How can I validate a PEM encoded server certificate and chain against the Android trusted CAs?
|March 20, 2013
Posted by forumadmin
I am developing an enterprise communications app to run on Android 4.0+. This app has a native transport layer written in C/C++ which manages the SSL connections with a SIP server. The native layer uses the OpenSSL libraries for the SSL connection.
I need to implement validation of the server certificate when the app opens an SSL connection. This includes validating the certificate chain against available root CA certificates and hostname validation. My problem is that there is no access (that I am aware of) to Android's trust store CA certificates. By this, I mean the built-in certificates (e.g. Verisign) and user installed trusted CAs.
Therefore, I am pretty sure what I have to do is pass the certificate chain up to the java code (this is implemented and working) so that I can use the java security APIs. Essentially, what I have to start with is an array of certificates (the chain received from the server) in PEM format (could be DER, if that was better).
I understand how I can convert the chain into Certificate objects and the Certificate objects into a CertPath object. It looks like one can then use the CertPathValidator to validate the CertPath. Am I on the right track? The point at which I am hung up here is that CertPathValidator.validate(cp,params) takes a PKIXParameters object. This, in turn, seems to need either a keystore or a Set of TrustAnchors. I assume that the keystore or set of TrustAnchors represents the trusted root CAs that are to be used to validate cp (the CertPath), correct? If so, how/where do I get the input parameters for the PKIXParameters constructor?
On another tack, I just started looking into whether a TrustManager could/should be used to validate the server certificate. I think I understand how TrustManagers fit in and are used when working with an HttpsURLConnection, but it is not clear how I might do this when all I start with is my array of PEM certificates.
Can someone point me in the correct direction?
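As an added example (not the poster's code and not an answer quoted from the thread): a Java class that takes the PEM array the question describes (leaf first, as received from the server) and validates it both ways. The first path hands the chain to the platform's default X509TrustManager, which on Android 4.0+ is backed by the system trust store including user-installed CAs; the second is the CertPathValidator route from the question, with the TrustAnchors that PKIXParameters needs taken from the "AndroidCAStore" KeyStore. A SAN-based hostname check follows, because path validation alone says nothing about which host the leaf was issued to. The class and method names, the `expectedHost` parameter, and the decision to disable revocation checking are assumptions; the hostname matcher is a reduced form of the RFC 6125 rules (dNSName entries only, one left-most wildcard label, no CN fallback).

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Validates a server chain handed up from native code against the Android trust store. */
public final class ChainValidator {

    /** Parse PEM strings (leaf first) into X509Certificates; CertificateFactory also accepts DER. */
    public static X509Certificate[] parsePemChain(String[] pems) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain = new X509Certificate[pems.length];
        for (int i = 0; i < pems.length; i++) {
            chain[i] = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(pems[i].getBytes(StandardCharsets.US_ASCII)));
        }
        return chain;
    }

    /** Option 1: a null KeyStore selects the platform trust store (built-in plus user-installed CAs). */
    public static void checkWithPlatformTrustManager(X509Certificate[] chain) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                // Throws CertificateException when no path to a trusted anchor can be built.
                ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                return;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** Option 2: CertPathValidator with TrustAnchors read from the "AndroidCAStore" KeyStore. */
    public static void checkWithCertPathValidator(X509Certificate[] chain) throws Exception {
        KeyStore caStore = KeyStore.getInstance("AndroidCAStore");
        caStore.load(null, null);
        Set<X509Certificate> anchorCerts = new HashSet<>();
        for (Enumeration<String> e = caStore.aliases(); e.hasMoreElements();) {
            X509Certificate ca = (X509Certificate) caStore.getCertificate(e.nextElement());
            if (ca != null) anchorCerts.add(ca);
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : anchorCerts) anchors.add(new TrustAnchor(ca, null));

        // The root is the anchor, not a path element: drop any cert that is itself an anchor.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) if (!anchorCerts.contains(c)) path.add(c);

        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP source configured here
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(certPath, params); // throws on failure
    }

    /** Simplified RFC 6125 match on dNSName SANs (type 2). No CN fallback. */
    public static boolean hostnameMatches(X509Certificate leaf, String host) throws CertificateException {
        Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
        if (sans == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            if ((Integer) san.get(0) != 2) continue;
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            // "*.example.com" matches exactly one label on the left, never "example.com" itself.
            if (name.startsWith("*.") && !name.substring(2).contains("*")) {
                int dot = h.indexOf('.');
                if (dot > 0 && h.substring(dot).equals(name.substring(1))) return true;
            }
        }
        return false;
    }

    /** Entry point called from the JNI bridge with the PEM array and the SIP server's hostname. */
    public static void validateServer(String[] pemChain, String expectedHost) throws Exception {
        X509Certificate[] chain = parsePemChain(pemChain);
        checkWithPlatformTrustManager(chain); // or checkWithCertPathValidator(chain)
        if (!hostnameMatches(chain[0], expectedHost)) {
            throw new CertificateException("hostname mismatch: " + expectedHost);
        }
    }
}
```

Both paths consult the same store on Android 4.0+, so the TrustManager route is the shorter one; the CertPathValidator route is useful when you need to inspect or restrict the anchors (for example, pinning to a subset). Either way the native side must hand the chain up leaf first, and the hostname check must run against `chain[0]` only, after the path check has succeeded.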