在系统上下文中在Android上安装CA证书 [英] Installing CA certificate on android in system context

问题描述

我需要通过Xamarin APP通过HTTPS访问REST API.当然，在我的开发环境中，我不使用公开签名的证书，而是使用本地CA签名的证书.因此，我需要将我的CA证书添加到Android模拟器上的受信任CA中.在一些Google搜索之后，我发现的第一种方法是将其拖放到模拟器中，然后使用"Files"(文件)进行安装.应用程序.但这似乎只能将其安装在用户上下文中.我的应用似乎并不在乎哪个，因为它仍然不接受来自API的证书作为受信任的证书.所以我搜索了更多...

I need to access a REST API by HTTPS from my Xamarin APP. Of course in my development environment, I don't use a publicly signed certificate but signed from my local CA. So I need to add my CA certificate to the trusted CAs on the Android emulator. After some google searches the first approach I've found was, to just drag and drop it into the emulator and then install it with the "Files" app. But this only seems to install it in the user context. Which my App doesn't seem to care about since it still did not accept the certificate from the API as trusted. So I searched for some more...

下一种方法是从证书中获取发行者哈希值，在文件之后重命名文件，禁用 Google APIs 和 Google Play商店，然后执行以下操作:

The next approach was to get the issuer hash value from the certificate, rename the file after it, disable Google APIs and Google Play Store and do this:

emulator -avd <avd_name_here> -writable-system

adb root
adb shell remount
adb push <cert_filename> /system/etc/security/cacerts
adb shell "chmod 664 /system/etc/security/cacerts/<cert_filename>"

adb reboot

这确实有效，但有一些缺点.始终使用 -writable-system 启动模拟器，这意味着我必须手动启动而不是从Visual Studio启动模拟器，并保留 Google API 和 Google Play商店已禁用.我不知道如果禁用这些API会有什么不同.

This did work but has some downsides. Always launch the emulator with -writable-system which means I have to launch it manually instead of from Visual Studio, and keeping Google APIs and Google Play Store disabled. I don't know what difference it makes if I keep those APIs disabled.

我真的不能相信这是安装CA证书的唯一方法.如何在真实设备上完成?我以为我不能在那里禁用Google API?

I can't really believe that this is the only way to install a CA certificate. How is it done on a real device? I assume I can't just disable the google APIs there?

推荐答案

Tim Biegeleisen的评论使我投入了一些时间来寻找以纯文本格式访问API的方向.默认情况下，Android和iOS都不允许这样做.足够幸运的是，有可能允许它用于特定域，我认为这是可以接受的解决方案:

Tim Biegeleisen's comment made me invest some time looking in the direction of accessing the API in plain text. Neither Android nor iOS do allow this by default. Fortunate enough it is possible to allow it for specific domains which I think is an acceptable solution:

在此处找到 https://devblogs.microsoft.com/xamarin/cleartext-http-android-network-security/

1. 在Android项目的资源下添加以下文件和文件夹: xml \ network_security_config.xml
2. 将这样的行添加到文件中:

    <?xml version="1.0" encoding="utf-8"?>
    <network-security-config>
      <domain-config cleartextTrafficPermitted="true">
        <domain includeSubdomains="true">10.0.2.2</domain> <!-- Debug port -->
        <domain includeSubdomains="true">xamarin.com</domain>
      </domain-config>
    </network-security-config>

1. 在 Properties \ AssemblyInfo.xml 中将 android:networkSecurityConfig 添加到应用程序标头中:

1. In Properties\AssemblyInfo.xml Add android:networkSecurityConfig to the application header:

    <manifest>
    <application android:networkSecurityConfig="@xml/network_security_config">
        ...
    </application>
    </manifest>

iOS

在这里找到: https://stackoverflow.com/a/33306373/3883521

在 info.plist 中添加如下内容:

<key>NSAppTransportSecurity</key>
<dict>
    <key>NSExceptionDomains</key>
    <dict>
        <key>domain.com</key>
        <dict>
            <key>NSExceptionAllowsInsecureHTTPLoads</key>
            <true/>
            <key>NSIncludesSubdomains</key>
            <true/>
        </dict>
    </dict>
</dict>

将 domain.com 更改为您的域...

change domain.com to your domain...

这篇关于在系统上下文中在Android上安装CA证书的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！