android webview with client certificate

前端 未结 8 2013
情歌与酒
情歌与酒 2020-11-29 04:16

I tried for days to use a web view with a client certificate embedded in the application, but it seems to me that the android sdk does not provide any way to do it, is there

相关标签:
8条回答
  • 2020-11-29 04:39

    The Chronium based WebView on Android 4.4 introduced a bug: When the server requests a client certificate, the WebView stops the loading process. The onPageFinished-Method will be immediately called, but no page is displayed.

    --> https://code.google.com/p/android/issues/detail?id=62533

    0 讨论(0)
  • 2020-11-29 04:41

    Since I'm interested in your problem as well, I checked the documentation for WebView and WebViewClient, surfed around and indeed it looks that you can't authenticate a webview session using a client certificate, as the required method (ClientCertRequestHandler) is not a public API.

    Using a Android WebView to connect to secure server with Client Certificate

    A search in the Android Security Discussions confirms that the call is indeed not available:

    https://groups.google.com/forum/#!msg/android-security-discuss/0hzTGaA9swQ/1Oqc8UpGLH8J

    and even though

    The Android 4.0 release does include support for client certificate authentication in the browser.

    (ref: https://code.google.com/p/android/issues/detail?id=8196)

    no mention about WebViews is made :(

    Even though there are some new API to load certificates in a Keychain:

    http://developer.android.com/reference/android/security/KeyChain.html http://nelenkov.blogspot.it/2011/11/using-ics-keychain-api.html

    it is not clear whether the WebView is gonna use them... So I guess you should try the KeyChain class and see if you can correctly authenticate (I have no simple way to test this, so you are on your own).

    If KeyChain doesn't work with WebViews, I guess it all boils down to a couple of far from perfect workarounds:

    Solution 1:

    use ClientCertRequestHandler anyway (It's marked as hidden, but apparently still usable):

    https://code.google.com/p/android/issues/detail?id=53491

    However even assuming that you make it, the Android Dev. Team might modify/remove the method without notice and your app might stop working on future releases of the SO.

    Solution 2:

    If you can limit your target to Android 4.0 or newer, a bold (and unlikely...) solution is to try to load the certificate in the webview from your local storage using a file scheme:

    Load local HTML file into WebView

    but i strongly doubt that the webview will behave as the browser does...

    Solution 3: (which should work but requires a lot of effort)

    Handle every https connection in background using HTTPClient or HttpURLConnection and then pass the data to the WebView:

    http://chariotsolutions.com/blog/post/https-with-client-certificates-on/

    You have my sympathy.

    0 讨论(0)
  • 2020-11-29 04:44

    If you just need to ignore ssl certificate requests inside the web view, this worked for me on Lollipop:

    Inside your web view client, overwrite:

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed(); // Ignore SSL certificate errors
    }
    

    This is useful for debugging webviews against qa/dev/stage environments.

    0 讨论(0)
  • 2020-11-29 04:45

    To properly handle SSL certificate validation to prevent app from rejection from Google play according to updated Security Policy, Change your code to invoke SslErrorHandler.proceed() whenever the certificate presented by the server meets your expectations, and invoke SslErrorHandler.cancel() otherwise.

    For example, I add an alert dialog to make user have confirmed and seems Google no longer shows warning.

        @Override
        public void onReceivedSslError(WebView view, final SslErrorHandler handler, SslError error) {
        final AlertDialog.Builder builder = new AlertDialog.Builder(this);
        String message = "SSL Certificate error.";
            switch (error.getPrimaryError()) {
                case SslError.SSL_UNTRUSTED:
                    message = "The certificate authority is not trusted.";
                    break;
                case SslError.SSL_EXPIRED:
                    message = "The certificate has expired.";
                    break;
                case SslError.SSL_IDMISMATCH:
                    message = "The certificate Hostname mismatch.";
                    break;
                case SslError.SSL_NOTYETVALID:
                    message = "The certificate is not yet valid.";
                    break;
            }
            message += " Do you want to continue anyway?";
    
            builder.setTitle("SSL Certificate Error");
            builder.setMessage(message);
        builder.setPositiveButton("continue", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.proceed();
            }
        });
        builder.setNegativeButton("cancel", new DialogInterface.OnClickListener() {
            @Override
            public void onClick(DialogInterface dialog, int which) {
                handler.cancel();
            }
        });
        final AlertDialog dialog = builder.create();
        dialog.show();
    }
    

    After this changes it will not show warning.

    0 讨论(0)
  • 2020-11-29 04:50

    Self signed SSL certificate is working for me

    Please check this answer https://stackoverflow.com/a/49003522/5058630

    0 讨论(0)
  • 2020-11-29 04:51

    We can not access the client certificate in webview, There is a google issue raised for the same. https://code.google.com/p/android/issues/detail?id=53491

    0 讨论(0)
提交回复
热议问题