与Android应用程序中的客户端证书的HTTPS连接
[英]HTTPS connection with client certificate in an android app
问题描述
我正在尝试用我正在编写的Android应用程序中的HTTPS连接替换当前正在运行的HTTP连接。 HTTPS连接的额外安全性是必要的,因此我不能忽略此步骤。
我有以下内容:
- 服务器配置为建立HTTPS连接,并需要客户端证书
- 此服务器具有由标准大型CA颁发的证书。 简而言之,如果我通过Android中的浏览器访问此连接,它可以正常工作,因为设备信任库可以识别CA. (所以它不是自签名的)
- 客户端证书,基本上是自签名的。 (由内部CA发布)
- 一个Android应用程序,它加载此客户端证书并尝试连接到上述服务器,但具有以下问题/属性:
- 当服务器被配置为不需要客户端证书的客户端可以连接到服务器。 基本上,如果我使用
SSLSocketFactory.getSocketFactory()连接正常,但客户端证书是此应用程序规范的必需部分,因此: - 客户端生成
javax.net.ssl.SSLPeerUnverifiedException: No peer certificate当我尝试连接自定义SSLSocketFactory时javax.net.ssl.SSLPeerUnverifiedException: No peer certificate异常,但我不完全确定原因。 在互联网上搜索各种解决方案后,这个例外似乎有点模棱两可。
- 当服务器被配置为不需要客户端证书的客户端可以连接到服务器。 基本上,如果我使用
以下是客户端的相关代码:
SSLSocketFactory socketFactory = null;
public void onCreate(Bundle savedInstanceState) {
loadCertificateData();
}
private void loadCertificateData() {
try {
File[] pfxFiles = Environment.getExternalStorageDirectory().listFiles(new FileFilter() {
public boolean accept(File file) {
if (file.getName().toLowerCase().endsWith("pfx")) {
return true;
}
return false;
}
});
InputStream certificateStream = null;
if (pfxFiles.length==1) {
certificateStream = new FileInputStream(pfxFiles[0]);
}
KeyStore keyStore = KeyStore.getInstance("PKCS12");
char[] password = "somePassword".toCharArray();
keyStore.load(certificateStream, password);
System.out.println("I have loaded [" + keyStore.size() + "] certificates");
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password);
socketFactory = new SSLSocketFactory(keyStore);
} catch (Exceptions e) {
// Actually a bunch of catch blocks here, but shortened!
}
}
private void someMethodInvokedToEstablishAHttpsConnection() {
try {
HttpParams standardParams = new BasicHttpParams();
HttpConnectionParams.setConnectionTimeout(standardParams, 5000);
HttpConnectionParams.setSoTimeout(standardParams, 30000);
SchemeRegistry schRegistry = new SchemeRegistry();
schRegistry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
schRegistry.register(new Scheme("https", socketFactory, 443));
ClientConnectionManager connectionManager = new ThreadSafeClientConnManager(standardParams, schRegistry);
HttpClient client = new DefaultHttpClient(connectionManager, standardParams);
HttpPost request = new HttpPost();
request.setURI(new URI("https://TheUrlOfTheServerIWantToConnectTo));
request.setEntity("Some set of data used by the server serialized into string format");
HttpResponse response = client.execute(request);
resultData = EntityUtils.toString(response.getEntity());
} catch (Exception e) {
// Catch some exceptions (Actually multiple catch blocks, shortened)
}
}
我已经验证过,确实是keyStore加载证书并且对此感到满意。
关于HTTPS / SSL连接的阅读,我有两个理论,但是由于这是我的第一次尝试,我对解决这个问题的实际需要感到有些困惑。
据我所知,第一种可能性是我需要使用包含所有标准中间证书和终端证书颁发机构的设备信任库来配置此SSLSocketFactory。 也就是说,设备的默认SSLSocketFactory.getSocketFactory()将一些CA加载到工厂的信任库中,该信任库用于在发送证书时信任服务器,这就是我的代码失败的原因,因为我没有正确拥有信任存储已加载。 如果这是真的,我最好如何加载这些数据?
第二种可能性是由于客户端证书是自签名的(或由内部证书颁发机构颁发 - 如果我错了,请纠正我,但这些确实相同,对于所有意图和目的) 。 事实上,我缺少这个信任库,基本上我需要为服务器提供一种方法来使用内部CA验证证书,并且还验证这个内部CA实际上是“可信任的” 。 如果这是真的,我到底想要什么样的东西? 我已经看到一些提及这个让我相信这可能是我的问题,就像在这里 ,但我真的不确定。 如果这确实是我的问题,我会从维护内部CA的人那里要求什么,然后我将如何将其添加到我的代码中以便我的HTTPS连接可以工作?
第三个,也是希望不太可能的解决方案,就是我在这里完全错误并错过了一个关键步骤,或者完全忽略了我目前还不知道的部分HTTPS / SSL。 如果是这种情况,请你给我一点方向,以便我可以去学习我需要学习的内容?
谢谢阅读!
5 个解决方案
解决方案1
8 2013-08-01 02:40:51
有一种更简单的方法来实现@jglouie的解决方案。 基本上,如果您使用SSLContext并使用null为trust manager参数初始化它,则应使用默认信任管理器获取SSL上下文。 请注意,Android文档中没有记录这一点,但SSLContext.init的Java文档说明了这一点
前两个参数中的任何一个都可以为空,在这种情况下,将搜索已安装的安全提供程序以寻找适当工厂的最高优先级实现。
这是代码的样子:
// This can be any protocol supported by your target devices.
// For example "TLSv1.2" is supported by the latest versions of Android
final String SSL_PROTOCOL = "TLS";
try {
sslContext = SSLContext.getInstance(SSL_PROTOCOL);
// Initialize the context with your key manager and the default trust manager
// and randomness source
sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
} catch (NoSuchAlgorithmException e) {
Log.e(TAG, "Specified SSL protocol not supported! Protocol=" + SSL_PROTOCOL);
e.printStackTrace();
} catch (KeyManagementException e) {
Log.e(TAG, "Error setting up the SSL context!");
e.printStackTrace();
}
// Get the socket factory
socketFactory = sslContext.getSocketFactory();
解决方案2
7 已采纳 2011-10-10 15:35:08
我认为这确实是个问题。
据我所知,第一种可能性是我需要使用包含所有标准中间证书和端点证书颁发机构的设备信任库来配置此SSLSocketFactory
如果这是真的,我最好如何加载这些数据?
尝试这样的事情(你需要让你的套接字工厂使用这个默认的信任管理器):
X509TrustManager manager = null;
FileInputStream fs = null;
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
try
{
fs = new FileInputStream(System.getProperty("javax.net.ssl.trustStore"));
keyStore.load(fs, null);
}
finally
{
if (fs != null) { fs.close(); }
}
trustManagerFactory.init(keyStore);
TrustManager[] managers = trustManagerFactory.getTrustManagers();
for (TrustManager tm : managers)
{
if (tm instanceof X509TrustManager)
{
manager = (X509TrustManager) tm;
break;
}
}
编辑:请在此处使用代码之前查看Pooks的答案。 听起来现在有更好的方法。
解决方案3
2 2015-07-31 09:12:41
我曾经尝试了几天我终于得到了答案,所以我想在这里发布我的步骤和所有代码以帮助其他人。
1)获取您要连接的站点的证书
echo | openssl s_client -connect ${MY_SERVER}:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > mycert.pem
2)创建你需要的BouncyCastle库你可以在这里下载
keytool -import -v -trustcacerts -alias 0 -file mycert.pem -keystore “store_directory/mykst“ -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath “directory_of_bouncycastle/bcprov-jdk16-145.jar” -storepass mypassword
3)检查密钥是否已创建
keytool -list -keystore "carpeta_almacen/mykst" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "directory_of_bouncycastle/bcprov-jdk16-145.jar" -storetype BKS -storepass mypassword
你应该看到这样的事情:
Tipodealmacéndeclaves:BKS Proveedordealmacéndeclaves:BC
Sualmacéndeclaves contiene entrada 1
0,07-dic-2011,trustedCertEntry,
Huella digital de certificado(MD5):
55:FD:E5:E3:8A:4C:D6:B8:69:EB:6A:49:05:5F:18:48
4)然后你需要将文件“mykst”复制到你的android项目中的目录“res / raw”(如果不存在则创建它)。
5)在android清单中添加权限
<uses-permission android:name="android.permission.INTERNET"/>
6)这里的代码!
activity_main.xml中
<?xml version="1.0" encoding="utf-8"?>
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
android:layout_width="fill_parent"
android:layout_height="fill_parent"
android:orientation="vertical"
android:padding="10dp" >
<Button
android:id="@+id/button"
android:layout_width="fill_parent"
android:layout_height="wrap_content"
android:text="Cargar contenido" />
<RelativeLayout
android:layout_width="fill_parent"
android:layout_height="fill_parent"
android:background="#4888ef">
<ProgressBar
android:id="@+id/loading"
android:layout_width="50dp"
android:layout_height="50dp"
android:indeterminate="true"
android:layout_centerInParent="true"
android:visibility="gone"/>
<ScrollView
android:layout_width="fill_parent"
android:layout_height="fill_parent"
android:fillViewport="true"
android:padding="10dp">
<TextView
android:id="@+id/output"
android:layout_width="fill_parent"
android:layout_height="fill_parent"
android:textColor="#FFFFFF"/>
</ScrollView>
</RelativeLayout>
</LinearLayout>
MyHttpClient
package com.example.https;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.Enumeration;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;
import android.content.Context;
import android.os.Build;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManagerFactory;
public class MyHttpClient extends DefaultHttpClient {
final Context context;
public MyHttpClient(Context context) {
this.context = context;
}
@Override
protected ClientConnectionManager createClientConnectionManager() {
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
// Register for port 443 our SSLSocketFactory with our keystore
// to the ConnectionManager
registry.register(new Scheme("https", newSslSocketFactory(), 443));
return new SingleClientConnManager(getParams(), registry);
}
private SSLSocketFactory newSslSocketFactory() {
try {
// Trust manager / truststore
KeyStore trustStore=KeyStore.getInstance(KeyStore.getDefaultType());
// If we're on an OS version prior to Ice Cream Sandwich (4.0) then use the standard way to get the system
// trustStore -- System.getProperty() else we need to use the special name to get the trustStore KeyStore
// instance as they changed their trustStore implementation.
if (Build.VERSION.RELEASE.compareTo("4.0") < 0) {
TrustManagerFactory trustManagerFactory=TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
FileInputStream trustStoreStream=new FileInputStream(System.getProperty("javax.net.ssl.trustStore"));
trustStore.load(trustStoreStream, null);
trustManagerFactory.init(trustStore);
trustStoreStream.close();
} else {
trustStore=KeyStore.getInstance("AndroidCAStore");
}
InputStream certificateStream = context.getResources().openRawResource(R.raw.mykst);
KeyStore keyStore=KeyStore.getInstance("BKS");
try {
keyStore.load(certificateStream, "mypassword".toCharArray());
Enumeration<String> aliases=keyStore.aliases();
while (aliases.hasMoreElements()) {
String alias=aliases.nextElement();
if (keyStore.getCertificate(alias).getType().equals("X.509")) {
X509Certificate cert=(X509Certificate)keyStore.getCertificate(alias);
if (new Date().after(cert.getNotAfter())) {
// This certificate has expired
return null;
}
}
}
} catch (IOException ioe) {
// This occurs when there is an incorrect password for the certificate
return null;
} finally {
certificateStream.close();
}
KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, "mypassword".toCharArray());
return new SSLSocketFactory(keyStore, "mypassword", trustStore);
} catch (Exception e) {
throw new AssertionError(e);
}
}
}
主要活动
package com.example.https;
import android.app.Activity;
import android.os.AsyncTask;
import android.os.Bundle;
import android.view.View;
import android.widget.Button;
import android.widget.TextView;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.DefaultHttpClient;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.io.StringWriter;
import java.io.Writer;
import javax.net.ssl.SSLSocketFactory;
public class MainActivity extends Activity {
private View loading;
private TextView output;
private Button button;
SSLSocketFactory socketFactory = null;
@Override
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
setContentView(R.layout.activity_main);
loading = findViewById(R.id.loading);
output = (TextView) findViewById(R.id.output);
button = (Button) findViewById(R.id.button);
button.setOnClickListener(new View.OnClickListener() {
@Override
public void onClick(View v) {
new CargaAsyncTask().execute(new Void[0]);
}
});
}
class CargaAsyncTask extends AsyncTask<Void, Void, String> {
@Override
protected void onPreExecute() {
super.onPreExecute();
loading.setVisibility(View.VISIBLE);
button.setEnabled(false);
}
@Override
protected String doInBackground(Void... params) {
// Instantiate the custom HttpClient
DefaultHttpClient client = new MyHttpClient(getApplicationContext());
HttpGet get = new HttpGet("https://www.google.com");
// Execute the GET call and obtain the response
HttpResponse getResponse;
String resultado = null;
try {
getResponse = client.execute(get);
HttpEntity responseEntity = getResponse.getEntity();
InputStream is = responseEntity.getContent();
resultado = convertStreamToString(is);
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
return resultado;
}
@Override
protected void onPostExecute(String result) {
super.onPostExecute(result);
loading.setVisibility(View.GONE);
button.setEnabled(true);
if (result == null) {
output.setText("Error");
} else {
output.setText(result);
}
}
}
public static String convertStreamToString(InputStream is) throws IOException {
/*
* To convert the InputStream to String we use the
* Reader.read(char[] buffer) method. We iterate until the
* Reader return -1 which means there's no more data to
* read. We use the StringWriter class to produce the string.
*/
if (is != null) {
Writer writer = new StringWriter();
char[] buffer = new char[1024];
try {
Reader reader = new BufferedReader(new InputStreamReader(is, "UTF-8"));
int n;
while ((n = reader.read(buffer)) != -1) {
writer.write(buffer, 0, n);
}
} finally {
is.close();
}
return writer.toString();
} else {
return "";
}
}
}
我希望它对其他人有用!! 好好享受!
解决方案4
1 2015-07-27 15:41:58
我发布了一个更新的答案,因为人们仍然参考并投票这个问题。 我不得不更改套接字工厂代码几次,因为自Android 4.0以来有些事情发生了变化
// Trust manager / truststore
KeyStore trustStore=KeyStore.getInstance(KeyStore.getDefaultType());
// If we're on an OS version prior to Ice Cream Sandwich (4.0) then use the standard way to get the system
// trustStore -- System.getProperty() else we need to use the special name to get the trustStore KeyStore
// instance as they changed their trustStore implementation.
if (Build.VERSION.RELEASE.compareTo("4.0") < 0) {
TrustManagerFactory trustManagerFactory=TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
FileInputStream trustStoreStream=new FileInputStream(System.getProperty("javax.net.ssl.trustStore"));
trustStore.load(trustStoreStream, null);
trustManagerFactory.init(trustStore);
trustStoreStream.close();
} else {
trustStore=KeyStore.getInstance("AndroidCAStore");
}
InputStream certificateStream=new FileInputStream(userCertFile);
KeyStore keyStore=KeyStore.getInstance("PKCS12");
try {
keyStore.load(certificateStream, certPass.toCharArray());
Enumeration<String> aliases=keyStore.aliases();
while (aliases.hasMoreElements()) {
String alias=aliases.nextElement();
if (keyStore.getCertificate(alias).getType().equals("X.509")) {
X509Certificate cert=(X509Certificate)keyStore.getCertificate(alias);
if (new Date().after(cert.getNotAfter())) {
// This certificate has expired
return;
}
}
}
} catch (IOException ioe) {
// This occurs when there is an incorrect password for the certificate
return;
} finally {
certificateStream.close();
}
KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, certPass.toCharArray());
socketFactory=new SSLSocketFactory(keyStore, certPass, trustStore);
希望这可以帮助任何人在未来仍然来到这里。
解决方案5
1 2011-10-10 15:40:24
似乎您还需要为SSLSocketFactory设置主机名。
尝试添加该行
socketFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
在使用SSLFactory创建新连接之前。
除了结构上的差异,我们有类似的代码。 在我的实现中,我刚刚创建了自己的DefaultHttpClient扩展,它看起来类似于上面的大部分代码。 如果这没有解决它,我可以发布工作代码,你可以试试这个方法。
编辑:这是我的工作版本
public class ActivateHttpClient extends DefaultHttpClient {
final Context context;
/**
* Public constructor taking two arguments for ActivateHttpClient.
* @param context - Context referencing the calling Activity, for creation of
* the socket factory.
* @param params - HttpParams passed to this, specifically to set timeouts on the
* connection.
*/
public ActivateHttpClient(Context context, HttpParams params) {
this.setParams(params);
}
/* (non-Javadoc)
* @see org.apache.http.impl.client.DefaultHttpClient#createClientConnectionManager()
* Create references for both http and https schemes, allowing us to attach our custom
* SSLSocketFactory to either
*/
@Override
protected ClientConnectionManager createClientConnectionManager() {
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory
.getSocketFactory(), 80));
registry.register(new Scheme("https", newSslSocketFactory(), 443));
return new SingleClientConnManager(getParams(), registry);
}
/**
* Creation of new SSLSocketFactory, which imports a certificate from
* a server which self-signs its own certificate.
* @return
*/
protected SSLSocketFactory newSslSocketFactory() {
try {
//Keystore must be in BKS (Bouncy Castle Keystore)
KeyStore trusted = KeyStore.getInstance("BKS");
//Reference to the Keystore
InputStream in = context.getResources().openRawResource(
R.raw.cert);
//Password to the keystore
try {
trusted.load(in, PASSWORD_HERE.toCharArray());
} finally {
in.close();
}
// Pass the keystore to the SSLSocketFactory. The factory is
// responsible
// for the verification of the server certificate.
SSLSocketFactory sf = new SSLSocketFactory(trusted);
// Hostname verification from certificate
// http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
return sf;
// return new SSLSocketFactory(trusted);
} catch (Exception e) {
e.printStackTrace();
throw new AssertionError(e);
}
}
}
并可以如下所示调用:
HttpParams params = new BasicHttpParams();
// Set the timeout in milliseconds until a connection is established.
int timeoutConnection = 500;
HttpConnectionParams.setConnectionTimeout( params , timeoutConnection );
// Set the default socket timeout (SO_TIMEOUT)
// in milliseconds which is the timeout for waiting for data.
int timeoutSocket = 1000;
HttpConnectionParams.setSoTimeout( params , timeoutSocket );
//ADD more connection options here!
String url =
"https:// URL STRING HERE";
HttpGet get = new HttpGet( url );
ActivateHttpClient client =
new ActivateHttpClient( this.context, params );
// Try to execute the HttpGet, throwing errors
// if no response is received, or if there is
// an error in the execution.
HTTPResponse response = client.execute( get );
具有自签名证书的Android Https连接:hostName未验证
[英]Android Https Connection with self signed certificate : hostName not verified
如何使用用户名/密码(无证书)通过https设置CXF / SOAP客户端连接
[英]How do I setup a CXF/SOAP client connection over https with username/password (no certificate)
Java 11给出了不支持的握手消息:HTTPS与客户端证书的连接上的server_hello_done
[英]Java 11 gives Unsupported handshake message: server_hello_done on HTTPS connection with client certificate
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.