我正在尝试使用我正在编写的Android应用中的HTTPS连接替换当前正在运行的HTTP连接。 HTTPS连接的额外安全性是必要的,因此我不能忽视这一步骤。
我有以下内容:
SSLSocketFactory.getSocketFactory()连接正常,但客户端证书是此应用程序规范的必需部分,所以:javax.net.ssl.SSLPeerUnverifiedException: No peer certificate时,客户端会产生SSLSocketFactory例外,但我不完全确定原因。在互联网上搜索各种解决方案后,这个例外似乎有点模棱两可。以下是客户端的相关代码:
SSLSocketFactory socketFactory = null;
public void onCreate(Bundle savedInstanceState) {
loadCertificateData();
}
private void loadCertificateData() {
try {
File[] pfxFiles = Environment.getExternalStorageDirectory().listFiles(new FileFilter() {
public boolean accept(File file) {
if (file.getName().toLowerCase().endsWith("pfx")) {
return true;
}
return false;
}
});
InputStream certificateStream = null;
if (pfxFiles.length==1) {
certificateStream = new FileInputStream(pfxFiles[0]);
}
KeyStore keyStore = KeyStore.getInstance("PKCS12");
char[] password = "somePassword".toCharArray();
keyStore.load(certificateStream, password);
System.out.println("I have loaded [" + keyStore.size() + "] certificates");
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password);
socketFactory = new SSLSocketFactory(keyStore);
} catch (Exceptions e) {
// Actually a bunch of catch blocks here, but shortened!
}
}
private void someMethodInvokedToEstablishAHttpsConnection() {
try {
HttpParams standardParams = new BasicHttpParams();
HttpConnectionParams.setConnectionTimeout(standardParams, 5000);
HttpConnectionParams.setSoTimeout(standardParams, 30000);
SchemeRegistry schRegistry = new SchemeRegistry();
schRegistry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
schRegistry.register(new Scheme("https", socketFactory, 443));
ClientConnectionManager connectionManager = new ThreadSafeClientConnManager(standardParams, schRegistry);
HttpClient client = new DefaultHttpClient(connectionManager, standardParams);
HttpPost request = new HttpPost();
request.setURI(new URI("https://TheUrlOfTheServerIWantToConnectTo));
request.setEntity("Some set of data used by the server serialized into string format");
HttpResponse response = client.execute(request);
resultData = EntityUtils.toString(response.getEntity());
} catch (Exception e) {
// Catch some exceptions (Actually multiple catch blocks, shortened)
}
}
我已经验证过,确实是keyStore加载证书并且对此感到满意。
关于HTTPS / SSL连接的阅读,我有两个理论,但是因为这是我的第一次尝试,所以我对解决这个问题的实际需要感到有些困惑。
据我所知,第一种可能性是我需要使用包含所有标准中间证书和终端证书颁发机构的设备信任库来配置此SSLSocketFactory。也就是说,设备的默认值SSLSocketFactory.getSocketFactory()将一些CA加载到工厂的信任库中,该信任库用于在发送证书时信任服务器,这就是我的代码失败的原因,因为我没有正确拥有信任存储已加载。如果这是真的,我最好如何加载这些数据?
第二种可能性是由于客户端证书是自签名的(或由内部证书颁发机构颁发 - 如果我错了,请纠正我,但这些确实相同,对于所有意图和这里的目的)。事实上,我错过了这个信任库,基本上我需要为服务器提供一种方法来验证内部CA的证书,并且还验证这个内部CA实际上是 “可信”。如果这是真的,我到底想要什么样的东西?我已经看到一些提及这一点让我相信这可能是我的问题,如here,但我真的不确定。如果这确实是我的问题,我会从维护内部CA的人那里要求什么,然后我将如何将其添加到我的代码中以便我的HTTPS连接可以正常工作?
第三种,希望不太可能的解决方案是,我在这里完全错误并错过了一个关键步骤,或者完全忽略了我目前还不知道的一部分HTTPS / SSL 。如果是这种情况,你能否请我提供一些方向,以便我可以去了解我需要学习的内容?
感谢阅读!
答案 0 :(得分:8)
有一种更简单的方法来实现@jglouie的解决方案。
基本上,如果您使用SSLContext并使用null将其初始化为trust manager参数,则应使用默认信任管理器获取SSL上下文。请注意,Android文档中未对此进行说明,但Java documentation for SSLContext.init表示
前两个参数中的任何一个都可以为null,在这种情况下,将搜索已安装的安全提供程序以获取相应工厂的最高优先级实现。
这是代码的样子:
// This can be any protocol supported by your target devices.
// For example "TLSv1.2" is supported by the latest versions of Android
final String SSL_PROTOCOL = "TLS";
try {
sslContext = SSLContext.getInstance(SSL_PROTOCOL);
// Initialize the context with your key manager and the default trust manager
// and randomness source
sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
} catch (NoSuchAlgorithmException e) {
Log.e(TAG, "Specified SSL protocol not supported! Protocol=" + SSL_PROTOCOL);
e.printStackTrace();
} catch (KeyManagementException e) {
Log.e(TAG, "Error setting up the SSL context!");
e.printStackTrace();
}
// Get the socket factory
socketFactory = sslContext.getSocketFactory();
答案 1 :(得分:7)
我认为这确实是个问题。
据我所知,第一种可能性是我需要 使用设备的信任库配置此SSLSocketFactory 包括所有标准的中级和终端证书 当局
如果这是真的,我最好如何加载这些数据?
尝试这样的事情(您需要让套接字工厂使用此默认信任管理器):
X509TrustManager manager = null;
FileInputStream fs = null;
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
try
{
fs = new FileInputStream(System.getProperty("javax.net.ssl.trustStore"));
keyStore.load(fs, null);
}
finally
{
if (fs != null) { fs.close(); }
}
trustManagerFactory.init(keyStore);
TrustManager[] managers = trustManagerFactory.getTrustManagers();
for (TrustManager tm : managers)
{
if (tm instanceof X509TrustManager)
{
manager = (X509TrustManager) tm;
break;
}
}
编辑:在使用此处的代码之前,请先查看Pooks的回答。听起来现在有更好的方法。
答案 2 :(得分:2)
我试过了几天 我终于得到了答案 所以我想在这里发布我的步骤和我的所有代码,以帮助其他人。
1)获取您要连接的网站的证书
echo | openssl s_client -connect ${MY_SERVER}:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.pem
2)创建你需要的BouncyCastle库你可以下载here
keytool -import -v -trustcacerts -alias 0 -file mycert.pem -keystore “store_directory/mykst“ -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath “directory_of_bouncycastle/bcprov-jdk16-145.jar” -storepass mypassword
3)检查密钥是否已创建
keytool -list -keystore "carpeta_almacen/mykst" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "directory_of_bouncycastle/bcprov-jdk16-145.jar" -storetype BKS -storepass mypassword
你应该看到这样的东西:
Tipodealmacéndeclaves:BKS Proveedordealmacéndeclaves:BC
Sualmacéndeclaves contiene entrada 1
0,07-dic-2011,trustedCertEntry,
Huella digital de certificado(MD5):
55:FD:E5:E3:8A:4C:D6:B8:69:EB:6A:49:05:5F:18:48
4)然后你需要将文件“mykst”复制到你的android项目中的目录“res / raw”(如果不存在则创建它)。
5)在android清单中添加权限
<uses-permission android:name="android.permission.INTERNET"/>
6)这里有代码!
<强> activity_main.xml中
<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
android:layout_width="fill_parent"
android:layout_height="fill_parent"
android:orientation="vertical"
android:padding="10dp" >
<Button
android:id="@+id/button"
android:layout_width="fill_parent"
android:layout_height="wrap_content"
android:text="Cargar contenido" />
<RelativeLayout
android:layout_width="fill_parent"
android:layout_height="fill_parent"
android:background="#4888ef">
<ProgressBar
android:id="@+id/loading"
android:layout_width="50dp"
android:layout_height="50dp"
android:indeterminate="true"
android:layout_centerInParent="true"
android:visibility="gone"/>
<ScrollView
android:layout_width="fill_parent"
android:layout_height="fill_parent"
android:fillViewport="true"
android:padding="10dp">
<TextView
android:id="@+id/output"
android:layout_width="fill_parent"
android:layout_height="fill_parent"
android:textColor="#FFFFFF"/>
</ScrollView>
</RelativeLayout>
</LinearLayout>
<强> MyHttpClient
package com.example.https;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;
import android.content.Context;
import android.os.Build;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
public class MyHttpClient extends DefaultHttpClient {
final Context context;
public MyHttpClient(Context context) {
this.context = context;
}
@Override
protected ClientConnectionManager createClientConnectionManager() {
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
// Register for port 443 our SSLSocketFactory with our keystore
// to the ConnectionManager
registry.register(new Scheme("https", newSslSocketFactory(), 443));
return new SingleClientConnManager(getParams(), registry);
}
private SSLSocketFactory newSslSocketFactory() {
try {
// Trust manager / truststore
KeyStore trustStore=KeyStore.getInstance(KeyStore.getDefaultType());
// If we're on an OS version prior to Ice Cream Sandwich (4.0) then use the standard way to get the system
// trustStore -- System.getProperty() else we need to use the special name to get the trustStore KeyStore
// instance as they changed their trustStore implementation.
if (Build.VERSION.RELEASE.compareTo("4.0") < 0) {
TrustManagerFactory trustManagerFactory=TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
FileInputStream trustStoreStream=new FileInputStream(System.getProperty("javax.net.ssl.trustStore"));
trustStore.load(trustStoreStream, null);
trustManagerFactory.init(trustStore);
trustStoreStream.close();
} else {
trustStore=KeyStore.getInstance("AndroidCAStore");
}
InputStream certificateStream = context.getResources().openRawResource(R.raw.mykst);
KeyStore keyStore=KeyStore.getInstance("BKS");
try {
keyStore.load(certificateStream, "mypassword".toCharArray());
Enumeration<String> aliases=keyStore.aliases();
while (aliases.hasMoreElements()) {
String alias=aliases.nextElement();
if (keyStore.getCertificate(alias).getType().equals("X.509")) {
X509Certificate cert=(X509Certificate)keyStore.getCertificate(alias);
if (new Date().after(cert.getNotAfter())) {
// This certificate has expired
return null;
}
}
}
} catch (IOException ioe) {
// This occurs when there is an incorrect password for the certificate
return null;
} finally {
certificateStream.close();
}
KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, "mypassword".toCharArray());
return new SSLSocketFactory(keyStore, "mypassword", trustStore);
} catch (Exception e) {
throw new AssertionError(e);
}
}
}
<强> MainActivity
package com.example.https;
import android.app.Activity;
import android.os.AsyncTask;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.io.StringWriter;
import java.io.Writer;
import javax.net.ssl.SSLSocketFactory;
public class MainActivity extends Activity {
private View loading;
private TextView output;
private Button button;
SSLSocketFactory socketFactory = null;
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
loading = findViewById(R.id.loading);
output = (TextView) findViewById(R.id.output);
button = (Button) findViewById(R.id.button);
button.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View v) {
new CargaAsyncTask().execute(new Void[0]);
}
});
}
class CargaAsyncTask extends AsyncTask<Void, Void, String> {
@Override
protected void onPreExecute() {
super.onPreExecute();
loading.setVisibility(View.VISIBLE);
button.setEnabled(false);
}
@Override
protected String doInBackground(Void... params) {
// Instantiate the custom HttpClient
DefaultHttpClient client = new MyHttpClient(getApplicationContext());
HttpGet get = new HttpGet("https://www.google.com");
// Execute the GET call and obtain the response
HttpResponse getResponse;
String resultado = null;
try {
getResponse = client.execute(get);
HttpEntity responseEntity = getResponse.getEntity();
InputStream is = responseEntity.getContent();
resultado = convertStreamToString(is);
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
return resultado;
}
@Override
protected void onPostExecute(String result) {
super.onPostExecute(result);
loading.setVisibility(View.GONE);
button.setEnabled(true);
if (result == null) {
output.setText("Error");
} else {
output.setText(result);
}
}
}
public static String convertStreamToString(InputStream is) throws IOException {
/*
* To convert the InputStream to String we use the
* Reader.read(char[] buffer) method. We iterate until the
* Reader return -1 which means there's no more data to
* read. We use the StringWriter class to produce the string.
*/
if (is != null) {
Writer writer = new StringWriter();
char[] buffer = new char[1024];
try {
Reader reader = new BufferedReader(new InputStreamReader(is, "UTF-8"));
int n;
while ((n = reader.read(buffer)) != -1) {
writer.write(buffer, 0, n);
}
} finally {
is.close();
}
return writer.toString();
} else {
return "";
}
}
}
我希望它对其他人有用!! 尽情享受吧!
答案 3 :(得分:1)
似乎您还需要为SSLSocketFactory设置主机名。
尝试添加行
socketFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
在使用SSLFactory。
除了结构上的差异,我们有类似的代码。在我的实现中,我刚刚创建了自己的DefaultHttpClient扩展,它看起来类似于上面的大部分代码。如果这不能解决问题,我可以发布工作代码,你可以尝试一下这个方法。
编辑:这是我的工作版
public class ActivateHttpClient extends DefaultHttpClient {
final Context context;
/**
* Public constructor taking two arguments for ActivateHttpClient.
* @param context - Context referencing the calling Activity, for creation of
* the socket factory.
* @param params - HttpParams passed to this, specifically to set timeouts on the
* connection.
*/
public ActivateHttpClient(Context context, HttpParams params) {
this.setParams(params);
}
/* (non-Javadoc)
* @see org.apache.http.impl.client.DefaultHttpClient#createClientConnectionManager()
* Create references for both http and https schemes, allowing us to attach our custom
* SSLSocketFactory to either
*/
@Override
protected ClientConnectionManager createClientConnectionManager() {
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory
.getSocketFactory(), 80));
registry.register(new Scheme("https", newSslSocketFactory(), 443));
return new SingleClientConnManager(getParams(), registry);
}
/**
* Creation of new SSLSocketFactory, which imports a certificate from
* a server which self-signs its own certificate.
* @return
*/
protected SSLSocketFactory newSslSocketFactory() {
try {
//Keystore must be in BKS (Bouncy Castle Keystore)
KeyStore trusted = KeyStore.getInstance("BKS");
//Reference to the Keystore
InputStream in = context.getResources().openRawResource(
R.raw.cert);
//Password to the keystore
try {
trusted.load(in, PASSWORD_HERE.toCharArray());
} finally {
in.close();
}
// Pass the keystore to the SSLSocketFactory. The factory is
// responsible
// for the verification of the server certificate.
SSLSocketFactory sf = new SSLSocketFactory(trusted);
// Hostname verification from certificate
// http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
return sf;
// return new SSLSocketFactory(trusted);
} catch (Exception e) {
e.printStackTrace();
throw new AssertionError(e);
}
}
}
并且可以如图所示调用:
HttpParams params = new BasicHttpParams();
// Set the timeout in milliseconds until a connection is established.
int timeoutConnection = 500;
HttpConnectionParams.setConnectionTimeout( params , timeoutConnection );
// Set the default socket timeout (SO_TIMEOUT)
// in milliseconds which is the timeout for waiting for data.
int timeoutSocket = 1000;
HttpConnectionParams.setSoTimeout( params , timeoutSocket );
//ADD more connection options here!
String url =
"https:// URL STRING HERE";
HttpGet get = new HttpGet( url );
ActivateHttpClient client =
new ActivateHttpClient( this.context, params );
// Try to execute the HttpGet, throwing errors
// if no response is received, or if there is
// an error in the execution.
HTTPResponse response = client.execute( get );
答案 4 :(得分:1)
我发布了一个更新的答案,因为人们仍然参考并投票这个问题。我不得不更改套接字工厂代码几次,因为自Android 4.0以来有些事情发生了变化
// Trust manager / truststore
KeyStore trustStore=KeyStore.getInstance(KeyStore.getDefaultType());
// If we're on an OS version prior to Ice Cream Sandwich (4.0) then use the standard way to get the system
// trustStore -- System.getProperty() else we need to use the special name to get the trustStore KeyStore
// instance as they changed their trustStore implementation.
if (Build.VERSION.RELEASE.compareTo("4.0") < 0) {
TrustManagerFactory trustManagerFactory=TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
FileInputStream trustStoreStream=new FileInputStream(System.getProperty("javax.net.ssl.trustStore"));
trustStore.load(trustStoreStream, null);
trustManagerFactory.init(trustStore);
trustStoreStream.close();
} else {
trustStore=KeyStore.getInstance("AndroidCAStore");
}
InputStream certificateStream=new FileInputStream(userCertFile);
KeyStore keyStore=KeyStore.getInstance("PKCS12");
try {
keyStore.load(certificateStream, certPass.toCharArray());
Enumeration<String> aliases=keyStore.aliases();
while (aliases.hasMoreElements()) {
String alias=aliases.nextElement();
if (keyStore.getCertificate(alias).getType().equals("X.509")) {
X509Certificate cert=(X509Certificate)keyStore.getCertificate(alias);
if (new Date().after(cert.getNotAfter())) {
// This certificate has expired
return;
}
}
}
} catch (IOException ioe) {
// This occurs when there is an incorrect password for the certificate
return;
} finally {
certificateStream.close();
}
KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, certPass.toCharArray());
socketFactory=new SSLSocketFactory(keyStore, certPass, trustStore);
希望这有助于将来仍然来到这里的人。