Assume that you want to write an Android application, that needs to communicate with your server or your wireless router at home, for personal use. You might be interested in securing this communication against eavesdropping, so that nobody else sees, what you application sends and receives. You also might be interested in authenticating you communication, so that you can be sure that only your application and your server or router communicate, and nobody else is able to modify the content transmitted, without being noticed. The SSL\/TLS protocol is a perfect solution for this problem, so that you don’t need to invent a solution yourself.<\/p>\n
To ensure authenticity of both communication partners, X.509 certificates can be used. Most secure websites in the internet like paypal, ebay, or amazon only use X.509 certificates for the server, and the client is authenticated using a username and a password. For this example, X.509 certificates will be used for both communication partners.<\/p>\n
To generate two self-signed X.509 certificates, the following script can be used. It will generate two new RSA 2048 bit keys, generate two self signed certificates, and bundle the client certificate with the corresponding private key, and the servers public certificate in a PKCS#12 container file.<\/p>\n
#!\/bin\/bash\r\nOPENSSL_OPTS=\"-new -newkey rsa:2048 -nodes -days 5475 -x509\"\r\nCN_SERVER=\"\/CN=server\"\r\nCN_CLIENT=\"\/CN=client\"\r\nPASS=\"123456\"\r\necho \"Generating keys\"\r\nopenssl req -keyout key-server.pem -subj \"$CN_SERVER\" \\\r\n -out cert-server.pem $OPENSSL_OPTS\r\nopenssl req -keyout key-client.pem -subj \"$CN_CLIENT\"\\\r\n -out cert-client.pem $OPENSSL_OPTS\r\necho \"Encrypting key for the client now\"\r\nopenssl pkcs12 -export -passout \"pass:$PASS\" \\\r\n -in cert-client.pem -inkey key-client.pem -out client.p12 \\\r\n -certfile cert-server.pem -name \"Client\" -caname \"Server\"<\/pre>\nStunnel<\/h1>\n
We will use stunnel for the server. Stunnel is a lightweight general SSL\/TLS wrapper and proxy. First, we copy cert-client.pem cert-server.pem and key-server.pem to the server to \/etc\/ssl\/stunnel or another directory. Next is the stunnel configuration file:<\/p>\n
cert = \/etc\/ssl\/stunnel\/cert-server.pem\r\nkey = \/etc\/ssl\/stunnel\/key-server.pem\r\nCAfile = \/etc\/ssl\/stunnel\/cert-client.pem\r\nsslVersion = SSLv3\r\nchroot = \/var\/lib\/stunnel4\/\r\nsetuid = stunnel4\r\nsetgid = stunnel4\r\npid = \/stunnel4.pid\r\nsocket = l:TCP_NODELAY=1\r\nsocket = r:TCP_NODELAY=1\r\n[service]\r\naccept = 1279\r\nconnect = target:1280\r\nverify = 2<\/pre>\nThis will set up a stunnel server, listening on port 1279, and forwarding the unencrypted communication to target port 1280. It will only allow connections from a client, presenting a valid certificate.<\/p>\n
Android<\/h1>\n
Next, we can write the code for our Android application:<\/p>\n
\r\n\/\/ Adopt this in your application\r\nString PASSWORD_FOR_PKCS12 = \"123456\";\r\nInputStream pkcs12in = ......\r\n\/\/ You only need to execute this code once\r\nSSLContext context = SSLContext.getInstance(\"TLS\");\r\n\/\/ Local client certificate and key and server certificate\r\nKeyStore keyStore = KeyStore.getInstance(\"PKCS12\");\r\nkeyStore.load(pkcs12in, PASSWORD_FOR_PKCS12.toCharArray());\r\n\/\/ Build a TrustManager, that trusts only the server certificate\r\nTrustManagerFactory tmf = TrustManagerFactory.getInstance(\"X509\");\r\nKeyStore keyStoreCA = KeyStore.getInstance(\"BKS\");\r\nkeyStoreCA.load(null, null);\r\nCertificate c = keyStore.getCertificate(\"Server\");\r\nkeyStoreCA.setCertificateEntry(\"Server\", c);\r\ntmf.init(keyStoreCA);\r\n\/\/ Build a KeyManager for Client auth\r\nKeyManagerFactory kmf = KeyManagerFactory.getInstance(\r\n KeyManagerFactory.getDefaultAlgorithm());\r\nkmf.init(keyStore, null);\r\ncontext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);\r\n\/\/ Everytime you need your https connection, run this code\r\nURL url = new URL(\"https:\/\/my-router:1279\/\");\r\nHttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();\r\nurlConnection.setSSLSocketFactory(context.getSocketFactory());\r\nurlConnection.setHostnameVerifier(new AllowAllHostnameVerifier());\r\nInputStream in = urlConnection.getInputStream();\r\n<\/pre>\n","protected":false},"excerpt":{"rendered":"Assume that you want to write an Android application, that needs to communicate with your server or your wireless router at home, for personal use. You might be interested in securing this communication against eavesdropping, so that nobody else sees, …<\/p>\n