I have a small school project and my teacher is asking me to do the following:
The only thing I can find is how to fully validate a certificate, but not how to validate it manually step by step.
Could anyone point me in the right direction? :)
Thanks in advance
It depends on how you obtain your certificate and what exactly you want to validate: whether it's during an SSL connection with 2-way auth, or client-side auth, or just the steps you described.
In the case of an HTTP connection the difference is where you can obtain the certificate (and which methods allow you to do it); if you don't need this, just skip to the bottom:
HTTP
Tricky thing here: since Android 6.0 the Apache HTTP client was removed from the Android SDK, thus all the info described below may be deprecated. However, since it's a school project you may get a general idea of how it can be done: http://developer.android.com/intl/es/about/versions/marshmallow/android-6.0-changes.html#behavior-apache-http-client
Nevertheless, there is an interface called X509HostnameVerifier
https://stuff.mit.edu/afs/sipb/project/android/docs/reference/org/apache/http/conn/ssl/X509HostnameVerifier.html
```java
abstract boolean verify(String host, SSLSession session)
abstract void verify(String host, X509Certificate cert)
abstract void verify(String host, SSLSocket ssl)
abstract void verify(String host, String[] cns, String[] subjectAlts)
```
And here you can access the server certificate.
OWN CERTIFICATE
The question is how you want to provide the certificate to your app. There are a couple of possibilities:
All three above are almost the same, because retrieving an X509Certificate from them is very easy and you can find plenty of examples of how to do it.
As soon as you get your desired X509Certificate object:
1. you can extract it from the X509Cert principals
2. checkValidity() for validation, and the getNotAfter() / getNotBefore() methods for the exact dates
3. an X509Certificate can have only one signer, so: getIssuerX500Principal() or getIssuerDN(). If you want to go up you'd need the certificate chain.
The official Android documentation gives this:
```java
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Load CAs from an InputStream
// (could be from a resource or ByteArrayInputStream or ...)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// From https://www.washington.edu/itconnect/security/ca/load-der.crt
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
    ca = cf.generateCertificate(caInput);
    System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
    caInput.close();
}

// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);

// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);

// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);

// Tell the URLConnection to use a SocketFactory from our SSLContext
URL url = new URL("https://certs.cac.washington.edu/CAtest/");
HttpsURLConnection urlConnection =
    (HttpsURLConnection) url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
InputStream in = urlConnection.getInputStream();
// copyInputStreamToOutputStream is a helper from the original docs snippet (not defined here)
copyInputStreamToOutputStream(in, System.out);
```
CHECK COMPLETE INFORMATION HERE
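The step-by-step checks the answer lists (validity dates, issuer, signature, and the hostname verifier's job), written out as an added example that is not from the original answer or the Android docs; it assumes the leaf certificate and the CA certificate that signed it are available as DER/PEM files, and the class name ManualCertCheck is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.List;

public class ManualCertCheck {
    // Load one DER or PEM encoded certificate with the same CertificateFactory the answer uses.
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Runs each check separately and reports which one fails instead of giving one opaque verdict.
    static boolean validate(X509Certificate leaf, X509Certificate ca, String host) {
        boolean ok = true;
        try { // 1. both certificates must be inside their validity window right now
            leaf.checkValidity(new Date());
            ca.checkValidity(new Date());
        } catch (GeneralSecurityException e) { System.out.println("validity: " + e); ok = false; }
        // 2. the leaf's issuer DN must be exactly the CA's subject DN
        if (!leaf.getIssuerX500Principal().equals(ca.getSubjectX500Principal())) {
            System.out.println("issuer mismatch: " + leaf.getIssuerX500Principal()); ok = false;
        }
        // 3. the leaf's signature must verify under the CA public key; this is what binds step 2
        try { leaf.verify(ca.getPublicKey()); }
        catch (GeneralSecurityException e) { System.out.println("signature: " + e); ok = false; }
        // 4. the signer must carry basicConstraints cA=TRUE, else any leaf could "sign" another leaf
        if (ca.getBasicConstraints() < 0) { System.out.println("signer is not a CA"); ok = false; }
        // 5. hostname: exact dNSName (type 2) match in subjectAltName; wildcards are deliberately not handled
        boolean nameFound = false;
        try {
            if (leaf.getSubjectAlternativeNames() != null)
                for (List<?> san : leaf.getSubjectAlternativeNames())
                    if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase((String) san.get(1))) nameFound = true;
        } catch (GeneralSecurityException e) { System.out.println("SAN unreadable: " + e); }
        if (!nameFound) { System.out.println("no dNSName matches " + host); ok = false; }
        return ok;
    }

    public static void main(String[] args) throws Exception {
        // usage: java ManualCertCheck leaf.crt ca.crt example.com   (file names are placeholders)
        boolean ok = validate(load(args[0]), load(args[1]), args[2]);
        System.out.println(ok ? "all manual checks passed" : "validation FAILED");
    }
}
```

For a chain with an intermediate CA, repeat steps 2 to 4 for each link up to the trusted root; the TrustManager in the Android snippet above does that plus revocation and name-constraint handling, which this manual version leaves out.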