Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
847 views
in Technique[技术] by (71.8m points)

ssl - android webview with client certificate

I tried for days to use a web view with a client certificate embedded in the application, but it seems to me that the Android SDK does not provide any way to do it. Is there a callback to intercept the challenge sent by the server? Is there a way to use a WebView with a client certificate and make HTTPS requests?


Fight the evil dragon too long and you become the dragon yourself; gaze into the abyss too long and the abyss will gaze back…

1 Answer

0 votes
by (71.8m points)

Since I'm interested in your problem as well, I checked the documentation for WebView and WebViewClient, surfed around, and indeed it looks like you can't authenticate a WebView session using a client certificate, as the required method (ClientCertRequestHandler) is not a public API.

Using a Android WebView to connect to secure server with Client Certificate

A search in the Android Security Discussions confirms that the call is indeed not available:

https://groups.google.com/forum/#!msg/android-security-discuss/0hzTGaA9swQ/1Oqc8UpGLH8J

and even though

The Android 4.0 release does include support for client certificate authentication in the browser.

(ref: https://code.google.com/p/android/issues/detail?id=8196)

no mention about WebViews is made :(

Even though there are some new APIs to load certificates in a Keychain:

http://developer.android.com/reference/android/security/KeyChain.html

http://nelenkov.blogspot.it/2011/11/using-ics-keychain-api.html

it is not clear whether the WebView is gonna use them... So I guess you should try the KeyChain class and see if you can correctly authenticate (I have no simple way to test this, so you are on your own).

If KeyChain doesn't work with WebViews, I guess it all boils down to a couple of far from perfect workarounds:

Solution 1:

use ClientCertRequestHandler anyway (It's marked as hidden, but apparently still usable):

https://code.google.com/p/android/issues/detail?id=53491

However, even assuming that you make it, the Android Dev. Team might modify/remove the method without notice and your app might stop working on future releases of the OS.

Solution 2:

If you can limit your target to Android 4.0 or newer, a bold (and unlikely...) solution is to try to load the certificate in the webview from your local storage using a file scheme:

Load local HTML file into WebView

but I strongly doubt that the webview will behave as the browser does...

Solution 3: (which should work but requires a lot of effort)

Handle every https connection in background using HTTPClient or HttpURLConnection and then pass the data to the WebView:

http://chariotsolutions.com/blog/post/https-with-client-certificates-on/

You have my sympathy.
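
A sketch of Solution 3 from the answer above, added here as an example and not code from the original post: the app performs the HTTPS request itself with the client certificate and hands the returned HTML to the WebView. The class and method names are hypothetical, and the client key is assumed to be available as a PKCS#12 stream with a password supplied at runtime.

```java
import android.webkit.WebView;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Hypothetical helper class (name and structure are assumptions, not an Android API).
public final class ClientCertPageLoader {

    // Builds a TLS context that presents the client key held in a PKCS#12 stream.
    static SSLContext clientAuthContext(InputStream pkcs12, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(pkcs12, password);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Null trust managers select the platform defaults, so the server chain is still validated.
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    // Run on a background thread. Returns the response body decoded as UTF-8 (assumed charset).
    static String fetch(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            if (conn.getResponseCode() != HttpsURLConnection.HTTP_OK) {
                throw new IOException("Unexpected HTTP status " + conn.getResponseCode());
            }
            InputStream in = conn.getInputStream();
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
            return out.toString("UTF-8");
        } finally {
            conn.disconnect();
        }
    }

    // Run on the UI thread. The base URL keeps relative links resolving against the server.
    static void show(WebView webView, URL url, String html) {
        webView.loadDataWithBaseURL(url.toString(), html, "text/html", "UTF-8", null);
    }
}
```

Only the request made through `fetch` carries the client certificate; images, scripts and other sub-resources that the WebView requests on its own do not, which is where the extra effort in this approach goes. A key shipped inside the application package can be extracted by anyone who has the APK, so the server should treat it as identifying the app build rather than an individual user.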

