Hi Brian, I am having my server certificate, intermediate CA certificate and root certificate that are stored in an Array list. Now my requirement is to check whether the issuer of my server certificate (either intermediate CA or root certificate) is present in the Android trusted store.
How to achieve this? Also, is there a way to get the names of trusted store certificates?

On Tue, Jul 1, 2014 at 11:06 PM, Brian Carlstrom <[email protected]> wrote:
> I sketched out some sample code. These aren't Android specific APIs.
> You call an X509TrustManager, you don't write one. You get one from a
> TrustManagerFactory. you need to provide the intermediate CA along
> with the server cert, it just does come up with that out of thin air.
>
> you never answered why you need to do this. If you are getting the
> server and intermediate as part of an SSLSocket (or
> HttpsURLConnection), the chain should already be verified.
>
> -bri
>
> On Tue, Jul 1, 2014 at 7:45 AM, Vetrichelvan G <[email protected]> wrote:
> > Hi,
> >
> > My question is simple.
> >
> > I would like to check whether my certificate has been well signed by any
> > one of root certificate in the Android trusted certificate store (needs to be
> > validated against root CA and intermediate CA).
> >
> > How can I achieve that.
> >
> > Sorry. I didn't the answer from your post.
> >
> > Currently I am having x509 certificate which needs to be validated.
> >
> > Brian please help me on this please.
> >
> > On Sun, Jun 29, 2014 at 8:19 AM, Brian Carlstrom <[email protected]> wrote:
> >>
> >> You can use something like
> >>
> >> TrustManagerFactory tmf =
> >>     TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
> >> tmf.init((KeyStore) null); // use default platform set of trusted CAs
> >> TrustManager[] tms = tmf.getTrustManagers();
> >>
> >> then search the array for an X509TrustManager. you don't want to
> >> be implementing your own.
> >>
> >> note that your chain probably needs to have an intermediate added
> >>
> >> you can wrap this with using X509TrustManagerExtensions
> >>
> >> http://developer.android.com/reference/android/net/http/X509TrustManagerExtensions.html
> >>
> >> if you need to get the chain you passed in extended with the trusted CA.
> >>
> >> There isn't a public API that can give you the list of current CAs, at
> >> least not without relying on implicit implementation details.
> >>
> >> but the real question is what you are trying to do. if you use
> >> SSLSocket or HttpsURLConnection with the system defaults, it will
> >> check against the system CAs.
> >>
> >> -bri
> >>
> >> On Fri, Jun 27, 2014 at 9:03 AM, Vetrichelvan G <[email protected]> wrote:
> >> >
> >> > Hi All,
> >> >
> >> > I am having one server certificate and I have to check whether the issuer of
> >> > this certificate exists in the android trust store or not.
> >> >
> >> > How to achieve this one? From the net I found we can use the
> >> > checkServerTrusted method present in X509TrustManager interface.
> >> >
> >> > cert = my server certificate
> >> >
> >> > 1. Creating certificate chain that can be passed for validation
> >> >
> >> > X509Certificate certs [] = new X509Certificate [] {cert};
> >> >
> >> > 2.
> >> > public class Myclass implements X509TrustManager {
> >> >     // Activity activity = null;
> >> >     String[] trustedCertificate = new String[0];
> >> >
> >> >     public void checkClientTrusted(X509Certificate[] chain, String authType)
> >> >             throws CertificateException
> >> >     {
> >> >     }
> >> >
> >> >     public void checkServerTrusted(X509Certificate[] chain, String authType)
> >> >             throws CertificateException
> >> >     {
> >> >
> >> >     }
> >> >
> >> >
> >> > Here my question is how can I get all the certificates present in Truststore
> >> > in array or in some other format.
> >> >
> >> > Any help will be really appreciated.
> >> >
> >> > --
> >> > You received this message because you are subscribed to the Google Groups
> >> > "Android Security Discussions" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send an
> >> > email to [email protected].
> >> > To post to this group, send email to [email protected].
> >> > Visit this group at http://groups.google.com/group/android-security-discuss.
> >> > For more options, visit https://groups.google.com/d/optout.
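Added example, not part of the original thread and not the sample code Brian mentions sketching: one way to run the check discussed above, handing the server certificate plus intermediate to the platform's default X509TrustManager instead of implementing one. The class name, method names and the `authType` value supplied by the caller are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper class; the names here are illustrative only.
public final class PlatformTrustCheck {

    /** Returns the X509TrustManager backed by the default platform CA set. */
    static X509TrustManager defaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use default platform set of trusted CAs
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /**
     * certs: server certificate first, followed by the intermediate CA(s),
     *        as in the list described in the question.
     * authType: key exchange algorithm of the connection, e.g. "RSA"
     *           (assumption: the caller knows which one applies).
     * Returns true only if the trust manager accepts the chain.
     */
    static boolean chainsToPlatformCa(List<X509Certificate> certs, String authType)
            throws GeneralSecurityException {
        if (certs == null || certs.isEmpty()) {
            throw new IllegalArgumentException("empty certificate chain");
        }
        X509Certificate[] chain = certs.toArray(new X509Certificate[0]);
        try {
            defaultTrustManager().checkServerTrusted(chain, authType);
            return true;
        } catch (CertificateException e) {
            // Rejected: no path to a trusted CA, expired certificate, bad signature, etc.
            return false;
        }
    }
}
```

A `true` result means only that the chain builds to a CA in the platform default set; it does not check that the certificate matches any particular hostname.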
