On Thu, Aug 4, 2011 at 3:39 AM, hhenne <[email protected]> wrote:
> Thanks Nikolay,
>
> Don't know if it was obvious from my post, but I'm developing an app,
> which communicates with a payment service provider, which I trust.
> The apps should be deployed on many customers' mobiles. The customers
> trust this app and use it for trading goods. They should not be
> worried about certificate issues. Further response is embedded below:

You can't trust it if you are on a public network. If you want your
customers to not be worried about certificate issues, you are
responsible for implementing the validation properly.

>
> On Aug 3, 6:30 pm, Nikolay Elenkov <[email protected]> wrote:
>> On Thu, Aug 4, 2011 at 1:06 AM, hhenne <[email protected]> wrote:
>> Valid and trusted are two different things. If the Android trust store
>> doesn't contain the issuer of the certificate, you will get an error.
>
> Where is the Android trust store, and can I as the app developer
> access this trust store?
>

Don't know if it's the same on all versions, but on Gingerbread it's in
/etc/security/cacerts.bks

You can access it, but you cannot change it, since it's on the system
partition.

>>
>> What have you tried? Basically you need to supply your own
>> trust store containing the issuer of the server certificate (and
>> any other certificates needed to form a full chain, if any)
>
> The solution was trying to skip the validation process.

Again, don't do this. Anyone with a random certificate could intercept
your traffic if you do. There is no point in encryption if you don't
know who you are talking to. This is not paranoia, there are real ways
to do this: someone could change the DNS record to point to their own
server, they could insert their server between you and the target, etc.

>>
>> Are you sure you don't need the validation? Is it OK,
>> if the payments go to a third-party server instead of yours/
>> your partner's?
>
> How should that be possible? My app is calling the payment service
> provider, which I trust.
>

You can't trust random servers on the Internet. See above.

>>
>> > W/System.err( 9056): Caused by: java.security.SignatureException:
>> > Signature was not verified
>>
>> This actually sounds like a broken certificate, not a trust problem.
>> Can you post it somewhere?
>
> Here is the response from calling the server with curl from my PC -
> the certificate issuer is represented in the trust store on my PC :
>
> * Server certificate:
> * subject: serialNumber=ZKv/oWumfVRvqnb-xqFxf-If2UPPBAst; C=DK;
> O=secure.quickpay.dk; OU=GT15378717; OU=See www.geotrust.com/resources/cps
> (c)08; OU=Domain Control Validated - QuickSSL(R);
> CN=secure.quickpay.dk
> * start date: 2010-07-06 04:51:59 GMT
> * expire date: 2012-01-27 21:27:45 GMT
> * subjectAltName: secure.quickpay.dk matched
> * issuer: C=US; O=Equifax; OU=Equifax Secure Certificate Authority
> * SSL certificate verify ok.

Looks OK, although quick/rapid/cheap domain validated certificates are
usually not of much value. You can get the issuer certificate from
their resources page if you don't already have it:

https://www.geotrust.com/resources/root-certificates/

Then you need to add it to your own trust store and create a socket
factory that uses that. See the *second* answer in this SO post (not
the first!) about how to do it. It shows how to add the certificates
from your own trust store to the system one:

http://stackoverflow.com/questions/2642777/trusting-all-certificates-using-httpclient-over-https

