I have a keystore file, how do I provide keyManagers to sslContext in Android app?

Question

UPDATE: As for my original question, it turns out that call to java.security.KeyStore.getCertificate(alias) does actually return X509Certiciate. That wasn't the issue though.

(Bear with me please, I'm new to this certificate stuff.)

I managed to connect to my (self-signed) SSL-enabled server, as long as I don't require authenticated clients. When I do require clientAuth my app yields "routines:SSL3_READ_BYTES:sslv3 alert handshake failure (external/openssl/ssl/s3_pkt.c"... (also described here)... For some the cure was to switch from BKS to PKCS12, that did not work for me.

So now I am trying to implement my own X509KeyManager (as suggested here), to hand it to sslContext.init([keyManager], trustManagers, null).

If I understand it correctly the sslContext will ask my keyManager(s) for either a certificate chain and/or a private key for a given alias. (Whenever it asks what alias to choose I provide my hard-coded one.)

But according to the X509KeyManager interface I am supposed to return X509Certificate. How do I create one using the keystore?

Answer 1

You can use a KeyStore with your client certificate for client authentication without explicitly creating a KeyManager. The code should be something like this:

KeyStore keyStore = KeyStore.getInstance("BKS");
InputStream is = getResources().openRawResource(R.raw.client);
keyStore.load(is, "yourKeyStorePassword".toCharArray());
is.close();

KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");
keyManagerFactory.init(keyStore, "yourKeyStorePassword".toCharArray());

SSLContext sslContext = SSLContext.getInstance("TLS"); 
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagers, null);

Also make sure that your server trusts your client certificate.