使用.cer而不是.p12对android上的服务器进行身份验证
[英]Using a .cer instead of a .p12 to authenticate to a server on android
问题描述
for my current project we use a certificate authentification on our server. 
对于我当前的项目,我们在服务器上使用证书身份验证。 Till now we used PKCS12 to realise that and it was working fine. 直到现在我们使用PKCS12来实现它并且它工作正常。 Because we integrated a PKCS11 security card now i can only get the certificate as a standard .cer. 因为我们现在集成了PKCS11安全卡,所以我只能将证书作为标准.cer获得。 So far so good i can create a keystore and SSLcontext fine but for some reason the server doesn't recognize that im trying to use a certificate if i do it with a .cer. 到目前为止,我可以创建一个密钥库和SSLcontext很好,但由于某种原因服务器无法识别我试图使用证书,如果我使用.cer。 Maybe you guys can find a reason. 也许你们可以找到理由。
Working code: 工作代码:
SSLContext ctx = SSLContext.getInstance("TLS");
KeyStore keystore = KeyStore.getInstance("PKCS12");
keystore.load(new FileInputStream(new File("/data/local/tmp/admin.p12")), certpw.toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keystore, certpw.toCharArray());
ctx.init(keyManagerFactory.getKeyManagers(),
new TrustManager[] { new X509TrustManager() {
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[] {};
}
@Override
public void checkClientTrusted(
final X509Certificate[] arg0,
final String arg1)
throws CertificateException {
}
@Override
public void checkServerTrusted(
final X509Certificate[] arg0,
final String arg1)
throws CertificateException {
}
} }, new SecureRandom());
And here the not working code with a .cer: 这里有一个没有.cer的代码:
SSLContext ctx = SSLContext.getInstance("TLS");
InputStream is = new FileInputStream("/data/local/tmp/admin.cer");
CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate caCert = (Certificate)cf.generateCertificate(is);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null, certpw.toCharArray());
ks.setCertificateEntry("caCert", caCert);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(ks, certpw.toCharArray());
ctx.init(keyManagerFactory.getKeyManagers(),
new TrustManager[] { new X509TrustManager() {
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[] {};
}
@Override
public void checkClientTrusted(
final X509Certificate[] arg0,
final String arg1)
throws CertificateException {
}
@Override
public void checkServerTrusted(
final X509Certificate[] arg0,
final String arg1)
throws CertificateException {
}
} }, new SecureRandom());
Basicly the only thing, that changed is that i create an empty keystore now and add the certificate manually. 基本上唯一改变的是我现在创建一个空的密钥库并手动添加证书。
EDIT: I get the .cer via JNI using a .so lib provided by the card manufactor. 编辑:我使用卡制造商提供的.so lib通过JNI获取.cer。 It contains an implementation of the PKCS#11 API. 它包含PKCS#11 API的实现。 I could get the private and public key from the card together with the certificate but don't know how i would use those to make a KeysStore. 我可以从卡中获取私钥和公钥以及证书,但不知道我将如何使用它们来制作KeysStore。
1 个解决方案
解决方案1
3 2014-08-08 14:49:06
You need the private key. 你需要私钥。 With .p12 file you had it and it was used to establish SSL connection to the server. 使用.p12文件,您可以使用它来建立与服务器的SSL连接。
When you moved from .p12 to smartcard you made a big change. 当你从.p12转移到智能卡时,你做了很大的改变。 I don't know if it will be possible to make KeyStore work with smartcard through a PKCS#11 interface or if a PKCS#11 interface is even available on android (I am not an android developer). 我不知道是否可以通过PKCS#11接口使KeyStore与智能卡一起工作,或者如果Android上甚至可以使用PKCS#11接口(我不是Android开发人员)。
Try to do some research if it could be done. 如果可以的话,尝试做一些研究。 The questions you should be asking yourself (or google): 您应该问自己(或谷歌)的问题:
- Is PKCS#11 interface available on android? Android上有PKCS#11接口吗?
- Does your vendor supply the card with a PKCS#11 library for android? 您的供应商是否为Android提供了PKCS#11库?
- Can KeyStore use a PKCS#11 library? KeyStore可以使用PKCS#11库吗?
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.