I am trying to apply certificate pinning in Android using a certificate kept in the application's internal storage. I have a certificate with the .pfx file extension. It works fine when I read the file from the bundled raw folder, but when I try to read it from internal storage it gives me this exception:
java.io.IOException: stream does not represent a PKCS12 key store
The method I am using is:
import java.io.File
import java.io.FileInputStream
import java.security.KeyStore
import java.security.SecureRandom
import java.util.Arrays
import javax.net.ssl.KeyManagerFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManager
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager
import okhttp3.OkHttpClient

fun generateSecureOkHttpClient(): OkHttpClient {
    val httpClientBuilder = OkHttpClient.Builder()
    try {
        // Create a simple builder for our http client, this is only for example purposes.
        // Here you may want to add some headers or custom settings for your builder.
        // Get the file of our certificate from internal storage
        // (FilePath.getSSLCertificatePath() is the app's own helper).
        val certFile = File(FilePath.getSSLCertificatePath() + "/sslCertificate.pfx")
        // Reading the same bytes from the bundled raw resource works:
        // val caFileInputStream = JobLogicApp.getContext().resources.openRawResource(R.raw.sslcert)

        // We're going to put our certificates in a KeyStore; `use` closes the stream afterwards
        val keyStore = KeyStore.getInstance("PKCS12")
        FileInputStream(certFile).use { caFileInputStream ->
            keyStore.load(caFileInputStream, "password".toCharArray())
        }
        // Create a KeyManagerFactory for our key entry. The platform default algorithm
        // ("PKIX" on Android) is the portable choice; "X509" is only an alias on some providers.
        val keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm())
        keyManagerFactory.init(keyStore, "password".toCharArray())
        // Use the platform trust store for server verification
        val trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
        trustManagerFactory.init(null as KeyStore?)
        val trustManagers: Array<TrustManager> = trustManagerFactory.trustManagers
        check(trustManagers.size == 1 && trustManagers[0] is X509TrustManager) {
            "Unexpected default trust managers: " + Arrays.toString(trustManagers)
        }
        val trustManager = trustManagers[0] as X509TrustManager
        // Create an SSL context with the key managers of the KeyManagerFactory
        val sslContext = SSLContext.getInstance("TLS")
        sslContext.init(keyManagerFactory.keyManagers, arrayOf<TrustManager>(trustManager), SecureRandom())
        // Finally set the sslSocketFactory on our builder and build it
        return httpClientBuilder
            .sslSocketFactory(sslContext.socketFactory, trustManager)
            .build()
    } catch (ex: Exception) {
        ex.printStackTrace()
    }
    // Note: on any failure this falls back to a plain client with no client certificate
    // and no custom trust, so the error only shows up in the log.
    return httpClientBuilder.build()
}
Can somebody please help? Thanks in advance. And sslCertificate.pfx gives this result:
> Keystore type: PKCS12
> Keystore provider: SUN
>
> Your keystore contains 1 entry
>
> Alias name: {5afb09cb-a876-4802-9dbc-ca535d656991}
> Creation date: 12-Aug-2021
> Entry type: PrivateKeyEntry
> Certificate chain length: 1
> Certificate[1]:
> Owner: CN=*.joblogicinternal.com, OU=Domain Control Validated
> Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US
> Serial number: f697a66f1ed3d443
> Valid from: Mon Aug 03 20:17:24 PKT 2020 until: Sat Oct 02 08:06:55 PKT 2021
> Certificate fingerprints:
>   SHA1: 44:F4:75:06:8D:CC:2B:43:AE:73:D8:33:1E:1C:0D:E7:F6:A8:C1:A9
>   SHA256: F1:F4:00:CF:E5:97:35:C2:EC:FF:59:DE:79:5B:9E:F6:B4:9D:1D:98:D1:B8:FD:41:60:EB:CB:86:35:59:87:9E
> Signature algorithm name: SHA256withRSA
> Subject Public Key Algorithm: 2048-bit RSA key
> Version: 3
>
> Extensions:
>
> #1: ObjectId: 1.3.6.1.4.1.11129.2.4.2 Criticality=false
> 0000: 04 81 F3 00 F1 00 76 00 F6 5C 94 2F D1 77 30 22
> 0010: 14 54 18 08 30 94 56 8E E3 4D 13 19 33 BF DF 0C
> 0020: 2F 20 0B CC 4E F1 64 E3 00 00 01 73 B4 E6 19 78
> 0030: 00 00 04 03 00 47 30 45 02 21 00 DA 36 B5 AD AB
> 0040: 1C FF B1 96 61 1B 94 A5 F8 81 40 B2 D2 61 FC 4F
> 0050: 9A EE C9 C8 B9 2F 33 72 CC F2 7C 02 20 51 65 13
> 0060: 7F 2A ED BB 39 85 58 E4 07 40 FC C1 D8 61 0E 18
> 0070: 1F E1 61 BD 73 91 38 1E 94 28 97 34 67 00 77 00
> 0080: 5C DC 43 92 FE E6 AB 45 44 B1 5E 9A D4 56 E6 10
> 0090: 37 FB D5 FA 47 DC A1 73 94 B2 5E E6 F6 C7 0E CA
> 00A0: 00 00 01 73 B4 E6 1A A2 00 00 04 03 00 48 30 46
> 00B0: 02 21 00 AD 29 89 17 C7 62 25 D3 E1 F5 A5 AE 17
> 00C0: 12 F9 6D 7D 70 A4 53 30 7F 98 F5 3F 9F 42 05 AB
> 00D0: 4B F8 4F 02 21 00 82 27 19 3A AD 0E 70 4D 83 38
> 00E0: 02 BB D1 BF 96 64 6E 10 F1 AF C2 CB F1 EE A9 AF
> 00F0: F0 A5 38 82 80 27
>
> #2: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
> AuthorityInfoAccess [
>   [
>    accessMethod: ocsp
>    accessLocation: URIName: http://ocsp.godaddy.com/
> ,
>    accessMethod: caIssuers
>    accessLocation: URIName: http://certificates.godaddy.com/repository/gdig2.crt
> ]
> ]
>
> #3: ObjectId: 2.5.29.35 Criticality=false
> AuthorityKeyIdentifier [
> KeyIdentifier [
> 0000: 40 C2 BD 27 8E CC 34 83 30 A2 33 D7 FB 6C B3 F0
> 0010: B4 2C 80 CE
> ]
> ]
>
> #4: ObjectId: 2.5.29.19 Criticality=true
> BasicConstraints:[
>   CA:false
>   PathLen: undefined
> ]
>
> #5: ObjectId: 2.5.29.31 Criticality=false
> CRLDistributionPoints [
>   [DistributionPoint:
>      [URIName: http://crl.godaddy.com/gdig2s1-2179.crl]
> ]]
>
> #6: ObjectId: 2.5.29.32 Criticality=false
> CertificatePolicies [
>   [CertificatePolicyId: [2.16.840.1.114413.1.7.23.1]
> [PolicyQualifierInfo: [
>   qualifierID: 1.3.6.1.5.5.7.2.1
>   qualifier: 0000: 16 2B 68 74 74 70 3A 2F 2F 63 65 72 74 69 66 69
>              0010: 63 61 74 65 73 2E 67 6F 64 61 64 64 79 2E 63 6F
>              0020: 6D 2F 72 65 70 6F 73 69 74 6F 72 79 2F
>              (IA5String "http://certificates.godaddy.com/repository/")
> ]]  ]
>   [CertificatePolicyId: [2.23.140.1.2.1]
> []  ]
> ]
>
> #7: ObjectId: 2.5.29.37 Criticality=false
> ExtendedKeyUsages [
>   serverAuth
>   clientAuth
> ]
>
> #8: ObjectId: 2.5.29.15 Criticality=true
> KeyUsage [
>   DigitalSignature
>   Key_Encipherment
> ]
>
> #9: ObjectId: 2.5.29.17 Criticality=false
> SubjectAlternativeName [
>   DNSName: *.joblogicinternal.com
>   DNSName: joblogicinternal.com
> ]
>
> #10: ObjectId: 2.5.29.14 Criticality=false
> SubjectKeyIdentifier [
> KeyIdentifier [
> 0000: B0 89 77 CE 63 8D 8E 88 2C B6 E5 52 94 70 BB 41
> 0010: FA 06 C5 3F
> ]
> ]
>
> *******************************************
> *******************************************
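An added example (editor's code, not from the question or the JobLogic app) that first checks the bytes read from internal storage before handing them to KeyStore.load, then builds an OkHttp client that pins the certificate's public key. "stream does not represent a PKCS12 key store" is the message the PKCS12 keystore provider raises when the bytes it reads do not parse as a DER PFX structure, so the useful diagnostic is whether the copy in internal storage is byte-for-byte the file that works from res/raw: its size, its first byte (a PFX is a DER SEQUENCE, so it starts with 0x30) and its SHA-256. Two caveats on the posted builder: loading the PFX into a KeyManagerFactory presents its key as a TLS client certificate and pins nothing on the server side (the trust managers are the platform defaults), and the dump shows a PrivateKeyEntry for the *.joblogicinternal.com server certificate, so that PFX carries a private key that pinning never needs and that should not be shipped to devices unless client-certificate authentication is actually intended. The file path, the password and the host pattern below are assumptions.

```kotlin
// Added example, not the question's code. Assumed: the PFX lives under the app's
// filesDir, the export password is "password" as in the question, and the server
// host pattern is "*.joblogicinternal.com" as in the question's keytool dump.
import java.io.File
import java.io.IOException
import java.security.KeyStore
import java.security.MessageDigest
import java.security.cert.X509Certificate
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient

/** The file contents plus a digest to compare against the copy that works from res/raw. */
data class Pkcs12Bytes(val bytes: ByteArray, val sha256Hex: String)

/** Reads the whole file and rejects anything that cannot be a DER-encoded PFX. */
fun readPkcs12(file: File): Pkcs12Bytes {
    if (!file.isFile) throw IOException("PKCS12 not found at ${file.absolutePath}")
    val bytes = file.readBytes()
    // A PFX is a DER SEQUENCE, so byte 0 is always 0x30. 0x2D ('-') means a PEM text file,
    // 0xEF 0xBB 0xBF means a UTF-8 BOM was prepended by a text-mode copy, and an empty
    // file means the copy into internal storage never finished.
    if (bytes.isEmpty() || bytes[0] != 0x30.toByte()) {
        val first = bytes.firstOrNull()?.let { "0x%02X".format(it) } ?: "none"
        throw IOException("${file.name} is not DER (first byte $first, ${bytes.size} bytes)")
    }
    val digest = MessageDigest.getInstance("SHA-256").digest(bytes)
    return Pkcs12Bytes(bytes, digest.joinToString("") { "%02x".format(it) })
}

/** Loads the keystore from the checked bytes; the password is the one the PFX was exported with. */
fun loadPkcs12(file: File, password: CharArray): KeyStore {
    val checked = readPkcs12(file)
    // Compare with `sha256sum sslCertificate.pfx` on the machine the file came from, or with
    // the digest of the bytes returned by openRawResource(), when load() still fails.
    println("pkcs12 ${file.name}: ${checked.bytes.size} bytes sha256=${checked.sha256Hex}")
    return KeyStore.getInstance("PKCS12").apply { load(checked.bytes.inputStream(), password) }
}

/**
 * Builds a client that pins the SubjectPublicKeyInfo hash of the certificate in the keystore.
 * CertificatePinner.pin() produces the "sha256/<base64>" form OkHttp expects, which is not
 * the certificate fingerprint keytool prints. Only the certificate is read here; the private
 * key entry is never touched.
 */
fun pinnedClient(keyStore: KeyStore, hostPattern: String): OkHttpClient {
    val alias = keyStore.aliases().asSequence().firstOrNull()
        ?: throw IllegalStateException("keystore has no entries")
    val cert = keyStore.getCertificate(alias) as? X509Certificate
        ?: throw IllegalStateException("entry $alias has no X.509 certificate")
    val pinner = CertificatePinner.Builder()
        .add(hostPattern, CertificatePinner.pin(cert))
        .build()
    return OkHttpClient.Builder().certificatePinner(pinner).build()
}

/** Fails closed: a bad file or missing certificate throws instead of yielding an unpinned client. */
fun buildClient(context: android.content.Context): OkHttpClient {
    val pfx = File(context.filesDir, "sslCertificate.pfx")   // app-private internal storage
    val keyStore = loadPkcs12(pfx, "password".toCharArray())
    return pinnedClient(keyStore, "*.joblogicinternal.com")
}
```

Pinning the leaf alone means the app stops working the moment the server certificate is renewed (the dumped one expires in October 2021), so in practice add a second pin for the issuing intermediate or the next key with another `.add(hostPattern, ...)` call; and since the pin is computed from the certificate only, the asset shipped to devices can be the bare certificate (a .cer/.crt) rather than a PFX with the private key.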