Volley trust additional root cert

I have a problem with Volley and SSL and some old Android devices.

Problem is that the root certificate we use that is publicly trusted is not in place in these old devices and the OS is no longer updated so I thought I would add the CA as a file. I found lots of examples on how to trust a single certificate but I also want to keep trusting the existing root certificates. I just want to add a few to the trust store used by our app.

Is this possible? Is there a code example of this somewhere?

EDIT: I have checked the following links; all deal with self-signed certificates or a fully custom CA store, or simply disable the checks, which I do not want to do. I want to keep the default CA store but add one or two additional CAs.

How to import self-signed SSL certificate to Volley on Android 4.1+

How can I make Android Volley perform HTTPS request, using a certificate self-signed by an Unknown CA?

Kind regards Jens

Shute answered 29/3, 2021 at 10:16 Comment(4)
Can you include some code snippets showing how you currently have Volley configured with SSL, or what the basic SSL configuration of Volley is, so we can easily point you in the right direction? - Luther
I have not added any custom SSL configuration. Just trying to reach https:// URLs and found out it did not work on older Android phones. I found by using the web browser on the device that it did not have the root certificate. So I want to be able to add some extra trusted root certificates. I will edit the question to link to some info I found. - Shute
Clear, the additional links are informative. In what kind of format do you have the certificate which needs to be trusted? - Luther
It does not really matter. I can convert it if required, but I usually prefer working with PEM-encoded certificates. - Shute

What you can do is include the certificate within your app, load it programmatically and supply it to your Volley client.

The links you have shared give me the idea that it should be possible; however, I have never used Volley and cannot confirm if it will actually work. So I will make an attempt and hopefully you can test it out and share your results here.

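import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import com.android.volley.RequestQueue;
import com.android.volley.toolbox.HurlStack;
import com.android.volley.toolbox.Volley;

// Empty in-memory trust store that will hold every certificate the app trusts
KeyStore baseTrustStore = KeyStore.getInstance(KeyStore.getDefaultType());
baseTrustStore.load(null, null);

// Get your custom certificate(s) from your Android device or from within your app
// and load each one as a certificate object. R.raw.my_root_ca is a hypothetical
// resource name; the X.509 factory accepts both PEM and DER input.
InputStream caInput = getResources().openRawResource(R.raw.my_root_ca);
Certificate myTrustedCertificate;
try {
    myTrustedCertificate = CertificateFactory.getInstance("X.509").generateCertificate(caInput);
} finally {
    caInput.close();
}
baseTrustStore.setCertificateEntry("my-trusted-certificate", myTrustedCertificate);

int counter = 0;

// Copy every CA the device already trusts into the same store.
// The store must be loaded before its aliases can be read.
KeyStore systemTrustStore = KeyStore.getInstance("AndroidCAStore");
systemTrustStore.load(null, null);
Enumeration<String> aliases = systemTrustStore.aliases();
while (aliases.hasMoreElements()) {
    String alias = aliases.nextElement();
    if (systemTrustStore.isCertificateEntry(alias)) {
        Certificate certificate = systemTrustStore.getCertificate(alias);
        baseTrustStore.setCertificateEntry("" + counter++, certificate);
    }
}

// Build trust managers backed by the merged store
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(baseTrustStore);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, trustManagers, null);
SSLSocketFactory socketFactory = sslContext.getSocketFactory();

// Hand the socket factory to Volley through HurlStack
HurlStack hurlStack = new HurlStack(null, socketFactory);
RequestQueue queue = Volley.newRequestQueue(this, hurlStack);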

So I first create an empty trust store where I will add all the certificates which I want to trust. First add the custom root certificate which you have somewhere and map it to an instance of java.security.cert.Certificate. Afterwards get the Android CA store and extract all the trusted certificates. Afterwards add all these certificates to your base trust store, which you can use to create a TrustManagerFactory, SSLContext and SSLSocketFactory. The counter within the example is just a way to generate some alias, but you can specify or generate your own.

Luther answered 30/3, 2021 at 8:43 Comment(0)
