我们如何对Android N网络安全配置使用自签名证书? [英] What Do We Use for Android N Network Security Configuration for a Self-Signed Certificate?

问题描述

我正在尝试测试N Developer Preview的网络安全配置功能的所有方面.我大部分工作都在进行，但是我对自签名证书方案感到困惑.

I am trying to test out all aspects of the network security configuration capability of the N Developer Preview. I have most of it working, but I am stumped by the self-signed certificate scenario.

根据文档，Android N应该是对于其他证书验证方案，它对PEM或DER文件感到满意.但是，我对自签名证书的使用不多，而我尝试使自签名证书生效的尝试一直遇到证书路径验证异常.

According to the docs, Android N should be happy with a PEM or DER file, as it is for other certificate validation scenarios. However, I do not work with self-signed certificates much, and my attempts to get this working keep running into certificate path validation exceptions.

为了进行测试，我使用thin作为服务器，该服务器在开发计算机上运行，​​并且可以由N仿真器访问.自签名证书适用于我的开发计算机上的浏览器，并且如果我切换为运行带有SSL的thin，则应用程序可以很好地到达服务器.因此，这不是连接问题.

For testing, I am using thin as the server, running on my development machine, reachable by an N emulator. The self-signed certificate works for browsers on my development machine, and if I switch to running thin sans SSL, apps can reach the server just fine. So, it's not a connectivity issue.

我按照此网站上的说明创建了自签名证书:

I created the self-signed certificate using the instructions on this site:

sudo openssl genrsa -out "/etc/[webserver]/ssl/example.key" 2048
sudo openssl req -new -key "/etc/[webserver]/ssl/example.key" \
                 -out "/etc/[webserver]/ssl/example.csr"
sudo openssl x509 -req -days 365 -in "/etc/[webserver]/ssl/example.csr" \
                  -signkey "/etc/[webserver]/ssl/example.key"  \
                  -out "/etc/[webserver]/ssl/example.crt"

根据此堆栈溢出答案，example.crt文件是PEM文件.在其他地方，我看到了创建组合的PEM"文件的说明.但是，我尝试了这两种方法，但是没有运气.

According to this Stack Overflow answer, the example.crt file is a PEM file. Elsewhere, I see instructions for creating a "combined PEM" file. However, I tried both of these, with no luck.

在网络安全配置方面，我已经尝试了<domain-config>和<debug-overrides>.后者看起来像:

In terms of the network security configuration stuff, I have tried both <domain-config> and <debug-overrides>. The latter looks like:

<?xml version="1.0" encoding="utf-8"?>

<network-security-config>
  <debug-overrides>
    <trust-anchors>
      <certificates src="@raw/selfsigned"/>
    </trust-anchors>
  </debug-overrides>
</network-security-config>

但是，无论哪种情况，我都会收到验证错误.

But, I get the validation error in either case.

作为PEM或DER文件，作为原始资源，我们到底应该投入什么才能使这项工作奏效?

What exactly should we be putting in as a PEM or DER file, as a raw resource, that makes this work?

推荐答案

使用问题中显示的openssl脚本生成的example.crt，这似乎在N Developer Preview 2上有效.目前，我将假设N Developer Preview 2发生了变化，而N Developer Preview 1发生了变化.

This appears to be working on N Developer Preview 2, using the example.crt generated by the openssl scripts shown in the question. For the moment, I am going to assume that there was a change in N Developer Preview 2 compared to N Developer Preview 1 that accounts for the change.

这篇关于我们如何对Android N网络安全配置使用自签名证书?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！