The Android Browser and Chrome for Android basically do this. It is
easier to tie in at the X509TrustManager interface where you can just
pass in the chain as an X509Certificate[] and let it deal with the
details of CertPath, CertPathValidator, PKIXParameters, TrustAnchors,
etc.

Basically if you have your array of PEM (or DER, and DER would just be
a little more compact) certificates, just use
CertificateFactory.getInstance("X.509").generateCertificate(new
ByteArrayInputStream(...)); to convert each byte[] to an
X509Certificate and then use X509TrustManager.checkServerTrusted.

-bri

On Wed, Mar 20, 2013 at 11:37 AM, Kenton Cross <[email protected]> wrote:
> Hi,
>
> I am developing an enterprise communications app to run on Android 4.0+.
> This app has a native transport layer written in C/C++ which manages the SSL
> connections with a SIP server. The native layer uses OpenSSL libraries for
> the SSL connection.
>
> I need to implement validation of the server certificate when the app opens
> an SSL connection. This includes validating the certificate chain against
> available root CA certificates and hostname validation. My problem is that
> there is no access (that I am aware of) to Android's trust store CA
> certificates. By this, I mean the built-in certificates (e.g. Verisign) and
> user installed trusted CAs.
>
> Therefore, I am pretty sure what I have to do is pass the certificate chain
> up to the Java code (this is implemented and working) so that I can use the
> Java security APIs. Essentially, what I have to start with is an array of
> certificates (the chain received from the server) in PEM format (could be
> DER, if that was better).
>
> I understand how I can convert the chain into Certificate objects and the
> Certificate objects into a CertPath object. It looks like one can then use
> the CertPathValidator to validate the CertPath. Am I on the right track?
> The point at which I am hung up here is that
> CertPathValidator.validate(cp,params) takes a PKIXParameters object. This,
> in turn, seems to need either a keystore or a Set of TrustAnchors. I assume
> that the keystore or set of TrustAnchors represents the trusted root CAs
> that are to be used to validate cp (the CertPath), correct? If so,
> how/where do I get the input parameters for the PKIXParameters constructor?
>
> On another tack, I just started looking into whether a TrustManager
> could/should be used to validate the server certificate. I think I
> understand how TrustManagers fit in and are used when working with an
> HttpsURLConnection, but it is not clear how I might do this when all I start
> with is my array of PEM certificates.
>
> Can someone point me in the correct direction?
>
> Thanks,
>
> - Ken
>
> --
> You received this message because you are subscribed to the Google Groups
> "Android Security Discussions" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to
> [email protected].
> Visit this group at
> http://groups.google.com/group/android-security-discuss?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
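
The approach described in the reply above, written out as an added example (it is not code from the thread or from Android itself). The class name NativeChainVerifier, the method isChainTrusted and the sample authType value are hypothetical; the chain is assumed to arrive leaf first, one PEM or DER certificate per array element.

```java
import java.io.ByteArrayInputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper, called from the JNI layer with the chain the server sent.
public final class NativeChainVerifier {

    // Returns the X509TrustManager backed by the platform's default trust store.
    static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null selects the default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    // encodedChain: leaf first, each element one PEM or DER certificate.
    // authType: key exchange part of the negotiated cipher suite, e.g. "RSA" (assumed).
    // Returns false on any failure so the native side can fail closed.
    public static boolean isChainTrusted(byte[][] encodedChain, String authType) {
        if (encodedChain == null || encodedChain.length == 0) {
            return false;
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate[] chain = new X509Certificate[encodedChain.length];
            for (int i = 0; i < encodedChain.length; i++) {
                chain[i] = (X509Certificate) cf.generateCertificate(
                        new ByteArrayInputStream(encodedChain[i]));
            }
            // Throws CertificateException if no trusted path can be built.
            defaultTrustManager().checkServerTrusted(chain, authType);
            // Chain validation only: the hostname still has to be matched
            // against the leaf certificate (chain[0]) in a separate step.
            return true;
        } catch (GeneralSecurityException e) { // includes CertificateException
            return false;
        } catch (RuntimeException e) { // e.g. IllegalArgumentException for a null authType
            return false;
        }
    }
}
```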