Like I literally said before:
"You don't want to use
KeyManagerFactory, but make your own X509KeyManager and pass that when
you create your SSLContext. You can put logging there to verify is
getting called and of course have the code to return the PrivateKey
and certificate chain you received from the KeyChain. the logging will
ensure that the SSL handshake is attempting to call the KeyManager to
get the client certificate and key information."
-bri
On Mon, Dec 3, 2012 at 1:05 PM, Jens Hoffmann <jenssap2...@gmail.com> wrote:
> Hi Brian,
>
> sorry for writing the third time.
> That is how I try to accomplish it right now:
>
> KeyManager keyManager =
> KeyChainKeyManager.fromAlias(getApplicationContext(), ht.mClientCertAlias);
> sslContext = SSLContext.getInstance("TLS");
> sslContext.init(new KeyManager[] { keyManager }, getCustomTrustManagers(),
> new SecureRandom());
> HttpsURLConnection urlConnection = null;
>
> URL url = new URL(this.url);
> urlConnection = (HttpsURLConnection) url.openConnection();
> urlConnection.setConnectTimeout(5000); // 5 seconds
> urlConnection.setReadTimeout(10000);
> urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
>
> iResponseCode = urlConnection.getResponseCode();
>
>
> I get an exception: javax.net.ssl.SSLException: Read error: ssl=0x2c5e40:
> I/O error during system call, Connection reset by peer
>
> Do you know what this can mean. I didn't find much information in the net.
>
> best regards,
>
> jens
>
>
> Am Montag, 3. Dezember 2012 18:14:35 UTC+1 schrieb Jens Hoffmann:
>>
>> Hi Brian,
>>
>> why do I have to create my own my own X509KeyManager? Can't I just use the
>> one from the google email app?
>>
>> The SSLUtils.class (google email app) has a fromAlias methode which gives
>> back a KeyChainKeyManager-object.
>> see: (return new KeyChainKeyManager(alias, certificateChain, privateKey)
>>
>> That is how I init my SSLContext :
>>
>> sslContext = SSLContext.getInstance("TLS");
>> sslContext.init(new KeyManager[] { keyManager }, null, null;
>>
>> => The KeyChainKeyManager class extends the StubKeyManager class, which
>> extends the X509ExtendedKeyManager class.
>>
>> And the methods: chooseClientAlias, getCertificateChain, getPrivateKey are
>> implemented there.
>>
>> best regards,
>>
>> jens.
>>
>>
>>
>>
>> Am Donnerstag, 29. November 2012 23:19:59 UTC+1 schrieb Brian Carlstrom:
>>>
>>> So if your really need to get certs from the system keystore daemon,
>>> then KeyChain is what you want. You don't want to use
>>> KeyManagerFactory, but make your own X509KeyManager and pass that when
>>> you create your SSLContext. You can put logging there to verify is
>>> getting called and of course have the code to return the PrivateKey
>>> and certificate chain you received from the KeyChain. the logging will
>>> ensure that the SSL handshake is attempting to call the KeyManager to
>>> get the client certificate and key information.
>>>
>>> if that seems to be working, but you are still getting 403, I would
>>> look with tcpdump/wireshark to confirm that the client certificate is
>>> being sent during the handshake, as well as the server logs for what
>>> information they provide about the cause of failure. but i'm guessing
>>> the cert isn't being sent from the client at all.
>>>
>>> -bri
>>>
>>> On Thu, Nov 29, 2012 at 1:10 AM, Jens Hoffmann <jenss...@gmail.com>
>>> wrote:
>>> > Hi Brian.
>>> >
>>> > I use the KeyChain Api to set the necessary permissions to the
>>> > certificate.
>>> >
>>> > // That methode opens a view where the user can choose the certificate
>>> > an
>>> > allow it.
>>> > private void setPermissionsForCertificate() {
>>> > KeyChain.choosePrivateKeyAlias(this, new KeyChainAliasCallback() {
>>> >
>>> > public void alias(String alias) {
>>> > // Credential alias selected. Remember the alias selection for
>>> > // future use.
>>> >
>>> > }
>>> > }, null, // List of acceptable key types. null for any new String[]
>>> > // {"RSA"}
>>> > null, // issuer, null for any
>>> > null, // host name of server requesting the cert, null if
>>> > // unavailable
>>> > -1, // port of server requesting the cert, -1 if unavailable
>>> > null); // alias to preselect, null if unavailable
>>> > }
>>> >
>>> > The client certs are pre-installed on each device.
>>> > (It comes with a special software which is installed on the devices)
>>> > => So the client certficates are installed in the existing keystore of
>>> > the
>>> > device.
>>> >
>>> >
>>> >
>>> > Thats the code from:
>>> >
>>> > http://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html
>>> >
>>> > KeyStore keyStore = ...;
>>> > KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509");
>>> > kmf.init(keyStore);
>>> > SSLContext context = SSLContext.getInstance("TLS");
>>> > context.init(kmf.getKeyManagers(), null, null);
>>> >
>>> >
>>> > So I need to have a KeyStore. Instead of creating a custom KeyStore
>>> > I wanted to use the existing KeyStore.
>>> > That's why I have to use the KeyChain Api, to read the chain and the
>>> > private
>>> > key from the store.
>>> > Is this correct?
>>> >
>>> >
>>> > I already tried the example with the HttpsULRConnection, but I still
>>> > get a
>>> > forbidden exception.
>>> >
>>> > best regards,
>>> >
>>> > jens.
>>> >
>>> >
>>> >
>>> > 2012/11/28 Brian Carlstrom <b...@google.com>
>>> >>
>>> >> It doesn't sound like you need to use KeyChain at all, but just
>>> >> HttpsURLConnection, which isn't Android specific, there are lots of
>>> >> examples
>>> >> of doing this with Java in general.
>>> >>
>>> >>
>>> >>
>>> >> http://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html
>>> >>
>>> >> how are you distributing the client cert? are you going to have them
>>> >> type
>>> >> their other credentials (such as password) once, and then download the
>>> >> client cert to the app?
>>> >>
>>> >> -bri
>>> >>
>>> >>
>>> >>
>>> >> On Wed, Nov 28, 2012 at 1:45 PM, Jens Hoffmann <jenss...@gmail.com>
>>> >> wrote:
>>> >>>
>>> >>> Hi Brian,
>>> >>>
>>> >>> every user of my app has its own client certificate installed: for
>>> >>> example CN=N127391
>>> >>> These client certificates are signed by the root authority (This
>>> >>> certificate is also installed on the device)
>>> >>> The problem is that I still get the 403 forbidden error
>>> >>> (authentication
>>> >>> fails), when I connect with an android device..
>>> >>> With a windows device (for example with the internet explorer or
>>> >>> chrom),
>>> >>> it works.
>>> >>>
>>> >>> first use case: authentication (Single Sign On, so that android user
>>> >>> does
>>> >>> not have to type in his password)
>>> >>> The use case is that I want to authenticate the android clients to
>>> >>> the
>>> >>> server (WCF Service).
>>> >>> In the WCF Service I can then extract the Number ("N127391") and use
>>> >>> for
>>> >>> example ASP Membership.
>>> >>>
>>> >>> So for the first use case I would need class which transfers the
>>> >>> certificate to the server. In the google code I
>>> >>> have found the SSLSocketFactory:
>>> >>>
>>> >>> * SSLSocketFactory will enable client authentication when supplied
>>> >>> with
>>> >>> a
>>> >>> * {@link KeyStore keystore} file containg a private key/public
>>> >>> certificate
>>> >>> * pair. The client secure socket will use the private key to
>>> >>> authenticate
>>> >>> * itself to the target HTTPS server during the SSL session handshake
>>> >>> if
>>> >>> * requested to do so by the server. The target HTTPS server will in
>>> >>> its
>>> >>> turn
>>> >>> * verify the certificate presented by the client in order to
>>> >>> establish
>>> >>> client's
>>> >>> * authenticity
>>> >>>
>>> >>> So I guess I have to use this class for the authentication?
>>> >>>
>>> >>> seconde use case: encryption
>>> >>> The traffic should be encrypted (SSL). That's why I need the server
>>> >>> certificate.
>>> >>>
>>> >>> Is there a simple way how I can achieve these two use cases.
>>> >>> I am new to android and I am trying to accomplish this for weeks :(.
>>> >>>
>>> >>> I hope you can help me.
>>> >>>
>>> >>> best regards,
>>> >>> jens
>>> >>>
>>> >>>
>>> >>>
>>> >>> Am Mittwoch, 28. November 2012 19:29:13 UTC+1 schrieb Brian
>>> >>> Carlstrom:
>>> >>>>
>>> >>>> I don't recall the exact reasons why the Email code is the way it
>>> >>>> is. I
>>> >>>> think the primary reason is that they don't know ahead of time if
>>> >>>> the server
>>> >>>> is going to want a client cert, so they install a manager to record
>>> >>>> the fact
>>> >>>> that a cert was requested, then do some UI to ask the user what they
>>> >>>> want to
>>> >>>> use, then use a different one configured with the users choice.
>>> >>>>
>>> >>>> it's much simpler in an app where you know ahead of time what client
>>> >>>> cert to use. is that your case? if so, I'd ignore the email example
>>> >>>> code as
>>> >>>> overly convoluted for your use case.
>>> >>>>
>>> >>>> -bri
>>> >>>>
>>> >>>>
>>> >>>> On Wed, Nov 28, 2012 at 4:31 AM, Jens Hoffmann <jenss...@gmail.com>
>>> >>>> wrote:
>>> >>>>>
>>> >>>>> Hi Brian,
>>> >>>>> yes, I took a look at the SSLUtils.class.
>>> >>>>> The class TrackingKeyManager (static class inside the SSLUtils)
>>> >>>>> extends
>>> >>>>> the class StubKeyManager which extends the class
>>> >>>>> X509ExtendedKeyManager.
>>> >>>>> But why do I need this class? I tried to use the
>>> >>>>> SSLCertificateSocketFactory instead (It has X509KeyManager Object
>>> >>>>> inside) .
>>> >>>>> But unfortunately I got an 403 response, access forbidden.
>>> >>>>>
>>> >>>>> It also throws an exception:
>>> >>>>>
>>> >>>>> java.io.FileNotFoundException:
>>> >>>>> https://nameoftheserver/MyService/Service.svc/rest/GetDNumber
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> I have tested the WCF Service with the Internet Explorer and it
>>> >>>>> works
>>> >>>>> just fine.
>>> >>>>> Is my client certificate may be not transferred, so that the server
>>> >>>>> does not get the public key?
>>> >>>>>
>>> >>>>>
>>> >>>>> Code:
>>> >>>>> SSLCertificateSocketFactory sslCertificateSocketFactory = null;
>>> >>>>> try {
>>> >>>>> KeyManager keyManager = KeyChainKeyManager.fromAlias(
>>> >>>>> getApplicationContext(), ht.mClientCertAlias);
>>> >>>>>
>>> >>>>>
>>> >>>>> sslCertificateSocketFactory =
>>> >>>>> SSLUtils.getSSLSocketFactory(false);
>>> >>>>> // use SSL
>>> >>>>>
>>> >>>>>
>>> >>>>> sslCertificateSocketFactory
>>> >>>>> .setKeyManagers(new KeyManager[] { keyManager });
>>> >>>>>
>>> >>>>>
>>> >>>>> } catch (CertificateException e1)..
>>> >>>>>
>>> >>>>>
>>> >>>>> URL url = null;
>>> >>>>> try {
>>> >>>>> url = new URL(this.url);
>>> >>>>> } catch (MalformedURLException e)..
>>> >>>>>
>>> >>>>>
>>> >>>>> HttpsURLConnection urlConnection = null;
>>> >>>>> try {
>>> >>>>> urlConnection = (HttpsURLConnection) url.openConnection();
>>> >>>>> urlConnection.setSSLSocketFactory(sslCertificateSocketFactory);
>>> >>>>> } catch (IOException e)..
>>> >>>>>
>>> >>>>>
>>> >>>>> try {
>>> >>>>> iResponseCode = urlConnection.getResponseCode();
>>> >>>>> if(iResponseCode == 403)
>>> >>>>> {
>>> >>>>> Log.d(TAG, "Response Code is 403, Access forbidden.");
>>> >>>>> }
>>> >>>>> InputStream in = urlConnection.getInputStream();
>>> >>>>> } catch (IOException e)..
>>> >>>>>
>>> >>>>> I hope you can help me. Thanks in advance.
>>> >>>>>
>>> >>>>> best regards,
>>> >>>>> jens
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>>
>>> >>>>> Am Dienstag, 27. November 2012 09:29:46 UTC+1 schrieb Jens
>>> >>>>> Hoffmann:
>>> >>>>>>
>>> >>>>>> Hi everybody,
>>> >>>>>>
>>> >>>>>> I am developing an android application which querys a WCF
>>> >>>>>> Webservice
>>> >>>>>> (SSL + Authentication).
>>> >>>>>> On this link
>>> >>>>>>
>>> >>>>>> (http://android-developers.blogspot.de/2012/03/unifying-key-store-access-in-ics.html)
>>> >>>>>> I found the following:
>>> >>>>>>
>>> >>>>>> "A common use of the private key is for SSL client authentication.
>>> >>>>>> This can be implemented by
>>> >>>>>> using an HttpsURLConnection with a custom X509KeyManager that
>>> >>>>>> returns
>>> >>>>>> the PrivateKey
>>> >>>>>> retrieved from the KeyChain API. The open source Email application
>>> >>>>>> for
>>> >>>>>> ICS uses KeyChain
>>> >>>>>> with an X509ExtendedKeyManager. To learn more, have a look at the
>>> >>>>>> source code (in SSLUtils.java)."
>>> >>>>>>
>>> >>>>>> So I looked into this google code and tried to use the classes.
>>> >>>>>> But it
>>> >>>>>> doesn't work.
>>> >>>>>> I always get an 403 Error - Forbbiden. I really hope you can help
>>> >>>>>> me.
>>> >>>>>>
>>> >>>>>> Here is some code:
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> Android:
>>> >>>>>>
>>> >>>>>> private void setHttpsAdvanced() {
>>> >>>>>> HostAuth ht = new HostAuth();
>>> >>>>>> ht.mPort = 443;
>>> >>>>>> ht.mClientCertAlias = "jensZert";
>>> >>>>>>
>>> >>>>>> HttpParams params = getHttpParams();
>>> >>>>>> MyThreadSafeClientConnManager ccm = MyThreadSafeClientConnManager
>>> >>>>>> .newInstance(params, true, 443);
>>> >>>>>>
>>> >>>>>> try {
>>> >>>>>> ccm.registerClientCert(getApplicationContext(), ht);
>>> >>>>>> } catch (CertificateException e) {
>>> >>>>>> e.printStackTrace();
>>> >>>>>> }
>>> >>>>>>
>>> >>>>>> this.httpclient = new DefaultHttpClient(ccm, params);
>>> >>>>>>
>>> >>>>>> connectionInfo = this.getConnectionInfo();
>>> >>>>>>
>>> >>>>>> this.url = String.format("%1$s://%2$s/%3$s/%4$s",
>>> >>>>>> connectionInfo.Protocol, connectionInfo.ServerName,
>>> >>>>>> connectionInfo.WebserviceName, connectionInfo.Path);
>>> >>>>>>
>>> >>>>>> httpGet = new HttpGet(url);
>>> >>>>>> }
>>> >>>>>>
>>> >>>>>> private String callTheWebserviceCertificate() {
>>> >>>>>> this.setupClient();
>>> >>>>>> String result = "";
>>> >>>>>>
>>> >>>>>> HttpResponse response = null;
>>> >>>>>> try {
>>> >>>>>> response = (HttpResponse) this.httpclient.execute(httpGet);
>>> >>>>>> result = EntityUtils.toString(response.getEntity());
>>> >>>>>>
>>> >>>>>> } catch (ClientProtocolException e) {
>>> >>>>>>
>>> >>>>>> e.printStackTrace();
>>> >>>>>> } catch (IOException e) {
>>> >>>>>> Log.d(TAG, result);
>>> >>>>>> }
>>> >>>>>> return result;
>>> >>>>>> }
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>> My WCF Service web.config:
>>> >>>>>>
>>> >>>>>> <behavior name="ServCertificatBehavior">
>>> >>>>>> <serviceMetadata httpGetEnabled="true" httpsGetEnabled="true" />
>>> >>>>>> <serviceDebug includeExceptionDetailInFaults="true" />
>>> >>>>>> <serviceAuthorization principalPermissionMode="UseWindowsGroups"
>>> >>>>>> />
>>> >>>>>> <serviceCredentials>
>>> >>>>>> <clientCertificate>
>>> >>>>>> <authentication certificateValidationMode="PeerOrChainTrust" />
>>> >>>>>> </clientCertificate>
>>> >>>>>> <serviceCertificate findValue="02 00 0b 30"
>>> >>>>>> storeLocation="LocalMachine" storeName="My"
>>> >>>>>> x509FindType="FindBySerialNumber" />
>>> >>>>>> </serviceCredentials>
>>> >>>>>> </behavior>
>>> >>>>>>
>>> >>>>>> Best regards,
>>> >>>>>> jens
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>>>
>>> >>>>> --
>>> >>>>> You received this message because you are subscribed to the Google
>>> >>>>> Groups "Android Security Discussions" group.
>>> >>>>> To view this discussion on the web visit
>>> >>>>>
>>> >>>>> https://groups.google.com/d/msg/android-security-discuss/-/qKI0PaZewBoJ.
>>> >>>>>
>>> >>>>> To post to this group, send email to
>>> >>>>> android-secu...@googlegroups.com.
>>> >>>>>
>>> >>>>> To unsubscribe from this group, send email to
>>> >>>>> android-security-discuss+unsubscr...@googlegroups.com.
>>> >>>>> For more options, visit this group at
>>> >>>>> http://groups.google.com/group/android-security-discuss?hl=en.
>>> >>>>
>>> >>>>
>>> >>> --
>>> >>> You received this message because you are subscribed to the Google
>>> >>> Groups
>>> >>> "Android Security Discussions" group.
>>> >>> To view this discussion on the web visit
>>> >>>
>>> >>> https://groups.google.com/d/msg/android-security-discuss/-/mtzvEGj2YEAJ.
>>> >>>
>>> >>> To post to this group, send email to
>>> >>> android-secu...@googlegroups.com.
>>> >>>
>>> >>> To unsubscribe from this group, send email to
>>> >>> android-security-discuss+unsubscr...@googlegroups.com.
>>> >>> For more options, visit this group at
>>> >>> http://groups.google.com/group/android-security-discuss?hl=en.
>>> >>
>>> >>
>>> >
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/android-security-discuss/-/lhbWus8O0loJ.
>
> To post to this group, send email to
> android-security-discuss@googlegroups.com.
> To unsubscribe from this group, send email to
> android-security-discuss+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
--
You received this message because you are subscribed to the Google Groups
"Android Security Discussions" group.
To post to this group, send email to android-security-discuss@googlegroups.com.
To unsubscribe from this group, send email to
android-security-discuss+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/android-security-discuss?hl=en.
