[英]SSL mutual authentication FAIL on Android Client accepts servers certificate but server does not get the client cert
我正在嘗試在Linux服務器和Android APP之間建立一個相互認證的SSL。 到目前為止,我已經能夠讓應用程序使用服務器證書通過SSL進行通信,但是一旦我將服務器設置為僅接受客戶端證書就停止工作。 服務器配置似乎沒問題,但我有點卡住了。 我最好的猜測是客戶端證書沒有正確呈現給服務器,但不知道如何測試它。 我嘗試在我的OS X鑰匙串中使用.pem作為客戶端,但瀏覽器似乎不能使用該證書。 然后,服務器證書再次完美,因為我可以實現https連接,APP接受我的未簽名服務器證書。
我正在使用的代碼是各種教程的組合,答案這是我收藏的主要內容:
這是我用於連接的兩個主要類:1)此類處理JSON解析並執行請求
package edu.hci.additional;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.util.List;
import android.content.Context;
import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.NameValuePair;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.utils.URLEncodedUtils;
import org.json.JSONException;
import org.json.JSONObject;
import android.util.Log;
public class JSONParser {
static InputStream is = null;
static JSONObject jObj = null;
static String json = "";
// constructor
public JSONParser() {
}
// function get json from url
// by making HTTP POST or GET mehtod
public JSONObject makeHttpRequest(String url, String method,
List<NameValuePair> params, Context context) {
// Making HTTP request
try {
// check for request method
if(method == "POST"){
// request method is POST
// defaultHttpClient
SecureHttpClient httpClient = new SecureHttpClient(context);
HttpPost httpPost = new HttpPost(url);
httpPost.setEntity(new UrlEncodedFormEntity(params));
HttpResponse httpResponse = httpClient.execute(httpPost);
HttpEntity httpEntity = httpResponse.getEntity();
is = httpEntity.getContent();
}else if(method == "GET"){
// request method is GET
SecureHttpClient httpClient = new SecureHttpClient(context);
String paramString = URLEncodedUtils.format(params, "utf-8");
url += "?" + paramString;
HttpGet httpGet = new HttpGet(url);
HttpResponse httpResponse = httpClient.execute(httpGet);
HttpEntity httpEntity = httpResponse.getEntity();
is = httpEntity.getContent();
}
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
try {
BufferedReader reader = new BufferedReader(new InputStreamReader(
is, "iso-8859-1"), 8);
StringBuilder sb = new StringBuilder();
String line = null;
while ((line = reader.readLine()) != null) {
sb.append(line + "\n");
}
is.close();
json = sb.toString();
} catch (Exception e) {
Log.e("Buffer Error", "Error converting result " + e.toString());
}
// try parse the string to a JSON object
try {
jObj = new JSONObject(json);
} catch (JSONException e) {
Log.e("JSON Parser", "Error parsing data " + e.toString());
}
// return JSON String
return jObj;
}
}
第二個類處理SSL身份驗證:
package edu.hci.additional;
import android.content.Context;
import android.util.Log;
import edu.hci.R;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.params.HttpParams;
import java.io.IOException;
import java.io.InputStream;
import java.security.*;
public class SecureHttpClient extends DefaultHttpClient {
private static Context appContext = null;
private static HttpParams params = null;
private static SchemeRegistry schmReg = null;
private static Scheme httpsScheme = null;
private static Scheme httpScheme = null;
private static String TAG = "MyHttpClient";
public SecureHttpClient(Context myContext) {
appContext = myContext;
if (httpScheme == null || httpsScheme == null) {
httpScheme = new Scheme("http", PlainSocketFactory.getSocketFactory(), 80);
httpsScheme = new Scheme("https", mySSLSocketFactory(), 443);
}
getConnectionManager().getSchemeRegistry().register(httpScheme);
getConnectionManager().getSchemeRegistry().register(httpsScheme);
}
private SSLSocketFactory mySSLSocketFactory() {
SSLSocketFactory ret = null;
try {
final KeyStore clientCert = KeyStore.getInstance("BKS");
final KeyStore serverCert = KeyStore.getInstance("BKS");
final InputStream client_inputStream = appContext.getResources().openRawResource(R.raw.authclientcerts);
final InputStream server_inputStream = appContext.getResources().openRawResource(R.raw.certs);
clientCert.load(client_inputStream, appContext.getString(R.string.client_store_pass).toCharArray());
serverCert.load(server_inputStream, appContext.getString(R.string.server_store_pass).toCharArray());
String client_password = appContext.getString(R.string.client_store_pass);
server_inputStream.close();
client_inputStream.close();
ret = new SSLSocketFactory(clientCert,client_password,serverCert);
} catch (UnrecoverableKeyException ex) {
Log.d(TAG, ex.getMessage());
} catch (KeyStoreException ex) {
Log.d(TAG, ex.getMessage());
} catch (KeyManagementException ex) {
Log.d(TAG, ex.getMessage());
} catch (NoSuchAlgorithmException ex) {
Log.d(TAG, ex.getMessage());
} catch (IOException ex) {
Log.d(TAG, ex.getMessage());
} catch (Exception ex) {
Log.d(TAG, ex.getMessage());
} finally {
return ret;
}
}
}
要創建密鑰,我使用openssl使用此命令:
openssl req -nodes -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 500
為了獲得BKS for Android的鑰匙,我使用了位於以下網站的充氣城堡bcprov-jdk15on-150.jar: http : //www.bouncycastle.org/latest_releases.html
並使用命令:
keytool -import -v -trustcacerts -alias 0 -file ~/cert.pem -keystore ~/Downloads/authclientcerts.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ~/Downloads/bcprov-jdk15on-150.jar -storepass passWORD
最后,我添加到/etc/httpd/conf.d/ssl.conf以獲取客戶端證書並檢查Fedora 19中的證書有效性(與我創建的客戶端證書相匹配)的行是:
...
SSLVerifyClient require
SSLVerifyDepth 5
...
<Location />
SSLRequire ( %{SSL_CLIENT_S_DN_O} eq "Develop" \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "Operations", "Dev"} )
</Location>
...
SSLOptions +FakeBasicAuth +StrictRequire
我在這個配置文件上嘗試了很多組合,所有結果都以相同的結果告訴我“SSLPeerUnverifiedException:No peer certificate”異常。 我在服務器的SSL配置文件中注釋了這一行,並且一切正常,但服務器接受了我不需要的所有客戶端。
提前致謝 :)
UPDATE
@EJP的答案就行了
首先,我必須將證書添加到正確的(/ etc / pki / tls / certs /)路徑並使用以下命令加載它:重命名cert:mv ca-andr.pem ca-andr.crt現在加載證書:
ln -s ca-andr.crt $( openssl x509 -hash -noout -in ca-andr.crt )".0"
這將創建一個名為“f3f24175.0”的openSSL可讀符號鏈接
然后我在/etc/httpd/conf.d/ssl.conf配置文件中設置新的證書文件。
…
SSLCACertificateFile /etc/pki/tls/certs/f2f62175.0
…
現在重新啟動http服務並測試證書是否加載:
openssl verify -CApath /etc/pki/tls/certs/ f2f62175.0
如果一切正常你應該看到:
f3f24175.0:好的
您可以通過以下方式結束測試:
openssl s_client -connect example.com:443 -CApath /etc/pki/tls/certs
這應該返回受信任的客戶端證書列表(如果您看到您添加的證書,則工作正常)
現在問題的第二部分是我的authclientcerts.BKS不包含私鑰,因此我提供的密碼從未使用過,服務器也不會對證書進行身份驗證。 所以我將我的密鑰和證書導出到pkcs12並相應地更新了JAVA代碼。
出口指令:
openssl pkcs12 -export -in ~/cert.pem -inkey ~/key.pem > android_client_p12.p12
然后,我更改了SecureHttpClient.java類的部分,以使用PKCS12而不是BKS來創建客戶端證書。
要將密鑰庫類型從BKS更改為PKCS12,我將其替換為:
final KeyStore clientCert = KeyStore.getInstance("BKS”);
為了這:
final KeyStore clientCert = KeyStore.getInstance("PKCS12");
然后我更新了對res / raw / By Replacing上的實際密鑰庫文件的引用:
final InputStream client_inputStream = appContext.getResources().openRawResource(R.raw.authclientcerts);
為了這:
final InputStream client_inputStream = appContext.getResources().openRawResource(R.raw.android_client_p12);
這就是訣竅:D
當服務器請求客戶端證書時,它會提供一個CA列表,它將接受由其簽名的證書。 如果客戶端沒有其中一個簽名的證書,則不會發送證書作為回復。 如果服務器配置為需要客戶端證書,而不是只需要一個客戶端證書,則它將關閉連接。
因此,請確保客戶端具有服務器信任庫可接受的證書。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.