请求自动或用户选择适当的客户端证书

时间:2017-07-05 14:53:05

标签: java android ssl ssl-certificate client-certificates

我正在开发可能连接到不同服务器的混合cordova应用程序。其中一些确实需要客户证书。

在Android手机上安装相应的根证书+客户端证书。

在Chrome浏览器上,我会看到以下对话框,为网络连接选择相应的客户端证书。

Choose certificate on Chrome

使用cordova插件cordova-client-cert-authentication,在WebView中弹出相同的Http(s)请求对话框。

我的问题是如何在原生Android 平台上对Http(s)请求实现自动证书选择,而无需明确声明相应的客户端证书。或者类似用户选择的证书,就像在Chrome上实现一样?

这是当前的实现,它会抛出握手异常:

try {
    URL url = new URL( versionUrl );
    HttpsURLConnection urlConnection = ( HttpsURLConnection ) url.openConnection();

    urlConnection.setConnectTimeout( 10000 );

    InputStream in = urlConnection.getInputStream();
}
catch(Exception e)
{
    //javax.net.ssl.SSLHandshakeException: Handshake failed
}

2 个答案:

答案 0 :(得分:6)

您可以使用之前安装在Android KeyChain(系统密钥存储区)中的证书X509ExtendedKeyManager来配置SSLContext使用的URLConnection

证书由您需要的别名引用。要使用类似于chrome的对话框提示用户进行选择:

KeyChain.choosePrivateKeyAlias(this, this, // Callback
            new String[] {"RSA", "DSA"}, // Any key types.
            null, // Any issuers.
            null, // Any host
            -1, // Any port
            DEFAULT_ALIAS);

这是使用自定义KeyManager配置SSL连接的代码。它使用默认的TrustManagerHostnameVerifier。如果服务器使用的是Android默认信任库中不存在的自签名证书,则需要配置它们(不建议信任所有证书)

//Configure trustManager if needed
TrustManager[] trustManagers = null;

//Configure keyManager to select the private key and the certificate chain from KeyChain
KeyManager keyManager = KeyChainKeyManager.fromAlias(
            context, mClientCertAlias);

//Configure SSLContext
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[] {keyManager}, trustManagers, null);


//Perform the connection
URL url = new URL( versionUrl );
HttpsURLConnection urlConnection = ( HttpsURLConnection ) url.openConnection();
urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
//urlConnection.setHostnameVerifier(hostnameVerifier);  //Configure hostnameVerifier if needed
urlConnection.setConnectTimeout( 10000 );
InputStream in = urlConnection.getInputStream();

最后,您已经完成了从herehere中提取的自定义X509ExtendedKeyManager的完整实施,负责选择客户端证书。我已经提取了所需的代码。

public static class KeyChainKeyManager extends X509ExtendedKeyManager {
    private final String mClientAlias;
    private final X509Certificate[] mCertificateChain;
    private final PrivateKey mPrivateKey;

        /**
         * Builds an instance of a KeyChainKeyManager using the given certificate alias.
         * If for any reason retrieval of the credentials from the system {@link android.security.KeyChain} fails,
         * a {@code null} value will be returned.
         */
        public static KeyChainKeyManager fromAlias(Context context, String alias)
                throws CertificateException {
            X509Certificate[] certificateChain;
            try {
                certificateChain = KeyChain.getCertificateChain(context, alias);
            } catch (KeyChainException e) {
                throw new CertificateException(e);
            } catch (InterruptedException e) {
                throw new CertificateException(e);
            }

            PrivateKey privateKey;
            try {
                privateKey = KeyChain.getPrivateKey(context, alias);
            } catch (KeyChainException e) {
                throw new CertificateException(e);
            } catch (InterruptedException e) {
                throw new CertificateException(e);
            }

            if (certificateChain == null || privateKey == null) {
                throw new CertificateException("Can't access certificate from keystore");
            }

            return new KeyChainKeyManager(alias, certificateChain, privateKey);
        }

        private KeyChainKeyManager(
                String clientAlias, X509Certificate[] certificateChain, PrivateKey privateKey) {
            mClientAlias = clientAlias;
            mCertificateChain = certificateChain;
            mPrivateKey = privateKey;
        }


        @Override
        public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
            return mClientAlias;
        }

        @Override
        public X509Certificate[] getCertificateChain(String alias) {
            return mCertificateChain;
        }

        @Override
        public PrivateKey getPrivateKey(String alias) {
            return mPrivateKey;
        }

         @Override
        public final String chooseServerAlias( String keyType, Principal[] issuers, Socket socket) {
            // not a client SSLSocket callback
            throw new UnsupportedOperationException();
        }

        @Override
        public final String[] getClientAliases(String keyType, Principal[] issuers) {
            // not a client SSLSocket callback
            throw new UnsupportedOperationException();
        }

        @Override
        public final String[] getServerAliases(String keyType, Principal[] issuers) {
            // not a client SSLSocket callback
            throw new UnsupportedOperationException();
        }
    }
}

我没有测试它。报告任何错误!

答案 1 :(得分:-2)

如果您的网址仍处于开发阶段(非生产版本),则可以跳过安装的SSL / NON-SSL证书以访问网址。

以下是跳过SSL验证的方法: 在活动onCreate()或访问URL之前需要时调用。

double quote

注意:如果您的HTTPS URL有效,则无需使用服务器生成的证书。您应该仅使用此方法进行测试/开发。对于发布/制作,您不必使用此方法。

相关问题
最新问题