TLS/SSL client authentication using a client certificate which becomes available at runtime (Android/Java)
Suppose I have an application which in some way retrieves a client certificate (private/public key pair) at runtime via a secure channel (so I don't have this client certificate at build time).
How can I use this client certificate for client authentication without using keytool and without using some persistent/on-disk keystore? So I do not want (actually I can't) to import it using a command-line keytool.
Actually I want to replicate the functionality done in libcurl. You just set the client certificate (with private key) and you're done. It doesn't involve a keystore.
All this has to be done in Java/Android.
You can do it in Java by defining your own KeyManager as described in the JSSE Reference Guide. I can't speak for Android.
I just got this working and I don't think you'll be very happy with my answer, but it does work :)
So the hard part is to get the PKCS12 certificate you need to perform client authentication. If your certificate is already in PKCS12, then you've got all the hard stuff out of the way and you can refer to the second answer on "SSL client authentication in Android" to see how to use that certificate.
If you just have a public/private key pair and not a PKCS12 certificate, then you will need to make one. As far as I could tell there is no way in Java/Android to create this certificate, so you need to use the Android NDK and OpenSSL.
If you download the openssl-android project from https://github.com/guardianproject/openssl-android you can use it to build OpenSSL. By default it compiles as a .so shared object, but only some of the Android devices I tried to run this code on were able to link against libcrypto, so, although I'm sure there is a better way, I went into the Android.mk files and replaced include $(BUILD_SHARED_LIBRARY) with include $(BUILD_STATIC_LIBRARY) in a few places so that I could compile a .a static library.
I then used the info from "Android NDK: Link using a pre-compiled static library" to link the libcrypto.a I compiled to my native code.
This native code uses OpenSSL to first create an X509 certificate and then uses it to create a PKCS12 file, which can be used in the manner I mentioned before, located at "SSL client authentication in Android".
First you need to get your public and private keys into native land as EVP_PKEY pointers, which can happen in a variety of ways based on what format your keys are in. Then you can use the following code to create an X509 certificate:
    #include <openssl/x509.h>
    X509 *public_key_cert = X509_new();
    X509_gmtime_adj(X509_get_notBefore(public_key_cert), 0);                  /* valid from now ... */
    X509_gmtime_adj(X509_get_notAfter(public_key_cert), (long) 60*60*24*365); /* ... for one year */
    X509_set_pubkey(public_key_cert, evp_pub_key);                            /* evp_pub_key: the EVP_PKEY* holding your public key */
This creates the most minimally valid X509 certificate, which is valid for 1 year. You may want to do other stuff like sign the certificate if you are going to run your own certificate authority, or set any of a large set of headers which contain various bits of information.
Next you need to create the PKCS12 certificate using the X509 cert, like this:
    #include <openssl/pkcs12.h>
    PKCS12 *pkcs12 = PKCS12_create(password, "Some Sort of Friendly Name", evp_priv_key, public_key_cert, NULL, 0, 0, 0, 0, 0); /* zeros: library defaults for key/cert ciphers and iteration counts */
password is a char* containing the password which will be used to encrypt the private key using triple-DES.
Now that you have a PKCS12 certificate you can go over to "SSL client authentication in Android" and get client authentication going.
Good Luck! 祝好运!
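The approach the first answer points at (a KeyManager of your own, so the key and certificate never touch a keystore or keytool), written out as an added example that is not from the question, the answers or any project. InMemoryClientKeyManager, fromEncoded and newClientContext are hypothetical names, and the code assumes the private key arrives as PKCS#8 DER and the certificate as DER X.509.

```java
import java.io.ByteArrayInputStream;
import java.net.Socket;
import java.security.KeyFactory;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;

/* Hypothetical class: serves one client identity held only in process memory (no KeyStore, no keytool). */
public final class InMemoryClientKeyManager extends X509ExtendedKeyManager {
    private static final String ALIAS = "runtime-client";   // internal handle, never sent on the wire
    private final PrivateKey key;
    private final X509Certificate[] chain;

    public InMemoryClientKeyManager(PrivateKey key, X509Certificate[] chain) {
        this.key = key;
        this.chain = chain.clone();
    }
    /* Parse what the app received over its secure channel: PKCS#8 DER private key + DER X.509 certificate. */
    public static InMemoryClientKeyManager fromEncoded(String keyAlg, byte[] pkcs8Key, byte[] derCert) throws Exception {
        PrivateKey k = KeyFactory.getInstance(keyAlg).generatePrivate(new PKCS8EncodedKeySpec(pkcs8Key));
        X509Certificate c = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(derCert));
        return new InMemoryClientKeyManager(k, new X509Certificate[] { c });
    }
    /* Server sent a CertificateRequest: offer our identity only if it asked for our key type ("RSA" or "EC"). */
    @Override public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        for (String kt : keyTypes) if (kt.equalsIgnoreCase(key.getAlgorithm())) return ALIAS;
        return null;   // null -> client sends an empty certificate list; the server decides whether that is fatal
    }
    @Override public String chooseEngineClientAlias(String[] keyTypes, Principal[] issuers, SSLEngine e) { return chooseClientAlias(keyTypes, issuers, null); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return chooseClientAlias(new String[] { keyType }, issuers, null) == null ? null : new String[] { ALIAS }; }
    @Override public X509Certificate[] getCertificateChain(String alias) { return ALIAS.equals(alias) ? chain.clone() : null; }
    @Override public PrivateKey getPrivateKey(String alias) { return ALIAS.equals(alias) ? key : null; }
    /* Client-only: never present this identity as a TLS server. */
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }

    /* SSLContext that presents the in-memory identity; server trust stays on the platform's default TrustManagers. */
    public static SSLContext newClientContext(InMemoryClientKeyManager km) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, null, null);   // null trust managers = platform default CA set
        return ctx;
    }
}
```

Hand the context to HttpsURLConnection via setSSLSocketFactory(newClientContext(km).getSocketFactory()); nothing is written to disk, so the key is only as exposed as the process memory holding it.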