android - How to programmatically add certificates to a truststore and use that also for verifying server authentication -
i app want use https connection user-specified server uses self-signed certificate. gathered is, that
- self signed certificates rejected (as expected)
- the android keystore/truststore not used apps, apps have build , use own truststore,
- there's "keytool" in jdk build truststore can supplied app resource, not solution since not know server (and certificate beforehand)
since https server user specified, not know server's certificate beforehand , want add server certificate programmatically app's truststore (by showing certificate user , have him accept it). once added truststore, app shall use truststore authenticate server.
i not want accept every self-signed certificate without user checking fingerprint examples on web suggest.
now problem i'm new java , android , struggling understand inner workings of androidhttpclient or defaulthttpclient. have basic http working in app, haven't found example on how add certificates truststore inside app on demand of user.
does know how achieve or knows working example can at?
any hints appreciated. thanks.
edit: found solution in trustmanagerfactory.java class of k9 mail. suggest have @ if you're having same question.
solution found while ago no 1 has created answer yet guide others, i'll point pimp(ette) morning , post url added solution, plus copy in code public source. hope helps guide others solution. :)
here's url code below.
package com.fsck.k9.mail.store; import android.app.application; import android.content.context; import android.util.log; import com.fsck.k9.k9; import com.fsck.k9.helper.domainnamechecker; import org.apache.commons.io.ioutils; import javax.net.ssl.trustmanager; import javax.net.ssl.x509trustmanager; import java.io.file; import java.io.filenotfoundexception; import java.io.ioexception; import java.security.keystore; import java.security.keystoreexception; import java.security.nosuchalgorithmexception; import java.security.cert.certificateexception; import java.security.cert.x509certificate; import java.util.hashmap; import java.util.map; public final class trustmanagerfactory { private static final string log_tag = "trustmanagerfactory"; private static x509trustmanager defaulttrustmanager; private static x509trustmanager unsecuretrustmanager; private static x509trustmanager localtrustmanager; private static x509certificate[] lastcertchain = null; private static file keystorefile; private static keystore keystore; private static class simplex509trustmanager implements x509trustmanager { public void checkclienttrusted(x509certificate[] chain, string authtype) throws certificateexception { } public void checkservertrusted(x509certificate[] chain, string authtype) throws certificateexception { } public x509certificate[] getacceptedissuers() { return null; } } private static class securex509trustmanager implements x509trustmanager { private static final map<string, securex509trustmanager> mtrustmanager = new hashmap<string, securex509trustmanager>(); private final string mhost; private securex509trustmanager(string host) { mhost = host; } public synchronized static x509trustmanager getinstance(string host) { securex509trustmanager trustmanager; if (mtrustmanager.containskey(host)) { trustmanager = mtrustmanager.get(host); } else { trustmanager = new securex509trustmanager(host); mtrustmanager.put(host, trustmanager); } return trustmanager; } public void checkclienttrusted(x509certificate[] chain, string authtype) throws certificateexception { defaulttrustmanager.checkclienttrusted(chain, authtype); } public void checkservertrusted(x509certificate[] chain, string authtype) throws certificateexception { // fixme: using static field store certificate chain bad idea. instead // create certificateexception subclass , store chain there. trustmanagerfactory.setlastcertchain(chain); try { defaulttrustmanager.checkservertrusted(chain, authtype); } catch (certificateexception e) { localtrustmanager.checkservertrusted(new x509certificate[] {chain[0]}, authtype); } if (!domainnamechecker.match(chain[0], mhost)) { try { string dn = chain[0].getsubjectdn().tostring(); if ((dn != null) && (dn.equalsignorecase(keystore.getcertificatealias(chain[0])))) { return; } } catch (keystoreexception e) { throw new certificateexception("certificate cannot verified; keystore exception: " + e); } throw new certificateexception("certificate domain name not match " + mhost); } } public x509certificate[] getacceptedissuers() { return defaulttrustmanager.getacceptedissuers(); } } static { java.io.inputstream fis = null; try { javax.net.ssl.trustmanagerfactory tmf = javax.net.ssl.trustmanagerfactory.getinstance("x509"); application app = k9.app; keystorefile = new file(app.getdir("keystore", context.mode_private) + file.separator + "keystore.bks"); keystore = keystore.getinstance(keystore.getdefaulttype()); try { fis = new java.io.fileinputstream(keystorefile); } catch (filenotfoundexception e1) { fis = null; } try { keystore.load(fis, "".tochararray()); } catch (ioexception e) { log.e(log_tag, "keystore ioexception while initializing trustmanagerfactory ", e); keystore = null; } catch (certificateexception e) { log.e(log_tag, "keystore certificateexception while initializing trustmanagerfactory ", e); keystore = null; } tmf.init(keystore); trustmanager[] tms = tmf.gettrustmanagers(); if (tms != null) { (trustmanager tm : tms) { if (tm instanceof x509trustmanager) { localtrustmanager = (x509trustmanager)tm; break; } } } tmf = javax.net.ssl.trustmanagerfactory.getinstance("x509"); tmf.init((keystore)null); tms = tmf.gettrustmanagers(); if (tms != null) { (trustmanager tm : tms) { if (tm instanceof x509trustmanager) { defaulttrustmanager = (x509trustmanager) tm; break; } } } } catch (nosuchalgorithmexception e) { log.e(log_tag, "unable x509 trust manager ", e); } catch (keystoreexception e) { log.e(log_tag, "key store exception while initializing trustmanagerfactory ", e); } { ioutils.closequietly(fis); } unsecuretrustmanager = new simplex509trustmanager(); } private trustmanagerfactory() { } public static x509trustmanager get(string host, boolean secure) { return secure ? securex509trustmanager.getinstance(host) : unsecuretrustmanager; } public static keystore getkeystore() { return keystore; } public static void setlastcertchain(x509certificate[] chain) { lastcertchain = chain; } public static x509certificate[] getlastcertchain() { return lastcertchain; } public static void addcertificatechain(string alias, x509certificate[] chain) throws certificateexception { try { javax.net.ssl.trustmanagerfactory tmf = javax.net.ssl.trustmanagerfactory.getinstance("x509"); (x509certificate element : chain) { keystore.setcertificateentry (element.getsubjectdn().tostring(), element); } tmf.init(keystore); trustmanager[] tms = tmf.gettrustmanagers(); if (tms != null) { (trustmanager tm : tms) { if (tm instanceof x509trustmanager) { localtrustmanager = (x509trustmanager) tm; break; } } } java.io.outputstream keystorestream = null; try { keystorestream = new java.io.fileoutputstream(keystorefile); keystore.store(keystorestream, "".tochararray()); } catch (filenotfoundexception e) { throw new certificateexception("unable write keystore: " + e.getmessage()); } catch (certificateexception e) { throw new certificateexception("unable write keystore: " + e.getmessage()); } catch (ioexception e) { throw new certificateexception("unable write keystore: " + e.getmessage()); } { ioutils.closequietly(keystorestream); } } catch (nosuchalgorithmexception e) { log.e(log_tag, "unable x509 trust manager ", e); } catch (keystoreexception e) { log.e(log_tag, "key store exception while initializing trustmanagerfactory ", e); } } } 
Comments
Post a Comment