Android's central keystore

2023-09-05 06:29:22 Author: 对你的温柔你还记得么

I'm hoping that there's a way to programmatically access a central trusted keystore on an Android device. I know one exists, at least for verifying SSL connections etc. which also comes with a handy tool for adding certificates, browsing, etc. (Found under settings->location & security->manage trusted certificates)

I'd like to be able to programmatically retrieve public keys from it for the purpose of encrypting files etc.

Given the documentation available, it seems like other app developers are managing their own keystore within their app, which seems redundant.

Any ideas?

Recommended answer

This is not supported, may break in future versions, etc., but here's how to get a list of the trusted certificates. You cannot add new ones without root access, because /system is mounted read-only. But if you do have root access, you can use the regular KeyStore API's to add certificates.

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

// System CA bundle as a Bouncy Castle (BKS) keystore; "changeit" is the default password.
KeyStore ks = KeyStore.getInstance("BKS");
try (InputStream is = new FileInputStream("/etc/security/cacerts.bks")) {
    ks.load(is, "changeit".toCharArray());
}

// Walk every alias and collect the certificate stored under it.
List<X509Certificate> certs = new ArrayList<X509Certificate>();
Enumeration<String> aliases = ks.aliases();
while (aliases.hasMoreElements()) {
  String alias = aliases.nextElement();
  X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
  certs.add(cert);
}

This should work without needing to hardcode the path to the keystore:

import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import android.util.Log;

// Passing a null KeyStore makes the factory load the platform's default trust store.
TrustManagerFactory tmf = TrustManagerFactory
                    .getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init((KeyStore) null);
X509TrustManager xtm = (X509TrustManager) tmf.getTrustManagers()[0];
// TAG is the enclosing class's log tag.
for (X509Certificate cert : xtm.getAcceptedIssuers()) {
    String certStr = "S:" + cert.getSubjectDN().getName() + "\nI:"
                        + cert.getIssuerDN().getName();
    Log.d(TAG, certStr);
}
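As an added example (not code from the answer or from Android itself) that runs on plain Java as well as Android, here the same TrustManagerFactory call is used to index the platform's trust anchors by subject DN, so a caller can fetch a CA's public key or its SHA-256 fingerprint without hardcoding any path; the class name TrustAnchors and its methods are my own.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Added example, not the answer's code: index the default trust anchors by
// subject DN and expose a CA's public key and SHA-256 fingerprint.
public final class TrustAnchors {
    private final Map<String, X509Certificate> bySubject = new LinkedHashMap<>();
    public TrustAnchors() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                bySubject.put(c.getSubjectX500Principal().getName(), c);
            }
        }
    }

    public int size() { return bySubject.size(); }

    /** Public key of the anchor whose subject DN (RFC 2253 form) matches, or null. */
    public PublicKey publicKeyOf(String subjectDn) {
        X509Certificate c = bySubject.get(subjectDn);
        return c == null ? null : c.getPublicKey();
    }

    /** Hex SHA-256 of the DER encoding, the fingerprint CA bundles publish. */
    public static String sha256Fingerprint(X509Certificate c) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(c.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        TrustAnchors ta = new TrustAnchors();
        System.out.println(ta.size() + " trust anchors");
        for (Map.Entry<String, X509Certificate> e : ta.bySubject.entrySet()) {
            System.out.println(sha256Fingerprint(e.getValue()) + "  " + e.getKey());
        }
    }
}
```

Keys obtained this way belong to certificate authorities, so they suit verifying signatures and chains rather than encrypting your own files, since the matching private keys are held by the CAs. Comparing the printed fingerprints against a published CA bundle is also a cheap check that no unexpected anchor has been added to the device.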