABI: x86/64
  • Size on disk: 3 GB

Advanced emulator settings

  • RAM: 512 MB
  • VM heap: 128 MB
  • Internal storage: 2 GB (select from the drop-down on the right)
  • SD card: Studio-managed, 2 GB

System files

  • Obtain certificate file from tutorial: 890c6016.0
  • Create empty folder for storing the system file at c:\device_tmp

Utilities:

  • emulator from /android_sdk/tools/emulator.exe
  • adb from /android_sdk/platform-tools/adb.exe

What I did

Starting the emulator:

emulator -avd Nexus_64 -no-snapshot-load

Now it starts and I open a command-line window.

Find the name of the external storage, as the sdcard does not have enough space for the image file:

adb shell df

In my case /storage/13E4-1F02/ has 2 GB of space.

Installing certificate

adb shell "rm /sdcard/"
adb push 890c6016.0 /sdcard/
adb shell "mount -o remount,rw /system"
adb shell "cp /sdcard/890c6016.0 /system/etc/security/cacerts/"
adb shell "chmod 644 /system/etc/security/cacerts/890c6016.0"
adb shell "dd if=/dev/block/vda of=/storage/13E4-1F02/system.img"
adb pull /storage/13E4-1F02/system.img c:/device_tmp

It takes about 5 minutes for each of the last lines. After that I kill the device by closing all the shell windows and start it from the system.img file:

emulator -http-proxy my.ip:8888 -system c:/device_tmp/system.img

When the device is starting it has that certificate in its system.

Building the certificate file

This is how I built the certificate file. I am using Charles and openssl, so I downloaded the Charles certificate from Help -> SSL Proxying -> Export Charles Root Certificate: go.p12.

Make crt

openssl pkcs12 -in go.p12 -clcerts -nokeys -out go.crt 

Make PEM

openssl pkcs12 -in go.p12 -out go.pem

Get the hash to be used as the file name, with a .0 extension

openssl x509 -inform PEM -subject_hash_old -in go.crt

Copy go.crt and rename it to the hash we just got (890c6016.0)

type go.crt > 890c6016.0

*type is the Windows command for cat (Mac)

Append all the signature info to the file

openssl x509 -inform PEM -text -fingerprint -in go.crt -out /dev/null >> 890c6016.0

Done!

Certificate result 890c6016.0

Here is the content of the resulting certificate file, 890c6016.0. It is also what you get when running:

openssl x509 -in 890c6016.0 -text -noout

890c6016.0:

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            01:54:e1:a2:67:ba
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Charles Proxy Custom Root Certificate (built on DESKTOP-55SMC93, 24 \xD7\x9E\xD7\x90\xD7\x99 2016), OU=http://charlesproxy.com/ssl, O=XK72 Ltd, L=Auckland, ST=Auckland, C=NZ
        Validity
            Not Before: Jan  1 00:00:00 2000 GMT
            Not After : Jul 21 07:19:57 2045 GMT
        Subject: CN=Charles Proxy Custom Root Certificate (built on DESKTOP-55SMC93, 24 \xD7\x9E\xD7\x90\xD7\x99 2016), OU=http://charlesproxy.com/ssl, O=XK72 Ltd, L=Auckland, ST=Auckland, C=NZ
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bc:d2:42:32:69:8b:e5:95:b6:85:8d:8c:56:61:
                    fe:30:2b:a4:13:28:5c:d7:da:63:93:0c:b9:1b:e7:
                    32:13:26:b7:e8:46:9c:be:af:e4:2e:60:4a:60:c1:
                    c1:4e:58:64:e8:6e:75:b0:2c:df:42:78:ea:2d:8f:
                    7e:dd:42:65:6f:78:01:b2:30:08:29:6e:3f:5c:01:
                    8d:42:99:56:9b:7f:8b:36:3c:1d:fb:ae:88:b7:ad:
                    d0:cb:a9:fa:65:3f:c7:c8:96:c2:ab:38:32:12:7f:
                    0c:9e:2c:af:38:68:eb:02:92:07:f8:e1:66:a7:6d:
                    1d:b1:c7:76:ee:fe:23:b5:d5:92:4f:e5:3f:79:cc:
                    8a:49:a1:93:14:00:77:aa:3e:ce:bf:dd:b9:d1:d3:
                    a8:16:96:eb:43:e1:be:c3:b8:b5:b5:9e:73:8a:d2:
                    66:8b:7b:41:7c:30:69:45:40:71:40:f4:74:d0:e8:
                    2d:e2:ba:89:a8:90:e6:3a:59:0d:22:fe:ff:45:53:
                    45:71:fa:df:d3:0c:2f:36:58:97:eb:2b:d2:a9:bb:
                    cb:90:6d:f9:17:d7:79:85:77:94:8f:3f:1f:d3:bd:
                    75:f7:64:b1:e6:34:9d:b1:7c:18:be:78:74:0f:81:
                    cd:66:68:93:35:2f:6f:d4:ad:6f:c7:8c:11:1c:c2:
                    59:6d
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            Netscape Comment: 
                ....This Root certificate was generated by Charles Proxy for SSL Proxying. If this certificate is part of a certificate chain, this means that you're browsing through Charles Proxy with SSL Proxying enabled for this website. Please see http://charlesproxy.com/ssl for more information.
            X509v3 Key Usage: critical
                Certificate Sign
            X509v3 Subject Key Identifier: 
                D2:B3:4F:89:B9:22:4B:82:57:47:28:98:4A:23:DF:00:80:8C:52:0F
    Signature Algorithm: sha256WithRSAEncryption
         43:d4:8b:c7:83:c8:d1:98:97:f7:b6:d2:df:12:70:f7:8c:33:
         75:37:e4:54:98:bf:ba:a7:1b:61:9a:73:66:cb:86:48:7a:0b:
         5e:1e:b9:cc:b4:d7:54:da:9e:3f:71:d6:47:37:31:70:13:67:
         c3:fd:7c:bc:c2:59:0a:2d:8c:d9:43:52:37:d2:5c:2a:10:66:
         cd:b0:02:da:be:57:9f:12:d0:85:32:5a:79:ef:e3:fb:09:2c:
         e2:3a:a8:25:43:a0:bb:04:f0:1e:a6:d5:8c:e7:6f:be:d5:fb:
         86:ea:d4:0d:f5:1b:5e:27:1c:39:2c:ef:73:16:3c:f6:39:7c:
         a1:3a:42:15:c5:8d:1a:08:4f:37:b1:f7:08:e4:42:81:eb:f3:
         2c:b0:c0:49:93:12:69:a8:52:f5:ea:4f:c4:51:cb:67:32:f7:
         a2:34:9a:ca:74:4d:45:82:14:76:f6:fb:47:98:8b:1e:c2:ed:
         46:f0:98:72:e3:38:0e:35:31:9f:41:36:56:49:04:43:d2:ec:
         6d:f9:ac:b3:12:3c:55:ac:8f:4a:5a:de:d6:6d:a2:e9:3b:4b:
         16:e2:21:b3:bf:ea:49:3a:a3:fa:59:76:41:df:37:64:57:d3:
         b4:a7:93:e7:10:7a:9c:22:04:8a:48:f1:81:6c:f6:1b:f1:7f:
         85:7e:c8:b7

My problem

When I run the default Android browser from the emulator, it says it can't trust the SSL certificate, and I get a similar problem when I run my app. This indicates that the proxying is working but the certificate I built is not accepted. I also checked the file system to make sure. It is there!
So what am I missing here?

Edit

I tested this approach on the Genymotion emulator and it works!!! Why are Android emulators different?

Ilya Gazman
  • When you look at the final certificate 890c6016.0 using openssl, do you get a valid output? For example, `openssl x509 -in 890c6016.0 -text -noout` Also, what browser is being used by the emulator, and how is the trust configured on it? – Byob Jun 15 '16 at 16:16
  • @Byob I added the content of the certificate. When running the command you suggested it shows similar result. I use the default android emulator browser, with default settings. – Ilya Gazman Jun 16 '16 at 07:20
  • @Ilya_Gazman did you try it using emulators with android versions earlier than Android 6.0 – Calvin Dec 16 '16 at 11:44
  • That's a self-signed certificate belonging to a CA. Installing this as the web server certificate will certainly fail. This CA certificate would be used to issue signed certificates to your test domain and you would need to install the CA certificate as a trusted root for it to be accepted by a browser. – Andy Brown Mar 15 '17 at 09:14
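
As an added illustration (not part of the question, the tutorial it follows, or the Charles/OpenSSL projects), here is a standard-library-only Python script that reproduces the file-naming step the question relies on. It mirrors how OpenSSL's `-subject_hash_old` is defined: MD5 over the DER-encoded subject Name, first four bytes read little-endian, printed as eight lowercase hex digits, with the `.N` suffix used to disambiguate colliding hashes in the cacerts directory. It also assembles the file body in the order the question uses (PEM block first, then the `-text -fingerprint` dump). The subject DN, the PEM text and the dump used in the demo are constructed for this example; the hash values it prints are not from the page.

```python
"""Compute the Android cacerts file name (<subject_hash_old>.N) for a CA
certificate using only the standard library.

Added example, not code from the question or the tutorial. It mirrors the
OpenSSL definition of X509_NAME_hash_old(): MD5 over the DER encoding of
the subject Name, first four bytes taken little-endian, printed as eight
lowercase hex digits. The demo subject below is constructed for this
example.
"""
import hashlib
import re

# Attribute-type OIDs for the constructed demo subject.
OID_CN = (2, 5, 4, 3)
OID_O = (2, 5, 4, 10)
OID_C = (2, 5, 4, 6)


def der_len(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a tag-length-value triple."""
    return bytes([tag]) + der_len(len(content)) + content


def der_oid(arcs) -> bytes:
    """Encode an OBJECT IDENTIFIER; the first two arcs share one byte,
    later arcs use base-128 with continuation bits."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return der_tlv(0x06, bytes(out))


def der_name(rdns) -> bytes:
    """Encode an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, value }.

    Each RDN is a list of (oid, string) pairs. Values are emitted as
    PrintableString (tag 0x13), enough for the ASCII-only demo subject
    (a real subject with non-ASCII text, like the one in the question,
    would use UTF8String instead).
    """
    encoded_rdns = []
    for rdn in rdns:
        atvs = [der_tlv(0x30, der_oid(oid) + der_tlv(0x13, value.encode("ascii")))
                for oid, value in rdn]
        encoded_rdns.append(der_tlv(0x31, b"".join(atvs)))
    return der_tlv(0x30, b"".join(encoded_rdns))


def subject_hash_old(name_der: bytes) -> str:
    """Same value as `openssl x509 -subject_hash_old` for this Name."""
    md = hashlib.md5(name_der).digest()
    return format(int.from_bytes(md[:4], "little"), "08x")


def cacerts_filename(name_der: bytes, existing=frozenset()) -> str:
    """Pick <hash>.N, where N is the first suffix not already present in
    the store; colliding hashes get .1, .2, ... instead of overwriting."""
    h = subject_hash_old(name_der)
    n = 0
    while f"{h}.{n}" in existing:
        n += 1
    return f"{h}.{n}"


def build_cacert_file(pem: str, text_dump: str) -> str:
    """Assemble the file body the way the question does: the PEM block
    first, then the human-readable `-text -fingerprint` dump after it."""
    return pem.rstrip("\n") + "\n" + text_dump.rstrip("\n") + "\n"


if __name__ == "__main__":
    # Constructed demo subject (not the certificate from the question).
    demo_subject = der_name([
        [(OID_C, "NZ")],
        [(OID_O, "Example Org")],
        [(OID_CN, "Example Test Root CA")],
    ])
    name = cacerts_filename(demo_subject)
    print("subject_hash_old:", subject_hash_old(demo_subject))
    print("cacerts file name:", name)
    assert re.fullmatch(r"[0-9a-f]{8}\.0", name)
```

Running it prints the hash and the resulting `<hash>.0` file name for the constructed subject; feeding it the DER subject of a real CA certificate gives the same name OpenSSL would. A file whose name does not match the subject hash is silently ignored by the store lookup, which is why this step is worth checking first.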

1 Answer

So the certificate that you have is a self-signed certificate, i.e., the Issued To and Issued By fields of the certificate have the same values. It is expected for a client to throw the error that it doesn't trust the certificate, as it doesn't know the issuer in this case. I am not sure why it works on Genymotion though. :)

I would recommend you refer to this: https://android.stackexchange.com/questions/61540/self-signed-certificate-install-claims-success-but-android-acts-as-if-cert-isn

Kaushal Kumar Panday