在安卓4.x的SSL客户端身份验证 [英] SSL Client authentication in Android 4.x
问题描述
我想创建一个应用程序连接到服务器。此服务器使用SSL客户端身份验证。该应用程序的用户应该能够选择证书并允许使用它喜欢它是在浏览器应用程序来实现。
I would like to create an App which connects to a server. This server uses SSL Client Authentication. The User of the App should be able to choose the certificate and allow the use of it like it is implemented in the browser app.
在浏览器应用程序的认证工作正常,所以我用的证书是有效的。
In the browser app the authentication is working as expected, so the certificate I use is valid.
当我尝试在我的应用程序连接我得到以下错误:
When I try to connect in my App I get the following Error:
javax.net.ssl.SSLHandshakeException: javax.net.ssl.SSLProtocolException:
SSL handshake terminated: ssl=0x2a2d3b38:
Failure in SSL library, usually a protocol error
error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
(external/openssl/ssl/s3_pkt.c:1290 0x2a2df880:0x00000003)
我试图按照android的文档,我的实现。
I tried to follow the android documentation for my implementation.
- 在ICS统一密钥存储访问
- <一个href="http://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html">HttpsURLConnection
- Unifying Key Store Access in ICS
- HttpsURLConnection
下面是我的示例活动的code:
Here is the code of my sample Activity:
public class ClientCertificateActivity extends Activity implements
KeyChainAliasCallback {
protected static final String TAG = "CERT_TEST";
private String alias;
@Override
protected void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
choseCertificate();
LinearLayout layout = new LinearLayout(this);
Button connectToServer = new Button(this);
connectToServer.setText("Try to connect to Server");
connectToServer.setLayoutParams(new LayoutParams(LayoutParams.FILL_PARENT, LayoutParams.WRAP_CONTENT));
connectToServer.setOnClickListener(new OnClickListener() {
@Override
public void onClick(View v) {
connectToServer();
}
});
layout.addView(connectToServer);
addContentView(layout, new LayoutParams(LayoutParams.FILL_PARENT, LayoutParams.FILL_PARENT));
}
protected void connectToServer() {
final Context ctx = this;
new AsyncTask<Void, Void, Boolean>() {
private Exception error;
@Override
protected Boolean doInBackground(Void... arg) {
try {
PrivateKey pk = KeyChain.getPrivateKey(ctx, alias);
X509Certificate[] chain = KeyChain.getCertificateChain(ctx,
alias);
KeyStore keyStore = KeyStore.getInstance("AndroidCAStore");
TrustManagerFactory tmf = TrustManagerFactory
.getInstance(TrustManagerFactory
.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
URL url = new URL("https://usecert.example.com/");
HttpsURLConnection urlConnection = (HttpsURLConnection) url
.openConnection();
urlConnection.setSSLSocketFactory(context
.getSocketFactory());
InputStream in = urlConnection.getInputStream();
return true;
} catch (Exception e) {
e.printStackTrace();
error = e;
return false;
}
}
@Override
protected void onPostExecute(Boolean valid) {
if (error != null) {
Toast.makeText(ctx, "Error: " + error.getMessage(),
Toast.LENGTH_LONG).show();
return;
}
Toast.makeText(ctx, "Success: ", Toast.LENGTH_SHORT).show();
}
}.execute();
}
protected void choseCertificate() {
KeyChain.choosePrivateKeyAlias(this, this,
new String[] { "RSA", "DSA" }, null, "m.ergon.ch", 443, null);
}
@Override
public void alias(String alias) {
this.alias = alias;
}
}
抛出异常的 urlConnection.getInputStream();
下面是在服务器和客户端之间的握手的捕获。
Here is the capture of the handshake between the server and the client.
感谢您的任何建议和的窍门。
Thanks for any suggestions and tipps.
推荐答案
您永远不会初始化的KeyManager用你的私钥,所以没有办法客户端身份验证可以把它捡起来。
You are never initializing a KeyManager with your private key, so there is no way client authentication can pick it up.
您不得不实施X509KeyManager来回报您的PrivateKey和一些硬codeD别名。
下面是从股票的电子邮件应用程序(ICS +),以供参考之一。您可能需要稍微进行修改,但它应该是容易理解:基本上只是它的关键,别名和证书链保存到域,并通过适当的方法(它们返回 StubKeyManager 只是抛出异常的未实现的,不需要的方法):
You'd have to implement X509KeyManager to return your PrivateKey and some hard-coded alias.
Here's the one from the stock Email application (ICS+) for reference. You may need to modify it somewhat, but it should be easy to follow: basically it just saves the key, alias and certificate chain to fields and returns them via the appropriate methods (StubKeyManager just throws exceptions for the unimplemented and unneeded methods):
public static class KeyChainKeyManager extends StubKeyManager {
private final String mClientAlias;
private final X509Certificate[] mCertificateChain;
private final PrivateKey mPrivateKey;
public static KeyChainKeyManager fromAlias(Context context, String alias)
throws CertificateException {
X509Certificate[] certificateChain;
try {
certificateChain = KeyChain.getCertificateChain(context, alias);
} catch (KeyChainException e) {
logError(alias, "certificate chain", e);
throw new CertificateException(e);
} catch (InterruptedException e) {
logError(alias, "certificate chain", e);
throw new CertificateException(e);
}
PrivateKey privateKey;
try {
privateKey = KeyChain.getPrivateKey(context, alias);
} catch (KeyChainException e) {
logError(alias, "private key", e);
throw new CertificateException(e);
} catch (InterruptedException e) {
logError(alias, "private key", e);
throw new CertificateException(e);
}
if (certificateChain == null || privateKey == null) {
throw new CertificateException("Can't access certificate from keystore");
}
return new KeyChainKeyManager(alias, certificateChain, privateKey);
}
private KeyChainKeyManager(
String clientAlias, X509Certificate[] certificateChain,
PrivateKey privateKey) {
mClientAlias = clientAlias;
mCertificateChain = certificateChain;
mPrivateKey = privateKey;
}
@Override
public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
return mClientAlias;
}
@Override
public X509Certificate[] getCertificateChain(String alias) {
return mCertificateChain;
}
@Override
public PrivateKey getPrivateKey(String alias) {
return mPrivateKey;
}
}
这篇关于在安卓4.x的SSL客户端身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
