
Hi, I am working on an android application where I am using the https protocol in all the web services. So, to communicate with an https-enabled server from the android app, do we need to add any certificate to the raw folder of android?

If yes, then what is the process for it? I checked many answers but people are simply ignoring the https protocol, just accepting all certificates or bypassing them.

Thanks in advance.

N Sharma

1 Answer

  1. Create a BouncyCastle KeyStore, put your certificate in it (you can use openssl), then put the created KeyStore into the res/raw folder.

In the app:

  1. Load your keystore file into a Java KeyStore
  2. Feed your HttpClient with your KeyStore

Example:

import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class PinnedCaClient {
    public static void main(String[] args) throws Exception {
        // Load CAs from an InputStream
        // (could be from a resource or ByteArrayInputStream or ...)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // From https://www.washington.edu/itconnect/security/ca/load-der.crt
        // In an Android app the file bundled under res/raw is read instead, e.g.
        // getResources().openRawResource(R.raw.load_der)
        InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
        Certificate ca;
        try {
            ca = cf.generateCertificate(caInput);
            System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
        } finally {
            caInput.close();
        }

        // Create a KeyStore containing our trusted CAs (certificate only, no private key)
        String keyStoreType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the CAs in our KeyStore
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);

        // Create an SSLContext that uses our TrustManager
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);

        // Tell the URLConnection to use a SocketFactory from our SSLContext
        URL url = new URL("https://certs.cac.washington.edu/CAtest/");
        HttpsURLConnection urlConnection =
            (HttpsURLConnection)url.openConnection();
        urlConnection.setSSLSocketFactory(context.getSocketFactory());
        InputStream in = urlConnection.getInputStream();
        copyInputStreamToOutputStream(in, System.out);
    }

    // Helper the snippet refers to: copy the response body to the given stream
    static void copyInputStreamToOutputStream(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[4096];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        out.flush();
    }
}

source: https://developer.android.com/training/articles/security-ssl.html

Than
  • Do I have to use the same generated KeyStore certificate on the server as well? – N Sharma Oct 08 '14 at 05:08
  • I'm not sure what you are asking – Than Oct 13 '14 at 19:43
  • I am asking: for this process we have to keep the certificate file either in `raw` or `assets` of the android project, so to make an https connection with the server, do we have to keep the same certificate file on the server too, which we have in android? – N Sharma Oct 14 '14 at 05:03
  • Look here: http://stackoverflow.com/questions/188266/how-are-ssl-certificates-verified, the only difference is that you (the application, which acts as the web browser in that link) don't download the certificate - you provide it with your application. – Than Oct 14 '14 at 22:07
  • So according to that answer it means that you don't have to create any certificate & there is no need to add it in the android client either, but you told me this: `Create BouncyCastle KeyStore, put your certificate in it (you can use openssl), later put created KeyStore into res/raw folder.`. Now I am confused :( – N Sharma Oct 15 '14 at 05:11
  • The case in the link describes how a web browser works. Android has its own CA (certificate authority) store. If your server certificate is not signed by one of those certificate authorities, you will have to tell Android to trust it (create a `TrustStore` from a `KeyStore` as described above). – Than Oct 15 '14 at 09:19
  • Alright, so in case the server certificate is signed by one of the certificate authorities, then in this case I don't have to create any certificate again & add it to the raw folder. Please confirm – N Sharma Oct 15 '14 at 09:53
  • Please confirm my above question & let's close it, then I will accept it for sure – N Sharma Oct 26 '14 at 19:44
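The exchange the answer and the comment thread describe, as an added example that is not part of the original answer (written in Go rather than Android Java so that it runs stand-alone, with a loopback server instead of a real one): the client's trust store contains exactly one certificate, the private CA; the server presents a leaf certificate signed by that CA together with its private key; a client whose trust store is empty is refused during the handshake, and a certificate that chains correctly is still rejected if its name does not match the host being contacted. The CA name "Example Private CA", the host name api.example.internal and the loopback server are constructed for the example. `x509.CertPool` plays the role of the KeyStore plus TrustManagerFactory in the answer, and `tls.Config{RootCAs: ...}` the role of `setSSLSocketFactory(context.getSocketFactory())`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Constructed for this example: a private CA stands in for the certificate the app
// would ship, a leaf signed by it for the server's certificate. Loopback only.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// NewPrivateCA returns a self-signed CA certificate and its key.
func NewPrivateCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := template(1, "Example Private CA")
	tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
	tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	ca, err := x509.ParseCertificate(der)
	must(err)
	return ca, key
}

// IssueServerCert has the CA sign a leaf for the given names; only the server holds its key.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dns []string, ips []net.IP) (*x509.Certificate, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := template(2, dns[0])
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	tmpl.DNSNames, tmpl.IPAddresses = dns, ips
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return leaf, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// Get is an HTTPS GET whose trust store is exactly roots (the answer's custom SSLSocketFactory).
func Get(url string, roots *x509.CertPool) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{RootCAs: roots}}}
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo returns the body fetched with the CA trusted, the handshake error from an empty trust store, and the wrong-host error.
func Demo() (body string, untrustedErr error, hostErr error) {
	ca, caKey := NewPrivateCA()
	leaf, serverCert := IssueServerCert(ca, caKey, []string{"api.example.internal"}, []net.IP{net.ParseIP("127.0.0.1"), net.ParseIP("::1")})
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		fmt.Fprint(w, "hello over https")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{serverCert}} // server side: leaf + private key
	srv.StartTLS()
	defer srv.Close()
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // client side: the CA certificate only, no key
	body, err := Get(srv.URL, trusted)
	must(err)
	_, untrustedErr = Get(srv.URL, x509.NewCertPool()) // empty trust store: "certificate signed by unknown authority"
	// Trusting the CA is not enough: the name in the certificate must also match the host contacted.
	_, hostErr = leaf.Verify(x509.VerifyOptions{Roots: trusted, DNSName: "evil.example.com"})
	return body, untrustedErr, hostErr
}

func main() { fmt.Println(Demo()) }
```

Running it prints the body from the trusted connection, an "unknown authority" error for the empty trust store, and a host-name mismatch error. The empty-store failure is the error that "accept all certificates" TrustManagers make disappear, which is why they also make a man-in-the-middle with any certificate succeed. What the app bundles is the CA (or server) certificate alone, never a private key; and, as the comment thread says, if the server's certificate already chains to a CA in Android's system store, nothing needs to be bundled at all.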