Hello,
I hope you don't mind me asking; since you do all of this, I assumed you would know how I can add the AuthorityKeyIdentifier extension to a keystore like the one listed below?
keytool -printcert -file CERT.RSA
Owner: EMAILADDRESS=[email protected], CN=OnePlus, OU=SW, O=OnePlus, L=Shenzhen, ST=Guangdong, C=CN
Issuer: EMAILADDRESS=[email protected], CN=OnePlus, OU=SW, O=OnePlus, L=Shenzhen, ST=Guangdong, C=CN
Serial number: ca7f2ef3e2f1842e
Valid from: Wed May 06 21:23:23 HST 2015 until: Sun Sep 21 21:23:23 HST 2042
Certificate fingerprints:
MD5: 0D:2B:B4:93:D4:C2:58:EB:10:5F:A6:E0:D5:9A:C4:7B
SHA1: 23:52:7E:F3:0C:2E:B1:07:DC:50:D2:80:07:94:B5:D5:8E:60:67:FC
SHA256: C6:E8:15:0A:A5:BB:AF:52:3C:A1:E2:D9:E3:56:00:8E:17:28:A1:2F:E2:0C:3C:78:75:A4:46:AF:B7:C5:79:F9
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
  KeyIdentifier [
    0000: E2 4C A1 8E 47 F2 C0 74 76 F9 D3 7C E0 D8 5A 9F  .L..G..tv.....Z.
    0010: 2F DF 44 56                                      /.DV
  ]
]

#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
  KeyIdentifier [
    0000: E2 4C A1 8E 47 F2 C0 74 76 F9 D3 7C E0 D8 5A 9F  .L..G..tv.....Z.
    0010: 2F DF 44 56                                      /.DV
  ]
]
Oracle states: "For non self-signed certificates, the authorityKeyIdentifier is always created."

I can make a keystore with the BasicConstraints; it's my understanding that the SubjectKeyIdentifier is always added.

This is what I've been playing with in a shell script, but it only adds the SubjectKeyIdentifier and BasicConstraints:
# Create a self-signed key pair / root CA certificate
keytool -genkeypair -v \
  -alias CERT \
  -dname "CN=Android, OU=Android, O=US, L=US, ST=US, C=US" \
  -keystore keystore.jks \
  -keypass android \
  -storepass android \
  -keyalg RSA \
  -keysize 4096 \
  -ext BasicConstraints:"critical=ca:true" \
  -validity 9855
If I do all of this in a shell, then I get the AuthorityKeyIdentifier, but I also get a duplicate of the same cert information listed at the top: owner/issuer, serial number, fingerprints, etc.
# Create a self-signed key pair / root CA certificate (alias CERT in keystore.jks)
keytool -genkeypair -v \
  -alias CERT \
  -dname "CN=Android, OU=Android, O=US, L=US, ST=US, C=US" \
  -keystore keystore.jks \
  -keypass android \
  -storepass android \
  -keyalg RSA \
  -keysize 4096 \
  -ext BasicConstraints:"critical=ca:true" \
  -validity 9855

# Generate a new ca-cert and ca-key with openssl.
# No -newkey is given, so the key size comes from default_bits in the default
# openssl.cnf; the same file's v3_ca section supplies the extensions
# (subjectKeyIdentifier, authorityKeyIdentifier=keyid:always, basicConstraints)
# for this self-signed certificate.
openssl req \
  -new \
  -x509 \
  -subj "/CN=Android/OU=Android/O=US/L=US/ST=US/C=US/" \
  -passout pass:android \
  -keyout ca-key \
  -out ca-cert \
  -days 9855

# Extract a certificate signing request (CSR) for the CERT entry
keytool \
  -keystore keystore.jks \
  -keypass android \
  -storepass android \
  -alias CERT \
  -certreq \
  -file cert-file

# Sign "cert-file" with the openssl CA; cert-signed will be the new cert
openssl x509 \
  -req \
  -CA ca-cert \
  -CAkey ca-key \
  -in cert-file \
  -out cert-signed \
  -days 9855 \
  -CAcreateserial \
  -passin pass:android

# Import the ca-cert into the keystore file as a separate trusted-cert entry.
# Note: cert-signed is never imported back under alias CERT in this script,
# so the keystore ends up with two entries: CERT (still self-signed) and CARoot.
keytool \
  -keystore keystore.jks \
  -alias CARoot \
  -import \
  -file ca-cert \
  -storepass android \
  -noprompt
THANK YOU for your time and help with this; it's greatly appreciated. I do like uber-apk-signer, I just like trying to learn and do this myself...
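An added example, not part of the original post and not uber-apk-signer's code, showing one way to end up with a self-signed root certificate that carries AuthorityKeyIdentifier alongside SubjectKeyIdentifier and BasicConstraints, and to get it into a keystore as a single private-key entry rather than as a second trusted-cert entry: the key and the self-signed certificate are generated with openssl using an explicit extension section (authorityKeyIdentifier = keyid:always makes openssl copy the certificate's own SKI into the AKI, which is the combination seen in the printcert output above), then key and certificate are packaged as PKCS12 under alias CERT so keytool can import them together. The output directory, the ca.cnf file name, the alias CERT and the password android are assumptions; the checking helpers parse openssl's text output and accept both the OpenSSL 1.1.1 (keyid:...) and 3.x formats.

```shell
#!/bin/sh
# Added example, not from the original post or from uber-apk-signer.
# Builds a self-signed RSA root CA whose certificate carries SKI, AKI and
# BasicConstraints, then wraps key+cert in PKCS12 for import into a JKS.
# Assumed names: output dir from $1, alias CERT, password "android".
set -eu

# Extension section for the self-signed certificate. Listing SKI before AKI
# matters: "keyid:always" copies the SKI that was just added into the AKI.
write_ca_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
default_md         = sha256

[ dn ]
# the subject is supplied on the command line with -subj

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
basicConstraints       = critical, CA:true
keyUsage               = critical, digitalSignature, keyCertSign, cRLSign
EOF
}

# make_root_ca DIR [BITS]: private key + self-signed cert in DIR (exit 0 on success).
make_root_ca() {
  dir="$1"; bits="${2:-4096}"
  mkdir -p "$dir"
  write_ca_cnf "$dir/ca.cnf"
  # genpkey prints key-generation progress on stderr; drop it, set -e keeps the exit code
  openssl genpkey -algorithm RSA -pkeyopt "rsa_keygen_bits:$bits" \
    -out "$dir/ca-key.pem" 2>/dev/null
  openssl req -new -x509 -sha256 -days 9855 \
    -key "$dir/ca-key.pem" \
    -subj "/CN=Android/OU=Android/O=US/L=US/ST=US/C=US" \
    -config "$dir/ca.cnf" -extensions v3_ca \
    -out "$dir/ca-cert.pem"
}

# ext_value CERT EXTNAME: the value line of `openssl x509 -ext EXTNAME`,
# with the "keyid:" prefix that OpenSSL 1.1.1 prints for AKI removed.
ext_value() {
  openssl x509 -in "$1" -noout -ext "$2" \
    | sed -n '2p' | sed -e 's/^[[:space:]]*//' -e 's/^keyid://'
}

# aki_matches_ski CERT: exit 0 if AKI is present and equals the SKI (self-issued).
aki_matches_ski() {
  ski=$(ext_value "$1" subjectKeyIdentifier)
  aki=$(ext_value "$1" authorityKeyIdentifier)
  [ -n "$ski" ] && [ "$ski" = "$aki" ]
}

# cert_is_ca CERT: exit 0 if BasicConstraints says CA:TRUE.
cert_is_ca() {
  openssl x509 -in "$1" -noout -ext basicConstraints | grep -q 'CA:TRUE'
}

# export_keystore DIR: key+cert -> PKCS12 (friendlyName CERT becomes the keytool
# alias), then converted to a JKS when keytool is on the PATH.
export_keystore() {
  dir="$1"
  openssl pkcs12 -export -name CERT \
    -inkey "$dir/ca-key.pem" -in "$dir/ca-cert.pem" \
    -passout pass:android -out "$dir/keystore.p12"
  if command -v keytool >/dev/null 2>&1; then
    keytool -importkeystore -noprompt \
      -srckeystore "$dir/keystore.p12" -srcstoretype PKCS12 -srcstorepass android \
      -destkeystore "$dir/keystore.jks" -deststoretype JKS -deststorepass android
  fi
}

main() {
  out="${1:-${TMPDIR:-/tmp}/ca-out}"
  make_root_ca "$out"
  aki_matches_ski "$out/ca-cert.pem" && cert_is_ca "$out/ca-cert.pem" \
    || { echo "extension check failed" >&2; exit 1; }
  export_keystore "$out"
  # Show the three extensions the question is about
  openssl x509 -in "$out/ca-cert.pem" -noout \
    -ext subjectKeyIdentifier,authorityKeyIdentifier,basicConstraints
}
main "$@"
```

Run it as `sh make-ca.sh /path/to/outdir`; afterwards `keytool -list -v -keystore outdir/keystore.jks -storepass android` shows one PrivateKeyEntry (alias CERT) whose certificate lists AuthorityKeyIdentifier, BasicConstraints and SubjectKeyIdentifier, with the AKI key identifier equal to the SKI because the certificate is self-issued. The PKCS12 import is what avoids the duplicated entry: importing a certificate with -import under a new alias adds a trusted-cert entry next to the original key pair, whereas -importkeystore replaces nothing and brings the key and its certificate in as one entry.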