How to install a CA certificate programmatically on Android without user interaction


Problem description

I'm trying to install certificates without prompting the user. I know this is not good practice, but that's what PM wants.

Using KeyChain.createInstallIntent(), I can get Android to launch the certificate installation dialog by calling startActivity. However, when I pass the intent to sendBroadcast, nothing happens. Maybe the platform doesn't support this for security reasons?

String CERT_FILE = Environment.getExternalStorageDirectory() + "/test/IAT.crt";
Intent intent = KeyChain.createInstallIntent();
try {
    // Read the certificate file into memory
    File certFile = new File(CERT_FILE);
    FileInputStream certIs = new FileInputStream(certFile);
    byte[] cert = new byte[(int) certFile.length()];
    certIs.read(cert);
    certIs.close();
    // X509Certificate here is javax.security.cert.X509Certificate
    X509Certificate x509 = X509Certificate.getInstance(cert);
    intent.putExtra(KeyChain.EXTRA_CERTIFICATE, x509.getEncoded());
    intent.putExtra(KeyChain.EXTRA_NAME, "IAT Cert");
    EapActivity.this.startActivityForResult(intent, 0);  // this works but shows UI
    EapActivity.this.sendBroadcast(intent);  // this doesn't install cert
} catch (IOException | CertificateException e) {
    Log.e("EapActivity", "Could not load " + CERT_FILE, e);
}

Recommended answer

You can only install certificates silently if you have system privileges. Showing a confirmation dialog is intentional, since trusting certificates can have serious consequences -- Android could happily open phishing sites without a warning, etc. That said, the dialog in ICS/JB is pretty bad -- it doesn't tell you what certificate you are installing and who issued it, just that it's a CA certificate, which is kind of obvious.

So, either use the public KeyChain API and use startActivity() to get the confirmation dialog, or pre-provision devices before handing them to users.

Update: In Android 4.4, DevicePolicyManager has a hidden API (installCaCert) that allows you to install certificates silently. You need the MANAGE_CA_CERTIFICATES permission, which is signature|system, so still not doable for user-installed apps.
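
Because the system dialog does not say which certificate is being installed or who issued it, an app that takes the public KeyChain route can check and display those details itself before starting the install activity. The following is an added example, not code from the question or the answer; the class name CaInstallHelper, its methods and the EXPECTED_SHA256 placeholder are assumptions made for illustration.

```java
import android.content.Intent;
import android.security.KeyChain;
import java.io.ByteArrayInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

// Hypothetical helper: validates a CA certificate and builds the install intent.
public final class CaInstallHelper {
    // Placeholder: lowercase hex SHA-256 of the DER encoding of the CA you intend to ship.
    private static final String EXPECTED_SHA256 = "<expected-sha256-hex>";

    /** Text the app can show to the user before the system dialog appears. */
    public static String describe(X509Certificate cert) throws Exception {
        return "Subject: " + cert.getSubjectX500Principal().getName()
                + "\nIssuer: " + cert.getIssuerX500Principal().getName()
                + "\nValid until: " + cert.getNotAfter()
                + "\nSHA-256: " + sha256Hex(cert.getEncoded());
    }

    /** Parses DER or PEM bytes, refuses anything unexpected, returns the install intent. */
    public static Intent buildInstallIntent(byte[] certBytes, String name) throws Exception {
        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(certBytes));
        // getBasicConstraints() returns -1 when the certificate is not a CA.
        if (cert.getBasicConstraints() < 0) {
            throw new SecurityException("Not a CA certificate");
        }
        cert.checkValidity(); // throws if expired or not yet valid
        if (!EXPECTED_SHA256.equals(sha256Hex(cert.getEncoded()))) {
            throw new SecurityException("Unexpected certificate fingerprint");
        }
        Intent intent = KeyChain.createInstallIntent();
        intent.putExtra(KeyChain.EXTRA_CERTIFICATE, cert.getEncoded());
        intent.putExtra(KeyChain.EXTRA_NAME, name);
        return intent; // caller: startActivityForResult(intent, 0), which shows the dialog
    }

    private static String sha256Hex(byte[] data) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }
}
```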
