Commit 81c459f8 authored by IceCodeNew

Initial commit

# Newline format in Windows(CR-LF)
*.bat text eol=crlf
*.config text eol=crlf
*.cs text eol=crlf
*.csproj text eol=crlf
*.manifest text eol=crlf
*.sln text eol=crlf
Windows/* eol=crlf
# Newline format in Android/Linux/macOS(LF)
*.bats text eol=lf
*.orig text eol=lf
*.plist text eol=lf
*.py text eol=lf
*.sh text eol=lf
*.torestore text eol=lf
Android/* eol=lf
Linux/* eol=lf
Mac/* eol=lf
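Review bot: the directory rules `Windows/* eol=crlf`, `Android/* eol=lf`, `Linux/* eol=lf` and `Mac/* eol=lf` match only the direct children of each directory, and setting `eol` turns on line-ending conversion for every matching file whatever its type. Any binary committed directly under one of those directories would be converted, while files one level down (for example under `Android/prebuilt/`) get no directory rule at all. Suggest relying on the per-extension rules, or adding an explicit `*.zip binary` line after the directory rules.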
./flashable.zip
flashable/data/misc/keychain/*_blacklist.txt
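Review bot: `./flashable.zip` will not match anything, because gitignore patterns are not shell paths and the leading `./` is taken literally. Use `/flashable.zip` to ignore the file next to this `.gitignore`, or `flashable.zip` to ignore it at any depth (which would also hide the copies placed under `prebuilt/`).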
Copyright 2015-2019 phoeagon_AT_gmail_DOT_com
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Android Certificates Blacklisting
=====================================================
This tool generates flashable zip to use with custom recovery on an Android 4.1+ device.
* [简体中文介绍](README.zh-Hans.md)
* [繁體中文介紹](README.zh-Hant.md)
## Introduction
This utility blacklists CA and EE certificates.
Please make sure all scripts must have execute permission.
## Usage -- Use prebuilt configurations (Recommended)
### With root access
Assuming you have root access on your phone, `cd` into the folder whose
name corresponds to the config you want (RESTORE, ALL, EXTENDED or BASE).
git clone [REPO_ADDRESS]
cd Android/prebuilt/[type]
./rooted.sh
If you are on windows and do not have BASH, use:
git clone [REPO_ADDRESS]
cd Android/prebuilt/[type]
adb push pubkey_blacklist.txt /sdcard/pubkey_blacklist.txt
adb push serial_blacklist.txt /sdcard/serial_blacklist.txt
adb shell su -c "cp /sdcard/pubkey_blacklist.txt /data/misc/keychain/pubkey_blacklist.txt"
adb shell su -c "cp /sdcard/serial_blacklist.txt /data/misc/keychain/serial_blacklist.txt"
### Without root access
git clone [REPO_ADDRESS]
cd Android/prebuilt/[type]
adb push flashable.zip /sdcard/update.zip
# Reboot phone to recovery
adb reboot recovery
# Now flash the zip file using your custom recovery
## Usage -- Building from source
First, use `git` to clone the whole repo. `cd` to this dir. Use `generate.sh`
to generate the configuration files you need.
git clone [REPO_ADDRESS]
cd RevokeChinaCerts/Android
./generate.sh extended
By substituting `extended` with `restore`, `base` or `all` you can get
corresponding configuration files.
### If you have root
If you have a rooted Android device and appropriate ADB drivers installed,
use `rooted.sh` to transfer the configuration files to your device.
./rooted.sh
Then, reboot the device so that the new configuration applies.
If the above method fails, please use the recovery-based approach described below.
### Recovery-based approach
After you run `generate.sh` you get a `flashable.zip` in the current folder,
which can be flashed on to Android via a custom recovery.
## Notes
The utility changes configurations under `/data` partition of your Android device,
which is wiped every time you do a factory reset or flash a factory image.
This utility doesn't remove any certificates under `/system` and should not
cause any trouble when doing OTAs. Still, this configuration overrides the certs
installed on your system. (That's to say, if you remove trust of *Wosign* using
this tool, manually installing the CA cert from *Wosign* *DOES NOT* cause
the system to see certs issued by Wosign as valid.)
On Android, each application can define its own policy of certificate validation.
An application may define custom methods to accept only some specific certificates (aka
pinning, which is also available system-wide), or accept whatever certificate regardless
of its issuer (e.g., Twidere). Having certs removed with this tool does NOT guarantee that
a particular app rejects certificates associated with those.
Blacklisting in Android works as follows. The CA certs are blacklisted by the
SHA1 checksum of their public keys and EE certs the serial number. Since serial
numbers are only required to be unique for respective certificate authorities,
blacklisting serial numbers may accidentally blacklist other *innocent* ones, especially
when the serial number is small.
The certificate blacklisting in Android is probably updated via the Play services,
and installing this tool may interfere with future blacklistings from Google, which is probably
done when setting up the first Google Account on a device and maybe sometime later. Although,
Google didn't push much certificate revocation info through this channel. Up to now (Feb of 2015)
the blacklists consists of only two respectively:
CA Public Key: 5f3ab33d55007054bc5e3e5553cd8d8465d77c61,
783333c9687df63377efceddd82efa9101913e8e
Serial Number: 827,864 [These are hex values]
Installing this tool may prevent you from getting an updated blacklist,
should a next Diginotar occurs.
For more detailed description on certificate blacklisting on Android, see
[here](https://nelenkov.blogspot.com/2012/07/certificate-blacklisting-in-jelly-bean.html). And
[here](https://nelenkov.blogspot.com/2012/12/certificate-pinning-in-android-42.html) for
certificate pinning.
## License
This tool is distributed under the Apache License.
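Review bot: the Notes section warns that installing the tool may block later blacklist updates from Google, but the usage sections never say what the `restore` configuration does about that. As built by the scripts in this commit, `restore` still writes `pubkey_blacklist.txt` and `serial_blacklist.txt`, each holding the two built-in Feb 2015 entries, so the override files stay in place. Suggest documenting that, and describing how to delete the two files from `/data/misc/keychain` for users who want no override at all.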
Android 证书屏蔽
=====================================================
本工具为 Android 4.1 或以上之设备安装用于屏蔽某些数字证书的配置。
## 简介
本工具安装的配置文件将屏蔽某些 CA 和 EE 证书。使用前请确保所有脚本具有执行权限。
## 用法 -- 使用预先生成的配置文件(推荐)
### 有 root 权限
若您持有待配置之 Android 设备 root 访问,请在 `cd` 进入对应名称的文件夹中 (RESTORE, ALL, EXTENDED or BASE,推荐 EXTENDED) 并调用 root.sh 文件安装入对应的配置文件。
git clone [REPO_ADDRESS]
cd Android/prebuilt/[type]
./rooted.sh
若您使用 Windows 平台且未有 BASH,请在命令行中运行:
git clone [REPO_ADDRESS]
cd Android/prebuilt/[type]
adb push pubkey_blacklist.txt /sdcard/pubkey_blacklist.txt
adb push serial_blacklist.txt /sdcard/serial_blacklist.txt
adb shell su -c "cp /sdcard/pubkey_blacklist.txt /data/misc/keychain/pubkey_blacklist.txt"
adb shell su -c "cp /sdcard/serial_blacklist.txt /data/misc/keychain/serial_blacklist.txt"
### 若无 root 权限
git clone [REPO_ADDRESS]
cd Android/prebuilt/[type]
adb push flashable.zip /sdcard/update.zip
# 下面命令将重启您的 Android 设备至 recovery 状态
adb reboot recovery
# 请使用 recovery 刷入 zip 包
## 用法 -- 通过源代码生成配置文件
首先使用 `git` 克隆整个项目并 `cd` 到这个目录。使用 `generate.sh` 来生成您需要的配置文件。
git clone [REPO_ADDRESS]
cd RevokeChinaCerts/Android
./generate.sh extended
通过用 `restore``base``all` 来代替 `extended` 以得到相应的配置文件。
### 有 root 权限
如果您的 Android 设备有 root 权限和适当的 ADB 驱动程序,请使用 `rooted.sh` 将配置文件传输到您的设备。
./rooted.sh
然后重新启动设备,以便应用新配置。如果上述方法失败,请使用下面提到的恢复方法。
### 恢复方法
运行 `generate.sh` 之后,您会在当前文件夹中获得一个 `flashable.zip` 它可以通过第三方的 recovery 程序刷入 Android 上。
## 注意
程序更改 Android 设备的 `/data` 分区下的配置,每当您进行数据重置或刷入工厂映像时都会擦除该设备。
此实用程序不会删除 `/system` 下的任何证书,所以在执行 OTA 时不会造成任何麻烦。不过这种配置会覆盖您的系统上安装的证书(也就是说,如果您使用此工具删除 *Wosign* 的信任,请从 *Wosign* 手动安装 CA 证书,此操作 *不会* 导致系统将 Wosign 颁发的证书视为有效)。
在 Android 上,每个应用程序都可以定义自己的证书验证策略。应用程序可以定义自定义方法来仅接受某些特定的证书(称为锚定,也可以在系统范围内使用),或者接受任何证书而不管其颁发者(例如 Twidere)。使用此工具删除证书 *不保证* 特定的应用拒绝与这些证书关联的证书。
Android 中的黑名单工作如下。CA 证书通过公钥的 SHA-1 校验和列入黑名单并 EE 证明序列号。由于序列号对于相应的证书颁发机构只需要是唯一的,所以列入黑名单的序列号可能会意外地将其它 *无辜* 列入黑名单,特别是当序列号很小时。
Android 中的证书黑名单可能通过 Play Services 进行更新,安装此工具可能会干扰未来的 Google 黑名单,这可能是在设备上设置第一个 Google 帐户时完成的,也可能是在稍后的某个时间。虽然 Google 没有通过这个渠道推送更多的证书撤销信息。截至目前(2015年2月),黑名单仅分别由两部分组成:
CA Public Key: 5f3ab33d55007054bc5e3e5553cd8d8465d77c61,
783333c9687df63377efceddd82efa9101913e8e
Serial Number: 827,864 [这是 16 进制数值]
如果发生下一个类似 Diginotar 的事件,安装此工具可能会阻止您获取更新的黑名单。
有关 Android 上证书黑名单的更多详细说明,请参阅 [这里](https://nelenkov.blogspot.com/2012/07/certificate-blacklisting-in-jelly-bean.html)。关于证书锚定功能,请参阅 [这里](https://nelenkov.blogspot.com/2012/12/certificate-pinning-in-android-42.html)
## 授权
本工具在 Apache License 下授权。
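Review bot: in the root-access usage paragraph the text says to invoke `root.sh`, but the command block under it runs `./rooted.sh`, which is the only script of that kind this commit adds; README.zh-Hant.md carries the same wording. The build-from-source section also prints `restore``base``all` with the separators lost. Suggest `rooted.sh` in both files, and `restore`, `base` or `all` as in the English README.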
Android 證書屏蔽
=====================================================
本工具為 Android 4.1 或以上之設備安裝用於屏蔽某些數位憑證的配置。
## 簡介
本工具安裝的設定檔將屏蔽某些 CA 和 EE 證書。使用前請確保所有腳本具有執行許可權。
## 用法 -- 使用預先生成的設定檔(推薦)
### 有 root 許可權
若您持有待配置之 Android 設備 root 訪問,請在 `cd` 進入對應名稱的資料夾中 (RESTORE, ALL, EXTENDED or BASE,推薦 EXTENDED) 並調用 root.sh 檔安裝入對應的設定檔。
git clone [REPO_ADDRESS]
cd Android/prebuilt/[type]
./rooted.sh
若您使用 Windows 平臺且未有 BASH,請在命令列中運行:
git clone [REPO_ADDRESS]
cd Android/prebuilt/[type]
adb push pubkey_blacklist.txt /sdcard/pubkey_blacklist.txt
adb push serial_blacklist.txt /sdcard/serial_blacklist.txt
adb shell su -c "cp /sdcard/pubkey_blacklist.txt /data/misc/keychain/pubkey_blacklist.txt"
adb shell su -c "cp /sdcard/serial_blacklist.txt /data/misc/keychain/serial_blacklist.txt"
### 若無 root 許可權
git clone [REPO_ADDRESS]
cd Android/prebuilt/[type]
adb push flashable.zip /sdcard/update.zip
# 下面命令將重啟您的 Android 設備至 recovery 狀態
adb reboot recovery
# 請使用 recovery 刷入 zip 包
## 用法 -- 通過原始程式碼組建設定檔
首先使用 `git` 克隆整個專案並 `cd` 到這個目錄。使用 `generate.sh` 來生成您需要的設定檔。
git clone [REPO_ADDRESS]
cd RevokeChinaCerts/Android
./generate.sh extended
通過用 `restore``base``all` 來代替 `extended` 以得到相應的設定檔。
### 有 root 許可權
如果您的 Android 設備有 root 許可權和適當的 ADB 驅動程式,請使用 `rooted.sh` 將配置檔案傳輸到您的設備。
./rooted.sh
然後重新開機設備,以便應用新配置。如果上述方法失敗,請使用下面提到的恢復方法。
### 恢復方法
運行 `generate.sh` 之後,您會在當前資料夾中獲得一個 `flashable.zip` 它可以第三方廠商的 recovery 程式刷入 Android 上。
## 注意
程式更改 Android 設備的 `/data` 分區下的配置,每當您進行資料重置或刷入工廠鏡像時都會擦除該設備。
此實用程式不會刪除 `/system` 下的任何證書,所以在執行 OTA 時不會造成任何麻煩。不過這種配置會覆蓋您的系統上安裝的證書(也就是說,如果您使用此工具刪除 *Wosign* 的信任,請從 *Wosign* 手動安裝 CA 憑證,此操作 *不會* 導致系統將 Wosign 頒發的證書視為有效)。
在 Android 上,每個應用程式都可以定義自己的證書驗證策略。應用程式可以定義自訂方法來僅接受某些特定的證書(稱為錨定,也可以在系統範圍內使用),或者接受任何證書而不管其頒發者(例如 Twidere)。使用此工具刪除證書 *不保證* 特定的應用拒絕與這些證書關聯的證書。
Android 中的黑名單工作如下。CA 憑證通過公開金鑰的 SHA-1 校驗和列入黑名單並 EE 證明序號。由於序號對於相應的憑證授權單位只需要是唯一的,所以列入黑名單的序號可能會意外地將其它 *無辜* 列入黑名單,特別是當序號很小時。
Android 中的證書黑名單可能通過 Play Services 進行更新,安裝此工具可能會干擾未來的 Google 黑名單,這可能是在設備上設置第一個 Google 帳戶時完成的,也可能是在稍後的某個時間。雖然 Google 沒有通過這個管道推送更多的證書撤銷資訊。截至目前(2015年2月),黑名單僅分別由兩部分組成:
CA Public Key: 5f3ab33d55007054bc5e3e5553cd8d8465d77c61,
783333c9687df63377efceddd82efa9101913e8e
Serial Number: 827,864 [這是 16 進制數值]
如果發生下一個類似 Diginotar 的事件,安裝此工具可能會阻止您獲取更新的黑名單。
有關 Android 上證書黑名單的更多詳細說明,請參閱 [這裡](https://nelenkov.blogspot.com/2012/07/certificate-blacklisting-in-jelly-bean.html)。關於證書錨定功能,請參閱 [這裡](https://nelenkov.blogspot.com/2012/12/certificate-pinning-in-android-42.html)
## 授權
本工具在 Apache License 下授權。
#!/bin/sh
# Generate CA-blacklist
# Android blacklists CAs by their public key hash
SOURCE_DIR=`dirname "$0"`
CERTIFICATES="$SOURCE_DIR/../Shared/Certificates/certificates.sh"
# OpenSSL 0.9.8 does not have pkey command
openssl_pkey () {
stdin=`cat`
for pkey in pkey rsa dsa ec; do
stdout=`echo "$stdin" | command openssl "$pkey" "$@" 2>/dev/null`
if test -n "$stdout"; then
break
fi
done
echo "$stdin" | command openssl "$pkey" "$@"
}
# Built-in blacklist (2015 Feb)
echo "5f3ab33d55007054bc5e3e5553cd8d8465d77c61"
echo "783333c9687df63377efceddd82efa9101913e8e"
for crt in "$@"; do
openssl x509 -in "$SOURCE_DIR/$crt" -pubkey -noout | openssl_pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha1 | sed -e 's/^(stdin)= //g'
done
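Review bot: the `for crt` pipeline has no failure check, and the `2>/dev/null` on `openssl_pkey` hides the error. If `openssl x509` cannot read a certificate, `openssl dgst -sha1` still runs on empty input and prints the SHA-1 of the empty string, which then lands in `pubkey_blacklist.txt` as if it were a key hash. Suggest checking that the DER output is non-empty (or checking each exit status) and skipping the entry with a message on stderr. The `sed` expression also assumes the digest line begins with `(stdin)= `; taking the last whitespace-separated field would not depend on that prefix. `CERTIFICATES` is assigned but never used in this script.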
#!/bin/sh
# Android blacklists EE by serial number
SOURCE_DIR=`dirname "$0"`
CERTIFICATES="$SOURCE_DIR/../Shared/Certificates/certificates.sh"
# Builtin Blacklist (2015 Feb)
echo "827"
echo "864"
for crt in "$@";do
openssl x509 -in "$SOURCE_DIR/$crt" -noout -serial | awk -F '=' '{print tolower($2)}'
done
#!/bin/sh
# Generate flashable
GEN_ZIP='flashable.zip'
mkdir -p flashable/data/misc/keychain
test -f $GEN_ZIP && rm $GEN_ZIP
cp pubkey_blacklist.txt flashable/data/misc/keychain
cp serial_blacklist.txt flashable/data/misc/keychain
(cd flashable; zip ../$GEN_ZIP -r *)
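Review bot: nothing here stops on error, so if either `cp` fails the `zip` step still runs and packages whatever blacklist files an earlier run left in `flashable/data/misc/keychain`. Add `set -e` (or chain the steps with `&&`) and quote `$GEN_ZIP`, so the zip is only ever produced from the files that were just generated.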
#!/sbin/sh
OUTFD=$2
ZIP=$3
ui_print() {
echo -n -e "ui_print $1\n" > /proc/self/fd/$OUTFD
echo -n -e "ui_print\n" > /proc/self/fd/$OUTFD
}
ui_print "*********************"
ui_print "RevokeChinaCerts"
ui_print "*********************"
ui_print "- Mounting /system, /data and rootfs"
mount /system
mount /data
mount -o rw,remount /system
mount -o rw,remount /system /system
mount -o rw,remount /data
mount -o rw,remount /data /data
mount -o rw,remount /
mount -o rw,remount / /
ui_print "- Extracting files"
cd /tmp
mkdir revoke
cd revoke
unzip -o "$ZIP"
FILESPATH=/tmp/revoke
ui_print "- Installing files"
cp $FILESPATH/data/misc/keychain/serial_blacklist.txt /data/misc/keychain/serial_blacklist.txt
cp $FILESPATH/data/misc/keychain/pubkey_blacklist.txt /data/misc/keychain/pubkey_blacklist.txt
ui_print "- Unmounting /system and /data"
umount /system
umount /data
ui_print "- Done !"
exit 0
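Review bot: the script remounts `/system` and `/` read-write but only ever writes the two files under `/data/misc/keychain`, so those remounts can be dropped. It also ends with `exit 0` and prints `- Done !` whether or not `unzip` and the two `cp` commands succeeded, so a failed install is reported to the recovery as a success. Check each step and exit non-zero on failure.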
# this is a dummy file, the magic is in update-binary, which is a shell script
#!/bin/sh
SOURCE_DIR=`dirname "$0"`
CERTIFICATES="$SOURCE_DIR/../Shared/Certificates/certificates.sh"
if [ ${1:-extended} = 'all' ];then
echo "Generating ALL CRL set"
CA_CERTS=`SEVERITY="High Medium Low" TYPE="Root.CA Intermediate.CA" "$CERTIFICATES"`
EE_CERTS=`SEVERITY="High Medium Low" TYPE="SSL" "$CERTIFICATES"`
elif [ ${1:-extended} = 'extended' ];then
echo "Generating EXTENDED CRL set"
CA_CERTS=`SEVERITY="High Medium" TYPE="Root.CA Intermediate.CA" "$CERTIFICATES"`
EE_CERTS=`SEVERITY="High Medium" TYPE="SSL" "$CERTIFICATES"`
elif [ ${1:-extended} = 'restore' ];then
echo "Generating RESTORE CRL set"
CA_CERTS=''
EE_CERTS=''
else
echo "Generating Basic CRL set"
CA_CERTS=`SEVERITY="High" TYPE="Root.CA Intermediate.CA" "$CERTIFICATES"`
EE_CERTS=`SEVERITY="High" TYPE="SSL" "$CERTIFICATES"`
fi
echo "Generating Configurations"
# Generate a blacklist of CA cert public keys
PUBKEYS=`"$SOURCE_DIR/ca-blacklist.sh" ${CA_CERTS} | sort | uniq | tr '\n' ','`
# Generate a blacklist of EE cert serial numbers
SERIALS=`"$SOURCE_DIR/ee-blacklist.sh" ${EE_CERTS} | sort | uniq | tr '\n' ','`
echo "Writing Configurations"
echo $PUBKEYS > pubkey_blacklist.txt
echo $SERIALS > serial_blacklist.txt
echo "Generated and saved to pubkey_blacklist.txt and serial_blacklist.txt"
echo "Building Flashable Zip"
bash "$SOURCE_DIR/flashable.sh"
echo "Done!"
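Review bot: the final `else` treats every unrecognised argument as the Basic set, so a typo such as `restor` silently builds and packages a blacklist instead of the restore files. Match `base` explicitly and make the fallback print usage and exit non-zero. Related: if `$CERTIFICATES` is missing or fails, `CA_CERTS` and `EE_CERTS` come back empty and the output is indistinguishable from `restore`; check its exit status before writing `pubkey_blacklist.txt` and `serial_blacklist.txt`.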
#!/bin/bash
# This script is used to generate configurations by the author.
# The generated content is already included in the repo and you should
# not need to manually run this one.
# remove files
echo "Purging old files..."
rm -rf prebuilt
mkdir prebuilt
echo "Building new configurations"
for type in `echo all restore extended base`;do
mkdir prebuilt/$type
bash generate.sh $type
cp *_blacklist.txt prebuilt/$type/
cp flashable.zip prebuilt/$type/
cp rooted.sh prebuilt/$type
done
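Review bot: `rm -rf prebuilt` and the `cp` lines depend on the caller's working directory, and the loop never checks whether `bash generate.sh $type` succeeded. After a failed run the `cp *_blacklist.txt prebuilt/$type/` line copies the files left by the previous iteration, so a prebuilt set can ship with another set's blacklist. Suggest a `cd` to the script's own directory first, `set -e`, and a plain `for type in all restore extended base` instead of the backquoted `echo`.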
#!/bin/sh
adb push pubkey_blacklist.txt /sdcard/pubkey_blacklist.txt
adb push serial_blacklist.txt /sdcard/serial_blacklist.txt
adb shell su -c "cp /sdcard/pubkey_blacklist.txt /data/misc/keychain/pubkey_blacklist.txt"
adb shell su -c "cp /sdcard/serial_blacklist.txt /data/misc/keychain/serial_blacklist.txt"
echo "Please reboot your phone"
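Review bot: the blacklists are staged in `/sdcard`, which other apps with storage access can write to, and are then copied into `/data/misc/keychain` as root with no integrity check and no cleanup. Anything that rewrites `/sdcard/pubkey_blacklist.txt` or `/sdcard/serial_blacklist.txt` between the `adb push` and the `su -c "cp ..."` decides what gets installed. Suggest staging in a location only the shell user can write, comparing a checksum before the copy, and deleting the staged files afterwards. The script also prints `Please reboot your phone` even when `su` is denied or a `cp` fails. The same lines are repeated in every prebuilt copy of this script and in the Windows instructions of the README.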
03,17,27,29,2c,6497d09c3bbc9baf857ed3c29a31d1ec,827,864,9455da355e229e22,a40fd55e2a14343323a8d407a2255ae8,f0c1fb04dd2c9ed8f94f0820591e72ad,
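Review bot: `03`, `17`, `27`, `29` and `2c` are one-byte serial numbers. The README added in this commit points out that serial numbers are unique only per certificate authority and that small serials are the ones most likely to collide, so these entries will also reject unrelated certificates from any CA that happened to issue the same serial. Suggest recording next to each short serial which certificate it is meant to cover, or leaving serials this short out of the prebuilt sets.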
#!/bin/sh
adb push pubkey_blacklist.txt /sdcard/pubkey_blacklist.txt
adb push serial_blacklist.txt /sdcard/serial_blacklist.txt
adb shell su -c "cp /sdcard/pubkey_blacklist.txt /data/misc/keychain/pubkey_blacklist.txt"
adb shell su -c "cp /sdcard/serial_blacklist.txt /data/misc/keychain/serial_blacklist.txt"
echo "Please reboot your phone"
03,17,27,29,2c,6497d09c3bbc9baf857ed3c29a31d1ec,827,864,9455da355e229e22,a40fd55e2a14343323a8d407a2255ae8,f0c1fb04dd2c9ed8f94f0820591e72ad,
#!/bin/sh
adb push pubkey_blacklist.txt /sdcard/pubkey_blacklist.txt
adb push serial_blacklist.txt /sdcard/serial_blacklist.txt
adb shell su -c "cp /sdcard/pubkey_blacklist.txt /data/misc/keychain/pubkey_blacklist.txt"
adb shell su -c "cp /sdcard/serial_blacklist.txt /data/misc/keychain/serial_blacklist.txt"
echo "Please reboot your phone"
03,17,27,29,2c,6497d09c3bbc9baf857ed3c29a31d1ec,827,864,9455da355e229e22,a40fd55e2a14343323a8d407a2255ae8,f0c1fb04dd2c9ed8f94f0820591e72ad,
5f3ab33d55007054bc5e3e5553cd8d8465d77c61,783333c9687df63377efceddd82efa9101913e8e,
#!/bin/sh
adb push pubkey_blacklist.txt /sdcard/pubkey_blacklist.txt
adb push serial_blacklist.txt /sdcard/serial_blacklist.txt
adb shell su -c "cp /sdcard/pubkey_blacklist.txt /data/misc/keychain/pubkey_blacklist.txt"
adb shell su -c "cp /sdcard/serial_blacklist.txt /data/misc/keychain/serial_blacklist.txt"
echo "Please reboot your phone"
#!/bin/sh
adb push pubkey_blacklist.txt /sdcard/pubkey_blacklist.txt
adb push serial_blacklist.txt /sdcard/serial_blacklist.txt
adb shell su -c "cp /sdcard/pubkey_blacklist.txt /data/misc/keychain/pubkey_blacklist.txt"
adb shell su -c "cp /sdcard/serial_blacklist.txt /data/misc/keychain/serial_blacklist.txt"
echo "Please reboot your phone"
03,17,27,29,2c,6497d09c3bbc9baf857ed3c29a31d1ec,827,864,9455da355e229e22,a40fd55e2a14343323a8d407a2255ae8,f0c1fb04dd2c9ed8f94f0820591e72ad,
Copyright 2015-2019 phoeagon_AT_gmail_DOT_com
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Revoke-China-Certs on Linux
==========================================
This tool revokes certain CA certificates for OpenSSL and NSS-based applications
on Linux (most notably, Firefox & Chrome).
* [简体中文介绍](README.zh-Hans.md)
* [繁體中文介紹](README.zh-Hant.md)
## Introduction
On Linux there are multiple libraries for SSL/TLS and each may have its own
certificate store. The `/etc/ca-certificates.conf` configures the trusted
Root CAs for OpenSSL (which `wget` uses by default). Another widely used
library is NSS by Mozilla, which supports blacklisting a specific intermediate
CA without fiddling with the Root CA.
Please make sure all scripts must have execute permission.
**This tool is experimental. DO MAKE BACKUPS before you do anything!**
## Revoke CA certificates for NSS.
### Usage
First you need to have packages installed to provide `certutil`. On Ubuntu it would be:
``` sh
sudo apt-get install libnss3-tools
```
Then, use the `revoke-china-certs.sh` to do the revocation.
For most NSS-based applications including Chrome, it would be:
``` sh
./revoke-china-certs.sh extended $HOME/.pki/nssdb
```
to revoke trust of CAs within the *extended* set. Change `extended` to