如何使用未知 CA 自签名的证书让 Android Volley 执行 HTTPS 请求? [英] How can I make Android Volley perform HTTPS request, using a certificate self-signed by an Unknown CA?

问题描述

在提出问题之前，我找到了一些链接，我一一检查了，没有一个，给了我一个解决方案:

Before making the question, I found some links, which I checked, one by one, and none of them, gives me a solution:

• 知名 CA使用 volley 的 HTTPS 请求
• 接受所有 SSL 证书无对等证书异常 - Volley 和 Android with self签名证书
• Node.js (Socket.io)Socket.io + SSL + 自签名 CA连接时证书出错
• 自签名证书​​手动"导入:使用自签名证书和 CA 的 Android SSL HTTP 请求

到目前为止我找到的唯一链接是这个，它提供了两种方法:使用 Android Volley 发出 HTTPS 请求

The only link which I have found until now, is this one, which gives two approaches: Making a HTTPS request using Android Volley

• 1º 指示将一些类导入到您的应用程序中，但确实有其他类必须导入，并且这些类正在使用apache.org"中已弃用的库
• 2º NUKE 所有 SSL 证书的示例(非常糟糕的主意...)

我也找到了这个博客，它有很多解释，但最后，我意识到这些示例使用了来自apache.org"的不推荐使用的库，而且博客本身没有 Android Volley 的内容.https://nelenkov.blogspot.mx/2011/12/using-custom-certificate-trust-store-on.html

还有来自 Android 的链接和未知证书颁发机构"部分的代码，它提供了一个关于解决方案的好主意，但代码本身在其结构中缺乏一些东西(Android Studio 抱怨......):https://developer.android.com/training/articles/security-ssl.html

但是链接中的这句话似乎是解决问题的核心概念.

But this quote from the link, seems the core concept for solving the problem.

系统使用 TrustManager 来验证来自服务器的证书，并且通过从具有一个或多个 CA 的 KeyStore 创建一个证书，这些将是该 TrustManager 信任的唯一 CA.鉴于新的 TrustManager，该示例初始化了一个新的 SSLContext，它提供了一个 SSLSocketFactory，您可以使用它来覆盖来自 HttpsURLConnection 的默认 SSLSocketFactory.这样，连接将使用您的 CA 进行证书验证."

现在，这是我的问题:我有一个使用自签名证书的网络服务器，我已经根据它的证书创建了一个BKS 信任库".我已将 de BKS truststore 导入到我的 Android 应用程序中，现在，我的应用程序上有以下代码(我只是在此处发布 MainActivity，我想这是迄今为止唯一与该主题相关的类):

And now, here is my problem: I have a webserver that is using a self-signed certificate and I have created a "BKS truststore" based on its certificate. I have imported de BKS truststore to my Android APP and now, I have the following code on my App (I'm just posting here the MainActivity, which is the only class that has relevance to this subject until now, I suppose):

package com.domain.myapp;


import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.support.v7.app.AppCompatActivity;
import android.util.Log;
import android.view.View;

import android.widget.EditText;
import android.widget.Toast;

import com.android.volley.Request;
import com.android.volley.RequestQueue;
import com.android.volley.Response;
import com.android.volley.VolleyError;
import com.android.volley.toolbox.HurlStack;
import com.android.volley.toolbox.StringRequest;
import com.android.volley.toolbox.Volley;

import java.io.InputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;


public class LoginScreen extends AppCompatActivity {

Context ctx          = null;
InputStream inStream = null;
HurlStack hurlStack  = null;

EditText username    = null;
EditText password    = null;
String loginStatus   = null;

public LoginScreen() {

    try {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore ks = KeyStore.getInstance("BKS");
        inStream = ctx.getApplicationContext().getResources().openRawResource(R.raw.mytruststore);
        ks.load(inStream, null);
        inStream.close();
        tmf.init(ks);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
        hurlStack = new HurlStack(null, sslSocketFactory);
    } catch (Exception e){
        Log.d("Exception:",e.toString());
    }
}

@Override
public void onCreate(Bundle savedInstanceState) {
    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_login_screen);
    username = (EditText) findViewById(R.id.user);
    password = (EditText) findViewById(R.id.passwd);
}

public void login(View view) {

    RequestQueue queue = Volley.newRequestQueue(this, hurlStack);
    final String url = "https://myserver.domain.com/app/login";

    StringRequest postRequest = new StringRequest(Request.Method.POST, url,
            new Response.Listener<String>()
            {
                @Override
                public void onResponse(String response) {
                    Log.d("Response", response);
                    loginStatus = "OK";
                }
            },
            new Response.ErrorListener()
            {
                @Override
                public void onErrorResponse(VolleyError error) {
                    Log.d("Error.Response", String.valueOf(error));
                    loginStatus = "NOK";
                }
            }
    ) {
        @Override
        protected Map<String, String> getParams()
        {
            Map<String, String>  params = new HashMap<String, String>();
            params.put("username", String.valueOf(user));
            params.put("domain", String.valueOf(passwd));

            return params;
        }
    };
    queue.add(postRequest);

    if (loginStatus == "OK") {
        Intent intent = new Intent(LoginScreen.this, OptionScreen.class);
        startActivity(intent);
    } else {
        Toast.makeText(getApplicationContext(), "Login failed",Toast.LENGTH_SHORT).show();
    }
}

}

关于构造函数类，我冒昧地复制了代码，并就我从它的每一部分理解的内容发表了一些评论:

Regarding the constructor class, I took the liberty of copying the code, putting some comments about what do I understand from each part of it:

try {
// I have a TrustManagerFactory object
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// I have a KeyStore considering BKS (BOUNCY CASTLE) KeyStore object
KeyStore ks = KeyStore.getInstance("BKS");
// I have configured a inputStream using my TrustStore file as a Raw Resource
inStream = ctx.getApplicationContext().getResources().openRawResource(R.raw.mytruststore);
// I have loaded my Raw Resource into the KeyStore object
ks.load(inStream, null);
inStream.close();
// I have initialiazed my Trust Manager Factory, using my Key Store Object
tmf.init(ks);
// I have created a new SSL Context object
SSLContext sslContext = SSLContext.getInstance("TLS");
// I have initialized my new SSL Context, with the configured Trust Managers found on my Trust Store
sslContext.init(null, tmf.getTrustManagers(), null);
// I have configured a HttpClientStack, using my brand new Socket Context
final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
hurlStack = new HurlStack(null, sslSocketFactory);
} catch (Exception e){
Log.d("Exception:",e.toString());
}

在此之后，在另一个类方法中，我有 RequestQueue，使用我在类构造函数上配置的 HttpClientStack:

After this, in another Class Method, I have the RequestQueue, using the HttpClientStack which I have configured on the Class COnstructor:

RequestQueue queue = Volley.newRequestQueue(this, hurlStack);
final String url = "https://myserver.domain.com/app/login";
StringRequest postRequest = new StringRequest(Request.Method.POST, url,new Response.Listener<String>()
    {
    ...
    ...
    }

当我运行我的应用程序时，提供我的 WebServer 所需的用户名和密码，我可以在 Android Studio 的 Android Monitor 中看到以下消息:

When I run my app, giving the user and password which is expected by my WebServer, I can see in the Android Monitor from Android Studio the following messages:

09-17 21:57:13.842 20617-20617/com.domain.myapp D/Error.Response:com.android.volley.NoConnectionError:javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorException:未找到证书路径的信任锚.

09-17 21:57:13.842 20617-20617/com.domain.myapp D/Error.Response: com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

经过所有这些解释，我有以下问题:

After all this explanation, I have the following question:

• 为了让 Android 接受来自我在类的构造函数中配置的自定义 TrustManager 的 CA 的 SSL 证书，还必须配置什么?

请原谅我，我是 Android 编程和 Java 的初学者，所以也许我犯了一个可怕的错误......

Forgive me, but I'm beginner on Android programming, as well on Java, so maybe, I'm making a terrible mistake...

任何帮助，将不胜感激.

Any help, would be much appreciated.

更新

我改进了类的构造函数，对语句进行了更好的分组，并且还使用了 KeyManagerFactory，这在此过程中似乎非常重要.这是:

I have improved the constructor of the class, doing a better grouping of the statements, and also using the KeyManagerFactory, which seems to be pretty important on this process. Here goes:

public class LoginScreen extends AppCompatActivity {

...
...

  public LoginScreen() {

    try {
        inStream = this.getApplicationContext().getResources().openRawResource(R.raw.mytruststore);

        KeyStore ks = KeyStore.getInstance("BKS");
        ks.load(inStream, "bks*password".toCharArray());
        inStream.close();

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509");
        kmf.init(ks, "bks*password".toCharArray());

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
        tmf.init(ks);

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kmf.getKeyManagers(),tmf.getTrustManagers(), null);
        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
        hurlStack = new HurlStack(null, sslSocketFactory);
    } catch (Exception e){
        Log.d("Exception:",e.toString());
    }

  }

...
...

}

不管怎样，我还是有问题..

Anyway, I'm still having problems..

响应:com.android.volley.NoConnectionError:javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorException:未找到证书路径的信任锚.

Response: com.android.volley.NoConnectionError: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

推荐答案

我已经通过以下代码在我的 volley 类中创建新的 requestQueue 来实现 https

i have implemented https by creating new requestQueue in my volley class by the following code

public RequestQueue getRequestQueue() {
    if (mRequestQueue == null) {
        mRequestQueue = Volley.newRequestQueue(getApplicationContext(), new HurlStack(null, newSslSocketFactory()));

    }

    return mRequestQueue;
}

private SSLSocketFactory newSslSocketFactory() {
    try {
        // Get an instance of the Bouncy Castle KeyStore format
        KeyStore trusted = KeyStore.getInstance("BKS");
        // Get the raw resource, which contains the keystore with
        // your trusted certificates (root and any intermediate certs)
        InputStream in = getApplicationContext().getResources().openRawResource(R.raw.keystore);
        try {
            // Initialize the keystore with the provided trusted certificates
            // Provide the password of the keystore
            trusted.load(in, KEYSTORE_PASSWORD);
        } finally {
            in.close();
        }

        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(trusted);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);

        SSLSocketFactory sf = context.getSocketFactory();
        return sf;
    } catch (Exception e) {
        throw new AssertionError(e);
    }
}

这篇关于如何使用未知 CA 自签名的证书让 Android Volley 执行 HTTPS 请求?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！