Using UnboundID SDK with an SSL certificate file to connect to LDAP server in Android app


Question


I'm trying to make a connection to an LDAP server in my Android app, and am using the UnboundID SDK. Recently, a change was made from unsecured to secured LDAP, and I have to change the app accordingly. I have been given the SSL certificates file to validate against. I've already used the file to make a keystore as described here. I've got this keystore file in the assets folder of my app, and am pulling from that. The code below does not currently work, and throws the exception:


LDAPException(resultCode=01 (connect error), errorMessage=('An error occurred while attempting to connect to server place.myserver.com:636: javax.net.ssl.SSLHandShakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

// imports needed by the snippet below
import android.content.res.AssetManager;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManagerFactory;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.util.ssl.SSLUtil;

// code from above link
AssetManager assetManager = getApplicationContext().getAssets();
// "BKS" is the keystore format Android's default provider supports
KeyStore trustStore = KeyStore.getInstance("BKS");
try (InputStream keyStoreInputStream = assetManager.open("yourapp.store")) {
    trustStore.load(keyStoreInputStream, "myPassword".toCharArray());
}
// "X509" is accepted on Android; getDefaultAlgorithm() is the portable choice
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(trustStore);
// my code
SSLUtil sslUtil = new SSLUtil(tmf.getTrustManagers());
LDAPConnection connection = new LDAPConnection(sslUtil.createSSLSocketFactory());
connection.connect("place.myserver.com", 636);


However, the code segment:

SSLUtil sslUtil = new SSLUtil(new TrustAllTrustManager());
LDAPConnection connection = new LDAPConnection(sslUtil.createSSLSocketFactory());
connection.connect("place.myserver.com", 636);


does work (although I was informed by the higher-ups that this would be insecure). I'm not quite sure as to what exactly I'm doing wrong here, so any help would be appreciated. Also, if there is a better way of accomplishing this than what I'm attempting to do above, feel free to let me know :) I would like to stick with the UnboundID library though, since the rest of the code is already written using that as well, and everything works if I use the TrustAllTrustManager.

Answer


It's true that the trust all trust manager isn't secure. It's convenient for testing purposes, but it will allow a bad guy to set up his own server with a certificate he generates for himself and use it to impersonate the real server, or to operate as a man in the middle, intercepting and potentially altering any communication between the client and the real server. With a more strict trust manager in place, the client should reject the bogus certificate that the fake server will present.


Unfortunately, though, it looks like the trust manager you're trying to use in this case doesn't like the certificate that your server is presenting to it. Because the trust all trust manager allows you to establish the connection, that means that your server does have a certificate and is capable of performing SSL communication, but there's something about that certificate that your trust manager doesn't like. It's almost certainly not an issue with the LDAP SDK, since the same problem should arise with any other LDAP API if you're using the same trust store.


If you look at the result, it has a message of "Trust anchor for certification path not found". This implies that neither the certificate the server is using nor those of any of its issuers was found in the trust store. You'll need to import the server certificate (or the certificate of one of its issuers) into the trust store that you're using. It sounds like you've tried to do that, but since it's not working then something must not be quite right with the way it was done. I'd recommend working with the directory server administrator to ensure that you're trying to import the right certificate based on the server configuration.
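An added diagnostic (not part of the answer or the UnboundID SDK) that reproduces the check the handshake performs, offline: it loads the trust store from the question and a PEM file with the server's chain (assumed to come from the directory server administrator), prints the chain's subjects and issuers, and runs the same X509TrustManager validation, so "Trust anchor for certification path not found" can be reproduced and fixed on a desktop before touching the app. File names, the store type argument and the "RSA" auth type are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
/** Offline check: does the trust store anchor the server's certificate chain? */
public class TrustStoreCheck {
    public static void main(String[] args) throws Exception {
        // Hypothetical inputs: the trust store from the question and a PEM file with
        // the server's chain (leaf first) from the directory server administrator.
        // "BKS" needs the BouncyCastle provider on a desktop JVM; use "JKS" there.
        String storePath = args.length > 0 ? args[0] : "yourapp.store";
        String chainPath = args.length > 1 ? args[1] : "server-chain.pem";
        String storeType = args.length > 2 ? args[2] : "BKS";
        KeyStore trustStore = KeyStore.getInstance(storeType);
        try (InputStream in = new FileInputStream(storePath)) {
            trustStore.load(in, "myPassword".toCharArray());
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain;
        try (InputStream in = new FileInputStream(chainPath)) {
            chain = cf.generateCertificates(in).toArray(new X509Certificate[0]);
        }
        // Show the chain so the issuer that must be in the trust store is obvious.
        System.out.println("Server chain (leaf first):");
        for (X509Certificate c : chain) {
            System.out.println("  " + c.getSubjectX500Principal()
                    + "  issued by  " + c.getIssuerX500Principal());
        }
        // The same path validation the TLS handshake performs, with no network.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) continue;
            try {
                ((X509TrustManager) tm).checkServerTrusted(chain, "RSA");
                System.out.println("OK: chain anchors in " + storePath);
            } catch (CertificateException ex) {
                // This is the "Trust anchor for certification path not found" case.
                System.out.println("REJECTED: " + ex.getMessage());
                System.out.println("Import the leaf or one of its issuers above.");
            }
        }
    }
}
```

When the check passes here but the app still fails, the store shipped in assets is not the one that was tested; when it fails here, the printed issuer names show which certificate is missing from the store.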
