
In the app I'm working on, I have to make an HTTPS connection to my web server, which uses a self-signed certificate. I was getting "certificate not trusted" errors, and after consulting SO, I found this blog posting: http://blog.antoine.li/index.php/2010/10/android-trusting-ssl-certificates/

I created a JKS keystore for my Tomcat running on my local machine using keytool with the following command:

 keytool -genkey -keyalg RSA -alias selfsigned -keystore keystore.jks -storepass password -validity 360 -keysize 2048

And I extracted the certificate from that JKS keystore in DER-encoded format using an open source tool called Portecle.

And then I created a new BKS keystore with the above certificate using the same Portecle tool, as Android has built-in support for the Bouncy Castle provider.

Now if I make an HTTP POST as shown in the first URL, I am getting the following exception in logcat:

WARN/System.err(498): javax.net.ssl.SSLException: Not trusted server certificate
WARN/System.err(498):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:371)
WARN/System.err(498):     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:92)
WARN/System.err(498):     at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
WARN/System.err(498):     at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:164)
WARN/System.err(498):     at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
WARN/System.err(498):     at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
WARN/System.err(498):     at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:348)
WARN/System.err(498):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
WARN/System.err(498):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
WARN/System.err(498):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
WARN/System.err(498):     at com.portal.activity.Registration$ProgressThread.run(Registration.java:324)
WARN/System.err(498): Caused by: java.security.cert.CertificateException: java.security.InvalidAlgorithmParameterException: the trust anchors set is empty
WARN/System.err(498):     at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:151)
WARN/System.err(498):     at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:366)
WARN/System.err(498):     ... 10 more
WARN/System.err(498): Caused by: java.security.InvalidAlgorithmParameterException: the trust anchors set is empty
WARN/System.err(498):     at java.security.cert.PKIXParameters.checkTrustAnchors(PKIXParameters.java:611)
WARN/System.err(498):     at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:86)
WARN/System.err(498):     at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.<init>(TrustManagerImpl.java:82)
WARN/System.err(498):     at org.apache.harmony.xnet.provider.jsse.TrustManagerFactoryImpl.engineGetTrustManagers(TrustManagerFactoryImpl.java:132)
WARN/System.err(498):     at javax.net.ssl.TrustManagerFactory.getTrustManagers(TrustManagerFactory.java:226)
WARN/System.err(498):     at org.apache.http.conn.ssl.SSLSocketFactory.createTrustManagers(SSLSocketFactory.java:263)
WARN/System.err(498):     at org.apache.http.conn.ssl.SSLSocketFactory.<init>(SSLSocketFactory.java:190)
WARN/System.err(498):     at org.apache.http.conn.ssl.SSLSocketFactory.<init>(SSLSocketFactory.java:216)
WARN/System.err(498):     at com.portal.httpclient.MyHttpClient.newSslSocketFactory(MyHttpClient.java:51)
WARN/System.err(498):     at com.portal.httpclient.MyHttpClient.createClientConnectionManager(MyHttpClient.java:31)
WARN/System.err(498):     at org.apache.http.impl.client.AbstractHttpClient.getConnectionManager(AbstractHttpClient.java:221)
WARN/System.err(498):     at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:539)
WARN/System.err(498):     ... 3 more

My HttpClient is the same as in the first URL, except that the ports for http and https are changed to 8080 and 8443 instead of 80 and 443 respectively.

Please help.

Sreeram
  • http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https – Samir Mangroliya Sep 30 '11 at 10:33
  • @Divyesh - Thanks for the response. I don't want to accept all certificates. I want to build my own trusted store so that I can accept certificates from that server only. I want it the similar way which is specified in the first URL of my post. – Sreeram Sep 30 '11 at 10:45

2 Answers


You can find instructions for using custom truststores with Android here http://blog.crazybob.org/2010/02/android-trusting-ssl-certificates.html

Briefly:

  • Get the public cert for the server
  • Create a BKS truststore with that certificate
  • Create and use a custom HttpClient for your post

Sounds like you've done the top two but not the bottom step.

Also, did Portecle use the correct flags? You need the trustcacerts flag when creating the BKS store or it won't work.

Ryan Schipper
  • Thanks for the response. I did all the three steps. I didn't post the third step here. I will have to check on the trustcacerts flag in Portecle. – Sreeram Sep 30 '11 at 11:32
  • I didn't find any flag for setting in Portecle. Can you download from the URL I mentioned and check it out? – Sreeram Sep 30 '11 at 11:37
  • @Sreeram I can't see a specific option, though I'd guess you should use the 'Import Trusted Certificate' item. As a troubleshooting step, I recommend recreating your truststore using the command line (as per the link I provided). – Ryan Schipper Sep 30 '11 at 11:41
  • I found out the flag. I will try with setting it and let you know – Sreeram Sep 30 '11 at 11:42
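The third step above (a custom HttpClient that trusts only the bundled BKS store), as an added example rather than code from the post or the linked blog. It assumes the truststore is bundled as res/raw/truststore.bks with store password "secret", uses the question's ports 8080/8443, and fails early if the store holds no trusted-certificate entry, which is exactly what the "trust anchors set is empty" error in the question indicates.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Enumeration;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import android.content.Context;
/** HttpClient that trusts only the certificates in a bundled BKS truststore. */
public class MyHttpClient extends DefaultHttpClient {
    private final Context context;
    public MyHttpClient(Context context) { this.context = context; }
    @Override
    protected ClientConnectionManager createClientConnectionManager() {
        SchemeRegistry registry = new SchemeRegistry();
        // Ports as in the question: 8080 for plain HTTP, 8443 for HTTPS.
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 8080));
        registry.register(new Scheme("https", newSslSocketFactory(), 8443));
        return new ThreadSafeClientConnManager(getParams(), registry);
    }
    private SSLSocketFactory newSslSocketFactory() {
        try {
            // Assumed: truststore at res/raw/truststore.bks (R.raw.truststore), password "secret".
            KeyStore trusted = KeyStore.getInstance("BKS");
            InputStream in = context.getResources().openRawResource(R.raw.truststore);
            try { trusted.load(in, "secret".toCharArray()); } finally { in.close(); }
            // "the trust anchors set is empty" means there are no trusted-certificate
            // entries: a private-key entry (what keytool -genkey makes) does not count.
            if (countTrustedCerts(trusted) == 0) {
                throw new IllegalStateException("no trustedCertEntry in truststore; import the server cert with keytool -importcert -trustcacerts");
            }
            SSLSocketFactory sf = new SSLSocketFactory(trusted);
            // Keep hostname verification strict; only the bundled cert is trusted anyway.
            sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
            return sf;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
    static int countTrustedCerts(KeyStore ks) throws KeyStoreException {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();)
            if (ks.isCertificateEntry(e.nextElement())) n++;
        return n;
    }
}
```

Checking `isCertificateEntry` before building the factory turns the vague handshake failure into a precise message about the store's contents, which is what distinguishes a key entry imported by mistake from a trusted certificate entry.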

I stopped using Portecle and did everything using the command line.

I am using just keytool for doing everything, as shown in the URL in my question.

It worked for me.

Sreeram