Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How do I validate an android.net.http.SslCertificate with an X509TrustManager?

Android's WebViewClient calls onReceivedSslError when it encounters an untrusted cert. However, the SslError object I receive in that call doesn't have any way public way to get to the underlying X509Certificate to validate it against an existing TrustStoreManager. Looking at the source, I can access the X509Certificate's encoded bytes thusly:

public void onReceivedSslError(WebView view, SslErrorHandler handler,
        SslError error) {
    Bundle bundle = SslCertificate.saveState(error.getCertificate());
    X509Certificate x509Certificate;
    byte[] bytes = bundle.getByteArray("x509-certificate");
    if (bytes == null) {
        x509Certificate = null;
    } else {
        try {
            CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
            Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(bytes));
            x509Certificate = (X509Certificate) cert;
        } catch (CertificateException e) {
            x509Certificate = null;
        }
    }

    // Now I have an X509Certificate I can pass to an X509TrustManager for validation.
}

Obviously, this is private API and is fragile, though I assume it is fairly reliable since they can't change the bundle format. Is there a better way?

like image 898
Heath Borders Avatar asked Nov 26 '13 21:11

Heath Borders


People also ask

How do I validate an Android app certificate?

User taps the validation link, and the app makes a request to the server. The certificate is fetched and tested to see if it is recognized by the Android OS already. If it isn’t a known certificate, the details of the certificate are presented for the user to look at.

How does your custom certificate work with Android applications?

When the application validates the trust chain for our custom certificate, it will find our custom CA in the trust store and our certificate will be trusted. If the application targets Android versions later than 6.0, however, it won’t trust the user-added CA store.

How do I avoid SSL certificate errors?

The simplest way to avoid SSL errors is to have a valid, trusted certificate. This is relatively easy if you can install new, trusted CAs to the device – if the operating system trusts your CA, it will trust a certificate signed by your CA.

How do I convince a mobile application to trust the certificate?

The techniques below all share the common goal of convincing a mobile application to trust the certificate provided by our intercepting proxy. The simplest way to avoid SSL errors is to have a valid, trusted certificate.


1 Answers

After a long wait it seems that a method called getX509Certificate(): java.security.cert.X509Certificate has been added to SslCertificate after my feature request as issue 36984840.

like image 117
Heath Borders Avatar answered Oct 11 '22 03:10

Heath Borders