On Tue, Aug 28, 2012 at 11:06 PM, android_newbie <[email protected]> wrote:
> I am developing an android application that uses a public key certificate to
> sign messages sent to the server. When the user logs in to the app, he
> receives an X.509 certificate from the server. Now, when he wants to send
> messages to the server, he has to sign the message using the certificate
> public key and send it to the server along with the message.

You might want to review the basics once more before going forward with this.
You sign the message with a private key, not with the certificate. The certificate
is there to convince people that you are indeed who you say you are. How you
enroll for a certificate depends on your server, but generally you need to generate
a key, create a certificate signing request, send it to the server and receive
your certificate. You need to make sure you are talking to the right server, so you
have to use HTTPS. The server needs to make sure you are who you say you are,
so some form of authentication is needed before it can issue a certificate.

> I am new to
> security in android and I don't know how to go about this. These are some of
> the questions I have:
>
> How can I securely store the certificate in the phone so that my app can use
> it to sign messages sent to the server?

If you are using ICS (4.0) or later, you can use the KeyChain API. On earlier
versions there is no standard API, but you can create a standard Java keystore
file private to your app and protect it with a password.

>
> I am also planning to do key rotation once in some time. So, the server will
> send the updated certificate to the user and my app has to update the
> certificate stored in the phone.
>

This is also somewhat tricky. If you change the key you will need to issue a new
certificate, see above. You might be able to authenticate with your existing
certificate to receive a new one, but some authentication protocol needs to
be in place.

> If you can point me to a tutorial or any issues I need to carefully handle,
> it will be really helpful. Thanks

There is no ready-made tutorial, since this is fairly complex and hugely depends
on your environment (who is your CA? how do they verify your identity? what
certificate profile do they use? etc.) and required security level.

-- 
You received this message because you are subscribed to the Google
Groups "Android Developers" group.