Welcome to the official BlackBerry Support Community Forums.

Retired
Posts: 571
Registered: ‎06-25-2010
My Device: Z10
My Carrier: Vodafone

Re: custom certificates. how to

I think you only have 2 options to meet your requirements:

1. Deploy a certificate whose CA is trusted by default on BlackBerry 10

2. Request that we add support for that certificate in a future BlackBerry 10 release

If you opt for #2 send me a private message with details of the certificate and I'll see what I can do.

--------------------------------------------------------------------------------------------
Feel free to press the like button on the right side if you liked my attempts to help :-)
And please mark posts as solved if you think I found the solution or set you on its path. Thanks!
Follow me on Twitter: @mdwrim
Developer
Posts: 125
Registered: ‎07-02-2013
My Device: Q10 v10.3.1.1565
My Carrier: {unbranded}

Re: custom certificates. how to

Thanks, I will check this out.

Developer
Posts: 16,788
Registered: ‎07-29-2008
My Device: Z10 LE, Z30, Passport
My Carrier: O2 Germany

Re: custom certificates. how to


mwoolley wrote:

I think you only have 2 options to meet your requirements:


Not correct. As I have written, you can add your own certificates in your code.

We use this successfully with a number of different servers.

----------------------------------------------------------
feel free to press the like button on the right side to thank the user that helped you.
please mark posts as solved if you found a solution.
@SimonHain on twitter
Developer
Posts: 150
Registered: ‎10-19-2012
My Device: Playbook, BB10DevAlphaB/C, Z10
My Carrier: Sonera, Saunalahti

Re: custom certificates. how to

Untested, but I believe you can use your custom CA, see http://qt-project.org/doc/qt-4.8/qsslsocket.html#addCaCertificate
Retired
Posts: 571
Registered: ‎06-25-2010
My Device: Z10
My Carrier: Vodafone

Re: custom certificates. how to

Thanks Simon. I hadn't absorbed your most recent answer. I had only noticed the ones requiring the user to manually import the certificate. But yes, I see what you mean. And I guess this is OK from a security point of view as well... the application developer indicating that they trust the certificate rather than simply ignoring a certificate error, which imho would not be sensible.

Excellent :-)

Retired
Posts: 571
Registered: ‎06-25-2010
My Device: Z10
My Carrier: Vodafone

Re: custom certificates. how to

I've established that we're already planning to support/trust certificates of the sort you reported to me by private message. This will be the case after release 10.2.1 is available. So it sounds like you have choices now thanks to this news and Simon's idea :-)

Developer
Posts: 125
Registered: ‎07-02-2013
My Device: Q10 v10.3.1.1565
My Carrier: {unbranded}

Re: custom certificates. how to

Yep, that was my first shot - "Add Exception" - but I couldn't do that with QNetworkRequest, or I haven't yet found out how to get the SslSocket behind QNetworkRequest (to add custom trusted certificates). I will research the idea with expected errors that Simon gave.

I will post an example when I finish.

Developer
Posts: 125
Registered: ‎07-02-2013
My Device: Q10 v10.3.1.1565
My Carrier: {unbranded}

Re: custom certificates. how to

OK, I am back with my research done at a bigger scale, with working code as a result.

The concept of ignoring errors doesn't work in my case, as the certificate I had is not "self-signed". It is issued by a more or less known certification authority, and the errors I get are as follows:

QSslError::UnableToGetLocalIssuerCertificate
QSslError::CertificateUntrusted

which stand for:

- The issuer certificate of a locally looked up certificate could not be found
- The root CA certificate is not trusted for this purpose

It could of course be ignored by setting up a different error for ignoreSsl, but it's not the case.

To solve this, I just exported the certificate using a web browser, put it in the assets directory and added it to the local keystore at runtime, so it works for my app and is not system-wide, as intended:

#include <QList>
#include <QRegExp>
#include <QSslCertificate>
#include <QSslConfiguration>
#include <QString>

// load certificates from files in the asset directory
QString certPath = "app/native/assets/certs/*.pem";
QList<QSslCertificate> certsFromFile = QSslCertificate::fromPath(certPath, QSsl::Pem, QRegExp::Wildcard);

// init net manager - one per entire app
// netaccess = new QNetworkAccessManager(this);
QSslConfiguration sslConfig = QSslConfiguration::defaultConfiguration();
QList<QSslCertificate> certs;

// get current certificates from default config
certs.append(sslConfig.caCertificates());

// get custom certificates loaded from file previously
certs.append(certsFromFile);

// set it up in new config; the default configuration is used by every
// SSL connection this application opens afterwards, not by other apps
sslConfig.setCaCertificates(certs);
QSslConfiguration::setDefaultConfiguration(sslConfig);
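
The trust decision this thread arrives at, as an added example that is not code from any of the posters: it goes beyond the Qt snippet by using Go's crypto/x509 with certificates built in memory, so the effect of extending an app-local CA list can be run offline. Every name in it (the platform root, the custom CA, server.example) is constructed, and `issue` and `verify` are hypothetical helpers.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate; a nil parent yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, DNSNames: []string{cn}}
	if parent == nil {
		t.IsCA, t.KeyUsage, t.DNSNames = true, x509.KeyUsageCertSign, nil
		parent, parentKey = t, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parse the DER that was just created
	return cert, priv
}

// verify checks leaf for host against exactly the given trust anchors,
// the role the CA list in QSslConfiguration plays in the post above.
func verify(leaf *x509.Certificate, host string, roots ...*x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

func main() {
	platform, _ := issue("Constructed Platform Root", nil, nil)
	custom, customKey := issue("Constructed Custom CA", nil, nil)
	leaf, _ := issue("server.example", custom, customKey)
	fmt.Println("platform store only: ", verify(leaf, "server.example", platform))
	fmt.Println("platform + custom CA:", verify(leaf, "server.example", platform, custom))
	fmt.Println("custom CA, other host:", verify(leaf, "other.example", platform, custom))
}
```

The first check fails with an unknown-authority error, the counterpart of UnableToGetLocalIssuerCertificate. The third shows that adding the CA leaves hostname verification in force, which ignoring certificate errors would not.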