Unable to add SSL certificate using Retrofit 2 - java

Unable to add SSL certificate using Retrofit 2 getting below error:
java.net.UnknownHostException: Unable to resolve host "abcd.com": No address associated with hostname
Below is the code:
try {
cf = CertificateFactory.getInstance("X.509");
cert = context.getResources().openRawResource(R.raw.abcd);
ca = cf.generateCertificate(cert);
cert.close();
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
client = new OkHttpClient.Builder()
.sslSocketFactory(sslContext.getSocketFactory())
.build();
} catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException | KeyManagementException e) {
Log.e("Certificate Exception",e.toString());
e.printStackTrace();
}
catch (Exception e)
{
Log.e("Certificate Exception",e.toString());
e.printStackTrace();
}

Related

How to connect to private url with private ssl certificate

I am trying to connect my android app to a url belonging to a private company in order to retrieve and send information. When I do so however I receive an error Trust anchor for certification path not found, the ssl certificate for the url is valid though, I did research and I used the following code I used to trust the certificate in a class Http TrustManager
public class HttpsTrustManager {
public void trust() throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
caInput.close();
}
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
SSLContext context = null;
try {
context = SSLContext.getInstance("TLS");
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
try {
context.init(null, tmf.getTrustManagers(), null);
} catch (KeyManagementException e) {
e.printStackTrace();
}
// Tell the URLConnection to use a SocketFactory from our SSLContext
URL url = new URL("https://systems.syspearl.com/api");
HttpsURLConnection urlConnection =
(HttpsURLConnection) url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
InputStream in = urlConnection.getInputStream();
IOUtils.copyStream(in,out);
}
And this is how I call it in the main activity
new HttpsTrusrtManger().trust();
This doesn't work however. Please render necessary help

How to download a binary large file throw HTTPS when the web server require a client TLS certificate?

I didn't find any way to implement an SSLContext with DownloadManager. Is there a way to add a Client certificate (keystore)?
For now, it is a self signed certificate (both client&server). I'm able to connect to this server with okhttp (managing SSLContext) but with DownloadManager i get an error 'SSL Handshake'.

Here is my code,
#Nullable
private static SSLContext initTrustManager(Context context) {
try {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
InputStream is = context.getAssets().open("s_cert.cer");
Certificate ca;
try {
ca = certificateFactory.generateCertificate(is);
Log.i("TrustManager", "ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
is.close();
}
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
return sslContext;
} catch (CertificateException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} catch (KeyStoreException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
}
return null;
}
And here is how I implement it:
builder.sslSocketFactory(initTrustManager(context).getSocketFactory());
This is working code, so if you still get exceptions, pay attention to SSL certificate itself or make some changes inside api of server. Hope it helps))

HttpsParameters cannot be resolved to a type

I want to secure my http request ,Im using something like http://123.456.789.123:1234 and I want secure it. I create a keystore.csr carets.jks server.cer and keystore.jks with the java keytool after that I implement my code, but it can't read HttpsParameters
String alias = "alias";
char [] storepass = "changeit".toCharArray();
String keystoreName = "c:\\keystore.jks";
FileInputStream in = new FileInputStream(keystoreName);
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(in, storepass);
Certificate cert = keystore.getCertificate(alias);
Log.debug("the certification is here : " + cert);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
char [] keypass = "changeit".toCharArray();
kmf.init(keystore, keypass);
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(keystore);
HttpsServer server = HttpsServer.create(new InetSocketAddress(port), 0);
SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
server.setHttpsConfigurator(new HttpsConfigurator(sslContext) {
public void configure(HttpsParameters params) {
try {
SSLContext c = SSLContext.getDefault();
SSLEngine engine = c.createSSLEngine();
params.setNeedClientAuth(false);
params.setCipherSuites(engine.getEnabledCipherSuites());
params.setProtocols(engine.getEnabledProtocols());
SSLParameters defaultSSLParameters=c.getDefaultSSLParameters();
params.setSSLParameters(defaultSSLParameters);
} catch (Exception ex) {
ex.printStackTrace();
System.out.println("Failed to create HTTPS server");
}
}
});`

I did a mistake that I forgot to add the import to my class
import com.sun.net.httpserver.HttpsParameters;

SSLHandshakeException when trying to connect to my server using self-signed certificate with Retrofit 2 on Android

I'm trying to connect to my API server using a self-signed certificate. The certificate was successfully installed on the server. I've tested it via OpenSSL and also in Firefox.
I followed the Andrey Makarov's answer to configure OkHttp. But it doesn't work. When I try to execute my request I get javax.net.ssl.SSLHandshakeException with java.security.cert.CertPathValidatorException: Trust anchor for certification path not found message.
Here is my code:
public HttpClient() {
/* ... */
SSLContext sslContext = null;
try {
sslContext = SSLContext.getInstance("TLSv1.2");
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}
KeyStore keyStore = readKeyStore();
TrustManagerFactory trustManagerFactory = null;
try {
trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, "password".toCharArray());
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
}
catch (final Exception e) {
Log.e(TAG, e.toString());
}
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
X509TrustManager trustManager = (X509TrustManager) trustManagers[0];
OkHttpClient client = new OkHttpClient.Builder()
.sslSocketFactory(sslContext.getSocketFactory(), trustManager)
.build();
mRetrofit = new Retrofit.Builder()
.client(client)
.baseUrl(mBaseUrl)
.addConverterFactory(GsonConverterFactory.create())
.build();
}
private KeyStore readKeyStore() {
KeyStore ks = null;
try {
ks = KeyStore.getInstance("BKS");
}
catch (final Exception e) {
Log.e(TAG, e.toString());
}
char[] password = "password".toCharArray();
final Context context = App.app;
InputStream is = context.getResources().openRawResource(R.raw.key_sorage);
try {
ks.load(is, password);
}
catch (final Exception e) {
Log.e(TAG, e.toString());
}
finally {
if (is != null) {
try {
is.close();
}
catch (final Exception e2) {
Log.e(TAG, e2.toString());
}
}
}
return ks;
}
Retrofit version is 2.3.0.

Problems with TLS Android - Netty

I'm working on Android client for client-server application. I need TLS session with server with mutual authentication. I use Netty on the server. My client code:
// private key
File client_tls_key = new File("/sdcard/GreatParents/tls/client_key.pkcs8");
KeyManagerFactory kmf = null;
KeyStore ks;
try {
ks = KeyStore.getInstance("BKS");
ks.load(new FileInputStream("/sdcard/GreatParents/tls/client_ks.bks"), "changeit".toCharArray());
String kmf_type = KeyManagerFactory.getDefaultAlgorithm();
kmf = KeyManagerFactory.getInstance(kmf_type);
kmf.init(ks, "changeit".toCharArray());
} catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException | UnrecoverableKeyException e) {
e.printStackTrace();
}
TrustManagerFactory tmf = null;
KeyStore ts;
try {
ts = KeyStore.getInstance("BKS");
ts.load(new FileInputStream("/sdcard/GreatParents/tls/client_ts.bks"), "changeit".toCharArray());
String tmf_type = TrustManagerFactory.getDefaultAlgorithm();
tmf = TrustManagerFactory.getInstance(tmf_type);
tmf.init(ts);
} catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
e.printStackTrace();
}
if (tmf != null) {
SslContext sslCtx = null;
try {
sslCtx = SslContext.newClientContext(SslProvider.JDK,null,tmf,null,client_tls_key,keypass,kmf,null,IdentityCipherSuiteFilter.INSTANCE,(ApplicationProtocolConfig) null,0,0);
} catch (SSLException e) {
e.printStackTrace();
logger.error("TLS Session not initialized");
return;
}
}
Server's certificate stores in file client_ts.bks. Client's certificate stores in file client_ks.bks.
I got Exception:
java.security.NoSuchAlgorithmException: KeyStore JKS implementation not found
I found in stacktrace method:
io.netty.handler.ssl.JdkSslContext.buildKeyManagerFactory
with code:
KeyStore ks = KeyStore.getInstance("JKS");
Netty creates JKS-keystores forced, instead of using my BKS-keystores, right?! If I'm right, Netty doesn't compatible with Android in TLS part.

As you mentioned that "JKS" is hard coded in Netty, they can use Keystore.getDefaultType() but not sure whether it may cause any problems or not.
Apart from that, there is a workaround to use TLS in Android using Netty. You could use JAVA's SSLContext and create new SslHandler to add in channel pipeline via SslHandler(SSLContext.createSSLEngine).
Something like this after initializing trust manager factory:
...
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf.getKeyManagers(),tmf.getTrustManagers(), new SecureRandom());
SSLEngine sslEngine = sslContext.createSSLEngine();
sslEngine.setUseClientMode(true);
SslHandler sslHandler = new SslHandler(sslEngine);
channel.pipeline().addFirst(sslHandler)
...

Categories

Resources