tmdroid/KeyPinStore.java

## KeyPinStore.java
package your.package;

import android.content.Context;

import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * this script to be used with Android Asynchronous Networking and Image Loading
 * https://github.com/koush/ion/
 * and maybe for other library and SSL Connection Script
 *
 * Save Cloudflare Origin CA — RSA Root as CloudFlareCA.crt at assets folder in Android Studio project
 * https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root-certificate-authorities-CAs-used-with-CloudFlare-Origin-CA-
 * put this file anywhere in your src folder
 *
 * Use it like this
 try {
      KeyPinStore keystore = KeyPinStore.getInstance(this);
      AsyncHttpClient.getDefaultInstance().getSSLSocketMiddleware().setSSLContext(keystore.getContext());
      AsyncHttpClient.getDefaultInstance().getSSLSocketMiddleware().setTrustManagers(keystore.getTmf().getTrustManagers());
  }catch (Exception e){}
 * and do Ion Connection
 *
 * Created by Ricardo Iramar dos Santos on 14/08/2015.
 * https://github.com/riramar/pubkey-pin-android/blob/master/src/org/owasp/pubkeypin/KeyPinStore.java
 */
public class KeyPinStore {

    private static KeyPinStore instance = null;
    private SSLContext sslContext = SSLContext.getInstance("TLS");
    private TrustManagerFactory tmf;

    public static synchronized KeyPinStore getInstance(Context cx) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException{
        if (instance == null){
            instance = new KeyPinStore(cx);
        }
        return instance;
    }

    private KeyPinStore(Context context) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException{
        // https://developer.android.com/training/articles/security-ssl.html
        // Load CAs from an InputStream
        // (could be from a resource or ByteArrayInputStream or ...)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // randomCA.crt should be in the Assets directory (tip from here http://littlesvr.ca/grumble/2014/07/21/android-programming-connect-to-an-https-server-with-self-signed-certificate/)
        InputStream caInput = new BufferedInputStream(context.getAssets().open("cloudflare.crt"));
        Certificate ca;
        try {
            ca = cf.generateCertificate(caInput);
            System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
        } finally {
            caInput.close();
        }

        // Create a KeyStore containing our trusted CAs
        String keyStoreType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the CAs in our KeyStore
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);

        // Create an SSLContext that uses our TrustManager
        // SSLContext context = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
    }

    public SSLContext getContext(){
        return sslContext;
    }

    public TrustManagerFactory getTmf(){
        return tmf;
    }
}
	package your.package;

	import android.content.Context;

	import javax.net.ssl.SSLContext;
	import javax.net.ssl.TrustManagerFactory;
	import java.io.BufferedInputStream;
	import java.io.IOException;
	import java.io.InputStream;
	import java.security.KeyManagementException;
	import java.security.KeyStore;
	import java.security.KeyStoreException;
	import java.security.NoSuchAlgorithmException;
	import java.security.cert.Certificate;
	import java.security.cert.CertificateException;
	import java.security.cert.CertificateFactory;
	import java.security.cert.X509Certificate;

	/**
	* this script to be used with Android Asynchronous Networking and Image Loading
	* https://github.com/koush/ion/
	* and maybe for other library and SSL Connection Script
	*
	* Save Cloudflare Origin CA — RSA Root as CloudFlareCA.crt at assets folder in Android Studio project
	* https://support.cloudflare.com/hc/en-us/articles/218689638-What-are-the-root-certificate-authorities-CAs-used-with-CloudFlare-Origin-CA-
	* put this file anywhere in your src folder
	*
	* Use it like this
	try {
	KeyPinStore keystore = KeyPinStore.getInstance(this);
	AsyncHttpClient.getDefaultInstance().getSSLSocketMiddleware().setSSLContext(keystore.getContext());
	AsyncHttpClient.getDefaultInstance().getSSLSocketMiddleware().setTrustManagers(keystore.getTmf().getTrustManagers());
	}catch (Exception e){}
	* and do Ion Connection
	*
	* Created by Ricardo Iramar dos Santos on 14/08/2015.
	* https://github.com/riramar/pubkey-pin-android/blob/master/src/org/owasp/pubkeypin/KeyPinStore.java
	*/
	public class KeyPinStore {

	private static KeyPinStore instance = null;
	private SSLContext sslContext = SSLContext.getInstance("TLS");
	private TrustManagerFactory tmf;

	public static synchronized KeyPinStore getInstance(Context cx) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException{
	if (instance == null){
	instance = new KeyPinStore(cx);
	}
	return instance;
	}

	private KeyPinStore(Context context) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException, KeyManagementException{
	// https://developer.android.com/training/articles/security-ssl.html
	// Load CAs from an InputStream
	// (could be from a resource or ByteArrayInputStream or ...)
	CertificateFactory cf = CertificateFactory.getInstance("X.509");
	// randomCA.crt should be in the Assets directory (tip from here http://littlesvr.ca/grumble/2014/07/21/android-programming-connect-to-an-https-server-with-self-signed-certificate/)
	InputStream caInput = new BufferedInputStream(context.getAssets().open("cloudflare.crt"));
	Certificate ca;
	try {
	ca = cf.generateCertificate(caInput);
	System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
	} finally {
	caInput.close();
	}

	// Create a KeyStore containing our trusted CAs
	String keyStoreType = KeyStore.getDefaultType();
	KeyStore keyStore = KeyStore.getInstance(keyStoreType);
	keyStore.load(null, null);
	keyStore.setCertificateEntry("ca", ca);

	// Create a TrustManager that trusts the CAs in our KeyStore
	String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
	tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
	tmf.init(keyStore);

	// Create an SSLContext that uses our TrustManager
	// SSLContext context = SSLContext.getInstance("TLS");
	sslContext.init(null, tmf.getTrustManagers(), null);
	}

	public SSLContext getContext(){
	return sslContext;
	}

	public TrustManagerFactory getTmf(){
	return tmf;
	}
	}