Wednesday, April 20, 2016

Check in the onReceivedSslError() method of a WebViewClient if a certificate is signed by a specific self-signed CA


I would like to override the onReceivedSslError() of a WebViewClient. Here I want to check if the error.getCertificate() certificate is signed by a self-signed CA and, only in this case, call handler.proceed(). In pseudo-code:

```java
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    SslCertificate serverCertificate = error.getCertificate();

    if (/* signed from my self-signed CA */) {
        handler.proceed();
    } else {
        super.onReceivedSslError(view, handler, error);
    }
}
```

The public key of my CA is saved in a BouncyCastle resource called rootca.bks. How can I do this?

3 Answers

Answer 1

Based on the documentation:

Have you tried using the method getIssuedBy().getDName() of the class SslCertificate? This method returns a String representing "the entity that issued this certificate".

Take a look here: http://developer.android.com/reference/android/net/http/SslCertificate.html#getIssuedBy()

Then you just need to know which string is returned when it is self-signed.

EDIT: I think that if it is self-signed, that should return an empty string, and if not, it would return the entity.

Regards

Answer 2

I think this should work (SSL_IDMISMATCH means "Hostname mismatch").

```java
@Override
public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
    SslCertificate serverCertificate = error.getCertificate();

    if (error.hasError(SslError.SSL_UNTRUSTED)) {
        // Check if the cert's CN equals the host of the requested URL
        String certDomain = serverCertificate.getIssuedTo().getCName();
        String urlHost;
        try {
            urlHost = new URL(error.getUrl()).getHost();
        } catch (java.net.MalformedURLException e) {
            handler.cancel();
            return;
        }
        if (certDomain.equals(urlHost)) {
            handler.proceed();
        } else {
            // The handler must be answered either way, otherwise the load stays pending
            handler.cancel();
        }
    } else {
        super.onReceivedSslError(view, handler, error);
    }
}
```

If hasError() is not working, try error.getPrimaryError() == SslError.SSL_IDMISMATCH.

Check the documentation of SslError for all error types.

EDIT: I tested the function on my own self-signed-cert server (it's a XAMPP), and I got error #3. That means you have to check for error.hasError(SslError.SSL_UNTRUSTED) for a self-signed cert.

Answer 3

I think you can get help from here: http://developer.android.com/training/articles/security-ssl.html
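What the question asks for is a signature check against the CA stored in rootca.bks, and none of the answers above performs one. Comparing DN strings (Answer 1) or the CN against the URL host (Answer 2) accepts any certificate an attacker mints with the same names; a self-signed certificate's issuer DN is also its own subject DN rather than an empty string, so the string test in Answer 1 does not identify self-signed certificates either. The client below is an added example written for this page, not code from the asker or from any of the answerers. It assumes the CA sits as a trusted-certificate entry in a BKS raw resource whose id is passed in as `rawResId` (assumed to be `R.raw.rootca`), that the caller supplies the keystore password, and it relies on the undocumented `"x509-certificate"` key of `SslCertificate.saveState()` to recover the DER bytes on API levels below 29. It proceeds only when SSL_UNTRUSTED is the sole error WebView reported, when the leaf certificate verifies against the CA through an `X509TrustManager` built from that keystore (signature, chain and validity dates), and when a dNSName SAN of the leaf matches the URL host. `getPrimaryError()` alone is not enough for the first condition: it returns the most severe error, and SSL_UNTRUSTED (3) outranks SSL_IDMISMATCH (2) and SSL_EXPIRED (1), so a certificate that is also for the wrong host or expired would still report SSL_UNTRUSTED as primary.

```java
import android.content.Context;
import android.net.http.SslCertificate;
import android.net.http.SslError;
import android.os.Bundle;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Accepts server certificates issued by the one private CA stored in rootca.bks. */
public class PrivateCaWebViewClient extends WebViewClient {
    private final X509TrustManager trustManager;

    // rawResId is assumed to be R.raw.rootca, a BKS keystore holding the CA as a
    // trusted-certificate entry; password is the keystore password (null if none).
    public PrivateCaWebViewClient(Context context, int rawResId, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance("BKS");
        try (InputStream in = context.getResources().openRawResource(rawResId)) {
            ks.load(in, password);
        }
        // A trust manager built from a keystore that holds only our CA trusts exactly
        // that CA: it checks the signature, the chain and the validity dates for us.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new GeneralSecurityException("no X509TrustManager");
        trustManager = found;
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        if (onlyUntrusted(error) && issuedByOurCa(error)) {
            handler.proceed();
        } else {
            handler.cancel(); // always answer the handler, or the load stays pending
        }
    }

    // True when SSL_UNTRUSTED is the only error WebView reported. getPrimaryError()
    // returns the most severe one, and SSL_UNTRUSTED outranks IDMISMATCH and EXPIRED.
    private static boolean onlyUntrusted(SslError error) {
        for (int e = 0; e < SslError.SSL_MAX_ERROR; e++) {
            if (e != SslError.SSL_UNTRUSTED && error.hasError(e)) return false;
        }
        return error.hasError(SslError.SSL_UNTRUSTED);
    }

    private boolean issuedByOurCa(SslError error) {
        try {
            X509Certificate leaf = toX509(error.getCertificate());
            if (leaf == null) return false;
            // Throws CertificateException unless the leaf chains to the CA in the keystore
            // and is within its validity period. authType is not part of the decision.
            trustManager.checkServerTrusted(new X509Certificate[] {leaf}, "RSA");
            // A valid signature from our CA says nothing about the host name.
            return hostMatches(leaf, new URL(error.getUrl()).getHost());
        } catch (Exception e) {
            return false;
        }
    }

    // SslCertificate.getX509Certificate() exists only from API 29; the saveState() Bundle
    // carries the DER bytes under the undocumented key "x509-certificate" (assumed name).
    private static X509Certificate toX509(SslCertificate cert) throws GeneralSecurityException {
        Bundle state = SslCertificate.saveState(cert);
        byte[] der = state == null ? null : state.getByteArray("x509-certificate");
        if (der == null) return null;
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }

    // Matches host against the dNSName subjectAltNames (GeneralName type 2), allowing
    // one leading "*." wildcard label. The CN is ignored on purpose, as browsers do.
    private static boolean hostMatches(X509Certificate cert, String host)
            throws GeneralSecurityException {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return false;
        String h = host.toLowerCase(Locale.ROOT);
        for (List<?> san : sans) {
            if (!Integer.valueOf(2).equals(san.get(0))) continue;
            String name = ((String) san.get(1)).toLowerCase(Locale.ROOT);
            if (name.equals(h)) return true;
            // "*.example.com" matches exactly one extra label, e.g. "www.example.com"
            if (name.startsWith("*.") && h.endsWith(name.substring(1))
                    && h.indexOf('.') == h.length() - name.length() + 1) return true;
        }
        return false;
    }
}
```

Install it once with `webView.setWebViewClient(new PrivateCaWebViewClient(this, R.raw.rootca, password))` (the `R.raw.rootca` id and the password source are assumptions; keep the password out of source in a real app). `SslError.getCertificate()` carries only the leaf certificate, so the CA in the keystore must have signed it directly, or any intermediate must also be present in the keystore as a trusted entry. On Android 7.0 and later, a Network Security Configuration that lists the CA as a trust anchor is honored by WebView, which removes the need to override onReceivedSslError at all.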
