Guardian Project CA Bundle for Android

In response to growing concerns about the less-than trustworthy state of the global Certificate Authority ecosystem, we have decided to began curating our own CACert keystore for use on Android devices.

This certificate bundle contains all the CAs from the Mozilla CA Certificate Store as obtained through Debian's ca-certificates package.

TODO: How to use the pinned certificate store?

Projects using this cacert

• NetCipher - strong TLS verification and proxy library for Android

Usage

We rely on Debian's tool to parse the Mozilla trust database and output PEM encoded certificates, which we then combine into a keystore ready for inclusion in Android.

    git submodule update --init --recursive
    make

The resulting keystore will be in stores/debiancacerts.bks ready to be imported into an Android project.

Add it as a raw resource to your project, then use something like the following to load it:

    mTrustStore = KeyStore.getInstance("BKS");
    in = mContext.getResources().openRawResource(R.raw.cacerts);
    mTrustStore.load(in, new String("changeit").toCharArray());

Relevant Reading

• DigiNotar Debacle
• Your app shouldn't suffer SSL's problems
• Unifying Key Store Access in ICS
• ICS Trust Store Implementation

Credits

We would like to ack Open WhisperSystems as an inspiration for this, as they were able to push out a small patch through their WhisperCore update tool in order to modify the keystore to remove DigiNotar.