http://blog.antoine.li/index.php/2010/10/android-trusting-ssl-certificates/
Two weeks ago I got the task to establish TLS secured connections via certificates to a service endpoint.
I thought it’s not a big deal, because the endpoint already uses an EV certificate from a trusted CA (SwissSign) in Switzerland. Therefore I shouldn’t have to worry that the certificate would be considered as untrusted so I don’t have to import it to the trusted certs in the Java key store etc.
FAIL! I’ve got a security exception, cert is not trusted. Same problem when I visit the website with the browser. Ok, that’s bad, SwissSign is not such a big player like thawte, so, it needs some time till it will be added to the android trusted CA list. But, when I visit thawte.com, their cert is also not trusted by android. WTF?
Windows Phone and iPhone trust my SwissSign CA and don’t complain.
So, let’s ask google, stackoverflow and the blogosphere. Found a lot of solutions how to disable certificate checking entirely.
Yeah, great, this will solve my problem, my connection will be “secure” and everyone will be able to intercept my connection and inject his own certificate.But I finally found the solution with help from other sites and some testing and debugging.
The Solution
The following main steps are required to achieve a secured connection from trusted Certification Authorities.
- Grab all required certificates (root and any intermediate CA’s)
- Create a keystore with keytool and the BouncyCastle provider and import the certs
- Load the keystore in your android app and use it for the secured connections
- Don’t use the standardjava.net.ssl.HttpsURLConnection for the secure connection. Use theApache HttpClient (Version 4 atm) library, which is already built-in in android. It’s built on top of the java connection libraries and is, in my opinion, faster, bettermodularizedand easier to understand.
Step 1: Grab the certs
You have to obtain all certificates that build a chain from the endpoint certificate the whole way up to the Root CA. This means, any (if present) Intermediate CA certs and also the Root CA cert. You don’t need to obtain the endpoint certificate.
You can obtain those certs from the chain (if provided) included in the endpoint certificate or from the official site of the issuer (in my case SwissSign).
Ensure that you save the obtained certificates in the Base64 encoded X.509 format. The content should look similar to this:
1
2
3
|
-----BEGIN CERTIFICATE-----
MIIGqTC.....
-----END CERTIFICATE-----
|
Step 2: Create the keystore
Download the BouncyCastle Provider and store it to a known location.
Also ensure that you can invoke the keytool command (usually located under the bin folder of your JRE installation).
Now import the obtained certs (don’t import the endpoint cert) into a BouncyCastle formatted keystore.
I didn’t tested it, but I think the order of importing the certificates is important. This means, import the lowermost Intermediate CA certificate first and then all the way up to the Root CA certificate.
With the following command a new keystore (if not already present) with the password mysecret will be created and the Intermediate CA certificate will be imported. I also defined the BouncyCastle provider, where it can be found on my file system and the keystore format. Execute this command for each certificate in the chain.
1 |
keytool -importcert -v -trustcacerts -file "path_to_cert/interm_ca.cer" -alias IntermediateCA -keystore "res/raw/myKeystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "path_to_bouncycastle/bcprov-jdk16-145.jar" -storetype BKS -storepass mysecret
|
Verify if the certificates were imported correctly into the keystore:
1 |
keytool -list -keystore "res/raw/myKeystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "path_to_bouncycastle/bcprov-jdk16-145.jar" -storetype BKS -storepass mysecret
|
Should output the whole chain:
1
2
|
RootCA, 22.10.2010, trustedCertEntry,Thumbprint(MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93
IntermediateCA, 22.10.2010, trustedCertEntry,Thumbprint (MD5): 98:0F:C3:F8:39:F7:D8:05:07:02:0D:E3:14:5B:29:43
|
Now you can copy the keystore as a raw resource in your android app under res/raw/
Step 3: Use the keystore in your app
First of all we have to create a custom Apache HttpClient that uses our keystore for HTTPS connections:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
public class MyHttpClient extends DefaultHttpClient {
final Context context;
public MyHttpClient(Context context) {
this .context = context;
}
@Override
protected ClientConnectionManager createClientConnectionManager() {
SchemeRegistry registry = new SchemeRegistry();
registry.register( new Scheme( "http" , PlainSocketFactory.getSocketFactory(), 80 ));
registry.register( new Scheme( "https" , newSslSocketFactory(), 443 ));
return new SingleClientConnManager(getParams(), registry);
}
private SSLSocketFactory newSslSocketFactory() {
try {
KeyStore trusted = KeyStore.getInstance( "BKS" );
InputStream in = context.getResources().openRawResource(R.raw.mykeystore);
try {
trusted.load(in, "mysecret" .toCharArray());
} finally {
in.close();
}
SSLSocketFactory sf = new SSLSocketFactory(trusted);
sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
return sf;
} catch (Exception e) {
throw new AssertionError(e);
}
}
}
|
We have created our custom HttpClient, now we can just use it for secure connections. For example when we make a GET call to a REST resource.
1
2
3
4
5
6
|
DefaultHttpClient client = new MyHttpClient(getApplicationContext());
HttpResponse getResponse = client.execute(get);
HttpEntity responseEntity = getResponse.getEntity();
|
That’s it. Took me long to figure it out, hope this helps and saves you that time.
I really hope that the android platform will implement a better mechanism in future releases for defining which Certification Authorities should be trusted or not or just expand their own trusted CA list. If they don’t, I can’t believe they will get good acceptance from the business sector. Ok, you can control which certificates you want to trust in your app, but you still can’t add thawte as a trusted CA in the android keystore and your browser will always complain about an untrusted CA. The only way I know to eliminate this problem is to root your phone (very user friendly) and add your CA manually to the android keystore.
分享到:
相关推荐
pokedex:https://trusting-meitner-c444fd.netlify.app-源码
Betrayal of Reputation:Trusting the Untrustable Hardware and Software with Reputation.pdf Browser Script Engine Zero Days in 2018.pdf Discovering Vulnerabilities with Data Flow Sensitive Fuzzing.pdf ...
Ken Thompson著作 Reprinted from Communication of the ACM, Vol. 27, No. 8, August 1984, pp. 761-763. Copyright © 1984, Association for Computing Machinery, Inc. Also appears in ACM Turing Award ...
Reflections on Trusting Trust 思考,信任,信托
Betrayal of Reputation -- Trusting the Untrustable Hardware and Software with Reputation
Betrayal of Reputation -- Trusting the Untrustable Hardware and Software with Reputation
SSLContext sc = SSLContext.getInstance("SSL"); sc.init(null, trustAllCerts, new java.security.SecureRandom()); HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); // ...
web安全,有需要的可以看一下,学习网络安全一样要看的书之一
信息安全_数据安全_Reflection_on_trusting_trust 云安全 漏洞挖掘 自动化 安全威胁 安全对抗
向云端转移,存在诸多原因:现买现付成本模型、可以从任何位置或通过任何设备进行全球访问、根据业务需求变化调整规模、内置的灾难恢复、和为 IT 部门提供更大的灵活性
信任天网 跟踪有关可解释机器学习的当前和过去作品的存储库。 有可用代码的可解释方法: 迈向具有常识的符号强化学习 代码: : 从策略学习中解耦特征提取 代码: : 可解释的强化学习的趣味性元素:了解特工...
截屏 链接解决方案URL: https : //github.com/miguel-tostado/profile_card_component 实时站点URL: https : //trusting-swanson-0821a3.netlify.app/ 我的过程 内置语义HTML5标记CSS自定义属性弹性盒 我学到的是...
Smart Cities Cybersecurity and Privacy examines the latest research developments and their outcomes for safe, secure, and trusting smart cities residents. Smart cities improve the quality of life of ...
Reflections on Trusting Trust – Ken Thompson 6. Lisp: Good News, Bad News, How to Win Big – Richard Gabriel 7. An experimental evaluation of the assumption of independence in multiversion ...
without trusting the server, privacy preserving data mining, electronic auctions without a trusted auctioneer, electronic elections without a trusted central authority. 3. Zero knowledge proofs: Prove...
生成状态: PolicyFileEditor TJX.PolFileEditor.PolFile .NET类周围的PowerShell函数和DSC资源包装器。... Write-host " Trusting PS Gallery " Set-PSRepository - Name ' PSGallery ' - Installatio
['ANDROID APP安全从入门到放弃.pdf', 'CNCERT车联网众测平台与漏洞库介绍.pdf', 'IOS URL Scheme之殇.pdf', 'OT&核心基础架构安全.pdf', 'RedTeam视角下的二进制攻防研究.pdf', 'Reflection on trusting trust.pdf'...
SpoolerScanner检查假脱机程序(MS-RPRN)是否可以通过powershell / c#远程使用。这是@tifkin_所作的DerbyCon演示文稿“信任Active Directory @ DerbyCon 2018的意外风险”的... ,@ enigma0x3(马特·尼尔森)参考:...
.NET Code Security Code Access Security Versus Role-Based Security Code Access Security in .NET Location, Location, Location Strong Names Publisher Certificates Trusting ...
.NET Code Security Code Access Security Versus Role-Based Security Code Access Security in .NET Location, Location, Location Strong Names Publisher Certificates Trusting ...