Like I literally said before:
"You don't want to use
KeyManagerFactory, but make your own X509KeyManager and pass that when
you create your SSLContext. You can put logging there to verify it is
getting called and of course have the code to return the PrivateKey
and certificate chain you received from

Hi Brian,
Sorry for writing the third time.
That is how I try to accomplish it right now:
KeyManager keyManager =
KeyChainKeyManager.fromAlias(getApplicationContext(), ht.mClientCertAlias);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[] { keyManager }, getCustomT

Hi Brian,
Why do I have to create my *own X509KeyManager*? Can't I just use
the one from the Google Email app?
The *SSLUtils*.class (Google Email app) has a fromAlias method which gives
back a *KeyChainKeyManager* object.
see: (return new KeyChainKeyManager(alias, certificateChain, pri

So if you really need to get certs from the system keystore daemon,
then KeyChain is what you want. You don't want to use
KeyManagerFactory, but make your own X509KeyManager and pass that when
you create your SSLContext. You can put logging there to verify it is
getting called and of course have the

It doesn't sound like you need to use KeyChain at all, but just
HttpsURLConnection, which isn't Android specific, there are lots of
examples of doing this with Java in general.
http://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html
How are you distributing the client cert? a

Hi Brian,
Every user of my app has their own client certificate installed, for example
CN=N127391
These client certificates are signed by the root authority (This
certificate is also installed on the device)
The problem is that I still get the *403 forbidden error* (authentication
fails), when I

I don't recall the exact reasons why the Email code is the way it is. I
think the primary reason is that they don't know ahead of time if the
server is going to want a client cert, so they install a manager to record
the fact that a cert was requested, then do some UI to ask the user what
they want

Hi Brian,
Yes, I took a look at the SSLUtils.class.
The class *TrackingKeyManager* (static class inside the SSLUtils) extends
the class *StubKeyManager* which extends the class *X509ExtendedKeyManager*.
But why do I need this class? I tried to use the
SSLCertificateSocketFactory instead (It has