Initial commit

.github/workflows/workflow.yml

@@ -0,0 +1,30 @@
+name: Build and deploy
+
+on:
+  push:
+    branches:
+      - "*"
+    tags:
+      - v*
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: build dist
+        run: |
+          git submodule init && git submodule update
+          ./dist.sh
+          ls -la
+
+      - name: create release
+        uses: ncipollo/release-action@v1
+        if: startsWith(github.ref, 'refs/tags/v')
+        with:
+          artifacts: "move-user-certs-*.zip"
+          token: ${{ secrets.GITHUB_TOKEN }}
+          generateReleaseNotes: true

.gitignore

@@ -0,0 +1,11 @@
+*.iml
+.gradle
+/local.properties
+/.idea
+.DS_Store
+/build
+/captures
+.externalNativeBuild
+.cxx
+local.properties
+*.zip

README.md

@@ -0,0 +1,31 @@
+# Magisk - Move User Certificates
+
+This module makes all installed user certificates part of the system certificate store, so that they will automatically be used when building the trust chain. This module makes it unnecessary to add the network_security_config property to an application's manifest.
+
+### Installation
+
+1. Install [Magisk](https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445)
+2. Download zip from [latest release](https://github.com/Bloody-Badboy/Move-User-Certificates/releases/latest/) or build using `dist.sh`
+3. Install in Magisk
+4. Install client certificates through [normal flow](https://support.portswigger.net/customer/portal/articles/1841102-installing-burp-s-ca-certificate-in-an-android-device)
+5. Restart your device. Certificate copying happens during boot.
+6. The installed user certificates can now be found in the system store.
+
+### Adding certificates
+
+Install the certificate as a user certificate and restart the device.
+
+### Removing certificates
+
+Remove the certificate from the user store through the settings, and restart the device.
+
+## Building
+
+```shell
+./dist.sh
+```
+
+How to release a new version:
+
+1. Push a new tag with a name like `v*`.
+2. A new release will be automatically created.

dist.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+UPDATE_BINARY_URL="https://raw.githubusercontent.com/topjohnwu/Magisk/master/scripts/module_installer.sh"
+
+mkdir -p ./module/META-INF/com/google/android
+curl "${UPDATE_BINARY_URL}" > ./module/META-INF/com/google/android/update-binary
+echo "#MAGISK" > ./module/META-INF/com/google/android/updater-script
+
+VERSION=$(sed -ne "s/version=\(.*\)/\1/gp" ./module/module.prop)
+NAME=$(sed -ne "s/id=\(.*\)/\1/gp" ./module/module.prop)
+
+rm -f ${NAME}-${VERSION}.zip
+(
+  cd ./module
+  zip ../${NAME}-${VERSION}.zip -r * -x ".*" "*/.*"
+)

module/.gitignore

@@ -0,0 +1,2 @@
+/zygisk
+/META-INF

module/module.prop

@@ -0,0 +1,6 @@
+id=move-user-certs
+name=Move User Certificates
+version=v0.1
+versionCode=1
+author=Arpan
+description=Moves certificates from the user certificate store to the system certificate store.

module/post-fs-data.sh

@@ -0,0 +1,28 @@
+#!/system/bin/sh
+# Do NOT assume where your module will be located.
+# ALWAYS use $MODDIR if you need to know where this script
+# and module is placed.
+# This will make sure your module will still work
+# if Magisk change its mount point in the future
+MODDIR=${0%/*}
+
+# This script will be executed in post-fs-data mode
+
+# If you for some reason do not want all your certificates moved from the user store to the system store, you can specify which certificates to move by replacing the * with the name of the certificate; i.e.,
+
+# mv -f /data/misc/user/0/cacerts-added/12abc345.0 $MODDIR/system/etc/security/cacerts
+
+mv -f /data/misc/user/0/cacerts-added/* $MODDIR/system/etc/security/cacerts
+
+chown -R 0:0 ${MODDIR}/system/etc/security/cacerts
+
+[ "$(getenforce)" = "Enforcing" ] || exit 0
+
+default_selinux_context=u:object_r:system_file:s0
+selinux_context=$(ls -Zd /system/etc/security/cacerts | awk '{print $1}')
+
+if [ -n "$selinux_context" ] && [ "$selinux_context" != "?" ]; then
+    chcon -R $selinux_context $MODDIR/system/etc/security/cacerts
+else
+    chcon -R $default_selinux_context $MODDIR/system/etc/security/cacerts
+fi