A proper way to install a PEM certificate in Android
I am developing an Android project.

I have a PEM certificate string:

-----BEGIN CERTIFICATE-----
MIIEczCCA1ugAwIBAgIBADANBgkqhkiG9w0BAQQFAD..AkGA1UEBhMCR0Ix
EzARBgNVBAgTClNvbWUtU3RhdGUxFDASBgNVBAoTC0..0EgTHRkMTcwNQYD
VQQLEy5DbGFzcyAxIFB1YmxpYyBQcmltYXJ5IENlcn..XRpb24gQXV0aG9y
...MANY LINES...
It8una2gY4l2O//on88r5IWJlm1L0oA8e4fR2yrBHX..adsGeFKkyNrwGi/
7vQMfXdGsRrXNGRGnX+vWDZ3/zWI0joDtCkNnqEpVn..HoX
-----END CERTIFICATE-----

(I assigned the above certificate string to a variable named CERT_STR.)

I decode the above PEM string to a byte array:

byte[] pemBytes = Base64.decode(
                CERT_STR.replaceAll("-----(BEGIN|END) CERTIFICATE-----", "")
                        .replaceAll("\n", "")
                        .getBytes("UTF-8"),
                Base64.DEFAULT
        );

I try to programmatically install the PEM certificate on my Android phone with the following code:

Intent intent = KeyChain.createInstallIntent();
// because my PEM only contains a certificate, no private key, so I use EXTRA_CERTIFICATE
intent.putExtra(KeyChain.EXTRA_CERTIFICATE, pemBytes);// above PEM bytes
intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
context.startActivity(intent);

When I run my code (on an Android 7 device), the Android system certificate installer app pops up a window. When I press the "OK" button of that window, I get the following log:

 java.io.IOException: stream does not represent a PKCS12 key store
  at com.android.org.bouncycastle.jcajce.provider.keystore.pkcs12.PKCS12KeyStoreSpi.engineLoad(PKCS12KeyStoreSpi.java:793)
  at java.security.KeyStore.load(KeyStore.java:1247)
  at com.android.certinstaller.CredentialHelper.loadPkcs12Internal(CredentialHelper.java:396)
  at com.android.certinstaller.CredentialHelper.extractPkcs12Internal(CredentialHelper.java:364)
  at com.android.certinstaller.CredentialHelper.extractPkcs12(CredentialHelper.java:354)
  at com.android.certinstaller.CertInstaller$1.doInBackground(CertInstaller.java:328)
  at com.android.certinstaller.CertInstaller$1.doInBackground(CertInstaller.java:327)

My questions:

  1. I have used EXTRA_CERTIFICATE and set it on the intent. I am NOT using EXTRA_PKCS12, but from the log, the Android system thinks I am installing a PKCS#12 keystore. Why?

  2. What is the correct way to programmatically install a PEM certificate in Android?

Tetrabrach answered 5/11, 2016 at 19:44 Comment(6)
"stream does not represent a PKCS12 key store": any reason to not try converting it to PKCS12 then? - Paperboard
But I still want to know what is the proper way to install PEM in Android, that's the point of my question. - Tetrabrach
This appears to be an exact duplicate of #40465315 - Plausible
What version of the Android platform do you use? I tried to run your code and it worked well. I saw the Toast "<inputted_cert_name> is installed". Android 5.1.0 - Juneberry
I am running it on Android 7 - Tetrabrach
@Tetrabrach Were you able to find a solution? - Scoter

Your code should work, as @Sergey Nikitin said. This starred example on GitHub uses similar code.

I have reviewed the Android 7.1 source code of CredentialHelper and CertInstaller to trace your exception log. The only reachable path to execute the PKCS12 loader at

 com.android.certinstaller.CredentialHelper.extractPkcs12(CredentialHelper.java:354)

is the method onScreenlockOk

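private void onScreenlockOk() {
    // The PKCS#12 extraction path is entered only when the bundle holds EXTRA_PKCS12
    if (mCredentials.hasPkcs12KeyStore()) {
        if (mCredentials.hasPassword()) {
            showDialog(PKCS12_PASSWORD_DIALOG);
        } else {
            new Pkcs12ExtractAction("").run(this);
        }
    }
    // ... (remainder of the method not shown)
}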

which is protected by CredentialHelper.hasPkcs12KeyStore()

boolean hasPkcs12KeyStore() {
    return mBundle.containsKey(KeyChain.EXTRA_PKCS12);
}

I have not found default assigned values or alternative paths, so I deduce that KeyChain.EXTRA_PKCS12 is being used in some way. It is weird behaviour; maybe you have a clean & rebuild issue?

I suggest debugging the code, including the Android CertInstaller class, to check the values of the extras and ensure that the executed code is the expected one.

Roundfaced answered 13/11, 2016 at 20:44 Comment(0)
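
An added example (not code from the question, the answer or AOSP) of the check suggested above: parse the PEM with CertificateFactory so malformed input fails before the installer is launched, log the subject and fingerprint for comparison, and confirm that the intent carries EXTRA_CERTIFICATE and no EXTRA_PKCS12. The class name PemCertInstaller and the displayName parameter are hypothetical; the pem argument is the question's CERT_STR.

```java
import android.content.Context;
import android.content.Intent;
import android.security.KeyChain;
import android.util.Log;

import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Locale;

// Hypothetical helper class; not part of the Android SDK or of the question's project.
public final class PemCertInstaller {
    private static final String TAG = "PemCertInstaller";

    public static void install(Context context, String pem, String displayName)
            throws Exception {
        // CertificateFactory accepts the PEM text directly (BEGIN/END lines included)
        // and throws CertificateException if it is not a well-formed X.509 certificate.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));

        // Log subject and SHA-256 fingerprint so they can be compared with the
        // values expected for this certificate before the user confirms.
        byte[] der = cert.getEncoded();
        StringBuilder fp = new StringBuilder();
        for (byte b : MessageDigest.getInstance("SHA-256").digest(der)) {
            fp.append(String.format(Locale.ROOT, "%02X", b));
        }
        Log.i(TAG, "Subject: " + cert.getSubjectX500Principal().getName());
        Log.i(TAG, "SHA-256: " + fp);

        Intent intent = KeyChain.createInstallIntent();
        intent.putExtra(KeyChain.EXTRA_CERTIFICATE, der);   // DER-encoded certificate
        intent.putExtra(KeyChain.EXTRA_NAME, displayName);  // default name shown to the user

        // CertInstaller takes the PKCS#12 path only when EXTRA_PKCS12 is present
        // (hasPkcs12KeyStore() above), so fail early if it ever appears here.
        if (intent.hasExtra(KeyChain.EXTRA_PKCS12)) {
            throw new IllegalStateException("unexpected EXTRA_PKCS12 in install intent");
        }
        intent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
        context.startActivity(intent);
    }
}
```

On Android 11 and later, CA certificates can no longer be installed through this intent and have to be installed by the user from Settings.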
