2

I have some code on Android that makes use of URL.openStream. For internal test purposes I need to be able to point it to a server that uses a private CA. We already have our CA bundles in PEM format (as we're also using libcurl from NDK), and would like to be able to just read the PEM files directly into whatever KeyStore (or similar) that URL.openStream uses.

So this question is a multi-part thing:

  1. How do you get the key storage used by URL.openStream? Or should I just be using HttpClient directly?
  2. How do you add a PEM certificate to said key storage? (even if using HttpClient)

Thanks.

fluffy
  • 5,212
  • 2
  • 37
  • 67

1 Answers1

1

I can't speak for Android specifically, but at least standard desktop Java has a default keystore that is used by all instances of the JVM, located at /lib/security/cacerts.

In many cases, this file should not be modified globally for all instances of the JVM, but on a case-by-case basis, as you already eluded to. To do this, you can't call .openStream directly. Instead, get a HttpsURLConnnection by calling URLConnection.openConnection() (and casting it do a HttpsURLConnection). Before performing any other operations on this connection, set a custom SSLSocketFactory by calling HttpsURLConnection.setSSLSocketFactory. From here, you'll need to work with a custom SSLContext and TrustManagers.

Some additional details around this are already answered at How can I use different certificates on specific connections?.

If you want to use HttpClient, additional references are available at http://hc.apache.org/httpclient-3.x/sslguide.html and How to handle invalid SSL certificates with Apache HttpClient?.

Community
  • 1
  • 1
ziesemer
  • 27,712
  • 8
  • 86
  • 94