On Mon, Nov 5, 2012 at 10:49 AM, Frans van Niekerk
<[email protected]> wrote:
> What other options are there to create a pure SSL socket, other than
> SSLSocketFactory?
The code I referenced in the documentation does create an
SSLSocketFactory; the example is just showing how to supply that to
the HttpsURLConnection.
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

KeyStore keyStore = ...;  // holds the self-signed server cert to trust
// TrustManager that trusts only the certificates in keyStore
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(keyStore);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
URL url = new URL("https://www.example.com/");
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
// Hand the pinned context's socket factory to this one connection
urlConnection.setSSLSocketFactory(context.getSocketFactory());
> Coming from a JEE background I am used to keeping the things that change
> per environment (dev/test/prod) in the environment and not in the code. The
> custom keystore approach seems to introduce dev environment requirements
> into source code, not only the part where you initialise it, but also the
> actual binary for deployment. Is this not seen as problematic in the
> Android world? (There are other examples like server urls that might change
> that have a similar issue in my mind)
Well, if you are using a self-signed server certificate, you don't
have much choice but to bake in what is basically server specific
information, unless you have some other way to supply the self-signed
cert information to the app.
And I'm not suggesting a custom KeyStore, it is just the way to
provide the self-signed cert to the TrustManager. (These are all just
the javax.net.ssl APIs by the way, nothing Android specific). Here is
a further example with the details of creating the KeyStore in memory
on the fly. Note you can load the bytes for the self-signed cert to
trust from wherever you like, including a resource external to the
code:
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// Load CAs from an InputStream (could be a resource or
// ByteArrayInputStream or ...)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
    ca = cf.generateCertificate(caInput);
} finally {
    caInput.close();
}

// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);               // start from an empty in-memory store
keyStore.setCertificateEntry("ca", ca);  // becomes a trust anchor for the TrustManager
(note my code references CAs because it is from another example I had,
but the same applies for a self-signed certificate.)
-bri
>
> Thanks again for taking the time to help me.
>
>
> On Monday, 5 November 2012 20:25:10 UTC+2, Brian Carlstrom wrote:
>>
>> On Mon, Nov 5, 2012 at 9:27 AM, Frans van Niekerk
>> <[email protected]> wrote:
>> > According to the android.net.SSLCertificateSocketFactory
>>
>> I wouldn't recommend using that class or anything related to it if you
>> can avoid it.
>>
>> The Android HttpsURLConnection documentation
>>
>> http://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html
>> has an example of making an application specific X509TrustManager. If
>> you provide it a KeyStore containing your self-signed cert, it will
>> trust it.
>>
>> -bri
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/android-security-discuss/-/wKa5AM1jV-0J.
>
> To post to this group, send email to
> [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
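The two fragments Brian posts above, combined into one complete program, as an added example that is not code from the thread or from the Android documentation. The class name PinnedHttpsClient, the helper names loadCertificate, pinnedContext and fetch, and the command-line arguments (a DER or PEM certificate file and an https URL) are assumptions for this illustration. It trusts exactly one self-signed server certificate, then shows that the same URL is rejected by the system default trust store, which is the behaviour the custom TrustManager exists to work around.

```java
// PinnedHttpsClient.java (added example, not from the thread)
// Usage: java PinnedHttpsClient server.crt https://host.example/
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class PinnedHttpsClient {

    /** Read a single DER or PEM encoded X.509 certificate from a file. */
    static Certificate loadCertificate(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream in = new BufferedInputStream(new FileInputStream(path));
        try {
            return cf.generateCertificate(in);
        } finally {
            in.close();
        }
    }

    /** Build an SSLContext whose only trust anchor is the given certificate. */
    static SSLContext pinnedContext(Certificate ca) throws Exception {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);                 // empty in-memory store
        keyStore.setCertificateEntry("ca", ca);    // the one cert we trust

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);                        // trusts keyStore, nothing else

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);
        return context;
    }

    /** Perform a GET with the given SSLContext and return the HTTP status. */
    static int fetch(URL url, SSLContext context) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(context.getSocketFactory());
        // The default HostnameVerifier is deliberately left in place: the
        // pinned certificate must still name the URL host in its subjectAltName.
        try {
            return conn.getResponseCode();         // triggers the TLS handshake
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        Certificate ca = loadCertificate(args[0]);
        URL url = new URL(args[1]);

        // With the pinned trust store the handshake succeeds ...
        System.out.println("pinned:  HTTP " + fetch(url, pinnedContext(ca)));

        // ... while the system default trust store rejects a self-signed cert.
        try {
            fetch(url, SSLContext.getDefault());
            System.out.println("default: accepted (is the cert in the system store?)");
        } catch (SSLHandshakeException e) {
            System.out.println("default: rejected, " + e.getMessage());
        }
    }
}
```

Two points worth keeping in mind when adapting this. First, do not replace the HostnameVerifier to make a mismatched certificate work; with the verifier in place, the pinned context only accepts that exact certificate presented by that exact host. Second, this pins the certificate itself, not a CA, so rotating the server certificate means shipping a new copy of it to the app, which is the deployment coupling Frans asks about; loading the bytes from a resource or a per-environment build flavour changes where the coupling lives, not whether it exists.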