目前我正在编写一个java库来访问pointhq.com的REST API。
在开发Android客户端时,我意识到默认情况下不接受SSL证书,因此我编写了一个自定义TrustManager并添加了pointhq.com证书,如本文所述:Trusting all certificates using HttpClient over HTTPS
使用此Trustmanager和我导入的bks文件,我在尝试连接时遇到以下错误:IssuerName(CN=GeoTrust Global CA, O=GeoTrust Inc., C=US) does not match SubjectName(CN=RapidSSL CA, O="GeoTrust, Inc.", C=US) of signing certificate.
那我做错了什么?我导入了pointhq.com,rapidssl.com,geotrust.com证书。但没有改变。是否有一种我必须注意的证书分类?我错过了根证书吗?
编辑:以下是导入证书的列表:
类型:BKS 提供者:BC 参赛作品:3
条目别名:geotrust global ca 创作日期:19.10.2011 15:44:35 MESZ 类型:可信证书 证书:1
Certificate 1 of 1
Version: 3
Subject: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Serial Number: 0002 3456
Valid From: 21.05.2002 06:00:00
Valid Until: 21.05.2022 06:00:00
Public Key: RSA (2.048 bits)
Signature Algorithm: SHA1withRSA
SHA-1 Fingerprint: DE:28:F4:A4:FF:E5:B9:2F:A3:C5:03:D1:A3:49:A7:F9:96:2A:82:12
MD5 Fingerprint: F7:75:AB:29:FB:51:4E:B7:77:5E:FF:05:3C:99:8E:F5
条目别名:pointhq.com(rapidssl ca) 创作日期:29.09.2011 18:55:12 MESZ 类型:可信证书 证书:1
Certificate 1 of 1
Version: 3
Subject: CN=pointhq.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/resources/cps (c)11, OU=GT70151377, O=pointhq.com, C=GB, SERIALNUMBER=8Dvj7qRSYLjGZiX2tHocE2FDaqAp8RwO
Issuer: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
Serial Number: 8971
Valid From: 31.01.2011 13:20:09
Valid Until: 03.02.2013 09:15:38
Public Key: RSA (2.048 bits)
Signature Algorithm: SHA1withRSA
SHA-1 Fingerprint: BB:04:D0:3E:1A:36:02:F7:C3:8C:85:99:1D:67:2A:6B:CF:C1:BC:C5
MD5 Fingerprint: 21:9D:DF:72:E6:4A:33:47:E1:BA:D6:52:86:1E:59:B4
条目别名:rapidssl ca(geotrust global ca) 创作日期:29.09.2011 18:54:49 MESZ 类型:可信证书 证书:1
Certificate 1 of 1
Version: 3
Subject: CN=RapidSSL CA, O="GeoTrust, Inc.", C=US
Issuer: CN=GeoTrust Global CA, O=GeoTrust Inc., C=US
Serial Number: 0002 36D1
Valid From: 19.02.2010 23:45:05
Valid Until: 18.02.2020 23:45:05
Public Key: RSA (2.048 bits)
Signature Algorithm: SHA1withRSA
SHA-1 Fingerprint: C0:39:A3:26:9E:E4:B8:E8:2D:00:C5:3F:A7:97:B5:A1:9E:83:6F:47
MD5 Fingerprint: 1B:EE:28:5E:8F:F8:08:5F:79:CC:60:8B:92:99:A4:53
我现在写了一个SSL测试应用程序。结果令人困惑。 正如您在附加的屏幕截图中看到的,有时ssl连接被接受,有时则不被接受!即使它与我正在连接的网站相同。
https://ssltest12.bbtest.net/是RapidSSL证书的演示站点我要使用什么。正如你在Android 2.1屏幕截图所看到的那样,第一个连接得到了不被接受,但第二次尝试完全正常,而最后一次不能再次工作。怎么会发生这种情况?
BTW:自Android 2.3.3起,RapidSSL证书被接受,没有任何自定义代码!
Scrennshots:
答案 0 :(得分:6)
是的,连锁事项中的证书顺序。基本上,您希望将证书从您的证书下载到CA.浏览器为你做,但Java没有。我遇到了链中无序证书的问题,我最终编写了一个简单的X509TrustManager实现:
public void checkServerTrusted(X509Certificate[] certificates,String authType) throws CertificateException {
if ((certificates != null) && LOG.isDebugEnabled()) {
LOG.debug("Server certificate chain:");
for (int i = 0; i < certificates.length; i++) {
LOG.debug("X509Certificate[" + i + "]=" + certificates[i]);
}
}
if ((certificates != null) && (certificates.length == 1)) {
certificates[0].checkValidity();
} else {
List<X509Certificate> certs = new ArrayList<X509Certificate>();
certs.addAll(Arrays.asList(certificates));
X509Certificate certChain = certs.get(0);
certs.remove(certChain);
LinkedList<X509Certificate> chainList= new LinkedList<X509Certificate>();
chainList.add(certChain);
Principal certIssuer = certChain.getIssuerDN();
Principal certSubject = certChain.getSubjectDN();
while(!certs.isEmpty()){
List<X509Certificate> tempcerts = new ArrayList<X509Certificate>();
tempcerts.addAll(certs);
for (X509Certificate cert : tempcerts){
if(cert.getIssuerDN().equals(certSubject)){
chainList.addFirst(cert);
certSubject = cert.getSubjectDN();
certs.remove(cert);
continue;
}
if(cert.getSubjectDN().equals(certIssuer)){
chainList.addLast(cert);
certIssuer = cert.getIssuerDN();
certs.remove(cert);
continue;
}
}
}
standardTrustManager.checkServerTrusted(chainList.toArray(new X509Certificate[]{}),authType);
}
}
注意顺序“while”循环。