SSL客户端身份验证残破的安卓4.0 [英] SSL Client Authentication Broken in Android 4.0

问题描述

我有一个Android应用程序，它使用的SSLSocketFactory的加载PKCS12证书，并使用该证书与我的服务器执行SSL客户端身份验证。这个过程完全工作在Android 2.1，2.2，和2.3，但是当我尝试运行在手机或模拟器上运行4.0中code我的服务器没有收到我的申请提出的要求的公共密钥。

下面是code我使用让我用它来执行我的要求HttpClient的

 私人HttpClient的getHttpClient（上下文的背景下）{
    如果（HttpClient的== NULL）{
        密钥库mycert = KeyStore.getInstance（PKCS12）;
        byte []的PKCS12 = persistentStorage.getPKCS12Certificate（上下文）;

        ByteArrayInputStream的pkcs12BAIS =新ByteArrayInputStream的（PKCS12）;
        mycert.load（pkcs12BAIS，config.getPassword（）toCharArray（））;

        SSLSocketFactory的sockfact =新的SSLSocketFactory（mycert，NULL，NULL）;

        sockfact.setHostnameVerifier（新StrictHostnameVerifier（））;

        SchemeRegistry注册表=新SchemeRegistry（）;
        registry.register（新计划（https开头，sockfact，config.getPort（）））;

        BasicHttpParams httpParameters =新BasicHttpParams（）;
        HttpProtocolParams.setUseExpectContinue（httpParameters，假）;
        HttpProtocolParams.setVersion（httpParameters，HttpVersion.HTTP_1_1）;

        HttpConnectionParams.setConnectionTimeout（httpParameters，3000）;
        HttpConnectionParams.setSoTimeout（httpParameters，3000）;

        ThreadSafeClientConnManager厘米=新ThreadSafeClientConnManager（httpParameters，注册表）;
        cm.closeExpiredConnections（）;
        cm.closeIdleConnections（3000，TimeUnit.MILLISECONDS）;

        HttpClient的=新DefaultHttpClient（厘米，httpParameters）;

    }

    返回HttpClient的;
}
 

解决方案

所以，事实证明，作为ICS的SSLSocketFactory的（或系统的其他部分）将不再正常接受未签名的X509证书（这是我用来创建在PKCS12证书）。我不得不自签署证书和我现有的Java code正常工作。

I have an Android app which uses an SSLSocketFactory to load a pkcs12 certificate and use that certificate to perform SSL Client authentication with my server. This process worked perfectly on Android 2.1, 2.2, and 2.3, but when I attempt to run this code on a phone or emulator running 4.0 my server does not receive a public key from the request made by my application.

Here is the code I am using to get the HttpClient I use to perform my request

private HttpClient getHttpClient(Context context) {
    if(httpClient == null) {
        KeyStore mycert = KeyStore.getInstance("pkcs12");
        byte[] pkcs12 = persistentStorage.getPKCS12Certificate(context);

        ByteArrayInputStream pkcs12BAIS = new ByteArrayInputStream(pkcs12);
        mycert.load(pkcs12BAIS, config.getPassword().toCharArray());

        SSLSocketFactory sockfact = new SSLSocketFactory(mycert, null, null);

        sockfact.setHostnameVerifier(new StrictHostnameVerifier());

        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("https",sockfact , config.getPort()));

        BasicHttpParams httpParameters = new BasicHttpParams();
        HttpProtocolParams.setUseExpectContinue(httpParameters, false);
        HttpProtocolParams.setVersion(httpParameters, HttpVersion.HTTP_1_1);

        HttpConnectionParams.setConnectionTimeout(httpParameters, 3000);
        HttpConnectionParams.setSoTimeout(httpParameters, 3000);

        ThreadSafeClientConnManager cm = new ThreadSafeClientConnManager(httpParameters, registry);
        cm.closeExpiredConnections();
        cm.closeIdleConnections(3000, TimeUnit.MILLISECONDS);

        httpClient = new DefaultHttpClient(cm, httpParameters);

    }

    return httpClient;
}

解决方案

So it turns out that as of ICS the SSLSocketFactory (or some other part of the system) will no longer properly accept unsigned x509 certificates (which I used to create the pkcs12 cert). I just had to self sign the certificate and my existing java code worked fine.

这篇关于SSL客户端身份验证残破的安卓4.0的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！