How to use a self signed SSL certificate in Android


Problem description

This thing has been bugging me for a couple of days now. I've read lots of other questions about this whole issue and still haven't been able to proceed.

I've created a simple test application just to test SSL on Android. The application has only one button and when clicked the application tries to send "Hello World" over SSL encrypted connection to my test server, which then responds with the exact same phrase.

First I created a test key and test certificate for my server using openssl. Then I've been following the instructions shown in Crazy Bob's blog. I got the Bouncy Castle provider directly from Bouncy Castle's site, created a trusted keystore as shown on Crazy Bob's blog and got everything right at that point I believe.

When I tried to run my code, I got the exception "IOException: Wrong version of key store." Then I found this question on StackOverflow. There it was suggested that I should try using older Bouncy Castle Providers rather than the newest bcprov-jdk15on-147.jar. I went on with this in mind and actually ended up trying every bcprovider from jdk13-146 to jdk16-146. Still every time I got the same "IOException: wrong version of key store." exception.

Then I found yet another question (http://stackoverflow.com/questions/8411008/android-client-http-server-how-do-i-know-client-is-sending-data-using-my-app) about a similar problem on StackOverflow. There someone had managed to get rid of that exception by using 512 bit sized key instead of 1024 sized key. Well I gave it a try and accomplished nothing, but the same exception.

So here I am now, wondering what to do next. I'm pretty much running out of ideas and google search results.

My web code is 1 on 1 copy of crazy bob's code and besides that the application has only the activity class that handles the button only. I'm trying to implement this on API level 7.

Any help would be greatly appreciated. Thanks.

Recommended answer

2 options:

  1. You can do what you do and create your own key store and I've done that, here are the instructions from my code that I stored (because it was so time consuming to get it to work):

/* To generate PKS:

  1. Created cert in IIS7 and then exported as pfx. Follow instruction on SelfSSL: http://www.robbagby.com/iis/self-signed-certificates-on-iis-7-the-easy-way-and-the-most-effective-way/
     1a. Download tool: http://cid-3c8d41bb553e84f5.skydrive.live.com/browse.aspx/SelfSSL
     1b. Run: SelfSSL /N:CN=mydomainname /V:1000 /S:1 /P:8081
         I use port 8181 on my server
     1c. Export from IIS manager to cert.pfx
  2. Run command line in SSL to convert file into X.509:
     openssl pkcs12 -in C:\cert.pfx -out C:\cert.cer -nodes
  3. Edit file and delete all except -----BEGIN.... END CERTIFICATE----- IMPORTANT! It was working when I got proper (5) amount of dashes and put tags and data on separate lines
  4. use keytool. C:\Java\JDK\bcprov.jar was downloaded separately
     C:\Users>keytool -import -v -trustcacerts -alias key_alias -file C:\cert.cer -keystore C:\mystore.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath C:\Java\JDK\bcprov.jar -storepass 123456
*/

  2. Create TRUST ALL KeyStore and forget about all this. Basically, you can use any SSL without errors. Just disable it in production if you really care. Here is code I use to get SSL client prepared (assuming you use Apache Http client):

    private HttpClient getHttpClient()
    {
        HttpParams params = new BasicHttpParams();

        //Set main protocol parameters
        HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
        HttpProtocolParams.setContentCharset(params, HTTP.DEFAULT_CONTENT_CHARSET);
        HttpProtocolParams.setUseExpectContinue(params, true);
    
        // Turn off stale checking.  Our connections break all the time anyway, and it's not worth it to pay the penalty of checking every time.
        HttpConnectionParams.setStaleCheckingEnabled(params, false);
        // FIX v2.2.1+ - Set timeout to 30 seconds, seems like 5 seconds was not enough for good communication
        HttpConnectionParams.setConnectionTimeout(params, 30 * 1000);
        HttpConnectionParams.setSoTimeout(params, 30 * 1000);
        HttpConnectionParams.setSocketBufferSize(params, 8192);
    
        // Don't handle redirects -- return them to the caller.  Our code often wants to re-POST after a redirect, which we must do ourselves.
        HttpClientParams.setRedirecting(params, false);
    
        // Register our own "trust-all" SSL scheme
        SchemeRegistry schReg = new SchemeRegistry();
        try
        {
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(null, null);
    
            TrustAllSSLSocketFactory sslSocketFactory = new TrustAllSSLSocketFactory(trustStore);
            sslSocketFactory.setHostnameVerifier(SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    
            Scheme sslTrustAllScheme = new Scheme("https", sslSocketFactory, 443);
            schReg.register(sslTrustAllScheme);
        }
        catch (Exception ex)
        {
            LogData.e(LOG_TAG, ex, LogData.Priority.None);
        }
    
        ClientConnectionManager conMgr = new ThreadSafeClientConnManager(params,schReg);
        return new DefaultHttpClient(conMgr, params);
    }
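
For comparison with the trust-all client above, an added example (not part of the original answer or the asker's code): a client that trusts only the exported server certificate, loading cert.cer from step 3 into an in-memory trust store with standard `java.security` and `javax.net.ssl` classes, so no BKS file is read. The class name, the alias `server` and the command-line arguments are assumptions made for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class PinnedSelfSignedClient {
    // Builds a socket factory whose only trust anchor is the certificate in `pem`.
    static SSLSocketFactory factoryTrusting(InputStream pem) throws Exception {
        // cert.cer must contain only the BEGIN/END CERTIFICATE block (step 3).
        Certificate cert = CertificateFactory.getInstance("X.509").generateCertificate(pem);
        // Empty in-memory store of the platform default type; "server" is an arbitrary alias.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("server", cert);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Usage: java PinnedSelfSignedClient <path-to-cert.cer> <https-url>
    public static void main(String[] args) throws Exception {
        InputStream in = new FileInputStream(args[0]);
        SSLSocketFactory factory;
        try {
            factory = factoryTrusting(in);
        } finally {
            in.close();
        }
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        // Set per connection: the process-wide default factory is untouched and
        // the default hostname verifier stays in force.
        conn.setSSLSocketFactory(factory);
        conn.setConnectTimeout(30 * 1000);
        conn.setReadTimeout(30 * 1000);
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

A connection to any server presenting a different certificate, or to a host name that does not match the certificate's subject, fails the handshake with an `SSLHandshakeException` or a hostname verification error instead of succeeding silently.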
    
