Ok, it is working now with the suggested approach.

Thanks again for the help and the additional alternative solution (in 
memory keystore).

On Monday, 5 November 2012 21:03:26 UTC+2, Brian Carlstrom wrote:
>
> On Mon, Nov 5, 2012 at 10:49 AM, Frans van Niekerk 
> <[email protected]> wrote: 
> > What other options are there to create a pure SSL socket, other then 
> > SSLSocketFactory? 
>
> The code I referenced in the documentation does create an 
> SSLSocketFactory, the example is just showing how to supply that to 
> the HttpsURLConnection. 
>
>    KeyStore keyStore = ...; 
>    TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509"); 
>    tmf.init(keyStore); 
>
>    SSLContext context = SSLContext.getInstance("TLS"); 
>    context.init(null, tmf.getTrustManagers(), null); 
>
>    URL url = new URL("https://www.example.com/"); 
>    HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection(); 
>    urlConnection.setSSLSocketFactory(context.getSocketFactory()); 
>
> > Coming from a JEE background I am used to keeping the things that change 
> > per environment (dev/test/prod) in the environment and not in the code. The 
> > custom keystore approach seems to introduce dev environment requirements 
> > into source code, not only the part where you initialise it, but also the 
> > actual binary for deployment. Is this not seen as problematic in the 
> > Android world? (There are other examples like server urls that might change 
> > that have a similar issue in my mind) 
>
> Well, if you are using a self-signed server certificate, you don't 
> have much choice but to bake in what is basically server specific 
> information, unless you have some other way to supply the self-signed 
> cert information to the app. 
>
> And I'm not suggesting a custom KeyStore, it is just the way to 
> provide the self-signed cert to the TrustManager. (These are all just 
> the javax.net.ssl APIs by the way, nothing Android specific). Here is 
> a further example with the details of creating the KeyStore in memory 
> on the fly. Note you can load the bytes for the self-signed cert to 
> trust from where ever you like, including a resource external to the 
> code: 
>
>         // Load CAs from an InputStream (could be a resource or ByteArrayInputStream or ...) 
>         CertificateFactory cf = CertificateFactory.getInstance("X.509"); 
>         InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt")); 
>         Certificate ca; 
>         try { 
>             ca = cf.generateCertificate(caInput); 
>         } finally { 
>             caInput.close(); 
>         } 
>
>         // Create a KeyStore containing our trusted CAs 
>         String keyStoreType = KeyStore.getDefaultType(); 
>         KeyStore keyStore = KeyStore.getInstance(keyStoreType); 
>         keyStore.load(null, null); 
>         keyStore.setCertificateEntry("ca", ca); 
>
> (note my code references CAs because it is from another example I had, 
> but the same applies for a self-signed certificate.) 
>
> -bri 
>
> > 
> > Thanks again for taking the time to help me. 
> > 
> > 
> > On Monday, 5 November 2012 20:25:10 UTC+2, Brian Carlstrom wrote: 
> >> 
> >> On Mon, Nov 5, 2012 at 9:27 AM, Frans van Niekerk 
> >> <[email protected]> wrote: 
> >> > According to the android.net.SSLCertificateSocketFactory 
> >> 
> >> I wouldn't recommend using that class or anything related to it if you 
> >> can avoid it. 
> >> 
> >> The Android HttpsURLConnection documentation 
> >> http://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html 
> >> has an example of making an application specific X509TrustManager. If 
> >> you provide it a KeyStore containing your self-signed cert, it will 
> >> trust it. 
> >> 
> >> -bri 
> > 
> > -- 
> > You received this message because you are subscribed to the Google Groups 
> > "Android Security Discussions" group. 
> > To view this discussion on the web visit 
> > https://groups.google.com/d/msg/android-security-discuss/-/wKa5AM1jV-0J. 
> > To post to this group, send email to [email protected]. 
> > To unsubscribe from this group, send email to [email protected]. 
> > For more options, visit this group at 
> > http://groups.google.com/group/android-security-discuss?hl=en. 
>

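The approach Brian outlines above (parse the self-signed certificate, put it in an in-memory KeyStore, initialise a TrustManagerFactory from that store, and hand the resulting SSLContext's socket factory to HttpsURLConnection) is collected here into one runnable program. This is an added example, not code from the thread or from the Android documentation. It assumes the certificate is supplied as a PEM or DER file on the command line together with the URL to test (on Android you would read the same bytes from a raw resource or assets instead of a file path, since the bytes can come from anywhere); the class and method names are my own, and it uses TrustManagerFactory.getDefaultAlgorithm() rather than the literal "X509" string from the quoted snippet.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (hypothetical class name): trust exactly the certificate(s)
 * supplied, and nothing else, for one HttpsURLConnection. Only
 * javax.net.ssl / java.security APIs are used, so this runs on a desktop
 * JDK as well as on Android.
 */
public final class SelfSignedTrust {

    /** Parse one or more X.509 certificates (PEM bundle or single DER blob). */
    static Collection<? extends Certificate> parseCertificates(byte[] encoded)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return cf.generateCertificates(new ByteArrayInputStream(encoded));
    }

    /** Build an empty in-memory KeyStore and add each certificate as a trusted entry. */
    static KeyStore trustStoreFor(Collection<? extends Certificate> certs)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // null stream: start empty, nothing is read from disk
        int i = 0;
        for (Certificate c : certs) {
            ks.setCertificateEntry("trusted-" + (i++), c);
        }
        return ks;
    }

    /** SSLSocketFactory whose trust decisions come only from the given store. */
    static SSLSocketFactory socketFactoryFor(KeyStore trustStore)
            throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Key managers stay null: server authentication only, no client certificate.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** Open an HTTPS connection that trusts only the supplied certificate(s). */
    static HttpsURLConnection connect(URL url, SSLSocketFactory factory) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(factory);
        // The default HostnameVerifier is deliberately left in place: the
        // certificate must still match the host name, otherwise whoever holds
        // the trusted cert's private key could impersonate any host.
        return conn;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: SelfSignedTrust <server-cert.pem|.der> <https-url>");
            System.exit(2);
        }
        byte[] encoded = Files.readAllBytes(Paths.get(args[0]));
        Collection<? extends Certificate> certs = parseCertificates(encoded);
        for (Certificate c : certs) {
            X509Certificate x = (X509Certificate) c;
            System.out.println("trusting: " + x.getSubjectX500Principal()
                    + " (expires " + x.getNotAfter() + ")");
        }
        HttpsURLConnection conn =
                connect(new URL(args[1]), socketFactoryFor(trustStoreFor(certs)));
        // A server presenting any other certificate fails here with SSLHandshakeException.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getURL().getHost());
        conn.disconnect();
    }
}
```

Two points worth checking when adopting this. First, the program never touches HostnameVerifier; replacing it with an accept-all verifier is the usual shortcut people reach for when a self-signed cert fails, and it removes the host binding that makes the trust store useful. Second, because the certificate is baked into the app (the concern raised earlier in the thread), its notBefore/notAfter window is now an app deadline: the expiry printed by main() is the date on which every installed copy stops connecting unless the cert bytes are shipped as a replaceable resource.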