I am trying to test out all aspects of the network security configuration capability of the N Developer Preview. I have most of it working, but I am stumped by the self-signed certificate scenario.

According to the docs, Android N should be happy with a PEM or DER file, as it is for other certificate validation scenarios. However, I do not work with self-signed certificates much, and my attempts to get this working keep running into certificate path validation exceptions.

For testing, I am using thin as the server, running on my development machine, reachable by an N emulator. The self-signed certificate works for browsers on my development machine, and if I switch to running thin sans SSL, apps can reach the server just fine. So, it's not a connectivity issue.

I created the self-signed certificate using the instructions on this site:

sudo openssl genrsa -out "/etc/[webserver]/ssl/example.key" 2048
sudo openssl req -new -key "/etc/[webserver]/ssl/example.key" \
                 -out "/etc/[webserver]/ssl/example.csr"
sudo openssl x509 -req -days 365 -in "/etc/[webserver]/ssl/example.csr" \
                  -signkey "/etc/[webserver]/ssl/example.key"  \
                  -out "/etc/[webserver]/ssl/example.crt"

According to this Stack Overflow answer, the example.crt file is a PEM file. Elsewhere, I see instructions for creating a "combined PEM" file. However, I tried both of these, with no luck.

In terms of the network security configuration stuff, I have tried both <domain-config> and <debug-overrides>. The latter looks like:

<?xml version="1.0" encoding="utf-8"?>

<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="@raw/selfsigned"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>

But, I get the validation error in either case.

What exactly should we be putting in as a PEM or DER file, as a raw resource, that makes this work?

  • Have you added `android:debuggable = true`? – Prerak Sola Apr 11 '16 at 15:13
  • @PrerakSola: I am testing from a series of product flavors, but I am always using `debug` as the build type. – CommonsWare Apr 11 '16 at 15:16
  • I tried this out by generating a self-signed certificate as you outlined and it worked. I copied the example.crt file, put it in the raw resource folder, and removed the extension. I think the only big difference is I am running Tomcat locally as the web server. One thing to double check is that you added the meta-data element to the `AndroidManifest.xml` file. The cert worked with any of ``, ``, or `` in the xml file. – George Mulligan Apr 14 '16 at 14:18
  • @GeorgeMulligan: Out of curiosity, did you try it on N Developer Preview 2 (NDP2) or NDP1? When I posted this, I was testing on NDP1. Now, with a fresh emulator with NDP2, it is working with the plain CRT file (not the "combined PEM" one). The file extension does not seem to matter -- it works with or without, which makes sense, given that it's a raw resource. Thanks for the kick in the right direction! – CommonsWare Apr 14 '16 at 15:48
  • I am showing revision 2 which I assume means I'm using NDP2, so maybe there was an issue in the original preview. I'm not sure how to go back and try testing using NDP1. – George Mulligan Apr 14 '16 at 16:04
  • OK, I am going to assume it was actually a bug and is fixed now. Thanks again for your help! – CommonsWare Apr 14 '16 at 16:29
  • Where did you obtain **example.crt** from? – IgorGanapolsky Sep 30 '16 at 20:47
  • @IgorGanapolsky: It is the output of the `openssl` command pipeline shown in the question. – CommonsWare Sep 30 '16 at 22:46

1 Answer

This appears to be working on N Developer Preview 2, using the example.crt generated by the openssl scripts shown in the question. For the moment, I am going to assume that there was a change in N Developer Preview 2 compared to N Developer Preview 1 that accounts for the change.
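An added check, not code from the question or the answer: a small Python script that inspects a candidate res/raw file before you reference it from `<certificates src="@raw/..."/>`. It tells PEM from DER, pulls only the CERTIFICATE blocks out of a "combined PEM" (the kind built for the web server, which also carries the private key), sanity-checks the outer DER length of each certificate, and flags any private-key block, since anything in res/raw ships inside the APK. Standard library only; the sample inputs are constructed toy byte strings, not real certificates, and the function names are my own.

```python
"""Inspect a PEM or DER file destined for an Android Network Security Config
raw resource. Added example; not code from the question, the answer or Android.
"""
import base64
import re
import ssl
import sys

# One PEM block: label in the header must match the label in the footer.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def classify(data: bytes) -> str:
    """'pem' if PEM armour is present, 'der' if the bytes open with an ASN.1
    SEQUENCE tag (0x30, as every X.509 certificate does), else 'unknown'."""
    if b"-----BEGIN " in data:
        return "pem"
    if data[:1] == b"\x30":
        return "der"
    return "unknown"


def der_length_ok(der: bytes) -> bool:
    """Check that the outer SEQUENCE length covers exactly the rest of the
    buffer; catches truncated files and trailing junk after the certificate."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                         # short-form length
        body_len, header = first, 2
    else:                                    # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        body_len = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + body_len == len(der)


def extract_certificates(data: bytes) -> dict:
    """Split the file into what NSC needs (certificates, as DER) and what must
    never be packaged (private keys). Returns a report dict."""
    report = {"format": classify(data), "certs_der": [], "private_keys": 0,
              "other_blocks": []}
    if report["format"] == "der":
        report["certs_der"].append(data)
        return report
    if report["format"] != "pem":
        return report
    for label, body in PEM_BLOCK.findall(data.decode("ascii", "replace")):
        if label == "CERTIFICATE":
            pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
            report["certs_der"].append(ssl.PEM_cert_to_DER_cert(pem))
        elif "PRIVATE KEY" in label:          # PRIVATE KEY, RSA PRIVATE KEY, ...
            report["private_keys"] += 1
        else:
            report["other_blocks"].append(label)
    return report


def assess(data: bytes) -> list:
    """Findings for a candidate res/raw resource; an empty list means it looks
    like a plain certificate file of the kind the answer reports working."""
    r = extract_certificates(data)
    findings = []
    if r["format"] == "unknown":
        findings.append("not PEM or DER: NSC will reject this resource")
    if not r["certs_der"]:
        findings.append("no CERTIFICATE block found")
    for i, der in enumerate(r["certs_der"]):
        if not der_length_ok(der):
            findings.append(f"certificate {i}: DER length mismatch (truncated or trailing junk)")
    if r["private_keys"]:
        findings.append(f"{r['private_keys']} private key block(s) present: "
                        "strip them, res/raw is packaged into the APK")
    return findings


# Constructed samples (toy ASN.1, not real certificates) so the script runs offline.
TOY_DER = b"\x30\x03\x02\x01\x05"            # SEQUENCE { INTEGER 5 }
PLAIN_CRT = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(TOY_DER)
             + b"\n-----END CERTIFICATE-----\n")
COMBINED_PEM = PLAIN_CRT + (b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n"
                            b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    # Usage: python check_raw_cert.py res/raw/selfsigned
    with open(sys.argv[1], "rb") as fh:
        print("\n".join(assess(fh.read())) or "OK: plain certificate file")
```

The point of the length check is narrow: it does not validate the chain (Android does that), it only catches a file that was concatenated, truncated or saved with extra bytes, which presents as the same path-validation exception the question describes.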
