2012-02-03 160 views
4

We have a BlackBerry application that accesses a secure web service using an SSL certificate that is not installed on some BlackBerry OS5 devices. This causes a problem for users of our app, who see this message:
Installing an SSL certificate with a BlackBerry app

"You are trying to open a secure connection, but the server's certificate is not trusted."

We can install the certificate manually using this method:

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO4477&actp=search&viewlocale=en_US&searchid=1328216150785

but this is obviously not a good solution for our customers.

Is there a way to package & install the required certificate with the application? This certificate works on iOS, Android, IE, Firefox & Chrome.

Answers

4

You can include the X509 certificate in the key store as a resource in the code package. But the user will have to manually go into their certificate store and trust it. If the user has not used the certificate store before, this has the unfortunate side effect of forcing them to choose a password.

The following code will read the certificate from a resource file in PEM format, but with the -----BEGIN/END CERTIFICATE----- lines removed. I have used all the elements of this code, but not in this exact configuration. If there are any problems, I'll gladly try to sort them out.

The certificate will not be trusted, so the user will have to manually go into the certificate store application under device options and "trust" the certificate. Make sure they understand that they cannot revoke the certificate. That action cannot be undone on the device without wiping and reinstalling the OS. The only other option is to reissue a new certificate.

If anyone knows how to get around these finicky bits, let me know and I'll include the solution in this code, or link to wherever it exists now.

// Imports for the BlackBerry JDE crypto / key store API used below
import java.io.IOException;
import java.io.InputStream;
import net.rim.device.api.crypto.CryptoException;
import net.rim.device.api.crypto.certificate.CertificateException;
import net.rim.device.api.crypto.certificate.CertificateStatus;
import net.rim.device.api.crypto.certificate.x509.X509Certificate;
import net.rim.device.api.crypto.keystore.DeviceKeyStore;
import net.rim.device.api.crypto.keystore.KeyStore;
import net.rim.device.api.io.Base64InputStream;

X509Certificate _x509;

try {
    // Get an input stream for the certificate in a resource file
    // (PEM body only: the -----BEGIN/END CERTIFICATE----- lines must be removed)
    InputStream rs = getClass().getResourceAsStream("/certificate.pem");

    // PEM format is Base64 encoded
    Base64InputStream b64is = new Base64InputStream(rs);

    // Create the X509 certificate
    _x509 = new X509Certificate(b64is);

    // Clean up.
    b64is.close();
    rs.close();

    // If the certificate is self signed this will perform a
    // verification check. For non-self signed certificates
    // one could provide the signer's certificate in another
    // resource file and validate it with that public key. Other
    // versions of verify will verify it with a certificate in
    // a keystore, but then we wouldn't need to do all this.
    _x509.verify(_x509.getPublicKey());
    System.out.println(_x509.getSubjectFriendlyName());
    System.out.println(Integer.toHexString(_x509.hashCode()));

    // Add the certificate to the DeviceKeyStore
    KeyStore ks = DeviceKeyStore.getInstance();

    // Associated data is set to null, but can be used if there is associated
    // data known. You can use _x509.getStatus() instead of encoding the GOOD
    // constant, but if the device can not find a revocation or validation list
    // it will set the status to UNKNOWN which will confuse users. ks.getTicket()
    // will prompt the user for permission for the program to access the key store.
    // This may also cause the system to ask the user to set a password, unfortunately
    // I can't remember, but I don't think it will if there is no private key in the
    // certificate.
    ks.set(null, _x509.getSubjectFriendlyName(), _x509, CertificateStatus.GOOD,
        ks.getTicket());
} catch (CertificateException ce) {
    System.out.println(ce.toString());
} catch (CryptoException crypt) {
    System.out.println(crypt);
} catch (IOException ioe) {
    System.out.println(ioe.toString());
}
+0

For our customers this is better than walking them through the Desktop Manager process. I'd love to see the code. – HatAndBeard 2012-02-03 18:05:26
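The answer above relies on a detail that is easy to get wrong when preparing the resource file: the Base64 stream reader expects only the PEM body, so the -----BEGIN/END CERTIFICATE----- armour has to be stripped, and the decoded bytes must be exactly one DER-encoded certificate. The example below is added here and is not code from the question, the answer, or the BlackBerry API; it is a small stand-alone Python tool a developer can run on the workstation before bundling the file. It strips the armour (tolerating CRLF line endings and trailing whitespace), refuses a resource that also carries a PRIVATE KEY block (a private key must never ship inside an application package), checks that the result is a single well-formed DER SEQUENCE, and prints a SHA-256 fingerprint that can be compared against the server's certificate so the user trusts the intended certificate and nothing else. The sample PEM is constructed inline from a minimal DER SEQUENCE, not a real certificate; the function names are my own.

```python
import base64
import hashlib
import re

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def pem_blocks(text):
    """Return [(label, der_bytes), ...] for every armoured block in a PEM file.

    Blank lines, CRLF endings and explanatory text outside the armour are
    ignored, as PEM readers conventionally allow; mismatched or unterminated
    armour lines raise ValueError instead of silently producing garbage.
    """
    blocks, label, body = [], None, []
    for raw in text.splitlines():          # splitlines() handles \r\n too
        line = raw.strip()
        if not line:
            continue
        m = _BEGIN.match(line)
        if m:
            if label is not None:
                raise ValueError("nested BEGIN line in PEM input")
            label, body = m.group(1), []
            continue
        m = _END.match(line)
        if m:
            if label != m.group(1):
                raise ValueError("END label does not match BEGIN label")
            # validate=True rejects stray characters instead of skipping them
            blocks.append((label, base64.b64decode("".join(body), validate=True)))
            label = None
            continue
        if label is not None:
            body.append(line)
    if label is not None:
        raise ValueError("unterminated PEM block")
    return blocks


def check_der_envelope(der):
    """True if der is exactly one DER SEQUENCE whose encoded length matches its size."""
    if len(der) < 2 or der[0] != 0x30:     # 0x30 = SEQUENCE tag
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        length, header = first, 2
    else:                                  # long-form length: 0x8n + n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return header + length == len(der)


def certificate_der(text):
    """Extract the single CERTIFICATE block from a PEM resource, or raise ValueError."""
    blocks = pem_blocks(text)
    if any("PRIVATE KEY" in lbl for lbl, _ in blocks):
        raise ValueError("resource contains a private key; ship only the certificate")
    certs = [der for lbl, der in blocks if lbl == "CERTIFICATE"]
    if len(certs) != 1:
        raise ValueError("expected exactly one CERTIFICATE block, found %d" % len(certs))
    if not check_der_envelope(certs[0]):
        raise ValueError("CERTIFICATE body is not a single well-formed DER SEQUENCE")
    return certs[0]


def fingerprint(der):
    """SHA-256 fingerprint of the DER bytes in the colon-separated form browsers show."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def make_pem(label, der, newline="\n"):
    """Wrap DER bytes in PEM armour with 64-character Base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = ["-----BEGIN %s-----" % label]
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append("-----END %s-----" % label)
    return newline.join(lines) + newline


# Constructed sample input: SEQUENCE { INTEGER 1, NULL }, NOT a real certificate,
# armoured with Windows line endings to exercise the CRLF path.
SAMPLE_DER = bytes([0x30, 0x05, 0x02, 0x01, 0x01, 0x05, 0x00])
SAMPLE_PEM = make_pem("CERTIFICATE", SAMPLE_DER, newline="\r\n")
# Constructed bad input: the same certificate plus a private key block.
KEY_PEM = SAMPLE_PEM + make_pem("PRIVATE KEY", b"\x30\x00")

if __name__ == "__main__":
    der = certificate_der(SAMPLE_PEM)
    print("DER length: %d bytes" % len(der))
    print("SHA-256 fingerprint:", fingerprint(der))
```

Run it against the real certificate.pem before bundling; the printed fingerprint should match the one the server presents, and the bare DER bytes (or the Base64 body alone) are what the Base64InputStream in the answer expects to read.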