Android应用中的双向SSL无法正常工作

时间:2015-03-18 14:06:46

标签: java android ssl

我正在尝试创建一个使用双向SSL与NodeJS应用程序通信的Android应用。我有两个版本的代码来发出请求,这两个版本都没有。如果我使用普通Java运行它,第一个版本的代码就可以工作,但是当我尝试将它拉入我的Android应用程序时,服务器无法识别客户端证书:

版本1:

    System.setProperty("javax.net.ssl.keyStore", "jks-keystore.jks");
    System.setProperty("javax.net.ssl.keyStorePassword", "pass1");
    System.setProperty("javax.net.ssl.trustStore", "jkstruststore.jks");
    System.setProperty("javax.net.ssl.trustStorePassword", "pass2");



    // specify url
    String url = "https://example.com/startup";

    System.out.println("Startup URL is " + url);

    // This block of code keeps self-signed certificates from causing errors.
    javax.net.ssl.HttpsURLConnection.setDefaultHostnameVerifier(
        new javax.net.ssl.HostnameVerifier(){
            public boolean verify(String hostname, javax.net.ssl.SSLSession sslSession) {
                return true;
            }
        }
    );

    // initiate the request
    try
    {
        URL hp = new URL(url);
        HttpsURLConnection hpCon = (HttpsURLConnection)hp.openConnection();

        boolean isProxy = hpCon.usingProxy();
        InputStream obj = (InputStream) hpCon.getInputStream();

        // print out JSON response
        System.out.println(convertStreamToString(obj));
    }
    catch (Exception ex)
    {
        ex.printStackTrace();
    }

错误1:

03-17 12:25:18.616: W/System.err(331): javax.net.ssl.SSLHandshakeException:     
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

第2版:

          // load truststore certificate
          InputStream clientTruststoreIs = getResources().openRawResource(R.raw.tsserver);
          KeyStore trustStore = null;
          trustStore = KeyStore.getInstance("BKS");
          trustStore.load(clientTruststoreIs, "pass1".toCharArray());

          System.out.println("Loaded server certificates: " + trustStore.size());

          // initialize trust manager factory with the read truststore
          TrustManagerFactory trustManagerFactory = null;
          trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
          trustManagerFactory.init(trustStore);

          // setup client certificate

          // load client certificate
          InputStream keyStoreStream = getResources().openRawResource(R.raw.tsclient);
          KeyStore keyStore = null;
          keyStore = KeyStore.getInstance("BKS");
          keyStore.load(keyStoreStream, "pass2".toCharArray());

          System.out.println("Loaded client certificates: " + keyStore.size());

          // initialize key manager factory with the read client certificate
          KeyManagerFactory keyManagerFactory = null;
          keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
          keyManagerFactory.init(keyStore, "pass2".toCharArray());


          // initialize SSLSocketFactory to use the certificates
          SSLSocketFactory socketFactory = new SSLSocketFactory(SSLSocketFactory.TLS, keyStore, "pass2", trustStore, null, null);

          // Set basic data
          HttpParams params = new BasicHttpParams();
          HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
          HttpProtocolParams.setContentCharset(params, "UTF-8");
          HttpProtocolParams.setUseExpectContinue(params, true);
          HttpProtocolParams.setUserAgent(params, "Android app/1.0.0");

          // Make pool
          ConnPerRoute connPerRoute = new ConnPerRouteBean(12);
          ConnManagerParams.setMaxConnectionsPerRoute(params, connPerRoute);
          ConnManagerParams.setMaxTotalConnections(params, 20);

          // Set timeout
          HttpConnectionParams.setStaleCheckingEnabled(params, false);
          HttpConnectionParams.setConnectionTimeout(params, 20 * 1000);
          HttpConnectionParams.setSoTimeout(params, 20 * 1000);
          HttpConnectionParams.setSocketBufferSize(params, 8192);

          // Some client params
          HttpClientParams.setRedirecting(params, false);

          // Register http/s schemas!
          SchemeRegistry schReg = new SchemeRegistry();
          schReg.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
          schReg.register(new Scheme("https", socketFactory, 443));
          ClientConnectionManager conMgr = new ThreadSafeClientConnManager(params, schReg);
          DefaultHttpClient sClient = new DefaultHttpClient(conMgr, params);

          try {
                String res = executeHttpGet(sClient, "https://example.com/startup");
                System.out.println("------- SSL RESULT IS = " + res);
            } catch (Exception e) {
                System.out.println("---- ex " + e.getMessage());
                e.printStackTrace();
            }

错误2:服务器未看到客户端证书

这两个代码示例都导致服务器无法看到客户端证书。任何想法为什么这不起作用?谢谢。

1 个答案:

答案 0 :(得分:0)

如果我们仔细阅读documentaion,我们就会发现:

自签名证书会抛出类似于您遇到的错误。自签名证书在没有任何服务器错误的情况下被传递并不重要,在任何一种情况下都会抛出SSLHandshakeException。

要步行传递,这是为了组装一组受信任的CA证书并将它们添加到您的信任库。然后,从该CA发出的所有证书都将受到信任,这将忽略直接在da truststore文件中添加它们的需要。

现在,如何将CA可信证书添加到信任库:

设置您自己的CA here

然后:

鉴于 CA证书 cacert.pe m,以 PEM 格式,您可以将证书添加到 JKS < / em> truststore(或创建新的信任库),输入以下命令:

keytool -import -file cacert.pem -alias CAAlias -keystore truststore.ts -storepass StorePass

其中 CAAlias 是一个方便的标记,使您可以使用keytool实用程序访问此特定CA证书。文件 truststore.ts 是包含 CA证书的密钥库文件 - 如果此文件尚不存在,则keytool实用程序会创建一个。 StorePass密码提供对密钥库文件 truststore.t

的访问

请查看此document

相关问题
最新问题