diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml
new file mode 100644
index 0000000..dff4977
--- /dev/null
+++ b/.github/workflows/workflow.yml
@@ -0,0 +1,30 @@
+name: Build and deploy
+
+on:
+ push:
+ branches:
+ - "*"
+ tags:
+ - v*
+ pull_request:
+ workflow_dispatch:
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+
+ - name: build dist
+ run: |
+ git submodule init && git submodule update
+ ./dist.sh
+ ls -la
+
+ - name: create release
+ uses: ncipollo/release-action@v1
+ if: startsWith(github.ref, 'refs/tags/v')
+ with:
+ artifacts: "move-user-certs-*.zip"
+ token: ${{ secrets.GITHUB_TOKEN }}
+ generateReleaseNotes: true
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..c16975a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,11 @@
+*.iml
+.gradle
+/local.properties
+/.idea
+.DS_Store
+/build
+/captures
+.externalNativeBuild
+.cxx
+local.properties
+*.zip
diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..e69de29
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..a495e7b
--- /dev/null
+++ b/README.md
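Review bot: `.github/workflows/workflow.yml` declares no `permissions:` key, so the `GITHUB_TOKEN` passed to `ncipollo/release-action@v1` carries whatever the repository default grants, and both actions are referenced by mutable tags (`@v3`, `@v1`). The same job also runs on `pull_request` and executes `./dist.sh`, so I would set a top-level `permissions:` with `contents: read` and move the release step into its own tag-only job that alone gets `contents: write`. Pinning each `uses:` to a full commit SHA, e.g. `uses: ncipollo/release-action@<full-commit-sha> # v1`, keeps a retagged action from receiving the token. Separately, `push` on `branches: "*"` together with `pull_request` will build twice for a branch with an open PR, which looks unintended.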
@@ -0,0 +1,31 @@
+# Magisk - Move User Certificates
+
+This module makes all installed user certificates part of the system certificate store, so that they will automatically be used when building the trust chain. This module makes it unnecessary to add the network_security_config property to an application's manifest.
+
+### Installation
+
+1. Install [Magisk](https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445)
+2. Download zip from [latest release](https://github.com/Bloody-Badboy/Move-User-Certificates/releases/latest/) or build using `dist.sh`
+3. Install in Magisk
+4. Install client certificates through [normal flow](https://support.portswigger.net/customer/portal/articles/1841102-installing-burp-s-ca-certificate-in-an-android-device)
+5. Restart your device. Certificate copying happens during boot.
+6. The installed user certificates can now be found in the system store.
+
+### Adding certificates
+
+Install the certificate as a user certificate and restart the device.
+
+### Removing certificates
+
+Remove the certificate from the user store through the settings, and restart the device.
+
+## Building
+
+```shell
+./dist.sh
+```
+
+How to release a new version:
+
+1. Push a new tag with a name like `v*`.
+2. A new release will be automatically created.
diff --git a/dist.sh b/dist.sh
new file mode 100755
index 0000000..4bdf8a3
--- /dev/null
+++ b/dist.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+UPDATE_BINARY_URL="https://raw.githubusercontent.com/topjohnwu/Magisk/master/scripts/module_installer.sh"
+
+mkdir -p ./module/META-INF/com/google/android
+curl "${UPDATE_BINARY_URL}" > ./module/META-INF/com/google/android/update-binary
+echo "#MAGISK" > ./module/META-INF/com/google/android/updater-script
+
+VERSION=$(sed -ne "s/version=\(.*\)/\1/gp" ./module/module.prop)
+NAME=$(sed -ne "s/id=\(.*\)/\1/gp" ./module/module.prop)
+
+rm -f ${NAME}-${VERSION}.zip
+(
+ cd ./module
+ zip ../${NAME}-${VERSION}.zip -r * -x ".*" "*/.*"
+)
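Review bot: In `dist.sh` the `curl "${UPDATE_BINARY_URL}"` line fetches `module_installer.sh` from the moving `master` branch with no `-f` and no integrity check, and the result is shipped as `update-binary`, which presumably runs with root privileges when the module is flashed. Because the script has no `set -e`, a failed download or an HTTP error page still ends up inside a release zip. I would pin the URL to a reviewed Magisk commit, fail on HTTP errors and verify a recorded SHA-256 before packaging; the ref and hash in the sketch below are placeholders to be filled in. The unquoted `${NAME}-${VERSION}` expansions in the `rm` and `zip` lines should be quoted as well.

```shell
set -euo pipefail

# Pin to a reviewed Magisk commit instead of the moving master branch.
MAGISK_REF="<pinned-magisk-commit>"        # placeholder
UPDATE_BINARY_SHA256="<expected-sha256>"   # placeholder
UPDATE_BINARY_URL="https://raw.githubusercontent.com/topjohnwu/Magisk/${MAGISK_REF}/scripts/module_installer.sh"
UPDATE_BINARY=./module/META-INF/com/google/android/update-binary

mkdir -p ./module/META-INF/com/google/android
curl -fsSL --proto '=https' --tlsv1.2 -o "${UPDATE_BINARY}" "${UPDATE_BINARY_URL}"
# Refuse to package anything other than the reviewed installer script.
echo "${UPDATE_BINARY_SHA256}  ${UPDATE_BINARY}" | sha256sum -c -
# … unchanged: updater-script, VERSION/NAME parsing, zip packaging …
```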
diff --git a/module/.gitignore b/module/.gitignore
new file mode 100644
index 0000000..90233b6
--- /dev/null
+++ b/module/.gitignore
@@ -0,0 +1,2 @@
+/zygisk
+/META-INF
diff --git a/module/module.prop b/module/module.prop
new file mode 100644
index 0000000..4d479c1
--- /dev/null
+++ b/module/module.prop
@@ -0,0 +1,6 @@
+id=move-user-certs
+name=Move User Certificates
+version=v0.1
+versionCode=1
+author=Arpan
+description=Moves certificates from the user certificate store to the system certificate store.
diff --git a/module/post-fs-data.sh b/module/post-fs-data.sh
new file mode 100644
index 0000000..54388b7
--- /dev/null
+++ b/module/post-fs-data.sh
@@ -0,0 +1,28 @@
+#!/system/bin/sh
+# Do NOT assume where your module will be located.
+# ALWAYS use $MODDIR if you need to know where this script
+# and module is placed.
+# This will make sure your module will still work
+# if Magisk change its mount point in the future
+MODDIR=${0%/*}
+
+# This script will be executed in post-fs-data mode
+
+# If you for some reason do not want all your certificates moved from the user store to the system store, you can specify which certificates to move by replacing the * with the name of the certificate; i.e.,
+
+# mv -f /data/misc/user/0/cacerts-added/12abc345.0 $MODDIR/system/etc/security/cacerts
+
+mv -f /data/misc/user/0/cacerts-added/* $MODDIR/system/etc/security/cacerts
+
+chown -R 0:0 ${MODDIR}/system/etc/security/cacerts
+
+[ "$(getenforce)" = "Enforcing" ] || exit 0
+
+default_selinux_context=u:object_r:system_file:s0
+selinux_context=$(ls -Zd /system/etc/security/cacerts | awk '{print $1}')
+
+if [ -n "$selinux_context" ] && [ "$selinux_context" != "?" ]; then
+ chcon -R $selinux_context $MODDIR/system/etc/security/cacerts
+else
+ chcon -R $default_selinux_context $MODDIR/system/etc/security/cacerts
+fi
diff --git a/module/system/etc/security/cacerts/.gitkeep b/module/system/etc/security/cacerts/.gitkeep
new file mode 100644
index 0000000..e69de29
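Review bot: In `module/post-fs-data.sh` the `mv -f /data/misc/user/0/cacerts-added/* …` line takes certificates out of the user store, so after the first boot they exist only under `$MODDIR/system/etc/security/cacerts` and nothing in the visible script ever removes them. The README's "remove from the user store and restart" step then appears to have no effect, leaving a CA trusted system-wide after the user believes it is gone. Rebuilding the module directory from the user store on every boot would keep the two in sync: `rm -f "$MODDIR"/system/etc/security/cacerts/*` followed by `cp -f /data/misc/user/0/cacerts-added/* "$MODDIR/system/etc/security/cacerts/"`. The `$MODDIR` and `$selinux_context` expansions are unquoted throughout, and the fact that only user `0` is handled deserves a comment.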