
Android 7: Trust anchor for certification path not found

I have an application that connects to a server in the local IP network. This connection is TLS encrypted with a custom certificate. Following the guides on this site, I made it work under all Android versions up to Android 7. Sadly, since Android 7 it is no longer working. Please, does anybody know why this is not working anymore?

I found this article and included a network config file with the following code (I know this might not be secure, but first this has to work...):

<network-security-config>  
  <base-config>  
       <trust-anchors>  
            <!-- Trust the CA bundled with the app (@raw/ca_cert) and the
             system CAs for all connections -->
            <certificates src="@raw/ca_cert" />
            <certificates src="system"/>
       </trust-anchors>
  </base-config>  
</network-security-config>

Sadly, it is still not working. I also added it in the manifest as android:networkSecurityConfig="@xml/network_security_config".

The exception I am getting (only Android 7+)!

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

This is the code for initializing my SSL context:

// Step 1: Initialize a ssl context with highest version
ssl_ctx = SSLContext.getInstance("TLSv1.2");

// Step 2: Add certificates to context

// Step 2.1 get private key
int pkeyId = context.getResources().getIdentifier("raw/clientkeypkcs", null, context.getPackageName());
InputStream fis = context.getResources().openRawResource(pkeyId);
DataInputStream dis = new DataInputStream(fis);
byte[] bytes = new byte[dis.available()];
dis.readFully(bytes);
ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
byte[] key = new byte[bais.available()];
KeyFactory kf = KeyFactory.getInstance("RSA");
bais.read(key, 0, bais.available());
bais.close();           
PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key );
PrivateKey ff = kf.generatePrivate (keysp);

//Step 2.2 get certificates
int caresId = context.getResources().getIdentifier("raw/ca_cert", null, context.getPackageName());            
InputStream caCertIS = context.getResources().openRawResource(caresId);
CertificateFactory cacf = CertificateFactory.getInstance("X.509");
X509Certificate caCert = (X509Certificate)cacf.generateCertificate(caCertIS);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null); // You don't need the KeyStore instance to come from a file.
ks.setCertificateEntry("caCert", caCert);
tmf.init(ks);

int clientresId = context.getResources().getIdentifier("raw/client_cert", null, context.getPackageName());            
InputStream clientCertIS = context.getResources().openRawResource(clientresId);
CertificateFactory clientcf = CertificateFactory.getInstance("X.509");
X509Certificate clientCert = (X509Certificate)clientcf.generateCertificate(clientCertIS);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
ks.setCertificateEntry("clientCert", clientCert);
kmf.init(ks, "***********".toCharArray());
Certificate[] chain = new Certificate[] { clientCert};
//ks.load(null); // You don't need the KeyStore instance to come from a file.
ks.setKeyEntry("importkey", ff, "***********".toCharArray(), chain );           

ssl_ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

I faced this same issue on an Android Oreo device:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

It was due to the device date being set to an old date for some other test purpose. I never knew that could cause this kind of SSLHandshakeException issue. After a lot of struggle, I just set the device date back to the current date. Solved the issue. :D

I think your scenario may be different and may need to be handled in another way. But I just posted this answer, just in case it may help somebody.

You probably might have the user certificate missing:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
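
Added example (not part of the original posts): a small Java audit that lists each trust-anchor source in a Network Security Config together with the section it applies to, run over the two configurations shown on this page. The class name `NscAudit` and the finding strings are illustrative assumptions; it runs on a desktop JVM.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class NscAudit {
    /** Lists every trust-anchor source with its scope and flags broad or missing anchors. */
    static List<String> audit(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Refuse DTDs so the audit itself cannot be used for XXE.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Element root = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getDocumentElement();
        List<String> findings = new ArrayList<>();
        boolean bundledCa = false;
        NodeList certs = root.getElementsByTagName("certificates");
        for (int i = 0; i < certs.getLength(); i++) {
            Element c = (Element) certs.item(i);
            // <certificates> sits inside <trust-anchors>; that element's parent names the scope.
            String scope = c.getParentNode().getParentNode().getNodeName();
            String src = c.getAttribute("src");
            String line = scope + ": " + src;
            if (src.startsWith("@raw/")) bundledCa = true;
            if (src.equals("user") && !scope.equals("debug-overrides")) {
                line += " (user-installed CAs trusted in release builds)";
            }
            findings.add(line);
        }
        if (!bundledCa) {
            findings.add("no @raw/ source: a private CA is trusted only if installed on the device");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Constructed inputs: the two configurations from this page, whitespace removed.
        String open = "<network-security-config><base-config><trust-anchors>";
        String close = "</trust-anchors></base-config></network-security-config>";
        String question = open + "<certificates src=\"@raw/ca_cert\"/>"
                + "<certificates src=\"system\"/>" + close;
        String answer = open + "<certificates src=\"system\"/>"
                + "<certificates src=\"user\"/>" + close;
        audit(question).forEach(s -> System.out.println("question -> " + s));
        audit(answer).forEach(s -> System.out.println("answer   -> " + s));
    }
}
```

Apps targeting API level 24 or higher do not trust user-installed CAs by default, which is why `src="user"` has to be declared explicitly. Placing it under `<debug-overrides>` instead of `<base-config>` confines that trust to debuggable builds.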


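Notice: The technical posts on this site are licensed under CC BY-SA 4.0. If you republish them, please credit this site's URL or the original address. For any questions, contact: yoyou2525@163.com.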
