Merge pull request #38 from AdguardTeam/fix/rollback_second_cert_check
Don't check second certificate
sfionov authored Sep 22, 2023
2 parents ee81188 + 6e3b1d6 commit 7c3c7eb
Showing 2 changed files with 8 additions and 13 deletions.
4 changes: 2 additions & 2 deletions module/module.prop
@@ -1,6 +1,6 @@
id=adguardcert
name=AdGuard Certificate
version=v2.0-beta3
versionCode=32
version=v2.0-beta4
versionCode=33
author=AdGuard
description=Moves AdGuard's root CA certificate from the user certificate store to the system certificate store.
17 changes: 6 additions & 11 deletions module/post-fs-data.sh
Expand Up @@ -3,27 +3,22 @@ MODDIR=${0%/*}

# Android hashes the subject to get the filename, field order is significant.
# (`openssl x509 -in ... -noout -hash`)
# AdGuard's primary certificate is "/C=EN/O=AdGuard/CN=AdGuard Personal CA".
# AdGuard's intermediate certificate is "/C=EN/O=AdGuard/CN=AdGuard Personal Intermediate".
# AdGuard's certificate is "/C=EN/O=AdGuard/CN=AdGuard Personal CA".
# The filename is then <hash>.<n> where <n> is an integer to disambiguate
# different certs with the same hash (e.g. when the same cert is installed repeatedly).
#
# Due to https://github.com/AdguardTeam/AdguardForAndroid/issues/2108
# 1. Retrieve the most recent primary and intermediate certificates with our hash from the user store.
# It is assumed that the last installed AdGuard's certs are the correct ones.
# 2. Check the existence of AdGuard's intermediate certificate. If the certificate is not present,
# the steps 3 and 4 will be skipped.
# 3. Copy the primary AdGuard certificate to the system store under the name "<hash>.0".
# 1. Retrieve the most recent certificate with our hash from the user store.
# It is assumed that the last installed AdGuard's cert is the correct one.
# 2. Copy the AdGuard certificate to the system store under the name "<hash>.0".
# Note that some apps may ignore other certs.
# 4. Remove all certs with our hash from the `cacerts-removed` directory.
# 3. Remove all certs with our hash from the `cacerts-removed` directory.
# They get there if a certificate is "disabled" in the security settings.
# Apps will reject certs that are in the `cacerts-removed`.
AG_CERT_HASH=0f4ed297
AG_INTERMEDIATE_CERT_HASH=47ec1af8
AG_CERT_FILE=$(ls /data/misc/user/*/cacerts-added/${AG_CERT_HASH}.* | (IFS=.; while read -r left right; do echo $right $left.$right; done) | sort -nr | (read -r left right; echo $right))
AG_INTERMEDIATE_CERT_FILE=$(ls /data/misc/user/*/cacerts-added/${AG_INTERMEDIATE_CERT_HASH}.* | (IFS=.; while read -r left right; do echo $right $left.$right; done) | sort -nr | (read -r left right; echo $right))
if [ -e "${AG_CERT_FILE}" ] && [ -e "${AG_INTERMEDIATE_CERT_FILE}" ]; then
if [ -e "${AG_CERT_FILE}" ]; then
cp -f ${AG_CERT_FILE} ${MODDIR}/system/etc/security/cacerts/${AG_CERT_HASH}.0
rm -f /data/misc/user/*/cacerts-removed/${AG_CERT_HASH}.*
fi
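
Review bot: With the `AG_INTERMEDIATE_CERT_FILE` test dropped from the `if`, the only thing selecting the file that gets copied into the system store is its `0f4ed297.<n>` filename, which is derived from the subject alone, so whichever user-store certificate carries that subject and the highest `<n>` is promoted. The header comment should say why the second check was rolled back (the commit message only says "Don't check second certificate") and spell out that the "last installed cert is the correct one" assumption is now the sole safeguard. Separately, `cp -f ${AG_CERT_FILE} ${MODDIR}/...` leaves both expansions unquoted and the `ls` glob writes an error to stderr when no matching cert exists; quoting the variables and redirecting the `ls` error output would tidy both.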