
list certificate stored in user credentials

In Android 7 Nougat, user-installed certificates go to "User credentials" instead of "Trusted credentials" (which consists of system credentials & user credentials).

I used to access "Trusted credentials" by:

KeyStore keystore = KeyStore.getInstance("AndroidCAStore");

Through the above code I can then access system & user trusted credentials.

But now, in Android 7, a user-installed certificate goes to a separate place called "User credentials" under Settings --> Security --> User credentials.

My question is: how can I programmatically list the credentials inside User credentials in Android 7?

Mellon asked Nov 01 '16 15:11


2 Answers

To provide a more consistent and more secure experience across the Android ecosystem, beginning with Android Nougat, compatible devices trust only the standardized system CAs maintained in AOSP.

Previously, the set of pre-installed CAs bundled with the system could vary from device to device. This could lead to compatibility issues when some devices did not include CAs that apps needed for connections as well as potential security issues if CAs that did not meet our security requirements were included on some devices.

First, be sure that your CA needs to be included in the system. The preinstalled CAs are only for CAs that meet our security requirements because they affect the secure connections of most apps on the device. If you need to add a CA for connecting to hosts that use that CA, you should instead customize your apps and services that connect to those hosts. For more information, see Customizing trusted CAs.

In the above link you can find all the necessary information for trusting custom CAs for different needs, such as:

  1. Trusting custom CAs for debugging
  2. Trusting custom CAs for a domain
  3. Trusting user-added CAs for some domains
  4. Trusting user-added CAs for all domains except some
  5. Trusting user-added CAs for all secure connections

So, basically you need to add a security configuration file and configure a custom CA (for Android 7.0 (API level 24) and higher).

In your manifest.xml:

<manifest ... >
    <application android:networkSecurityConfig="@xml/network_security_config"
                    ... >
        ...
    </application>
</manifest>

In res/xml/network_security_config.xml:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <trust-anchors>
            <certificates src="@raw/my_ca"/>
        </trust-anchors>
    </domain-config>
</network-security-config>

Just for information: if you operate a CA that you believe should be included in Android, first complete the Mozilla CA Inclusion Process and then file a feature request against Android to have the CA added to the standardized set of system CAs.

Let me know for any further help.

Hope this will help you. Keep Coding!!!

Pravin Divraniya answered Oct 17 '22 07:10


In addition to the change in how to configure the CA (@Pravin D's answer), Android has changed the way a pkcs12 certificate is loaded from 6 to 7. I highlight the important elements:

When importing a pkcs12, is the root CA imported as trusted?

  • Android 6: Yes
  • Android 7: No

Where can I see the trusted credentials?

  • Android 6: Settings --> Security --> Trusted credentials (system & user)
  • Android 7: Settings --> Security --> Trusted credentials (system & user tab)

How to install user credentials?

  • Android 6: pkcs#12 file, certificate file, programmatically
  • Android 7: pkcs#12 file (without private keys), certificate file, programmatically, custom CA configuration (@Pravin D's answer)

Where can I see the user credentials (private keys)?

  • Android 6: not available from settings
  • Android 7: Settings --> Security --> User credentials

Is it possible to list user credentials programmatically?

  • Android 6: No
  • Android 7: No

Reviewing the Android code in depth, the internal Android Keystore is wilfully hidden and only available for use from Android core classes. It is not possible to implement a workaround to list user credentials.

pedrofb answered Oct 17 '22 08:10
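
The answer above separates "Trusted credentials" (CA certificates) from "User credentials" (private keys), and only the former can be read by an app. As an added example (not code from either answer), this audits the user-added CAs in the `AndroidCAStore` keystore from the question. The class and method names are hypothetical, and the `user:` alias prefix is an assumption about how that store names user-installed entries.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/** Added example: audits user-added CA certificates in the trusted store. */
public final class UserCaAudit {
    // Assumption: AndroidCAStore prefixes aliases with "user:" or "system:".
    private static final String USER_PREFIX = "user:";

    /** Returns one line per user-added trusted CA: subject, expiry, SHA-256. */
    public static List<String> listUserAddedCas() throws Exception {
        KeyStore ks = KeyStore.getInstance("AndroidCAStore");
        ks.load(null, null); // read-only trust store, no stream or password
        List<String> out = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (!alias.startsWith(USER_PREFIX)) {
                continue; // skip the system CAs shipped with the device
            }
            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue; // entry vanished or is not X.509
            }
            X509Certificate x = (X509Certificate) c;
            out.add(x.getSubjectX500Principal().getName()
                    + " | notAfter=" + x.getNotAfter()
                    + " | sha256=" + sha256Hex(x.getEncoded()));
        }
        return out;
    }

    /** Hex SHA-256 of the DER encoding, for comparison against an allowlist. */
    private static String sha256Hex(byte[] der) throws Exception {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(der);
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```

This lists CA certificates only; private keys and client certificates under "User credentials" are not exposed through this keystore. Whether an app honours a listed CA still depends on its network security config.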