Merge pull request #20 from phoeagon/master

Adding Android version of automated tools.

Android/.gitignore

+flashable.zip
+flashable/data/misc/keychain/*_blacklist.txt

Android/README.md

+Android Certificates Blacklisting
+=====================================================
+
+This tool generates flashable zip to use with custom recovery on an 
+Android 4.1+ device.
+
+## Introduction
+
+This utility blacklists CA and EE certificates.
+
+## Usage
+
+First, use `git` to clone the whole repo. `cd` to this dir. Use `generate.sh`
+to generate the configuration files you need.
+
+        git clone [REPO_ADDRESS]
+        cd RevokeChinaCerts/Android
+        ./generate.sh extended
+
+By substituting `extended` with `restore`, `base` or `all` you can get
+corresponding configuration files.
+
+### If you have root
+
+If you have a rooted Android device and appropriate ADB drivers installed,
+use `rooted.sh` to transfer the configuration files to your device.
+
+        ./rooted.sh
+
+Then, reboot the device so that the new configuration applies.
+
+If the above method fails, please use the recovery-based approach described below.
+
+### Recovery-based approach
+
+After you run `generate.sh` you get a `flashable.zip` in the current folder,
+which can be flashed on to Android via a custom recovery.
+
+## Notes
+
+The utility changes configurations under `/data` partition of your Android device,
+which is wiped every time you do a factory reset or flash a factory image.
+
+This utility doesn't remove any certificates under `/system` and should not
+cause any trouble when doing OTAs. Still, this configuration overrides the certs
+installed on your system. (That's to say, if you remove trust of *Wosign* using
+this tool, manually installing the CA cert from *Wosign* *DOES NOT* cause
+the system to see certs issued by Wosign as valid.)
+
+On Android, each application can define its own policy of certificate validation.
+An application may define custom methods to accept only some specific certificates (aka
+pinning, which is also available system-wide), or accept whatever certificate regardless
+of its issuer (e.g., Twidere). Having certs removed with this tool does NOT guarantee that
+a particular app rejects certificates associated with those.
+
+Blacklisting in Android works as follows. The CA certs are blacklisted by the
+SHA1 checksum of their public keys and EE certs the serial number. Since serial
+numbers are only required to be unique for respective certificate authorities,
+blacklisting serial numbers may accidentally blacklist other *innocent* ones, especially
+when the serial number is small.
+
+The certificate blacklisting in Android is probably updated via the Play services,
+and installing this tool may interfere with future blacklistings from Google, which is probably
+done when setting up the first Google Account on a device and maybe sometime later. Although,
+Google didn't push much certificate revocation info through this channel. Up to now (Feb of 2015)
+the blacklists consists of only two respectively:
+
+        CA Public Key: 5f3ab33d55007054bc5e3e5553cd8d8465d77c61,
+                        783333c9687df63377efceddd82efa9101913e8e
+        Serial Number: 827,864 [These are hex values]
+
+Installing this tool may prevent you from getting an updated blacklist,
+should a next Diginotar occurs.
+
+For more detailed description on certificate blacklisting on Android, see
+[here](http://nelenkov.blogspot.hk/2012/07/certificate-blacklisting-in-jelly-bean.html). And
+[here](http://nelenkov.blogspot.hk/2012/12/certificate-pinning-in-android-42.html) for
+certificate pinning.

Android/ca-blacklist.sh

+#!/bin/sh
+# Generate CA-blacklist
+# Android blacklists CAs by their public key hash
+
+# Built-in blacklist (2015 Feb)
+echo "5f3ab33d55007054bc5e3e5553cd8d8465d77c61"
+echo "783333c9687df63377efceddd82efa9101913e8e"
+
+for file in "$@";do
+    openssl x509 -inform pem -in ${file} -pubkey -noout \
+        | sed '$d' | sed '1d' | base64 -d | sha1sum | awk '{print $1}'
+done

Android/ee-blacklist.sh

+#!/bin/sh
+# Android blacklists EE by serial number
+
+# Builtin Blacklist (2015 Feb)
+echo "827"
+echo "864"
+
+for file in "$@";do
+    keytool -printcert -file ${file} | grep Serial \
+        | awk -F ':' '{print $2}' | tr -d '[] ' 
+done

Android/flashable.sh

+#!/bin/sh
+# Generate flashable
+
+GEN_ZIP='flashable.zip'
+
+mkdir -p flashable/data/misc/keychain
+
+rm $GEN_ZIP
+
+cp pubkey_blacklist.txt flashable/data/misc/keychain
+cp serial_blacklist.txt flashable/data/misc/keychain
+(cd flashable; zip ../$GEN_ZIP -r *)

Android/flashable/META-INF/com/google/android/update-binary

+#!/sbin/sh
+
+OUTFD=$2
+ZIP=$3
+
+ui_print() {
+	echo -n -e "ui_print $1\n" > /proc/self/fd/$OUTFD
+	echo -n -e "ui_print\n" > /proc/self/fd/$OUTFD
+}
+
+
+ui_print "*********************"
+ui_print "RevokeChinaCerts"
+ui_print "*********************"
+
+ui_print "- Mounting /system, /data and rootfs"
+mount /system
+mount /data
+mount -o rw,remount /system
+mount -o rw,remount /system /system
+mount -o rw,remount /data
+mount -o rw,remount /data /data
+mount -o rw,remount /
+mount -o rw,remount / /
+
+
+ui_print "- Extracting files"
+cd /tmp
+mkdir revoke
+cd revoke
+unzip -o "$ZIP"
+
+FILESPATH=/tmp/revoke
+
+ui_print "- Installing files"
+cp $FILESPATH/data/misc/keychain/serial_blacklist.txt /data/misc/keychain/serial_blacklist.txt
+cp $FILESPATH/data/misc/keychain/pubkey_blacklist.txt /data/misc/keychain/pubkey_blacklist.txt
+
+ui_print "- Unmounting /system and /data"
+umount /system
+umount /data
+
+ui_print "- Done !"
+exit 0

Android/flashable/META-INF/com/google/android/updater-script

+# this is a dummy file, the magic is in update-binary, which is a shell script
\ No newline at end of file

Android/flashable/data/misc/keychain/pubkey_blacklist.txt

+5f3ab33d55007054bc5e3e5553cd8d8465d77c61,783333c9687df63377efceddd82efa9101913e8e,

Android/flashable/data/misc/keychain/serial_blacklist.txt

+827,864,

Android/generate.sh

+#!/bin/sh
+
+set -e
+
+if [ ${1:-extended} = 'all' ];then
+    echo "Generating ALL CRL set"
+    # TODO: Explicitly distinguish between CA & EE certificates.
+    CA_CERTS=`ls ../Windows/Certs/*.crt`
+    EE_CERTS=`ls ../Windows/Certs/\[Fake\]*.crt`
+    echo "all"
+elif [ ${1:-extended} = 'extended' ];then
+    echo "Generating EXTENDED CRL set"
+    CA_CERTS=`ls ../Windows/Certs/CNNIC_*.crt ../Windows/Certs/China_Internet_Network_Information_Center_EV_Certificates_Root.crt ../Windows/Certs/[Suspicious]WaccBaiduCom.crt ../Windows/Certs/GiantRootCA.crt ../Windows/Certs/CFCA_*.crt  ../Windows/Certs/UCA_*.crt  ../Windows/Certs/[Suspicious]GoAgent_CA.crt`
+    EE_CERTS=`ls ../Windows/Certs/\[Fake\]*.crt`
+elif [ ${1:-extended} = 'restore' ];then
+    echo "Generating RESTORE CRL set"
+    CA_CERTS=''
+    EE_CERTS=''
+else
+    echo "Generating Basic CRL set"
+    CA_CERTS=`ls ../Windows/Certs/CNNIC_*.crt ../Windows/Certs/China_Internet_Network_Information_Center_EV_Certificates_Root.crt ../Windows/Certs/[Suspicious]WaccBaiduCom.crt ../Windows/Certs/GiantRootCA.crt`
+    EE_CERTS=`ls ../Windows/Certs/\[Fake\]*.crt`
+fi
+
+echo "Generating Configurations"
+# Generate a blacklist of CA cert public keys
+PUBKEYS=`bash ca-blacklist.sh ${CA_CERTS} | tr '\n' ','`
+# Generate a blacklist of EE cert serial numbers
+SERIALS=`bash ee-blacklist.sh ${EE_CERTS} | tr '\n' ','`
+
+echo "Writing Configurations"
+echo $PUBKEYS > pubkey_blacklist.txt
+echo $SERIALS > serial_blacklist.txt
+
+echo "Generated and saved to pubkey_blacklist.txt and serial_blacklist.txt"
+
+echo "Building Flashable Zip"
+bash flashable.sh
+
+echo "Done!"

Android/pubkey_blacklist.txt

+5f3ab33d55007054bc5e3e5553cd8d8465d77c61,783333c9687df63377efceddd82efa9101913e8e,

Android/rooted.sh

+#!/bin/sh
+
+adb push pubkey_blacklist.txt /sdcard/pubkey_blacklist.txt
+adb push serial_blacklist.txt /sdcard/serial_blacklist.txt
+
+adb shell su -c "cp /sdcard/pubkey_blacklist.txt /data/misc/keychain/pubkey_blacklist.txt"
+adb shell su -c "cp /sdcard/serial_blacklist.txt /data/misc/keychain/serial_blacklist.txt"
+
+echo "Please reboot your phone"

Android/serial_blacklist.txt

+827,864,