2

We had received mail regarding “You are using an unsafe implementation of X509TrustManagfer”. To resolve this issue we have applied solution from http://transoceanic.blogspot.in/2011/11/android-import-ssl-certificate-and-use.html

Here we have generated new BKS key store and pass this Key Store SSLSocketFactory. This Factory is responsible for verification of Server certificate. We have already existing Keystore but it is not in .BKS formate . That’s why we have created new one for specially HTTPS call. Please review my below code:

DefaultHttpClient sslClient = new MyHttpClient(StartupActivity.activity);

public class MyHttpClient extends DefaultHttpClient {

    final Context context;

    public MyHttpClient(Context context) {
        this.context = context;

    }

    @Override
    protected ClientConnectionManager createClientConnectionManager() {
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory
                .getSocketFactory(), 80));
        // Register for port 443 our SSLSocketFactory with our keystore
        // to the ConnectionManager
        registry.register(new Scheme("https", newSslSocketFactory(), 443));


        return new SingleClientConnManager(getParams(), registry);
    }

    private SSLSocketFactory newSslSocketFactory() {
        try {
            // Get an instance of the Bouncy Castle KeyStore format
            KeyStore trusted = KeyStore.getInstance("BKS");
            // Get the raw resource, which contains the keystore with
            // your trusted certificates (root and any intermediate certs)
            InputStream in = context.getResources().openRawResource(
                    R.raw.mykeystore);
            try {
                // Initialize the keystore with the provided trusted
                // certificates
                // Also provide the password of the keystore

                trusted.load(in, "keystore_password".toCharArray());
            } finally {
                in.close();
            }
            // Pass the keystore to the SSLSocketFactory. The factory is
            // responsible
            // for the verification of the server certificate.
            SSLSocketFactory sf = new SSLSocketFactory(trusted);
            // Hostname verification from certificate
            // http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
            sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
            return sf;
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
}

Can you please check and confirm that with this solution our application would be safe?

Let us know if you have any other best solution.

jww
  • 97,681
  • 90
  • 411
  • 885
Dev
  • 71
  • 6
  • Usually the problem arises from `X509TrustManager` and the `checkServerTrusted` method. Many folks simply return `true` rather than path building and verifying the server's identity. Also see [Validate X.509 certificate agains concrete CA Java](http://stackoverflow.com/q/6629473) on Stack Overflow and [The most dangerous code in the world: validating SSL certificates in non-browser software](https://crypto.stanford.edu/~dabo/pubs/abstracts/ssl-client-bugs.html) – jww Jan 30 '17 at 11:47
  • 1
    This is a "code review" question, and too broad for StackOverflow. (I imagine that is one reason that nobody has tried to answer it in the last 5 years. Another is that an answer would probably no longer be relevant to the OP.) – Stephen C Apr 04 '21 at 03:10

0 Answers0