Question: How to using cert files on Android platform?

Viktor Dukhovni openssl-users at dukhovni.org
Wed Mar 3 05:34:13 UTC 2021


On Wed, Mar 03, 2021 at 01:56:31AM +0000, Yang Rong wrote:

> I am new to OpenSSL. I am working on a project using JNI + OpenSSL on
> an Android App.

Can you briefly explain your motivation for using OpenSSL via JNI,
rather than just use the native android TLS APIs, which then just use
the Android trust store?

> The OpenSSL is not able to use certs in the Android trust store.

The Android trust store is likely more fine-grained than you'd naively
expect.  Not all the trusted certificates are necessarily trusted for
the same purposes.  If you just extract the certificates, without the
associated trust settings, you may well end up undermining some of the
expected security properties, because some restricted use certificates
may then lose their associated restrictions.
 
> Do we have a way to use the Android trust store in 2021?

The simplest and generally most appropriate answer is: via the Android
APIs, and without JNI into OpenSSL.

If you have a compelling reason to use OpenSSL, you'll probably need
to provision a dedicated trust store of known to be appropriate trust
anchors.

> The target API level of the Android App is 28. If OpenSSL is
> still not able to use the Android default trust stores nowadays, I
> would like to copy the certs from Ubuntu to the Android app.

If it is appropriate to trust the same root CAs (something probably
along the lines of the Mozilla cert bundle), then you could do that,
but why is this necessary?

> But I need to figure out which pem file is used to establish
> connections.

Now it seems that you're not well versed in OpenSSL, which strongly
suggests that it is really best to stick to the provided APIs, and
not roll your own security toolkit.

> Is there a way any OpenSSL command line cmd is able to do
> that?

Almost certainly, but your question is rather oddly phrased and not
completely clear.  PEM files don't establish connections.

Are you looking to capture the entire Ubuntu trust store, or just
the specific trust-anchor that is *currently* the ultimate issuer
of the server's certificate chain?  Do you have good reason to
believe that the server will continue to use the same root CAs
indefinitely? ...

If your reasons for not using the Android APIs are not absolutely
compelling, your best bet is to use those, despite whatever non-critical
disadvantages are driving you to consider OpenSSL instead.

-- 
    Viktor.
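
The reply above asks whether the goal is the specific trust anchor that is currently the ultimate issuer of the server's chain. As an added example (not part of the original thread), the shell functions below try each candidate root PEM on its own with `openssl verify` and report which file anchors a given certificate. The function names, file names and certificates are constructed for the demonstration, and the answer only holds for as long as the server keeps chaining to that root.

```shell
#!/bin/sh
# Added example: find which PEM file among candidate roots anchors a certificate.
# All keys and certificates here are constructed test data.

# find_anchor ROOT_DIR LEAF_PEM [INTERMEDIATES_PEM]
# Prints the file name of every candidate under which LEAF_PEM verifies when
# that candidate is the only trust anchor. -no-CApath keeps the system default
# directory out of the decision; intermediates are passed as untrusted.
find_anchor() {
    dir=$1
    leaf=$2
    for ca in "$dir"/*.pem; do
        if openssl verify -no-CApath -CAfile "$ca" \
               ${3:+-untrusted "$3"} "$leaf" >/dev/null 2>&1; then
            basename "$ca"
        fi
    done
}

# make_demo WORKDIR
# Builds two constructed self-signed roots (a, b) and a leaf issued by root b.
make_demo() {
    w=$1
    mkdir -p "$w/roots"
    for n in a b; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
            -subj "/CN=Constructed Root $n" \
            -keyout "$w/root-$n.key" -out "$w/roots/root-$n.pem" \
            2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=server.example" \
        -keyout "$w/leaf.key" -out "$w/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$w/leaf.csr" -days 1 \
        -CA "$w/roots/root-b.pem" -CAkey "$w/root-b.key" -CAcreateserial \
        -out "$w/leaf.pem" 2>/dev/null || return 1
}

# Demonstration run on the constructed data: prints root-b.pem
demo_dir=$(mktemp -d) && make_demo "$demo_dir" &&
    find_anchor "$demo_dir/roots" "$demo_dir/leaf.pem"
```

For a real server, the leaf and any intermediates would first be saved to files (for example from `openssl s_client -showcerts` output) and the intermediates passed as the third argument.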

