X509Tools was created on top of a proof of concept to provide S/MIME capabilities and X.509 certificate support to Android. It supports the decryption of S/MIME encrypted attachments (smime.p7m) and can send encrypted (and signed) emails. Please note that this is not an email client. The App only decrypts messages received via other mail clients or sends mails over SMTP.
The application needs the following permissions:
- Full Internet Access - required to send emails over SMTP
- Modify/Delete SD card content - required to access the private keystore and to write logfile information
- Read Email Attachments - required to read smime.p7m attachments, if your are using K9 email client
- Read Contacts - required to suggest email addresses from your contacts, if sending plain or signed messages
Since the application is still under development please help us to improve it by sending us your feedback to android [at] rundquadrat.at or by useing the contact form ("Kontakt"). A logfile is written to /sdcard/x509tools/ to help us to reproduce your issues. If you got a decryption error please send us an equivalent encrypted mail (using the following certificate: http://rundquadrat.at/selbitschka.crt), so that we can debug this issue.
New in Version 2.3:
- New user interface
- Interface to allow other applications (like mail clients) to use X509Tools to sign/encrypt/decrypt/verify emails.
- Certificates from signed emails (p7s attachments) can now be displayed and imported to your personal store.
- Your personal store is now protected with an auto-generated keystore-password. This allows us to check if your certificate store is tempered with or not. Your private keys are further protected with the old store-password and you can now change the password for each key.
- Certificate validation via OCSP and/or CRLs.
- Certificate Store shows the system root and private store in one screen.
|If you open the application the main screen shows the two parts of the application: the "Certificate Store Management" and the "Encryption/Decryption" part.|
The certificate store management allows you to show two different stores: the system root store (preinstalled with android) and your personal store. Your personal store can be found on the SDCard at /X509Tools/private.bks and you can backup this file manually. If no personal store is found the application will create a new one by clicking on "Personal Certificate Store".
At "Encryption/Decryption" you manage your SMTP account (necessary to send encrypted emails).
The Certificate Store lists all certificates stored in the internal database. This includes the the built-in store (/system/etc/security/cacerts.bks) and your personal store. The View is split into 3 sections, your "keys", certificates from "other" people and CA certificates. By tapping Menu->Import Key/Cert you can import new keys or certificates from files stored at your sdcard. At the moment *.p12 and *.pfx (PKCS#12) to import key/certpairs and *.cer, *.crt, *.pem and *.p7s files to import certificates are supported. To view the details of a certificate simply tap it to open the certificate viewer. To change a the key password or delete an entry use the context menu of the entry (long-press). If you want to view or change the keystore password press Menu -> "View/Change Store Password". The Menu->ReSync Store to DB option in the Menu deletes the internal certificate database and reimports the private keystore and system rootstore, which is only needed if you manually changed the private.bks file on the SD card.
Send Encrypted Mails
To send encrypted mails you have to add a SMTP account, because sending through other mail clients is not possible at the moment. After adding your account details you can send an encrypted email to users of who you have certificates in your certificate store. The "Add" button shows a list of email addresses found in the certificates of your certificate store and it is only possible to send encrypted mails to these addresses. If you need to send to another address please import a certificate which contains this email address in the subject or subject alternative name rfc822 extension.
If you have installed a private key associated with your account email address you can additionally sign the email before encryption by enabling the "Sign" checkbox.
By clicking the "Copy to Me" checkbox the email is encrypted and send to your own account too. This feature allows you to store the sent messages, since the application itself isn't capable of doing so.
To add an attachment tap the "Attachment" button and to remove the attachment tap the attachment itself.
SMIME Viewer / Email Decryption
To decrypt an SMIME encrypted email use your preferred email client, receive the mail and open the smime.p7m attachment. X509Tools are associated with the special mime-type of this kind of attachment and will automatically be used to view the content. After entering your key password the decrypted content of the mail is shown.
If the encrypted message contains mail header information as from, to, subject, etc. you can reply to that mail, otherwise you can only forward the mail since X509Tools has not enough information to reply. You can find the forward and reply options in the Menu.
We are currently working (if we find the time) on some requested new features and fixing some issues. Here's a list of upcoming features:
- Import of *.pem key files
Some ideas we have for X509Tools:
- Alternative certificate store for "others": maybe extend contacts, request them from ldap directories, ....
- Support for G&Ds Mobile Security Card to store private keys in a secure environment
- Proxy to sign, encrypt outgoing and decrypt incoming mails
Technical Description (The Development Experience)
In this part you find a more technical description of X509Tool to give you a deeper view of what we've done.
Certificate Stores and Viewers
Introduction: "What we learned so far.": The aim of the app is to provide S/MIME functionality, but we have to recognise that there is no X.509 support in Android at all. Yes, there is a mysterious point called "Install from SD Card" in your security menu, but no one knows what it does exactly and you have the possibility to view your certificate store.Therefore back to start and write some simple viewers for certificate stores and certificates. The StoreView called Activity simply reads the system root store located at /system/etc/security/cacerts.bks, parse the certificates and display them ordered by the organisation name (or if not present the common name) of their issuers. Because the system store is read-only you cannot import certificates to it, but non the less now you are able to see which CAs are pre-installed.
To get a detailed view of a certificate tap on it and a simple certificate viewer opens, which shows you the most common attributes and extension. To view certificates system-wide two intent filters are defined for the CertificateViewer Activity: one to view the mime-types "application/x-x509-ca-cert" and "application/pkix-cert" and the second to view file with extensions .cer or .crt.
Since there is no writeable system-wide key or certificate store we could use, we have to create a new one. Your private store is automatically created if you open it the first time and located at /sdcard/X509Tools/private.bks. So it is easy to backup but also accessible to all other applications (later more on: security issues). As keystore format we used the BKS (Bouncycastle Key Store) already used for the system keystore. This keystore is publicly readable and only the private keys are protected with a password
Note: More or less all these things have been implemented using on-board Android embedded libs.
As we started our development the usage of bouncycastle was predetermined because it is java native and widely spread. But as we tried to import the standard jars we noticed that some classes are already included in Android and so we recompiled all classes to org2.bouncycastle and imported parts of javamail, activition and dummy awt classes to get things running. After all this work was done, we were able to start developing the s/mime functions.
Decryption and viewing of s/mime messages is done by the SMimeViewer Activity which has an intent filter to open "application/(x-)pkcs7-mime" mime types. So you can use your preferred email client to receive the message and only open the smime.p7m attachment with this viewer. One big problem is that the viewer only gets the attachment which may not contain any header information, therefore replying "directly" is not possible in most cases. If the message was signed before encryption the signature certificate is shown, but not verified (in any way: no signature cipherment, neither crl-checking)!
Because we don't want to implement an email client, we tried to send emails through others using ACTION_SEND, but unfortunately you cannot provide the whole message or set the mime types correctly and therefore we wrote our own SMTP client based on javamail. The SMTP client is very simple, which leads to the point that only plain username and password can be chosen in the account setup.That's not because we don't want to implement CRAM-MD5 or others, we simply have no public servers to test it. We guess that it should work anyway, because javamail does this transparent, but it's not tested.
As mentioned before there is and always will be some security issues if you store your keys in a file although it is password protected. The fact that the keystore is public (without password) readable is necessary that we can grab the certificates or the email addresses from the certificate without requesting you to enter your passphrase every time you want to send an encrypted mail. To provide real security we plan to implement G&Ds Mobile Security Card (http://code.google.com/p/seek-for-android/) as a keystore, but this is a long way to go.
How to use X509Tool from your application
Since Version 2.0 X509Tools support other application to use it for smime operation. To keep it simple we registered the responsible activity to the mime-type "application/mime-message" and the ACTIONs:
To get your message processed simply store it in a temp directory and create an intent with the requested action, uri and mime type and start it for result:
Intent intent = new Intent();
As a result you get RESULT_OK and an URI to the processed message or RESULT_CANCEL and an error string in the extras field EXTRA_ERROR.
For better understanding we wrote a simple test app which allows you to select a file from sdcard, delivers it to X509Tools for the selected operation and displays the path of the processed message or the error value. Find the complete source and the apk of this app at http://rundquadrat.at/SignTestMail.zip.