使用BlackBerry App安裝SSL證書

Question

我們有一個BlackBerry應用程序，用於訪問使用未在某些BlackBerry OS5設備上安裝的SSL證書的安全Web服務。這對我們看到此消息的應用的用戶造成了問題。

「您正試圖打開安全連接，但服務器的證書不受信任。」

我們可以通過這種方法

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO4477&actp=search&viewlocale=en_US&searchid=1328216150785

手動安裝證書，但這顯然是不爲我們的客戶一個很好的解決方案。

有沒有辦法打包&安裝所需的證書與應用程序？此證書適用於iOS，Android，IE，Firefox & Chrome。

Answer 1

您可以將代碼包中的證書X509作爲資源包含在密鑰存儲區中。但用戶將不得不手動進入他們的證書存儲並信任它。如果用戶之前沒有使用過證書存儲，那麼這會在強制他們選擇密碼的過程中產生不幸的副作用。

以下代碼將從PEM格式的資源文件中讀取證書，但會刪除----- BEGIN/END CERTIFICATE -----行。我已經使用了這個代碼的所有元素，但不是以這個確切的配置。如果有任何問題，我會很樂意嘗試將它們整理出來。

證書將不會被信任，因此用戶將不得不手動進入設備選項下的證書存儲應用程序並「信任」該證書。確保他們明白他們不能吊銷證書。無需清除和重新安裝操作系統，該操作無法在設備上取消。唯一的其他選擇是重新頒發新證書。

如果有人知道如何獲得這些finiky位讓我知道，我會在這個代碼中包含解決方案，或鏈接到現在它存在的任何地方。

X509Certificate _x509; 

try { 
    // Get an input stream for the certificate in a resource file 
    InputStream rs = getClass().getResourceAsStream("/certificate.pem"); 

    // PEM format is Base64 encoded 
    Base64InputStream b64is = new Base64InputStream(rs); 

    // Create the X509 certificate 
    _x509 = new X509Certificate(b64is); 

    // Clean up. 
    b64is.close(); 
    rs.close(); 

    // if the certificate is self signed this will perform a 
    // verfication check. For non-self signed certificates 
    // one could provide the signer's certificate in another 
    // resource file and validate it with that public key. Other 
    // versions of verify will verify it with a certificate in 
    // a keystore, but then we wouldn't need to do all this. 
    _x509.verify(_x509.getPublicKey()); 
    System.out.println(_x509.getSubjectFriendlyName()); 
    System.out.println(Integer.toHexString(_x509.hashCode())); 

    // Add the certificate to the DeviceKeyStore 
    KeyStore ks = DeviceKeyStore.getInstance(); 

    // Associated data is set to null, but can be used if there is associated 
    // data known. You can use _x509.getStatus() instead of encoding the GOOD 
    // constant, but if the device can not find a revokation or validation list 
    // it will set the status to UNKNOWN which will confuse users. ks.getTicket() 
    // will prompt the user for permission for the program to access the key store. 
    // This may also cause the system to ask the user to set a password, unfortunately 
    // I can't remember, but I don't think it will if there is no private key in the 
    // certificate. 
    ks.set(null, _x509.getSubjectFriendlyName(), _x509, CertificateStatus.GOOD, 
     ks.getTicket()); 
} catch (CertificateException ce) { 
    System.out.println(ce.toString()); 
} catch (CryptoException crypt) { 
    System.out.println(crypt); 
} catch (IOException ioe) { 
    System.out.println(ioe.toString()); 
}