papaBart

Reputation: 31

onReceivedClientCertRequest is not called

I made an app which uses WebView and a YouTube iframe for watching YouTube videos. I use WebViewClient to store all URLs and I want to force usage of my generated private key so I could decrypt Wireshark traffic (I capture that traffic in the app using the Android command line and the tcpdump command).

My WebViewClient class is this:

private class MyWebviewClient extends WebViewClient {

    @Override
    public void onReceivedError(WebView view, int errorCode,
                                String description, String failingUrl) {
        // TODO Auto-generated method stub
        super.onReceivedError(view, errorCode, description, failingUrl);
        Log.d(TAG, "onReceivedError : description = " + description);

    }

    @Override
    public boolean shouldOverrideUrlLoading(WebView view, String url) {
        // TODO Auto-generated method stub
        System.out.println("********************************************");
        Log.d(TAG, "shouldOverrideUrlLoading : url = " + url);
        return true;
    }

    @Override
    public void onLoadResource(WebView view, String url) {
        webAppInterface.logResourceURL(url);
        System.out.println("************************************ " + url + " ************************************");
    }

    @Override
    public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
        handler.proceed();
    }

    //forcing my private key
    @Override
    public void onReceivedClientCertRequest(WebView view, ClientCertRequest request) {
        System.out.println("test test test");

        X509Certificate cert = CertificateKey.getCertificate();
        X509Certificate[] mCertificates = new X509Certificate[1];
        mCertificates[0] = (X509Certificate)cert;

        request.proceed(CertificateKey.getKey(), mCertificates);
    }
}

The problem is that the method onReceivedClientCertRequest is never called! I don't even get a print.

Could the problem be the Android version (currently 5.1)?

Upvotes: 1

Views: 1378

Answers (1)

dariocast

Reputation: 81

The onReceivedClientCertRequest method will be invoked each time client authentication is required by the server side. This isn't a common service for a web server (surely YouTube does not require client authentication at all), and because of this you cannot force anything. Furthermore, the onReceivedClientCertRequest method is a listener, so by default it depends on an external input to be triggered; because the web server never asks your browser agent (e.g. your WebView) for a client certificate, your code will never be executed.

For further details, see the Android guide to Client Certificate and how SSL works in a 2-way handshake.

Upvotes: 1
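The answer's point can be checked in the tcpdump capture itself: in TLS 1.2 and earlier the server's CertificateRequest (handshake type 13) travels in the clear, and onReceivedClientCertRequest has nothing to respond to unless it is present. The following is an added example, not code from the question or the answer; it assumes it is given the reassembled server-to-client bytes of one connection, its sample flights are constructed with dummy message bodies, and it does not apply to TLS 1.3, where that message is encrypted.

```python
import struct

HANDSHAKE = 22            # TLS record content type for handshake messages
CERTIFICATE_REQUEST = 13  # handshake type the server sends to ask for a client cert

def handshake_types(stream):
    """List handshake message types in the plaintext part of a TLS <= 1.2 flight."""
    payload, pos = bytearray(), 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        if ctype != HANDSHAKE:
            break  # ChangeCipherSpec, alert or application data: stop here
        payload += stream[pos + 5:pos + 5 + length]
        pos += 5 + length
    # Messages can be split across records or share one, so parse the joined payload.
    types, off = [], 0
    while off + 4 <= len(payload):
        body_len = int.from_bytes(payload[off + 1:off + 4], "big")
        if off + 4 + body_len > len(payload):
            break  # truncated capture: ignore the incomplete message
        types.append(payload[off])
        off += 4 + body_len
    return types

def server_requests_client_cert(stream):
    return CERTIFICATE_REQUEST in handshake_types(stream)

# --- constructed sample data (dummy bodies, not a real capture) ---
def _msg(mtype, body=b""):
    return bytes([mtype]) + len(body).to_bytes(3, "big") + body

def _record(payload, ctype=HANDSHAKE):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

_hello, _cert, _kx = _msg(2, bytes(38)), _msg(11, bytes(10)), _msg(12, bytes(8))
# Server without client auth: ServerHello, Certificate, ServerKeyExchange, ServerHelloDone
FLIGHT_NO_AUTH = _record(_hello + _cert + _kx + _msg(14))
# Server that wants a client cert, with the flight fragmented across two records
_mtls = _hello + _cert + _kx + _msg(13, bytes(6)) + _msg(14)
FLIGHT_MTLS = _record(_mtls[:50]) + _record(_mtls[50:])

if __name__ == "__main__":
    for name, flight in (("no client auth", FLIGHT_NO_AUTH), ("mutual TLS", FLIGHT_MTLS)):
        print(name, handshake_types(flight), server_requests_client_cert(flight))
```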
