Android中编译集成证书

证书简介

• DER（Distinguished Encoding Rules）
  DER是二进制格式，不可读。
• PEM（Privacy Enhanced Mail）
  PEM以"-----BEGIN CERTIFICATE-----"开头, "-----END CERTIFICATE-----"结尾，内容以BASE64编码。

# 查看DER格式证书的信息
openssl x509 -in certificate.der -inform der -text -noout

生成方式

通过查看/system/ca-certificates/下的README.cacerts
格式为：.

#hash 查看
openssl x509 -subject_hash_old -in 证书文件 


#cer格式
openssl x509 -inform DER -text -in cerfile > ${hash}.0

#pem格式
openssl x509 -inform PEM -text -in pemfile > ${hash}.0

集成方法

/system/ca-certificates/Android.mk

LOCAL_PATH := $(call my-dir)

#
# Definitions for installing Certificate Authority (CA) certificates
#

define all-files-under
$(patsubst ./%,%, \
  $(shell cd $(LOCAL_PATH) ; \
          find $(1) -type f) \
 )
endef

# $(1): module name
# $(2): source file
# $(3): destination directory
define include-prebuilt-with-destination-directory
include $$(CLEAR_VARS)
LOCAL_MODULE := $(1)
LOCAL_ADDITIONAL_DEPENDENCIES := $(LOCAL_PATH)/Android.mk
LOCAL_MODULE_STEM := $(notdir $(2))
LOCAL_MODULE_TAGS := optional
LOCAL_MODULE_CLASS := ETC
LOCAL_MODULE_PATH := $(3)
LOCAL_SRC_FILES := $(2)
include $$(BUILD_PREBUILT)
endef

cacerts := $(call all-files-under,files)

cacerts_target_directory := $(TARGET_OUT)/etc/security/cacerts
$(foreach cacert, $(cacerts), $(eval $(call include-prebuilt-with-destination-directory,target-cacert-$(notdir $(cacert)),$(cacert),$(cacerts_target_directory))))
cacerts_target := $(addprefix $(cacerts_target_directory)/,$(foreach cacert,$(cacerts),$(notdir $(cacert))))
.PHONY: cacerts_target
cacerts: $(cacerts_target)

# This is so that build/target/product/core.mk can use cacerts in PRODUCT_PACKAGES
ALL_MODULES.cacerts.INSTALLED := $(cacerts_target)

cacerts_host_directory := $(HOST_OUT)/etc/security/cacerts
$(foreach cacert, $(cacerts), $(eval $(call include-prebuilt-with-destination-directory,host-cacert-$(notdir $(cacert)),$(cacert),$(cacerts_host_directory))))

cacerts_host := $(addprefix $(cacerts_host_directory)/,$(foreach cacert,$(cacerts),$(notdir $(cacert))))
.PHONY: cacerts-host
cacerts-host: $(cacerts_host)

include $(call all-makefiles-under,$(LOCAL_PATH))

可以看出只需要将${hash}.h拷贝到/system/ca-certificates/files目录下即可。

编译：

source/lunch/make

查看结果：

编译生成的文件在目录out/target/product/${product_name}/system/etc/security/cacerts/下。

其他

google目录下：These CA certs are appropriate for connecting to Google services.
wfa_certs: These CA certs are Wi-Fi Alliance Root certificates.