Android : Manually validating SSL Certificates

I have a small school project and my teacher is asking me to do the following:

  1. Validate if the URL matches the certificate (and display it)
  2. Validate if the certificate is not expired (and display the date)
  3. Display all who have signed the certificates
  4. Maybe a few more if I have the time during the limited time frame

The only thing I can find is how to fully validate a certificate but not how to validate manually step by step.

Could anyone point me in the right direction? :)

Thanks in advance

It depends on how you obtain your certificate and what exactly you want to validate: whether it's during an SSL connection with 2-way auth, or client-side auth, or just the steps you described.

In the case of an HTTP connection the difference is where you can obtain the certificate (and which methods allow you to do it); if you don't need this, just skip to the bottom:

HTTP

Tricky thing here: since Android 6.0 the Apache HTTP client was removed from the Android SDK, thus all info described below may be deprecated. However, since it's a school project you may get a general idea of how it can be done: http://developer.android.com/intl/es/about/versions/marshmallow/android-6.0-changes.html#behavior-apache-http-client

Nevertheless, there is an interface called X509HostnameVerifier: https://stuff.mit.edu/afs/sipb/project/android/docs/reference/org/apache/http/conn/ssl/X509HostnameVerifier.html

abstract boolean verify(String host, SSLSession session)                 // host vs. the session's peer certificate; false on mismatch
abstract void    verify(String host, X509Certificate cert)               // host vs. one certificate; throws SSLException on mismatch
abstract void    verify(String host, SSLSocket ssl)                      // host vs. the socket's peer certificate; throws on mismatch
abstract void    verify(String host, String[] cns, String[] subjectAlts) // host vs. already-extracted CNs and subjectAltNames

And here you can access the server certificate.

OWN CERTIFICATE

The question is how you want to provide the certificate to your app. There are a couple of possibilities:

  • hardcode the PEM string in the app
  • generate a BKS keystore and store the certificate in it, keeping the keystore in assets
  • keep the certificate in either DER or CRT format in assets

All three above are almost the same, because retrieving an X509Certificate from them is very easy and you can find plenty of examples of how to do it.

As soon as you get your desired X509Certificate object:

  1. you can extract it from the X509Certificate principals
  2. checkValidity() for validation, and the getNotAfter() / getNotBefore() methods for the exact dates
  3. an X509Certificate can have only one signer, so: getIssuerX500Principal() or getIssuerDN(). If you want to go up, you'd need the certificate chain

The official Android documentation gives this:

// Imports the snippet needs (the snippet itself runs inside a method that declares "throws Exception")
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Load CAs from an InputStream
// (could be from a resource or ByteArrayInputStream or ...)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// From https://www.washington.edu/itconnect/security/ca/load-der.crt
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
    ca = cf.generateCertificate(caInput);
    System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
    caInput.close();
}

// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);

// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);

// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);

// Tell the URLConnection to use a SocketFactory from our SSLContext
URL url = new URL("https://certs.cac.washington.edu/CAtest/");
HttpsURLConnection urlConnection =
    (HttpsURLConnection)url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
InputStream in = urlConnection.getInputStream();
// Once the handshake is done, urlConnection.getServerCertificates() returns the
// server's chain as Certificate[] (leaf first) for the manual checks listed above
copyInputStreamToOutputStream(in, System.out);

// Helper the documentation snippet calls but does not define
static void copyInputStreamToOutputStream(InputStream in, OutputStream out) throws IOException {
    byte[] buf = new byte[4096];
    int n;
    while ((n = in.read(buf)) != -1) {
        out.write(buf, 0, n);
    }
}

Check the complete information here.
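The three manual checks from the answer above (hostname match, validity window, who signed what), as an added example that is not part of the original question or answer. It is written in Python rather than Java so that it runs offline with the standard library alone: the certificate dictionaries below are constructed samples in the layout that ssl.SSLSocket.getpeercert() returns (subject, issuer, notBefore/notAfter, subjectAltName), which carries the same information an Android X509Certificate exposes through getSubjectX500Principal(), getIssuerX500Principal(), getNotBefore()/getNotAfter() and getSubjectAlternativeNames(). The hostnames, organisation names and dates are made up; fetch_peer_cert is a helper added here to show where the same dictionary comes from on a live connection.

```python
"""Manual certificate checks: hostname match, validity window, signers.
Standard library only; certificates use the dict layout of ssl.SSLSocket.getpeercert()."""
import ipaddress
import socket
import ssl
import time

# Constructed sample chain, leaf first (made-up names and dates, not real certificates).
CA_NAME = ((("organizationName", "Example CA"),), (("commonName", "Example Issuing CA"),))
ROOT_NAME = ((("organizationName", "Example CA"),), (("commonName", "Example Root CA"),))
SAMPLE_CHAIN = [
    {"subject": ((("commonName", "www.example.test"),),), "issuer": CA_NAME,
     "notBefore": "Jan  1 00:00:00 2024 GMT", "notAfter": "Dec 31 23:59:59 2024 GMT",
     "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test"),
                        ("IP Address", "192.0.2.10"))},
    {"subject": CA_NAME, "issuer": ROOT_NAME,
     "notBefore": "Jan  1 00:00:00 2020 GMT", "notAfter": "Jan  1 00:00:00 2030 GMT",
     "subjectAltName": ()},
]

def _dns_match(pattern, hostname):
    """One dNSName against a hostname, case-insensitively: exact match, or '*' as the
    whole leftmost label matching exactly one label (RFC 6125 rules)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p, h = pattern.split("."), hostname.split(".")
    # a bare '*' or '*.com' is refused, and the label counts must agree
    return p[0] == "*" and len(p) >= 3 and len(p) == len(h) and p[1:] == h[1:]

def _ip_match(value, hostname):
    try:
        return ipaddress.ip_address(value) == ipaddress.ip_address(hostname)
    except ValueError:
        return False

def hostname_matches(cert, hostname):
    """Step 1: does the URL's host match the certificate? With a subjectAltName
    extension present only the SAN entries count; the commonName fallback is
    used solely for SAN-less certificates, as current verifiers do."""
    sans = cert.get("subjectAltName", ())
    if sans:
        return any((kind == "DNS" and _dns_match(value, hostname)) or
                   (kind == "IP Address" and _ip_match(value, hostname))
                   for kind, value in sans)
    return any(key == "commonName" and _dns_match(value, hostname)
               for rdn in cert.get("subject", ()) for key, value in rdn)

def validity_window(cert):
    """Step 2: (notBefore, notAfter) as epoch seconds from the 'Mon DD HH:MM:SS YYYY GMT' strings."""
    return ssl.cert_time_to_seconds(cert["notBefore"]), ssl.cert_time_to_seconds(cert["notAfter"])

def is_valid_at(cert, now=None):
    not_before, not_after = validity_window(cert)
    return not_before <= (time.time() if now is None else now) <= not_after

def name_to_string(name):
    """Render a getpeercert() name (tuple of RDNs) as 'O=..., CN=...'."""
    short = {"countryName": "C", "organizationName": "O",
             "organizationalUnitName": "OU", "commonName": "CN"}
    return ", ".join(f"{short.get(k, k)}={v}" for rdn in name for k, v in rdn)

def signers(chain):
    """Step 3: the issuer of each certificate, walking up the chain (leaf first).
    A certificate has exactly one issuer; going further up needs the next cert.
    Only the issuer/subject name linkage is checked here; verifying the signatures
    is what the TrustManager in the answer's Java code does."""
    out = []
    for i, cert in enumerate(chain):
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["subject"]:
            raise ValueError("chain break after " + name_to_string(cert["subject"]))
        out.append(name_to_string(cert["issuer"]))
    return out

def report(chain, hostname, now=None):
    """Run the three checks on the leaf and return the lines to display."""
    def fmt(t):
        return time.strftime("%Y-%m-%d %H:%M:%S UTC", time.gmtime(t))
    leaf = chain[0]
    not_before, not_after = validity_window(leaf)
    return [f"1. host {hostname!r} matches certificate: {hostname_matches(leaf, hostname)}",
            f"2. valid from {fmt(not_before)} to {fmt(not_after)}; "
            f"valid now: {is_valid_at(leaf, now)}",
            "3. signed by: " + " -> ".join(signers(chain))]

def fetch_peer_cert(host, port=443):
    """Where the same dict comes from on a live server. The default context already
    verifies the chain in the handshake (getpeercert() returns {} for an unverified
    peer), so the functions above re-derive what it checked, step by step."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    for line in report(SAMPLE_CHAIN, "foo.api.example.test"):
        print(line)
```

The wildcard rules are the part students usually get wrong: `*.api.example.test` must match `foo.api.example.test` but neither `api.example.test` nor `a.b.api.example.test`, and the commonName is ignored as soon as a subjectAltName extension exists. Note also that these checks only cover what the question asks for; the signature on each certificate is still validated by the platform (the TrustManager in the Java snippet), which is why the helper connects with a verifying context.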

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address. Any questions, please contact: yoyou2525@163.com.
