Android-SSL / TLS和ECC(椭圆曲线加密) [英] Android - SSL/TLS and ECC (Elliptic curve cryptography)
问题描述
我正在开发一个与网络服务器通信的android应用程序。我们使用HTTPS进行通信,并且在android应用程序中也有用于身份验证的客户端证书。
I'm developing an android application which communicates with a web server. We use HTTPS for this communication and we have also a client certificate inside the android application for authentication.
我们使用ECC(ANSI x9.62)创建了SSL证书,以便
We created SSL certificates using ECC (ANSI x9.62) in order to have very small certificates so we can reduce the transmission cost during handshake.
通信的源代码或多或少是这样的:
The source code for the communication is more or less like this:
InputStream keystoreIs = getResources().openRawResource(R.raw.client_bks);
KeyStore keystore = KeyStore.getInstance("BKS");
keystore.load(keystoreIs, KEYSTORE_PASSWORD);
SSLSocketFactory socketFactory = new SSLSocketFactory(keystore, KEYSTORE_PASSWORD, keystore);
Scheme serverScheme = new Scheme("https", socketFactory, SERVER_PORT);
HttpClient httpclient = new DefaultHttpClient();
httpclient.getConnectionManager().getSchemeRegistry().register(iServerScheme);
HttpPost httppost = new HttpPost(SERVER_URL);
HttpResponse response = httpclient.execute(httppost);
问题是,当我们尝试连接时,会出现以下错误:
The problem is that when we try to connect we have errors like:
E/NativeCrypto(4744): Unknown error 5 during connect
W/System.err(4744): java.io.IOException: SSL handshake failure: I/O error during system call, Connection reset by peer
W/System.err(4744): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.nativeconnect(Native Method)
W/System.err(4744): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:316)
W/System.err(4744): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLInputStream.<init>(OpenSSLSocketImpl.java:520)
W/System.err(4744): at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.getInputStream(OpenSSLSocketImpl.java:461)
W/System.err(4744): at org.apache.http.impl.io.SocketInputBuffer.<init>(SocketInputBuffer.java:93)
W/System.err(4744): at org.apache.http.impl.SocketHttpClientConnection.createSessionInputBuffer(SocketHttpClientConnection.java:83)
W/System.err(4744): at org.apache.http.impl.conn.DefaultClientConnection.createSessionInputBuffer(DefaultClientConnection.java:170)
W/System.err(4744): at org.apache.http.impl.SocketHttpClientConnection.bind(SocketHttpClientConnection.java:106)
W/System.err(4744): at org.apache.http.impl.conn.DefaultClientConnection.openCompleted(DefaultClientConnection.java:129)
(...)
我尝试过查找ECC和SSL的示例,但我什么也没找到。我发现了几篇有关加密和密钥对生成的文章(例如 http://nelenkov.blogspot.com/2011/12/using-ecdh-on-android.html#!/2011/12/using-ecdh-on- android.html ),但与此SSL错误类型无关。
I trid to find an example with ECC and SSL but I didn't found anything. I found several articles about encryption and key pair generation (for example http://nelenkov.blogspot.com/2011/12/using-ecdh-on-android.html#!/2011/12/using-ecdh-on-android.html) but nothing related to this SSL kind of errors.
我们将不胜感激。
推荐答案
默认Android 7.0 SSLSocketFactory 不会,谢谢!!不支持OpenSSL / BoringSSL已知的所有椭圆曲线。握手仅在客户端Hello的 supported_curves 中列出 secp256r1 。
Default Android 7.0 SSLSocketFactory doesn't support all of the elliptic curves known to OpenSSL/BoringSSL. The handshake only lists secp256r1 in the supported_curves in the Client Hello.
SSLEngine 文档甚至没有提及支持的曲线。
The SSLEngine documentation doesn't even mention supported curves.
如果服务器不同意要使用该曲线,它将关闭连接,并且在客户端握手失败,并显示I / O错误。
If the server can't agree to use that curve, it will close the connection and the handshake fails on the client side with the I/O error shown.
Android上的Chrome浏览器支持3条常见曲线, secp256r1 , secp384r1 和 x25519 。
Chrome on android however supports 3 common curves, secp256r1, secp384r1, and x25519.
编辑
我应该添加签名哈希算法支持扩展确实包括ECDSA以及SHA1到SHA512 ,因此在服务器端使用ECDSA证书应该没问题。
I should add the signature hash algorithm support extension does include ECDSA with SHA1 through SHA512, so it should be fine to use an ECDSA certificate on the server side.
这篇关于Android-SSL / TLS和ECC(椭圆曲线加密)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
