SSL Client Authentication Broken in Android 4.0
Problem description
I have an Android app which uses an SSLSocketFactory to load a pkcs12 certificate and use that certificate to perform SSL Client authentication with my server. This process worked perfectly on Android 2.1, 2.2, and 2.3, but when I attempt to run this code on a phone or emulator running 4.0 my server does not receive a public key from the request made by my application.
Here is the code I am using to get the HttpClient I use to perform my request
    // Checked exceptions from KeyStore and SSLSocketFactory are declared so the method compiles.
    private HttpClient getHttpClient(Context context) throws GeneralSecurityException, IOException {
        if (httpClient == null) {
            // Load the client key and certificate from the PKCS#12 blob.
            KeyStore mycert = KeyStore.getInstance("pkcs12");
            byte[] pkcs12 = persistentStorage.getPKCS12Certificate(context);
            ByteArrayInputStream pkcs12BAIS = new ByteArrayInputStream(pkcs12);
            mycert.load(pkcs12BAIS, config.getPassword().toCharArray());

            // The keystore supplies the client identity; no key password or custom truststore is passed.
            SSLSocketFactory sockfact = new SSLSocketFactory(mycert, null, null);
            sockfact.setHostnameVerifier(new StrictHostnameVerifier());

            SchemeRegistry registry = new SchemeRegistry();
            registry.register(new Scheme("https", sockfact, config.getPort()));

            // HTTP/1.1, no Expect-Continue, 3 second connect and socket timeouts.
            BasicHttpParams httpParameters = new BasicHttpParams();
            HttpProtocolParams.setUseExpectContinue(httpParameters, false);
            HttpProtocolParams.setVersion(httpParameters, HttpVersion.HTTP_1_1);
            HttpConnectionParams.setConnectionTimeout(httpParameters, 3000);
            HttpConnectionParams.setSoTimeout(httpParameters, 3000);

            ThreadSafeClientConnManager cm = new ThreadSafeClientConnManager(httpParameters, registry);
            cm.closeExpiredConnections();
            cm.closeIdleConnections(3000, TimeUnit.MILLISECONDS);
            httpClient = new DefaultHttpClient(cm, httpParameters);
        }
        return httpClient;
    }
So it turns out that as of ICS the SSLSocketFactory (or some other part of the system) will no longer properly accept unsigned x509 certificates (which I used to create the pkcs12 cert). I just had to self-sign the certificate and my existing Java code worked fine.
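A way to catch this before shipping, as an added example that is not part of the original question or answer: a small desktop-JVM tool that opens the same PKCS#12 file and checks whether the certificate stored with each private key is within its validity period and carries a signature that verifies. The class name `ClientCertCheck`, the method `checkLeaf` and the command-line arguments are hypothetical, and the code assumes "unsigned" means the leaf certificate's signature does not verify.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical class): audits the client identity in a PKCS#12 file.
public class ClientCertCheck {

    /** Returns "OK" if the leaf certificate verifies, otherwise a description of the finding. */
    static String checkLeaf(Certificate[] chain) {
        if (chain == null || chain.length == 0) return "no certificate stored with the private key";
        if (!(chain[0] instanceof X509Certificate)) return "leaf is not an X.509 certificate";
        X509Certificate leaf = (X509Certificate) chain[0];
        try {
            leaf.checkValidity(); // notBefore / notAfter against the current time
            if (chain.length > 1) {
                leaf.verify(chain[1].getPublicKey()); // signed by the next certificate in the chain
            } else if (leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal())) {
                leaf.verify(leaf.getPublicKey()); // self-issued: must verify under its own key
            } else {
                return "issuer certificate is not in the keystore, signature not checked";
            }
            return "OK";
        } catch (Exception e) { // CertificateException, SignatureException, InvalidKeyException, ...
            return "PROBLEM " + e.getClass().getSimpleName() + ": " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Usage: java ClientCertCheck <file.p12> <password>  (both supplied by the caller)
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue; // only entries with a private key can authenticate
            System.out.println(alias + ": " + checkLeaf(ks.getCertificateChain(alias)));
        }
    }
}
```

A keystore whose leaf certificate fails `verify` here is the kind of input the answer describes; re-issuing the certificate with a valid (for example self-signed) signature and rebuilding the PKCS#12 file should make the check print `OK`.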