Feature: install self-signed cacert to trust store
For analysis and reverse engineering, it can be helpful to insert a
custom CA certificate into Waydroid’s system-wide trust store.
Users used to be able to do that via Android’s settings but not anymore.
The `install mitm` command accepts a path to a file that contains a
– typically self-signed – CA certificate in PEM format.
It then renames [1] and copies the file into the overlay file system,
placing it into Waydroid’s trust store.
As a usage example, the following command lines enable your host to use
mitmproxy [2] to act as a proxy and to intercept [3] HTTP(S) connections
that come from the Waydroid container:
```sh
$ timeout --preserve-status 2 mitmdump -n # creates a CA cert in ~/.mitmproxy
$ sudo venv/bin/python3 main.py install mitm --ca-cert ~/.mitmproxy/mitmproxy-ca-cert.pem
INFO: Creating directory: /system/etc/security/cacerts
INFO: Copying /home/yourname/.mitmproxy/mitmproxy-ca-cert.pem to system trust store
INFO: Target file: /system/etc/security/cacerts/6320a7db.0
INFO: mitm installation finished
$ sudo waydroid shell -- ls -l /system/etc/security/cacerts # double-check that it worked
[…]
-rw-r--r-- 1 root root 1191 2024-01-01 00:00 6320a7db.0
[…]
$ adb shell settings put global http_proxy ${YOUR_IP_HERE?}:3128 # tell Waydroid to use the proxy
# for all connections
$ mitmproxy -p 3128 # start proxy and display a TUI
# with HTTP(S) connections
# coming from Waydroid
```
[1]: https://docs.mitmproxy.org/stable/howto-install-system-trusted-ca-android/#2-rename-certificate
[2]: https://mitmproxy.org/
[3]: https://docs.mitmproxy.org/stable/mitmproxytutorial-interceptrequests/
pull/122/head
parent
688c84fd58
commit
b1c88db1ce
@ -0,0 +1,40 @@
|
||||
import os
|
||||
import shutil
|
||||
from stuff.general import General
|
||||
from tools.helper import run
|
||||
from tools.logger import Logger
|
||||
|
||||
class Mitm(General):
|
||||
id = "mitm"
|
||||
partition = "system"
|
||||
|
||||
def __init__(self, ca_cert_file: str=None) -> None:
|
||||
super().__init__()
|
||||
self.ca_cert_file = ca_cert_file
|
||||
|
||||
def download(self):
|
||||
pass
|
||||
|
||||
def skip_extract(self):
|
||||
return True
|
||||
|
||||
def copy(self):
|
||||
file_hash = run([
|
||||
'openssl', 'x509', '-noout', '-subject_hash_old', '-in',
|
||||
self.ca_cert_file,
|
||||
]).stdout.decode("ascii").strip()
|
||||
target_dir = os.path.join(
|
||||
self.copy_dir, self.partition, "etc", "security", "cacerts")
|
||||
Logger.info(f"Creating directory: {target_dir}")
|
||||
os.makedirs(target_dir, exist_ok=True)
|
||||
target_path = os.path.join(target_dir, f'{file_hash}.0')
|
||||
Logger.info(f"Copying {self.ca_cert_file} to system trust store")
|
||||
Logger.info(f"Target file: {target_path}")
|
||||
shutil.copyfile(self.ca_cert_file, target_path)
|
||||
os.chmod(target_path, 0o644)
|
||||
|
||||
def install(self):
|
||||
if not self.ca_cert_file:
|
||||
raise ValueError(
|
||||
"This command requires the --ca-cert switch and a *.pem file")
|
||||
super().install()
|
||||
Loading…
Reference in New Issue