如何以编程方式将证书添加到信任库并将其也用于验证服务器身份验证 [英] How to programmatically add certificates to a truststore and use that also for verifying server authentication
问题描述
我的应用程序我想使用https连接到使用自签名证书的用户指定的服务器.我现在收集的是,
I my app I want to use a https connection to a user-specified server which uses a self-signed certificate. What I gathered by now is, that
- 自签名证书被拒绝(如预期)
- Android密钥库/信任库未用于应用程序,因此应用程序必须构建并使用自己的信任库,
- JDK中有一个密钥工具"来构建信任库,该信任库可以作为资源提供给应用程序,但是由于我不知道服务器(及其事先的证书),因此这不是解决方案
由于是用户指定的https服务器,因此我事先不知道服务器的证书,因此想以编程方式将服务器证书添加到应用程序的信任库中(通过向用户显示证书并让他接受).一旦添加到信任库,应用程序应使用该信任库对服务器进行身份验证.
Since the https server is user specified, I do not know the server's certificate beforehand and thus want to add the server certificate programmatically to the app's truststore (by showing the certificate to the user and have him accept it). Once added to the truststore, the app shall use that truststore to authenticate the server.
我不想简单地接受每一个自签名证书,而不必像网络上的一些例子那样要求用户检查指纹.
I do NOT want to simply accept every self-signed certificate without the user checking the fingerprint as some examples on the web suggest.
现在的问题是,我是Java和Android的新手,并且正在努力了解AndroidHttpClient或DefaultHttpClient的内部工作原理.我的应用程序中使用了基本的HTTP,但是没有找到有关如何根据用户的要求将证书实际添加到应用程序内部的信任库中的任何示例.
Now the problem is that I'm completely new to Java and Android and am struggling to understand the inner workings of the AndroidHttpClient or DefaultHttpClient. I have basic HTTP working in my app, but haven't found any example on how to actually ADD certificates to a truststore inside the app on demand of the user.
有人知道如何实现这一目标,或者知道我可以看的可行示例吗?
Does anybody know how to achieve that or knows a working example that I can look at?
任何提示都值得赞赏.谢谢.
Any hints are appreciated. Thanks.
在 K9 Mail的TrustManagerFactory.java类.如果您有相同的问题,建议您看看.
Found the Solution in the TrustManagerFactory.java class of K9 Mail. I suggest to have a look at it if you're having the same question.
推荐答案
前段时间找到了解决方案,但是还没有人创建答案来帮助指导其他人,所以今天上午我将成为Point Pimp(ette),发布作为解决方案添加的URL,以及从公共来源复制代码.希望这有助于指导其他人找到解决方案.:)
Solution was found a while ago but no one has created the Answer yet to help guide others, so I'll be the Point Pimp(ette) this morning and post the URL added as the solution, plus copy in the code from the public source. Hope this helps guide others to the solution. :)
这是URL (以下代码).
package com.fsck.k9.mail.store;
import android.app.Application;
import android.content.Context;
import android.util.Log;
import com.fsck.k9.K9;
import com.fsck.k9.helper.DomainNameChecker;
import org.apache.commons.io.IOUtils;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
public final class TrustManagerFactory {
private static final String LOG_TAG = "TrustManagerFactory";
private static X509TrustManager defaultTrustManager;
private static X509TrustManager unsecureTrustManager;
private static X509TrustManager localTrustManager;
private static X509Certificate[] lastCertChain = null;
private static File keyStoreFile;
private static KeyStore keyStore;
private static class SimpleX509TrustManager implements X509TrustManager {
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
}
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}
private static class SecureX509TrustManager implements X509TrustManager {
private static final Map<String, SecureX509TrustManager> mTrustManager =
new HashMap<String, SecureX509TrustManager>();
private final String mHost;
private SecureX509TrustManager(String host) {
mHost = host;
}
public synchronized static X509TrustManager getInstance(String host) {
SecureX509TrustManager trustManager;
if (mTrustManager.containsKey(host)) {
trustManager = mTrustManager.get(host);
} else {
trustManager = new SecureX509TrustManager(host);
mTrustManager.put(host, trustManager);
}
return trustManager;
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
defaultTrustManager.checkClientTrusted(chain, authType);
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
// FIXME: Using a static field to store the certificate chain is a bad idea. Instead
// create a CertificateException subclass and store the chain there.
TrustManagerFactory.setLastCertChain(chain);
try {
defaultTrustManager.checkServerTrusted(chain, authType);
} catch (CertificateException e) {
localTrustManager.checkServerTrusted(new X509Certificate[] {chain[0]}, authType);
}
if (!DomainNameChecker.match(chain[0], mHost)) {
try {
String dn = chain[0].getSubjectDN().toString();
if ((dn != null) && (dn.equalsIgnoreCase(keyStore.getCertificateAlias(chain[0])))) {
return;
}
} catch (KeyStoreException e) {
throw new CertificateException("Certificate cannot be verified; KeyStore Exception: " + e);
}
throw new CertificateException("Certificate domain name does not match "
+ mHost);
}
}
public X509Certificate[] getAcceptedIssuers() {
return defaultTrustManager.getAcceptedIssuers();
}
}
static {
java.io.InputStream fis = null;
try {
javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance("X509");
Application app = K9.app;
keyStoreFile = new File(app.getDir("KeyStore", Context.MODE_PRIVATE) + File.separator + "KeyStore.bks");
keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
try {
fis = new java.io.FileInputStream(keyStoreFile);
} catch (FileNotFoundException e1) {
fis = null;
}
try {
keyStore.load(fis, "".toCharArray());
} catch (IOException e) {
Log.e(LOG_TAG, "KeyStore IOException while initializing TrustManagerFactory ", e);
keyStore = null;
} catch (CertificateException e) {
Log.e(LOG_TAG, "KeyStore CertificateException while initializing TrustManagerFactory ", e);
keyStore = null;
}
tmf.init(keyStore);
TrustManager[] tms = tmf.getTrustManagers();
if (tms != null) {
for (TrustManager tm : tms) {
if (tm instanceof X509TrustManager) {
localTrustManager = (X509TrustManager)tm;
break;
}
}
}
tmf = javax.net.ssl.TrustManagerFactory.getInstance("X509");
tmf.init((KeyStore)null);
tms = tmf.getTrustManagers();
if (tms != null) {
for (TrustManager tm : tms) {
if (tm instanceof X509TrustManager) {
defaultTrustManager = (X509TrustManager) tm;
break;
}
}
}
} catch (NoSuchAlgorithmException e) {
Log.e(LOG_TAG, "Unable to get X509 Trust Manager ", e);
} catch (KeyStoreException e) {
Log.e(LOG_TAG, "Key Store exception while initializing TrustManagerFactory ", e);
} finally {
IOUtils.closeQuietly(fis);
}
unsecureTrustManager = new SimpleX509TrustManager();
}
private TrustManagerFactory() {
}
public static X509TrustManager get(String host, boolean secure) {
return secure ? SecureX509TrustManager.getInstance(host) :
unsecureTrustManager;
}
public static KeyStore getKeyStore() {
return keyStore;
}
public static void setLastCertChain(X509Certificate[] chain) {
lastCertChain = chain;
}
public static X509Certificate[] getLastCertChain() {
return lastCertChain;
}
public static void addCertificateChain(String alias, X509Certificate[] chain) throws CertificateException {
try {
javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance("X509");
for (X509Certificate element : chain) {
keyStore.setCertificateEntry
(element.getSubjectDN().toString(), element);
}
tmf.init(keyStore);
TrustManager[] tms = tmf.getTrustManagers();
if (tms != null) {
for (TrustManager tm : tms) {
if (tm instanceof X509TrustManager) {
localTrustManager = (X509TrustManager) tm;
break;
}
}
}
java.io.OutputStream keyStoreStream = null;
try {
keyStoreStream = new java.io.FileOutputStream(keyStoreFile);
keyStore.store(keyStoreStream, "".toCharArray());
} catch (FileNotFoundException e) {
throw new CertificateException("Unable to write KeyStore: " + e.getMessage());
} catch (CertificateException e) {
throw new CertificateException("Unable to write KeyStore: " + e.getMessage());
} catch (IOException e) {
throw new CertificateException("Unable to write KeyStore: " + e.getMessage());
} finally {
IOUtils.closeQuietly(keyStoreStream);
}
} catch (NoSuchAlgorithmException e) {
Log.e(LOG_TAG, "Unable to get X509 Trust Manager ", e);
} catch (KeyStoreException e) {
Log.e(LOG_TAG, "Key Store exception while initializing TrustManagerFactory ", e);
}
}
}
这篇关于如何以编程方式将证书添加到信任库并将其也用于验证服务器身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
