Client Certificate not working from Android - How to debug?


Question

I'm trying to implement Client Certificate communication for an Android App, so far without much success - and it seems that this feature is, if at all possible, very hard. The full flow I'm implementing is described in my previous question (http://stackoverflow.com/questions/24406266/creating-an-https-connecion-with-client-side-certificate-from-pkcs10-with-spong).

I followed the code there and the code from this blog post, which describes more or less the same scenario, without results.

What doesn't work: Opening an SSL connection (HttpsURLConnection) between the Android client and the server causes the server to return a 403 status code (http://en.wikipedia.org/wiki/HTTP_403).
AFAIK, this 403 is because the server doesn't get the Client Certificate, or doesn't trust the one it gets, and I'm not sure how to debug it.

What works:

  • Creating a PKCS#10 request, sending it to the CA and getting back a signed PKCS#7 (P7B)
  • Storing the received P7B together with the private key in a KeyStore, and exporting it to a PKCS#12 (P12)
  • (Most annoying) picking the P12 from the device, installing it on Windows, contacting the server and getting a coherent (200 HTTP-OK) response.

What I've changed: From the code samples I got (from here, http://stackoverflow.com/questions/24406266/creating-an-https-connecion-with-client-side-certificate-from-pkcs10-with-spong, and here), I had to change a few things. I'm using HttpsURLConnection and not OkHttpClient as @Than used there (but it shouldn't matter). I can't provide the certificates the way Rich Freedman did (he already had the certificate, while I'm obtaining it via PKCS#10 and PKCS#7), so I've created a CustomTrustManager that trusts the server's certificate. For this reason I use SpongyCastle (v1.5.0.0, if it matters, inserted as a provider at position 0), and I also don't persist the certificate; everything is done in memory.

The question is what to do next:

  • How can I know what the server requires (client-certificate wise)?
  • How can I know which client certificate (if any) is being sent to the server?
  • How do I debug this scenario in general? (Proxies such as Fiddler are useless for the underlying SSL.)

Thanks!

Answer

It's not a good answer, but there is too much here to post it as a comment.

For logging and debugging you can create your own X509KeyManager which wraps the normal key manager obtained from KeyManagerFactory:

The @DebugLog annotation comes from the Hugo library created by Jake Wharton. It prints the function's arguments and what it returns. You can use normal Log.d or whatever you want.

For example:

import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;
import hugo.weaving.DebugLog;

// Wraps the platform key manager and logs every call the TLS stack makes to it
// during the handshake, so you can see what the server asked for and what was answered.
class MyKeyManager implements X509KeyManager {

    private final X509KeyManager keyManager;

    MyKeyManager(X509KeyManager keyManager) {
        this.keyManager = keyManager;
    }

    // Called once per handshake with the key types and issuer DNs taken from the
    // server's CertificateRequest; returning null means no client certificate is sent.
    @DebugLog
    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        return keyManager.chooseClientAlias(keyTypes, issuers, socket);
    }

    @DebugLog
    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return keyManager.chooseServerAlias(keyType, issuers, socket);
    }

    // The chain (leaf first) that will be sent for the chosen alias.
    @DebugLog
    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        return keyManager.getCertificateChain(alias);
    }

    @DebugLog
    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return keyManager.getClientAliases(keyType, issuers);
    }

    @DebugLog
    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return keyManager.getServerAliases(keyType, issuers);
    }

    // The private key used to sign the CertificateVerify message for the chosen alias.
    @DebugLog
    @Override
    public PrivateKey getPrivateKey(String alias) {
        return keyManager.getPrivateKey(alias);
    }
}

and use it to initialise the SSL connection:

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, password);   // keyStore holds the P12 entry (certificate chain + private key), password is its char[]

final X509KeyManager origKm = (X509KeyManager) kmf.getKeyManagers()[0];
X509KeyManager km = new MyKeyManager(origKm);

// tmf is the TrustManagerFactory (or whatever supplies your custom trust manager) already used for the server certificate
SSLContext sslCtx = SSLContext.getInstance("TLS");
sslCtx.init(new KeyManager[]{km}, tmf.getTrustManagers(), null);

You will see which methods are called, what the arguments are (obtained from the server certificate) and which certificate and private key your key manager returns.
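The logging wrapper above shows what was asked and what was returned; it does not say why the platform key manager answered null. The class below is an added example, not code from the original answer: it wraps the same KeyManagerFactory result, prints the key types and issuer DNs from the server's CertificateRequest, and when no alias is chosen it compares every candidate alias's chain against the issuers the server listed, which is the usual reason no certificate gets sent and the server answers 403. The class name DiagnosingKeyManager and the forcedAlias parameter are this example's own; forcedAlias, when set, bypasses the platform's issuer matching and always presents that keystore entry.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.x500.X500Principal;

// Added example (not the original answer's code). Wraps the platform X509KeyManager,
// logs what the server asked for, and explains why no client certificate was selected.
public final class DiagnosingKeyManager implements X509KeyManager {

    private final X509KeyManager delegate;
    private final String forcedAlias;  // assumption of this example: null = let the platform choose

    public DiagnosingKeyManager(X509KeyManager delegate, String forcedAlias) {
        this.delegate = delegate;
        this.forcedAlias = forcedAlias;
    }

    // Build the platform key manager from the in-memory KeyStore (the P12 entry) and wrap it.
    public static DiagnosingKeyManager wrap(KeyStore keyStore, char[] password, String forcedAlias) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        return new DiagnosingKeyManager((X509KeyManager) kmf.getKeyManagers()[0], forcedAlias);
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        // keyTypes and issuers are exactly what the server put in its TLS CertificateRequest.
        log("server accepts key types " + Arrays.toString(keyTypes));
        if (issuers == null || issuers.length == 0) {
            log("server sent an empty CA list: any client certificate is acceptable at the TLS layer");
        } else {
            for (Principal p : issuers) log("server accepts certificates issued by " + p.getName());
        }
        String alias = forcedAlias != null ? forcedAlias
                                           : delegate.chooseClientAlias(keyTypes, issuers, socket);
        if (alias == null) {
            log("no alias selected: no client certificate will be sent (expect 403 or handshake_failure)");
            explainMismatch(keyTypes, issuers);
        } else {
            describe(alias);
        }
        return alias;
    }

    // Why the platform key manager returned null: for each candidate alias of an accepted key type,
    // compare the issuer DN of every certificate in its chain with the DNs the server listed.
    private void explainMismatch(String[] keyTypes, Principal[] issuers) {
        Principal[] wantedIssuers = issuers == null ? new Principal[0] : issuers;
        for (String keyType : keyTypes) {
            String[] candidates = delegate.getClientAliases(keyType, null); // null issuers = all aliases of this type
            if (candidates == null || candidates.length == 0) { log("keystore has no " + keyType + " key entry"); continue; }
            for (String alias : candidates) {
                describe(alias);
                X509Certificate[] chain = delegate.getCertificateChain(alias);
                if (chain == null) continue;
                boolean match = false;
                for (X509Certificate cert : chain) {
                    X500Principal issuer = cert.getIssuerX500Principal();
                    for (Principal wanted : wantedIssuers) if (issuer.equals(wanted)) match = true;
                }
                log("alias '" + alias + "' " + (match ? "does" : "does NOT") + " chain to a CA the server listed"
                        + (chain.length == 1 ? " (entry holds only the leaf; store the issuing CA with it)" : ""));
            }
        }
    }

    private void describe(String alias) {
        X509Certificate[] chain = delegate.getCertificateChain(alias);
        PrivateKey key = delegate.getPrivateKey(alias);
        log("alias '" + alias + "': private key " + (key == null ? "MISSING" : key.getAlgorithm())
                + ", chain length " + (chain == null ? 0 : chain.length));
        if (chain != null) for (X509Certificate c : chain)
            log("  subject=" + c.getSubjectX500Principal().getName() + " issuer=" + c.getIssuerX500Principal().getName());
    }

    // Plain delegation for the rest of the interface.
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    private static void log(String msg) {
        System.out.println("[DiagnosingKeyManager] " + msg); // on Android replace with Log.d(TAG, msg)
    }
}
```

Plug it in with sslCtx.init(new KeyManager[]{DiagnosingKeyManager.wrap(keyStore, password, null)}, tmf.getTrustManagers(), null) and read the log for one handshake. If the chain logged for your alias has length 1 and the server lists only its root, the platform manager finds no issuer match and sends nothing; storing the CA certificates from the P7B in the same KeyStore entry as the private key fixes that. Use forcedAlias only to confirm the diagnosis or for a server that sends an empty CA list: forcing a certificate the server's list does not cover gets it sent but still rejected, just with a clearer error on the server side.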
