Android Question read ssl certifikate from Server

[Siam]

Hello,

it is possible to read the information from a ssl-certificate such as fingerprint, validity etc. from a SSL connection with the network library ?

greetings

Andy

 

[Erel]

I wasn't able to find any information about this. So I'm not sure.

You can play with WireShark and monitor the network while you get the certificate in the browser.

 

[Siam]

hello erel,

thanks for your feedback!

I have a java code found with this it should be possible to examine the SSL Certificate. Maybe someone could porting to b4a? (sorry java is not my world)

greetings

andy

import java.io.IOException;
import java.net.URL;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import javax.net.ssl.HttpsURLConnection;
import javax.security.cert.CertificateException;

private static String getFingerprint(String s)
        throws IOException, NoSuchAlgorithmException, CertificateException, CertificateEncodingException
    {
        s = (HttpsURLConnection)(new URL(s)).openConnection();
        s.connect();
        s = s.getServerCertificates()[0];
        MessageDigest messagedigest = MessageDigest.getInstance("SHA1");
        messagedigest.update(s.getEncoded());
        return dumpHex(messagedigest.digest());
    }
private static String dumpHex(byte abyte0[])
    {
        int j = abyte0.length;
        StringBuilder stringbuilder = new StringBuilder(j * 3 - 1);
        for (int i = 0; i < j; i++)
        {
            if (i > 0)
            {
                stringbuilder.append(' ');
            }
            stringbuilder.append(HEX_CHARS[abyte0[i] >> 4 & 0xf]);
            stringbuilder.append(HEX_CHARS[abyte0[i] & 0xf]);
        }

        return stringbuilder.toString();
    }

 

[Erel]

You can add this code with the inline java feature. Note that you will also need to add this workaround: Workaround the NetworkOnMainThread exception

 

[Siam]

thx erel

then I'm going to try my luck

 

[Siam]

i have the certificate but i'm to stupid to return only the public key from this code

#if java

import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.cert.CertificateEncodingException;
import javax.security.cert.CertificateException;
import javax.net.ssl.HttpsURLConnection;

public Certificate chkssl(String Server)
       throws IOException, CertificateException, CertificateEncodingException
    {
        HttpsURLConnection s = (HttpsURLConnection)(new URL(Server)).openConnection();
        s.connect();
           Certificate certs = s.getServerCertificates()[0];
        BA.Log("response" + certs.getPublicKey ());   
        return certs; //"test";
    }


#end if

i only will have certs.getPublicKey () but i only get errors if i insert this maybe you can give me a hint ?

 

[Erel]

Which error do you get?

 

[Siam]

if i do this

return certs.get ();

src\b4a\example\main.java:471: error: incompatible types
     return certs.getPublicKey ();//certs; //"test";
      ^
  required: Certificate
  found:  PublicKey

if i change this

public PublicKey chkssl(String Server,String Key)

i get

src\b4a\example\main.java:464: error: cannot find symbol
public PublicKey chkssl(String Server,String Key)
       ^
  symbol:   class PublicKey
  location: class main
1 error

 

[Erel]

Change PublicKey with java.security.PublicKey

Or:

public byte[] chkssl(...)
 return certs.getPublicKey ().getEncoded();

 

[Siam]

Erel you are great !!!! i'm not finish with my man in the middle Protection but now i know a bit more what i do

 

[M. Giray Ozkan]

Dear Siam,

did you complete your MITM attack protection work? This is exactly what I need in my current project.

Thank you