Android 2.2 SSL Bug with client certificate?

Views: 112

Question

My question:

Has anyone successfully established an SSL connection on Android 2.1/2.2 using a client certificate that carries a multi-certificate chain?

Details:


I am trying to implement client certificate authentication for the Android platform. There are plenty of discussions already on StackOverflow on how to do it using KeyStore, and I am following the standard approach by supplying them to the SSLContext.


context.init(keyManagerFactory.getKeyManagers(),trustManagerFactory.getTrustManagers(),null);


My client certificate has 3 certificates attached to it forming a cert chain. In Android 2.3+, the SSL handshake is successfully executed and I could move on with the request.


In Android 2.2, however, the same approach would throw a "bad certificate" error:


error:14094412:SSL routines:SSL3_READ_BYTES:sslv3 alert bad certificate (external/openssl/ssl/s3_pkt.c:1139 0x26bd38:0x00000003)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.nativeconnect(Native Method)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:316)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl$SSLOutputStream.<init>(OpenSSLSocketImpl.java:564)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.getOutputStream(OpenSSLSocketImpl.java:479)


This is the same error I get if I issue the OpenSSL command with an incomplete certificate chain in the CAfile argument:


openssl s_client -showcerts -cert [certificateFile] -key [keyFile] -connect [ip:port] -CAfile [cert-chain]


This led me to believe that Android 2.1/2.2 does not inspect the full chain. To be sure, I checked the number of certificates in the chain held by the KeyStore by using the getCertificateChain() method.


I was looking for a bug in Android related to my question, but haven't found any. Similar questions have been posted on SO without an answer:

  • ssl-not-working-on-android-2-2-only-in-2-3
  • android-2-2-ssl-library-error. The last comment by Nikolay Elenkov in the only answer seems to indicate the same conclusion that I have, but I can't find any documentation backing it.

Answer


This does indeed seem to be a bug in Android 2.1/2.2.


What I did was ask our administrator to create another client certificate that is issued directly by the root CA. After getting that certificate, I put it as a resource in the code, and it works without any modification other than having the KeyStore point to the new certificate.
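Both the question (checking the chain with getCertificateChain() before handing the KeyStore to the SSLContext) and the answer (swapping in a certificate issued directly by the root CA) come down to knowing how many certificates the client key entry actually carries. The following is an added example, not code from the question, the answer, or any Android component: it loads a PKCS#12 client keystore, reports the chain length and subject/issuer of every key entry, and builds the SSLContext the same way the question does. The file names "client.p12" and "truststore.p12", the password "changeit", and the class name ClientCertInspector are placeholders chosen for this example; on Android the trust store would typically be a BKS file instead of PKCS#12.

```java
// Added example (not from the original question or answer). Loads a PKCS#12
// client keystore, prints how many certificates each key entry carries via
// getCertificateChain(), and builds the SSLContext as in the question.
// Assumed/placeholder values: client.p12, truststore.p12, password "changeit".
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientCertInspector {

    /** Loads a keystore of the given type (e.g. "PKCS12", or "BKS" on Android). */
    static KeyStore load(String type, InputStream in, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(in, password);
        return ks;
    }

    /** Number of certificates stored under alias; 0 if the alias has no chain. */
    static int chainLength(KeyStore ks, String alias) throws Exception {
        Certificate[] chain = ks.getCertificateChain(alias);
        return chain == null ? 0 : chain.length;
    }

    /** Prints chain length and subject/issuer of each certificate for every key entry. */
    static void describe(KeyStore ks) throws Exception {
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                continue; // trusted-cert-only entries have no private key
            }
            int len = chainLength(ks, alias);
            System.out.println(alias + ": " + len + " certificate(s) in chain");
            if (len > 1) {
                // A chain longer than one is what the question reports failing on 2.1/2.2;
                // a leaf issued directly by the root CA (the answer's workaround) has len == 1.
                System.out.println("  note: multi-certificate chain");
            }
            for (Certificate c : ks.getCertificateChain(alias)) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("  subject=" + x.getSubjectX500Principal()
                        + "  issuer=" + x.getIssuerX500Principal());
            }
        }
    }

    /** Builds the SSLContext exactly as the question does: client keys + trust anchors. */
    static SSLContext buildContext(KeyStore clientKs, char[] keyPassword, KeyStore trustKs)
            throws Exception {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKs, keyPassword);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustKs);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // placeholder password
        KeyStore client;
        try (InputStream in = new FileInputStream("client.p12")) { // placeholder path
            client = load("PKCS12", in, pw);
        }
        describe(client);
        KeyStore trust;
        try (InputStream in = new FileInputStream("truststore.p12")) { // placeholder path
            trust = load("PKCS12", in, pw);
        }
        SSLContext ctx = buildContext(client, pw, trust);
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

Running describe() before the handshake makes the difference between the two certificates in the answer visible: the original client entry shows three certificates, the replacement issued directly by the root CA shows one. On a device where the handshake fails, this output is the quickest way to confirm that the chain, rather than the key or the trust store, is what differs.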

