
Certificate format

I want to make an SSL connection with a client certificate in Android.

The file containing the certificate and the private key is in *.pem format (e.g. user_cert.pem). The PEM format looks like this:

-----BEGIN RSA PRIVATE KEY-----
  ...
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
  ...
-----END CERTIFICATE-----

Since Android supports only the BKS format, I converted user_cert.pem into BKS format via the Portecle software.


Errors

I make the SSL connection following this post.

I have the certificate in the phone folder /storage/Documents.

Running the application, I get this error:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

Various reasons are described in the Android Developers documentation, but I cannot imagine what is wrong.

The function making the POST Request is:

import android.util.Log;

import java.io.BufferedInputStream;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public void setTestbedData(String path, String data)
    throws KeyStoreException, NoSuchAlgorithmException, CertificateException,
    UnrecoverableKeyException, IOException
{
    HttpURLConnection con = (HttpURLConnection) (new URL(Constants.BASE_URL + path)).openConnection();

    // load client certificate and private key from the BKS file converted with Portecle
    InputStream clientInput = new BufferedInputStream(new FileInputStream("/sdcard/Documents/user_cert.bks"));
    KeyStore keyStore = KeyStore.getInstance("BKS");
    keyStore.load(clientInput, null); // null password: the keystore integrity check is skipped
    clientInput.close();

    System.out.println("Loaded client certificates: " + keyStore.size());

    // initialize key manager factory with the read client certificate;
    // the second argument is the password of the private key entry (null only works if it has none)
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, null);

    SSLContext sc = SSLContext.getInstance("TLS");
    try {
        // trust managers = null: the server certificate is checked against the platform's default CA store
        sc.init(keyManagerFactory.getKeyManagers(), null, null);
    } catch (KeyManagementException e1) {
        e1.printStackTrace();
    }

    if (con instanceof HttpsURLConnection) {
        ((HttpsURLConnection) con).setSSLSocketFactory(sc.getSocketFactory());
    }

    // setDoOutput(true) alone already switches HttpURLConnection from GET to POST;
    // setRequestMethod("POST") is kept for clarity.
    con.setRequestMethod("POST");
    con.setDoInput(true);
    con.setDoOutput(true);
    con.setRequestProperty("Accept", "application/json");
    con.setRequestProperty("Content-Type", "application/json");

    OutputStream outputStream = con.getOutputStream();
    outputStream.write(data.getBytes("UTF-8"));
    outputStream.flush();
    outputStream.close();

    // read the body exactly once: for non-2xx responses it comes from the error stream,
    // which can only be consumed a single time (and may be null)
    int responseCode = con.getResponseCode();
    InputStream _is = (responseCode / 100 == 2) ? con.getInputStream() : con.getErrorStream();

    StringBuilder body = new StringBuilder();
    if (_is != null) {
        BufferedReader responseBuffer = new BufferedReader(new InputStreamReader(_is, "UTF-8"));
        String output;
        while ((output = responseBuffer.readLine()) != null) {
            body.append(output).append('\n');
        }
        responseBuffer.close();
    }

    if (responseCode / 100 != 2) {
        Log.i("Error != 2xx", body.toString());
        con.disconnect();
        throw new RuntimeException("Failed : HTTP error code : " + responseCode);
    }

    // ... handle the 2xx response body here

    con.disconnect();
}
  • Does the server use a commercial or self-signed certificate? – Robert Aug 27 '14 at 14:41
  • It is a self-signed certificate... I wonder if the conversion into BKS format changed something in the PEM file and this is the reason why the server does not accept the client certificate. Does Java support some library to manage PEM files? – zoe vas Aug 27 '14 at 15:28
  • I assume that the error message has nothing to do with the client certificate, it is about the server certificate. You have to add it to your certificate store as trusted certificate. – Robert Aug 28 '14 at 07:37
  • There is no server certificate. Only the client certificate I have. – zoe vas Aug 28 '14 at 07:53
  • In SSL/TLS the server always has a certificate. The only question is which one, a commercial one, a self-signed one or a temporary generated by the server. – Robert Aug 28 '14 at 11:19
  • In my case, only the client has a certificate and sends it to the server. So, maybe I am wrong? I should not use SSLContext.getInstance("TLS")? – zoe vas Aug 28 '14 at 12:04
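The situation the comments describe (the client presents its certificate from the BKS file, the server presents a self-signed certificate that Android's default trust store does not know) is handled by giving the SSLContext both a key manager and a trust manager. The following is an added example, not code from the question; the file paths, the `server_cert.pem` export of the server's certificate and the password argument are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsContext {
    // Assumed paths: the BKS produced by Portecle (client key + certificate)
    // and the server's self-signed certificate exported as a PEM file.
    static final String CLIENT_BKS = "/sdcard/Documents/user_cert.bks";
    static final String SERVER_PEM = "/sdcard/Documents/server_cert.pem";

    static SSLContext buildContext(char[] bksPassword) throws Exception {
        // 1. Client identity: the keystore holding the private key and certificate.
        KeyStore clientStore = KeyStore.getInstance("BKS");
        InputStream in = new FileInputStream(CLIENT_BKS);
        try {
            clientStore.load(in, bksPassword);
        } finally {
            in.close();
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientStore, bksPassword); // password protecting the private key entry

        // 2. Server trust: CertificateFactory parses the "-----BEGIN CERTIFICATE-----" PEM block
        //    directly; that certificate becomes the only trust anchor for this connection.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream pem = new FileInputStream(SERVER_PEM);
        Certificate serverCert;
        try {
            serverCert = cf.generateCertificate(pem);
        } finally {
            pem.close();
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // fresh, empty in-memory store
        trustStore.setCertificateEntry("server", serverCert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        // 3. Passing null instead of tmf.getTrustManagers() (as the question does) falls back to the
        //    platform CA store, which has no self-signed certificate: "Trust anchor ... not found".
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Hand `buildContext(password).getSocketFactory()` to `setSSLSocketFactory` exactly as the question's code does; the default hostname verifier stays in place, so the server certificate's subject must match the host being connected to.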
