How to create a BKS (BouncyCastle) format Java Keystore that contains a client certificate chain

by

Detailed Step by Step instructions I followed to achieve this

  • Download bouncycastle JAR from
    http://repo2.maven.org/maven2/org/bouncycastle/bcprov-ext-jdk15on/1.46/bcprov-ext-jdk15on-1.46.jar
    or take it from the “doc” folder.
  • Configure BouncyCastle for PC using one of the below methods.
    • Adding the BC Provider Statically (Recommended)
      • Copy the bcprov-ext-jdk15on-1.46.jar to each
        • D:\tools\jdk1.5.0_09\jre\lib\ext (JDK (bundled JRE)
        • D:\tools\jre1.5.0_09\lib\ext (JRE)
        • C:\ (location to be used in env variable)
      • Modify the java.security file under
        • D:\tools\jdk1.5.0_09\jre\lib\security
        • D:\tools\jre1.5.0_09\lib\security
        • and add the following entry
          • security.provider.7=org.bouncycastle.jce.provider.BouncyCastleProvider
      • Add the following environment variable in “User Variables” section
        • CLASSPATH=%CLASSPATH%;c:\bcprov-ext-jdk15on-1.46.jar
    • Add bcprov-ext-jdk15on-1.46.jar to CLASSPATH of your project and Add the following line in your code
      • Security.addProvider(new BouncyCastleProvider());
  • Generate the Keystore using Bouncy Castle
    • Run the following command
      • keytool -genkey -alias myproject -keystore C:/myproject.keystore -storepass myproject -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider
    • This generates the file C:\myproject.keystore
    • Run the following command to check if it is properly generated or not
      • keytool -list -keystore C:\myproject.keystore -storetype BKS

  • Configure BouncyCastle for TOMCAT

    • Open D:\tools\apache-tomcat-6.0.35\conf\server.xml and add the following entry

      • <Connector
        port=”8443″
        keystorePass=”myproject”
        alias=”myproject”
        keystore=”c:/myproject.keystore”
        keystoreType=”BKS”
        SSLEnabled=”true”
        clientAuth=”false”
        protocol=”HTTP/1.1″
        scheme=”https”
        secure=”true”
        sslProtocol=”TLS”
        sslImplementationName=”org.bouncycastle.jce.provider.BouncyCastleProvider”/>

    • Restart the server after these changes.

  • Configure BouncyCastle for Android Client
    • No need to configure since Android supports Bouncy Castle Version 1.46 internally in the provided “android.jar”.
    • Just implement your version of HTTP Client (MyHttpClient.java can be found below) and set the following in code
      • SSLSocketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    • If you don’t do this, it gives an exception as below
      • javax.net.ssl.SSLException: hostname in certificate didn’t match: <192.168.104.66> !=
    • In production mode, change the above code to
      • SSLSocketFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);

MyHttpClient.java

package com.arisglobal.aglite.network;

import java.io.InputStream;
import java.security.KeyStore;

import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;

import com.arisglobal.aglite.activity.R;

import android.content.Context;

public class MyHttpClient extends DefaultHttpClient {

    final Context context;

    public MyHttpClient(Context context) {
        this.context = context;
    }

    @Override
    protected ClientConnectionManager createClientConnectionManager() {
        SchemeRegistry registry = new SchemeRegistry();

        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));

        // Register for port 443 our SSLSocketFactory with our keystore to the ConnectionManager
        registry.register(new Scheme("https", newSslSocketFactory(), 443));
        return new SingleClientConnManager(getParams(), registry);
    }

    private SSLSocketFactory newSslSocketFactory() {
        try {
            // Get an instance of the Bouncy Castle KeyStore format
            KeyStore trusted = KeyStore.getInstance("BKS");

            // Get the raw resource, which contains the keystore with your trusted certificates (root and any intermediate certs)
            InputStream in = context.getResources().openRawResource(R.raw.aglite);
            try {
                // Initialize the keystore with the provided trusted certificates.
                // Also provide the password of the keystore
                trusted.load(in, "aglite".toCharArray());
            } finally {
                in.close();
            }

            // Pass the keystore to the SSLSocketFactory. The factory is responsible for the verification of the server certificate.
            SSLSocketFactory sf = new SSLSocketFactory(trusted);

            // Hostname verification from certificate
            // http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
            sf.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
            return sf;
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
}

How to invoke the above code in your Activity class:

DefaultHttpClient client = new MyHttpClient(getApplicationContext());
HttpResponse response = client.execute(...);

More Related Contents:

  1. Https Connection Android
  2. HTTPS GET (SSL) with Android and self-signed server certificate
  3. Using client/server certificates for two way authentication SSL socket on Android
  4. java – ignore expired ssl certificate
  5. javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found
  6. Disable SSL certificate check in retrofit library
  7. How to do an HTTPS POST from Android?
  8. Enabling specific SSL protocols with Android WebViewClient
  9. How to override the cipherlist sent to the server by Android when using HttpsURLConnection?
  10. OkHttp javax.net.ssl.SSLPeerUnverifiedException: Hostname domain.com not verified
  11. javax.net.ssl.SSLException: SSL handshake aborted Connection reset by peer while calling webservice Android
  12. Android SSL HttpGet (No peer certificate) error OR (Connection closed by peer) error
  13. How Can I Access an SSL Connection Through Android?
  14. How to allow all Network connection types HTTP and HTTPS in Android (9) Pie?
  15. Convert string to JSON array
  16. Changing EditText bottom line color with appcompat v7
  17. converting Java bitmap to byte array
  18. Which Cipher Suites to enable for SSL Socket?
  19. Android – Programmatically Hide/Show Soft Keyboard [duplicate]
  20. How can I generate random number in specific range in Android? [duplicate]
  21. java.io.FileNotFoundException: This file can not be opened as a file descriptor; it is probably compressed
  22. How to get TimeZone from android mobile?
  23. How to force java server to accept only tls 1.2 and reject tls 1.0 and tls 1.1 connections
  24. Difference between google() and maven { url ‘https://maven.google.com’ }
  25. Sending HTTP Post Request with Android
  26. how to get country phone prefix from iso
  27. Android: Can’t figure how to use setImeActionLabel
  28. Generate certificates, public and private keys with Java [closed]
  29. connect failed: ECONNREFUSED
  30. How to connect to a secure website using SSL in Java with a pkcs12 file?

Leave a Comment