SSLContext and PKCS12 keystore - works on JVM but not on Android


Problem description

Android version:

    import java.security.KeyStore;
    import java.security.SecureRandom;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    final SSLContext context = SSLContext.getInstance("TLS");
    // Client certificate and private key come from the PKCS12 keystore shipped in the app's assets
    final KeyStore keystore = KeyStore.getInstance("PKCS12");
    keystore.load(ctx.getAssets().open("ca_cli.pkcs12"), "password".toCharArray());
    final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keystore, "password".toCharArray());
    context.init(keyManagerFactory.getKeyManagers(), new TrustManager[] { new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[] {}; } // no trusted issuers advertised

        @Override
        public void checkClientTrusted(final X509Certificate[] arg0, final String arg1) throws CertificateException {
            // no-op: any client certificate chain is accepted
        }

        @Override
        public void checkServerTrusted(final X509Certificate[] arg0, final String arg1) throws CertificateException {
            // no-op: any server certificate chain is accepted (no server verification)
        }
    } }, new SecureRandom());

JVM version:

    import java.io.File;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    final SSLContext context = SSLContext.getInstance("TLS");
    // Client certificate and private key come from a PKCS12 keystore on disk
    final KeyStore keystore = KeyStore.getInstance("pkcs12");
    keystore.load(new FileInputStream(new File("ca-cli.pkcs12")), "password".toCharArray());
    final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keystore, "password".toCharArray());
    context.init(keyManagerFactory.getKeyManagers(), new TrustManager[] {
      new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[]{}; } // no trusted issuers advertised
        @Override
        public void checkClientTrusted(final X509Certificate[] arg0, final String arg1) throws CertificateException {
          // no-op: any client certificate chain is accepted
        }
        @Override
        public void checkServerTrusted(final X509Certificate[] arg0, final String arg1) throws CertificateException {
          // no-op: any server certificate chain is accepted (no server verification)
        }
      }
    }, new SecureRandom());

The code is pretty much the same, but the JVM version works fine and the Android version produces:

 09-16 12:24:17.024: E/AuthByPasswordLoader(14580): Got unexpected error
 09-16 12:24:17.024: E/AuthByPasswordLoader(14580):
  javax.net.ssl.SSLHandshakeException:
  javax.net.ssl.SSLProtocolException: SSL handshake terminated:
  ssl=0x656b0148: Failure in SSL library, usually a protocol error
 09-16 12:24:17.024: E/AuthByPasswordLoader(14580): error:14094410:SSL
  routines:SSL3_READ_BYTES:sslv3 alert handshake failure
  (external/openssl/ssl/s3_pkt.c:1290 0x40086500:0x00000003)

I've tried to convert PKCS12 -> BKS but it didn't help...

Recommended answer

So, in case someone faces the same issue - it turned out that this is a bug, which was introduced in Android 3.0.

Quoting Kenny Root from the Android security thread:

Thanks, it looks like a bug that was introduced in Android 3.0. It will require that client key types have the same CA type. You are seeing this because your client certificate is RSA and the CA is EC.

You can work around this bug for your situation by wrapping the KeyManager and intercepting calls to chooseClientAlias to add "RSA_EC" to the keyTypes.

If you're interested in the particular fix that will be in a future release: https://android-review.googlesource.com/66581
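The wrapping that the quoted workaround describes, written out as an added example (this is not code from the question, the answer, or Android itself): a delegating X509KeyManager whose chooseClientAlias appends "RSA_EC" to the requested key types before handing the call to the real key manager. The class name RsaEcKeyManager and the helper wrap(...) are my own; the keystore and password are the ones from the question.

```java
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;

// Delegating X509KeyManager (hypothetical name) that widens the key types asked for during client auth.
public final class RsaEcKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    public RsaEcKeyManager(X509KeyManager delegate) { this.delegate = delegate; }

    // Returns keyTypes with "RSA_EC" appended (RSA client key signed by an EC CA), unless already present.
    static String[] withRsaEc(String[] keyTypes) {
        if (keyTypes == null) return new String[] { "RSA_EC" };
        if (Arrays.asList(keyTypes).contains("RSA_EC")) return keyTypes;
        String[] extended = Arrays.copyOf(keyTypes, keyTypes.length + 1);
        extended[keyTypes.length] = "RSA_EC";
        return extended;
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return delegate.chooseClientAlias(withRsaEc(keyTypes), issuers, socket);
    }

    // Every other call passes through to the wrapped key manager unchanged.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    // Builds the key managers from the PKCS12 keystore and wraps each X509KeyManager among them.
    public static KeyManager[] wrap(KeyStore keystore, char[] password) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, password);
        KeyManager[] managers = kmf.getKeyManagers();
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509KeyManager) {
                managers[i] = new RsaEcKeyManager((X509KeyManager) managers[i]);
            }
        }
        return managers;
    }
}
```

In the question's Android code, `context.init(RsaEcKeyManager.wrap(keystore, "password".toCharArray()), trustManagers, new SecureRandom())` replaces the direct `keyManagerFactory.getKeyManagers()` call; the trust-manager side is unchanged by this workaround.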
