So I have a certificate to use in my app, and also a certificate for an intermediate CA and a root CA certificate, the whole hierarchy.

I'm struggling to find how to properly add all three to my application. Based on other StackOverflow posts, I'm using the first certificate and it seems to be working just fine, but because I have the other two certificates not being used, it feels... wrong. How is it validating the certificate if the others are not even mentioned? Does Android have some providers installed and it is using them? Should I be expecting some devices that may not find a trust chain up to the root CA?

At the moment, I have this:

import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Loading the certificate bundled under res/raw; the stream is closed after parsing
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate ca;
try (InputStream cert = context.getResources().openRawResource(R.raw.thecertificate)) {
    ca = cf.generateCertificate(cert);
}

// Creating a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);

// Creating a TrustManager that trusts the CAs in our KeyStore.
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);

// Creating an SSLContext that uses our TrustManager
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);

The certificate in the raw resources folder is the first one I mentioned.

Can anyone clarify?

Best regards, João

João Cruz
  • Have you tried combining the certs into a single KeyStore, perhaps? Something like: http://stackoverflow.com/a/35434042/1426565 – Cruceo Jun 06 '16 at 19:58
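
The single-KeyStore approach suggested in the comment above, as an added example that is not code from the question or from the linked answer. The class name `ChainTrust`, the method `fromStreams`, and the resource names in the usage comment other than `R.raw.thecertificate` are hypothetical; each stream may hold one certificate or a PEM bundle of several.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class ChainTrust {
    private ChainTrust() {}

    /**
     * Builds an SSLContext that trusts every certificate found in the given streams.
     * Usage on Android (resource names beyond thecertificate are hypothetical):
     *   Resources r = context.getResources();
     *   SSLContext ctx = ChainTrust.fromStreams(
     *       r.openRawResource(R.raw.thecertificate),
     *       r.openRawResource(R.raw.intermediate_ca),
     *       r.openRawResource(R.raw.root_ca));
     */
    public static SSLContext fromStreams(InputStream... certStreams) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null); // start from an empty store, not the platform CAs

        int index = 0;
        for (InputStream in : certStreams) {
            try (InputStream stream = in) {
                // generateCertificates() reads every certificate in the stream
                for (Certificate c : cf.generateCertificates(stream)) {
                    X509Certificate x509 = (X509Certificate) c;
                    x509.checkValidity(); // fail early on an expired or not-yet-valid cert
                    // Each entry needs its own alias; reusing one overwrites the previous cert
                    keyStore.setCertificateEntry("trusted-" + index++, x509);
                }
            }
        }
        if (index == 0) {
            throw new IllegalArgumentException("no certificates supplied");
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        return sslContext;
    }
}
```

Every entry placed in the KeyStore becomes a trust anchor, so including the root CA accepts any server certificate that chains to that root, while a KeyStore holding only the server certificate anchors trust on that one certificate. Because `tmf.init(keyStore)` is given a non-null store, the platform's default CA set is not consulted.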

0 Answers