Hi,

I am developing an enterprise communications app to run on Android 4.0+.
This app has a native transport layer written in C/C++ which manages the
SSL connections with a SIP server.  The native layer uses OpenSSL libraries
for the SSL connection.

I need to implement validation of the server certificate when the app opens
an SSL connection.  This includes validating the certificate chain against
available root CA certificates and hostname validation.  My problem is that
there is no access (that I am aware of) to Android's trust store CA
certificates.  By this, I mean the built-in certificates (e.g. Verisign)
and user-installed trusted CAs.

Therefore, I am pretty sure what I have to do is pass the certificate chain
up to the Java code (this is implemented and working) so that I can use the
Java security APIs.  Essentially, what I have to start with is an array of
certificates (the chain received from the server) in PEM format (could be
DER, if that was better).

I understand how I can convert the chain into Certificate objects and the 
Certificate objects into a CertPath object.  It looks like one can then use 
the CertPathValidator to validate the CertPath.  Am I on the right track?  
The point at which I am hung up here is that 
CertPathValidator.validate(cp,params) takes a PKIXParameters object.  This, 
in turn, seems to need either a keystore or a Set of TrustAnchors.  I 
assume that the keystore or set of TrustAnchors represents the trusted root 
CAs that are to be used to validate cp (the CertPath), correct?  If so, 
how/where do I get the input parameters for the PKIXParameters constructor?

On another tack, I just started looking into whether a TrustManager
could/should be used to validate the server certificate.  I think I
understand how TrustManagers fit in and are used when working with an
HttpsURLConnection, but it is not clear how I might do this when all I
start with is my array of PEM certificates.

Can someone point me in the correct direction?

Thanks,

 - Ken
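An added example (not part of Ken's post, and not code from his app) showing both routes he asks about against the platform trust store. It assumes the chain arrives from JNI as an array of PEM strings with the leaf certificate first, and the class name, method names and the "RSA" auth type passed in the usage are illustrative. On Android 4.0+ a TrustManagerFactory initialised with a null KeyStore is backed by the system trust store (built-in CAs plus user-installed CAs); the same store is also reachable as KeyStore.getInstance("AndroidCAStore"), where aliases are prefixed "system:" and "user:". The hostname check uses org.apache.http.conn.ssl.StrictHostnameVerifier, which ships in the Android 4.x platform and matches against the certificate's subjectAltName entries (falling back to the CN), so it needs only the leaf certificate rather than an SSLSession.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.StrictHostnameVerifier;

/** Hypothetical helper (assumed name) that validates a server chain handed up from native code. */
public final class ServerChainValidator {

    private final X509TrustManager platformTrust;

    public ServerChainValidator() throws GeneralSecurityException {
        // init((KeyStore) null) selects the platform trust store: system CAs plus user-installed CAs.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        platformTrust = found;
    }

    /** Parse the PEM blobs received from JNI (leaf first) into X509Certificate objects. */
    public static List<X509Certificate> parsePemChain(String[] pems) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<X509Certificate>();
        for (String pem : pems) {
            byte[] raw = pem.getBytes(Charset.forName("US-ASCII"));
            chain.add((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(raw)));
        }
        if (chain.isEmpty()) throw new CertificateException("server sent an empty chain");
        return chain;
    }

    /** Route A: let the platform X509TrustManager do the chain building and validation. */
    public void checkWithTrustManager(List<X509Certificate> chain, String authType)
            throws CertificateException {
        platformTrust.checkServerTrusted(chain.toArray(new X509Certificate[chain.size()]), authType);
    }

    /** Route B: CertPathValidator with PKIXParameters built from the platform store's CAs. */
    public PKIXCertPathValidatorResult checkWithCertPath(List<X509Certificate> chain)
            throws GeneralSecurityException {
        Set<TrustAnchor> anchors = new HashSet<TrustAnchor>();
        for (X509Certificate ca : platformTrust.getAcceptedIssuers()) {
            anchors.add(new TrustAnchor(ca, null));
        }
        // The path must not include the trust anchor itself, so drop a trailing self-signed root.
        List<X509Certificate> path = new ArrayList<X509Certificate>(chain);
        while (path.size() > 1) {
            X509Certificate last = path.get(path.size() - 1);
            if (!last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) break;
            path.remove(path.size() - 1);
        }
        CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        // No CRL/OCSP fetching is wired up here; with revocation enabled and no CertStore the
        // validation would fail. Revocation checking has to be added separately if required.
        params.setRevocationEnabled(false);
        CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) cpv.validate(cp, params);
    }

    /** Hostname check against the leaf only; throws SSLException on mismatch. */
    public static void checkHostname(String host, X509Certificate leaf) throws SSLException {
        new StrictHostnameVerifier().verify(host, leaf);
    }

    /** Called from the JNI callback: chain validation first, then hostname. */
    public void validateServer(String host, String[] pemChain) throws GeneralSecurityException {
        List<X509Certificate> chain = parsePemChain(pemChain);
        checkWithTrustManager(chain, "RSA");   // authType is the key exchange type OpenSSL negotiated
        checkHostname(host, chain.get(0));
    }
}
```

Route A is the one to prefer in practice: the platform trust manager already handles path building, the Android-specific CA store and, on later releases, pinning and the trusted-credentials UI, whereas the CertPathValidator route only reproduces part of that. Either way the hostname check is a separate step that the chain validation does not perform, and the native side must abort the handshake if the Java call throws rather than treating the callback as advisory.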

-- 
You received this message because you are subscribed to the Google Groups 
"Android Security Discussions" group.
Visit this group at 
http://groups.google.com/group/android-security-discuss?hl=en.