
Certificates for government apps

In this scenario, a customer has a number of government apps that need certificates. They want to make a configuration to manage certificates as follows.

Certificate procedure

  1. Place CA1, CA2, and CA3 in the trusted CA restriction list.
List<X509Certificate> caList = new ArrayList<X509Certificate>();

caList.add(certCA1);
caList.add(certCA2);
caList.add(certCA3);

boolean retValue = mCertificatePolicy.addTrustedCaCertificateList(caList);
  2. Place CA7, CA8, and CA9 in the untrusted certificate list.
List<X509Certificate> caList = new ArrayList<X509Certificate>();

caList.add(certCA7);
caList.add(certCA8);
caList.add(certCA9);

boolean retValue = mCertificatePolicy.addUntrustedCertificateList(caList);
  3. Validate a new certificate CA10; if it is valid, include it in the trusted CA restriction list.
boolean retValue = mCertificatePolicy.enableCertificateValidationAtInstall(true);

// tries to install into an Android keystore (in this case, the Wi-Fi keystore);
// the operation fails if the certificate is invalid
boolean installResult = mSecurityPolicy.installCertificateToKeystore
    (SecurityPolicy.TYPE_PKCS12, certCA10_byteArray, "certCA10Alias",
        "123456", SecurityPolicy.KEYSTORE_FOR_WIFI);

// if it is a valid certificate, add it to the trusted CA list
if (installResult) {
    List<X509Certificate> caList = new ArrayList<X509Certificate>();
    caList.add(certCA10_x509);
    // a new variable name: retValue is already declared in this scope above
    boolean addResult = mCertificatePolicy.addTrustedCaCertificateList(caList);
}
  4. Revoke CA1.

Points to consider:

  • A CA certificate is not revocable. To revoke a user certificate, it is necessary to talk to its root CA; the root CA then revokes the user certificate. To check for revoked certificates, enable the revocation check policy. For more information, see Step 5.
  • An alternative for this requirement is to add CA1 to the untrusted CA certificate list. For details on how to do this, see Step 2.
  5. Enable revocation check.
String pkgName = "*";

// enables revocation check (using CRL) for all apps
mCertificatePolicy.enableRevocationCheck(pkgName, true);

// enables revocation check (using OCSP) for all apps
mCertificatePolicy.enableOcspCheck(pkgName, true);
  6. Check revocation status.
String pkgName = "*";

// checks if revocation check (using CRL) is enabled for all apps
boolean retValue = mCertificatePolicy.isRevocationCheckEnabled(pkgName);

// checks if revocation check (using OCSP) is enabled for all apps
boolean retValue2 = mCertificatePolicy.isOcspCheckEnabled(pkgName);
  7. Notify the MDM regarding certificate failure status.
<!-- Declare the BroadcastReceiver in the client app's AndroidManifest.xml -->

<receiver android:name="com.enterprise.test.CertificateReceiver">
  <intent-filter>
    <action
        android:name="edm.intent.certificate.action.certificate.failure"/>
  </intent-filter>
</receiver>

// Creates the BroadcastReceiver class

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.util.Log;
import com.samsung.android.knox.keystore.CertificatePolicy; // package path assumed

public class CertificateReceiver extends BroadcastReceiver {
    private static final String TAG = "CertificateReceiver";

    @Override
    public void onReceive(Context context, Intent intent) {
        final String action = intent.getAction();
        Log.d(TAG, "received intent action = " + action);

        // constant-first comparison also handles a null action safely
        if (CertificatePolicy.ACTION_CERTIFICATE_FAILURE.equals(action)) {
            // name of the module that reported the failure
            String module = intent.getStringExtra(
                    CertificatePolicy.EXTRA_CERTIFICATE_FAILURE_MODULE);
            // human-readable description of the failure
            String msg = intent.getStringExtra(
                    CertificatePolicy.EXTRA_CERTIFICATE_FAILURE_MESSAGE);

            Log.d(TAG, "Digital signature failure occurred in: " + module
                    + " - " + msg);
        }
    }
}
  8. Notify the end user regarding certificate failure status.
boolean retValue = mCertificatePolicy.enableCertificateFailureNotification(true);
 
  9. Display, on user request, the identity of the entity that signed an app.
boolean retValue = mCertificatePolicy.enableSignatureIdentityInformation(true);

Note: If the policy is enabled, the user can check any signature identity. The identity is displayed in the App Info screen, which you can access from the App Manager, and during app installation.
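As an added example (not code from the Knox documentation above), the following helper ties Steps 1, 2, 5 and 6 together: it parses raw DER or PEM bytes into X509Certificate objects (the steps above assume certCA1 and friends already exist), refuses to put a non-CA certificate into the trusted CA list, applies both lists and the revocation settings, and reads the revocation state back so the caller knows the policy actually took effect. The class name, the EnterpriseDeviceManager lookup and the import paths are assumptions.

```java
import android.content.Context;
import com.samsung.android.knox.EnterpriseDeviceManager;
import com.samsung.android.knox.keystore.CertificatePolicy; // package path assumed
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Builds the trusted and untrusted CA lists from raw certificate bytes and applies them. */
public final class CaRestrictionSetup {
    private final CertificatePolicy mCertificatePolicy;

    public CaRestrictionSetup(Context context) {
        // Assumption: the policy handle is obtained through EnterpriseDeviceManager.
        mCertificatePolicy = EnterpriseDeviceManager.getInstance(context).getCertificatePolicy();
    }

    /** Parses one DER- or PEM-encoded certificate; throws if the bytes are not a certificate. */
    static X509Certificate parse(byte[] encoded) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(encoded));
    }

    /** A certificate belongs in the CA restriction list only if basicConstraints says CA:TRUE. */
    static boolean isCa(X509Certificate cert) {
        return cert.getBasicConstraints() != -1; // -1 means "not a CA"
    }

    /** Applies Steps 1, 2, 5 and 6 for pkgName ("*" = all apps); true only if every call took effect. */
    public boolean apply(List<byte[]> trustedCaBytes, List<byte[]> untrustedBytes, String pkgName)
            throws CertificateException {
        List<X509Certificate> trusted = new ArrayList<>();
        for (byte[] b : trustedCaBytes) {
            X509Certificate c = parse(b);
            if (!isCa(c)) { // refuse to place a leaf certificate in the trusted CA list
                throw new CertificateException("not a CA: " + c.getSubjectX500Principal());
            }
            trusted.add(c);
        }
        List<X509Certificate> untrusted = new ArrayList<>();
        for (byte[] b : untrustedBytes) untrusted.add(parse(b));
        boolean ok = mCertificatePolicy.addTrustedCaCertificateList(trusted);
        ok &= mCertificatePolicy.addUntrustedCertificateList(untrusted);
        mCertificatePolicy.enableRevocationCheck(pkgName, true); // CRL check
        mCertificatePolicy.enableOcspCheck(pkgName, true);       // OCSP check
        return ok && mCertificatePolicy.isRevocationCheckEnabled(pkgName)
                  && mCertificatePolicy.isOcspCheckEnabled(pkgName);
    }
}
```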