Certificate pinning on Android

I am trying to learn how to pin a certificate in an Android app. I found a tutorial here. I have a doubt about it, based on my testing of this code.

I used the code as follows:

import android.content.Context;
import android.content.res.AssetManager;
import android.util.Log;

import org.apache.http.HttpVersion;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;
import org.apache.http.params.HttpProtocolParams;
import org.apache.http.protocol.HTTP;

import java.io.InputStream;
import java.security.KeyStore;

public class CertificatePinning {

    // Builds an SSLSocketFactory whose trust store is the BKS keystore shipped in
    // the app's assets, so only server certificates that are in that store, or
    // chain to an entry in it, are accepted.
    static SSLSocketFactory constructSSLSocketFactory(Context context) {
        SSLSocketFactory sslSocketFactory = null;
        try {
            AssetManager assetManager = context.getAssets();
            InputStream keyStoreInputStream = assetManager.open("myapp.store");
            KeyStore trustStore = KeyStore.getInstance("BKS");
            try {
                trustStore.load(keyStoreInputStream, "somepass".toCharArray());
            } finally {
                keyStoreInputStream.close();
            }
            sslSocketFactory = new SSLSocketFactory(trustStore);
            // Also require the certificate's name to match the host being connected to.
            sslSocketFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
        } catch (Exception e) {
            Log.d("Exception", e.getLocalizedMessage());
        }
        return sslSocketFactory;
    }

    // Returns an HttpClient that uses the pinned trust store for all https:// scheme
    // connections (plain http:// connections are left unchanged).
    public static HttpClient getNewHttpClient(Context context) {
        DefaultHttpClient httpClient = null;
        try {
            SSLSocketFactory sslSocketFactory = constructSSLSocketFactory(context);

            HttpParams params = new BasicHttpParams();
            HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
            HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);

            SchemeRegistry registry = new SchemeRegistry();
            registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
            registry.register(new Scheme("https", sslSocketFactory, 443));

            ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);
            httpClient = new DefaultHttpClient(ccm, params);
        } catch (Exception e) {
            Log.d("Exception", e.getLocalizedMessage());
            return null;
        }
        return httpClient;
    }
}

Quoting instructions from this tutorial:

On the client side, you simply need to distribute the signing certificate with your app and validate against it.

On my web server, I have my own CA, which I created using OpenSSL and which I used to sign certificates for the different domain names that are used with my application.

This statement indicates that this guide is for the CA certificate that I have. I tested the code with ca.pem (from my CA .crt file) and it works fine.

But I also tested the same code with a certificate signed by this CA, e.g. server.pem (from a signed server .crt), and it works too.

Did I do something wrong, or is this code for pinning:

1) CA certificate (covering all certificates signed by that CA) or

2) a specific certificate (signed by some CA)?

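The two granularities the question asks about, a CA anchor versus a single server certificate, can be observed outside of Android with a few generated certificates. The following is an added example (it is not code from the post or from the tutorial it cites); it assumes the third-party `cryptography` package, and the helper names `_make_cert`, `chain_trusted`, `spki_pin` and `pin_matches` are my own. `chain_trusted` models the trust-store check the way Java's PKIX validator behaves, where a trust anchor may be either a CA certificate or the end-entity certificate itself, and `pin_matches` shows the SubjectPublicKeyInfo pin format used by Android's network security config, which gives the same two choices without shipping a keystore:

```python
# Added example (not from the original post or the tutorial it cites).
# Assumes the third-party `cryptography` package. _make_cert, chain_trusted,
# spki_pin and pin_matches are my own helper names; all certificates are
# generated in-process, so nothing here touches a real CA or server.
import base64
import datetime
import hashlib

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _make_cert(common_name, issuer_cert=None, issuer_key=None, is_ca=False):
    """Create an EC P-256 key pair and a certificate for it.

    With no issuer the certificate is self-signed (a root CA); otherwise it is
    signed by issuer_key and names issuer_cert's subject as its issuer.
    """
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    issuer = subject if issuer_cert is None else issuer_cert.subject
    signer = key if issuer_key is None else issuer_key
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=1))
        .not_valid_after(now + datetime.timedelta(days=1))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signer, hashes.SHA256())
    )
    return cert, key


def _signed_by(cert, candidate_issuer):
    """True if candidate_issuer's public key verifies cert's signature."""
    if cert.issuer != candidate_issuer.subject:
        return False
    try:
        candidate_issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def chain_trusted(leaf, trust_anchors):
    """Trust-store check in the style of Java's PKIX validator: the leaf is
    accepted if it *is* a trust anchor or is directly signed by one.
    Intermediate CAs are deliberately not handled; this is a one-level demo."""
    return any(leaf == anchor or _signed_by(leaf, anchor) for anchor in trust_anchors)


def spki_pin(cert):
    """base64(SHA-256(SubjectPublicKeyInfo DER)): the pin format used by HPKP
    and by Android's network security config."""
    spki = cert.public_key().public_bytes(
        serialization.Encoding.DER, serialization.PublicFormat.SubjectPublicKeyInfo)
    return base64.b64encode(hashlib.sha256(spki).digest()).decode("ascii")


def pin_matches(chain, pins):
    """SPKI pinning: accept if any certificate in the presented chain carries a
    pinned public key. Pinning the CA key covers everything that CA issues;
    pinning the leaf key covers only that leaf (and renewals with the same key)."""
    return any(spki_pin(cert) in pins for cert in chain)


def demo():
    """Build a private CA, two server certs under it and one cert from an
    unrelated CA, then record what each anchor/pin choice accepts."""
    ca_cert, ca_key = _make_cert("My Test CA", is_ca=True)
    api_cert, _ = _make_cert("api.example.test", ca_cert, ca_key)
    www_cert, _ = _make_cert("www.example.test", ca_cert, ca_key)
    other_ca, other_key = _make_cert("Unrelated CA", is_ca=True)
    rogue_cert, _ = _make_cert("api.example.test", other_ca, other_key)  # same name, wrong CA

    return {
        # (1) CA certificate in the store: everything that CA signed is accepted
        "anchor=CA accepts api": chain_trusted(api_cert, [ca_cert]),
        "anchor=CA accepts www": chain_trusted(www_cert, [ca_cert]),
        "anchor=CA accepts rogue": chain_trusted(rogue_cert, [ca_cert]),
        # (2) server certificate in the store: only that certificate is accepted
        "anchor=api accepts api": chain_trusted(api_cert, [api_cert]),
        "anchor=api accepts www": chain_trusted(www_cert, [api_cert]),
        # SPKI pins give the same two granularities without a trust store
        "pin=CA accepts www chain": pin_matches([www_cert, ca_cert], {spki_pin(ca_cert)}),
        "pin=api accepts api chain": pin_matches([api_cert, ca_cert], {spki_pin(api_cert)}),
        "pin=api accepts www chain": pin_matches([www_cert, ca_cert], {spki_pin(api_cert)}),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Running it shows that a store holding the CA certificate accepts every certificate that CA issued (and rejects one with the same name from another CA), while a store holding one server certificate accepts only that certificate; the SPKI pin rows show the same split. Which of the two you want is a deployment decision: the CA pin survives server certificate rotation, the leaf pin is the narrower trust boundary but breaks the app when the server key changes unless a backup pin is shipped.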

Source: https://habr.com/ru/post/973596/
