如何在Android中使用自签名SSL证书

Question

This thing has been bugging me for couple days now. I've read lots of other questions about this whole issue and still haven't been able to proceed.

I've created a simple test application just to test SSL on Android. The application has only one button and when clicked the application tries to send "Hello World" over SSL encrypted connection to my test server, which then responds with the exact same phrase.

First I created a test key and test certificate for my server using openssl. Then I've been following the instructions showed in Crazy Bob's blog . I got the Bouncy Castle provider directly from Bouncy Castle's site, created a trusted keystore as shown on Crazy Bob's blog and got everything right at that point I believe.

When I tried to run my code, I got the exception "IOException: Wrong version of key store." Then I found this question on StackOverflow. There it was suggested that I should try using older Bouncy Castle Providers rather than the newest bcprov-jdk15on-147.jar . I went on with this in mind and actually ended up trying every bcprovider from jdk13-146 to jdk16-146. Still every time I got the same "IOExcpetion: wrong version of key store." exception.

Then I found yet another question about similar problem on StackOverflow. There someone had managed to get rid of that exception by using 512 bit sized key instead of 1024 sized key. Well I gave it a try and accomplished nothing, but the same exception.

So here I am now, wondering what to do next. I'm pretty much running out of ideas and google search results.

My web code is 1 on 1 copy of crazy bob's code and besides that the application has only the activity class that handles the button only. I'm trying to implement this on API level 7.

Any help would be greatly appreciated. Thanks.

Answer 1

2 choices:

1. You can do what you do and create your own key store and I've done that, here is instructions from my code that I stored (because it was so time consuming to get it to work):

   To generate PKS:

   1. Created cert in IIS7 and then exported as pfx. Follow instruction on SelfSSL: http://www.robbagby.com/iis/self-signed-certificates-on-iis-7-the-easy-way-and-the-most-effective-way/ 1a. Download tool: http://cid-3c8d41bb553e84f5.skydrive.live.com/browse.aspx/SelfSSL 1b. Run: SelfSSL /N:CN=mydomainname /V:1000 /S:1 /P:8081 I use port 8181 on my server 1c. Export from IIS manager to cert.pfx
   2. Run command line in SSL to convert file into X.509: openssl pkcs12 -in C:\\cert.pfx -out C:\\cert.cer -nodes
   3. Edit file and delete all except -----BEGIN.... END CERTIFICATE----- IMPORTANT! It was working when I got proper (5) amount of dashes and put tags and data on separate lines
   4. use keytool. C:\\Java\\JDK\\bcprov.jar was downloaded separately C:\\Users>keytool -import -v -trustcacerts -alias key_alias -file C:\\cert.cer -keystore C:\\mystore.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath C:\\Java\\JDK\\bcprov.jar -storepass 123456

2. Create TRUST ALL KeyStore and forget about all this. Basically, you can use any SSL without errors. Just disable it in production if you really care. Here is code I use to get SSL client prepared (assuming you use Apache Http client)

    private HttpClient getHttpClient() { HttpParams params = new BasicHttpParams(); //Set main protocol parameters HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1); HttpProtocolParams.setContentCharset(params, HTTP.DEFAULT_CONTENT_CHARSET); HttpProtocolParams.setUseExpectContinue(params, true); // Turn off stale checking. Our connections break all the time anyway, and it's not worth it to pay the penalty of checking every time. HttpConnectionParams.setStaleCheckingEnabled(params, false); // FIX v2.2.1+ - Set timeout to 30 seconds, seems like 5 seconds was not enough for good communication HttpConnectionParams.setConnectionTimeout(params, 30 * 1000); HttpConnectionParams.setSoTimeout(params, 30 * 1000); HttpConnectionParams.setSocketBufferSize(params, 8192); // Don't handle redirects -- return them to the caller. Our code often wants to re-POST after a redirect, which we must do ourselves. HttpClientParams.setRedirecting(params, false); // Register our own "trust-all" SSL scheme SchemeRegistry schReg = new SchemeRegistry(); try { KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(null, null); TrustAllSSLSocketFactory sslSocketFactory = new TrustAllSSLSocketFactory(trustStore); sslSocketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); Scheme sslTrustAllScheme = new Scheme("https", sslSocketFactory, 443); schReg.register(sslTrustAllScheme); } catch (Exception ex) { LogData.e(LOG_TAG, ex, LogData.Priority.None); } ClientConnectionManager conMgr = new ThreadSafeClientConnManager(params,schReg); return new DefaultHttpClient(conMgr, params); } 

Answer 2

It is similar my question when I try to request to EWS. You can refer to this link and download example source code then modify it like my answer. Hope this helps!

Update :
The following command worked for me (I tried it about 2 months ago):

  C:\OpenSSL-Win32\bin>keytool -importcert -v -trustcacerts -file "d:/cer.cer" 
  -alias parkgroup_restful -keystore "D:/parkgroup-ws-client.bks" 
  -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath 
 "D:/bcprov-jdk16-145.jar" -storetype BKS -storepass 1234567

  .... /**It should show the result here**/

   Trust this certificate? [no]:  yes
   Certificate was added to keystore
   [Storing D:/parkgroup-ws-client.bks]

   C:\OpenSSL-Win32\bin>keytool -list -keystore "D:/parkgroup-ws-client.bks" -provi
   der org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "D:/bcprov-
   jdk16-145.jar" -storetype BKS -storepass 1234567

   Keystore type: BKS
   Keystore provider: BC

   Your keystore contains 1 entry

   parkgroup_restful, Apr 10, 2012, trustedCertEntry,
   Certificate fingerprint (MD5): 36:47:88:62:23:1C:F3:52:17:BE:7A:A9:94:56:19:18

You can see, I use bcprov-jdk16-145.jar and openssl lib. You can try it.
Another tool to create keystore: http://portecle.sourceforge.net/

Answer 3

Well I also faced this same situation and to solve it I took help from same blog post( http://nelenkov.blogspot.in/2011/12/using-custom-certificate-trust-store-on.html ) referred by R4j . Following are the steps involved :

1. Create custom trustore : I used Portecle to create a keystore and imported Public Key Certificate from my server into it.
2. Create custom keystore with keypair : keytool -genkeypair -alias sample -keyalg RSA -sigalg SHA1withRSA -dname "CN=Nazgul, OU=Assault, O=Sauron Enterprises, L=Mordor, ST=Middle Earth, C=ME" -keypass welcome123 -validity 365 -storetype pkcs12 -keystore g:\\mordor_key_store.pfx -storepass welcome123 -keysize 2048
3. You then use them as mentioned in nelkov's blog. You may also need to create your own custom AbstractVerifier in case you land into a situation where certificate is issued for abc.com and the Verifier rejects www.abc.com

4. Finally to create secure HTTPClient you can do something like this:

     public static DefaultHttpClient getSecureHttpClient(){ SchemeRegistry schemeRegistry = new SchemeRegistry(); SSLContext sslContext = null; try { sslContext = createSslContext(true); } catch (GeneralSecurityException e) { e.printStackTrace(); } final X509HostnameVerifier delegate = new BrowserCompatHostnameVerifier(); MySSLSocketFactory socketFactory = new MySSLSocketFactory(sslContext, delegate); schemeRegistry.register(new Scheme("https", socketFactory, 443)); DefaultHttpClient client = new DefaultHttpClient(); HttpParams params = client.getParams(); client = new DefaultHttpClient(new ThreadSafeClientConnManager(params, schemeRegistry), params){ protected HttpParams determineParams(HttpRequest req) { HttpParams params = req.getParams(); // req is an HttpRequest object HttpConnectionParams.setSoTimeout(params, 60000); HttpConnectionParams.setConnectionTimeout(params, 60000); return params; } }; return client; } 

For detailed reasons of my choices you can refer to this post http://fuking-android.quora.com/Implement-HTTPS-for-android-apps-a-novices-tale .