0

我正在尝试使用相同的 keystore 连接客户端和服务器。客户端套接字可以获得对等证书,而服务器套接字无法获得对等证书但端口。获取证书失败,报SSLPeerUnverifiedException异常。修改后的问题困扰了我好几天,请帮忙解决,谢谢

我的安卓代码如下:

客户:

    java.security.Security.addProvider(
        new org.bouncycastle.jce.provider.BouncyCastleProvider());

SSLContext sslcontext = SSLContext.getInstance("TLS");
           sslcontext.init(getKeyManagers(), {new DummyTrustManager()}, null);
SocketFactory socketFactory = sslcontext.getSocketFactory();

SSLSocket socket = (SSLSocket) socketFactory.createSocket("127.0.0.1", 8080); 
socket.getSession().getLocalCertificates();
socket.getSession().getPeerHost();
socket.getSession().getPeerPort();
socket.getSession().getPeerCertificates();`

服务器:

    SSLContext sslcontext = SSLContext.getInstance("TLS");
    sslcontext.init(getKeyManagers(), {new DummyTrustManager()}, null);
ServerSocketFactory   mFactory = sslcontext.getServerSocketFactory();
ServerSocket serverSocket =mFactory.createServerSocket(8080);
SSLSocket clientSocket = serverSocket.accept();
socket.getSession().getLocalCertificates();
socket.getSession().getPeerHost();
socket.getSession().getPeerPort();
socket.getSession().getPeerCertificates();`

信任管理器:</p>

import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
public class DummyTrustManager implements X509TrustManager {
  public void checkClientTrusted(X509Certificate[] chain, String authType) {
    // Does not throw CertificateException: all chains trusted
    return;
  }
  public void checkServerTrusted(X509Certificate[] chain, String authType) {
    // Does not throw CertificateException: all chains trusted
    return;
  }
  public X509Certificate[] getAcceptedIssuers() {
    return new X509Certificate[0];
  }
}

密钥库:</p>

public void initializeKeyStore(String id) {
try {
  Log.v(LOG_TAG, "Generating key pair ...");
  KeyPairGenerator kg = KeyPairGenerator.getInstance("RSA");
  KeyPair keyPair = kg.generateKeyPair();


  Log.v(LOG_TAG, "Generating certificate ...");
  String name = getCertificateName(id);
  X509Certificate cert = SslUtil.generateX509V3Certificate(keyPair, name);
  Certificate[] chain = {cert};


  Log.v(LOG_TAG, "Adding key to keystore  ...");
  mKeyStore.setKeyEntry(
      LOCAL_IDENTITY_ALIAS, keyPair.getPrivate(), null, chain);


  Log.d(LOG_TAG, "Key added!");
} catch (GeneralSecurityException e) {
  throw new IllegalStateException("Unable to create identity KeyStore", e);
}
store(mKeyStore);}




public synchronized KeyManager[] getKeyManagers()
  throws GeneralSecurityException {
if (mKeyStore == null) {
  throw new NullPointerException("null mKeyStore");
}
KeyManagerFactory factory =
    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
factory.init(mKeyStore, "".toCharArray());
return factory.getKeyManagers();

}

证书:</p>

public static X509Certificate generateX509V3Certificate(KeyPair pair,
  String name) throws GeneralSecurityException {
Calendar calendar = Calendar.getInstance();
calendar.set(2009, 0, 1);
Date notBefore  = new Date(calendar.getTimeInMillis());
calendar.set(2099, 0, 1);
Date notAfter = new Date(calendar.getTimeInMillis());

BigInteger serialNumber = BigInteger.valueOf(Math.abs(
    System.currentTimeMillis()));

return generateX509V3Certificate(pair, name, notBefore, notAfter,
    serialNumber);

}

public static X509Certificate generateX509V3Certificate(KeyPair pair,
  String name, Date notBefore, Date notAfter, BigInteger serialNumber)
    throws GeneralSecurityException {
java.security.Security.addProvider(
    new org.bouncycastle.jce.provider.BouncyCastleProvider());
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
X509Name dnName = new X509Name(name);

certGen.setSerialNumber(serialNumber);
certGen.setIssuerDN(dnName);
certGen.setSubjectDN(dnName);   // note: same as issuer
certGen.setNotBefore(notBefore);
certGen.setNotAfter(notAfter);
certGen.setPublicKey(pair.getPublic());
certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");


certGen.addExtension(X509Extensions.BasicConstraints, true,
    new BasicConstraints(false));

certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature
    | KeyUsage.keyEncipherment | KeyUsage.keyCertSign));
certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(
    KeyPurposeId.id_kp_serverAuth));


AuthorityKeyIdentifier authIdentifier = createAuthorityKeyIdentifier(
    pair.getPublic(), dnName, serialNumber);

certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, true,
    authIdentifier);
certGen.addExtension(X509Extensions.SubjectKeyIdentifier, true,
    new SubjectKeyIdentifierStructure(pair.getPublic()));


certGen.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(
    new GeneralName(GeneralName.rfc822Name, "googletv@test.test")));


// This method is deprecated, but Android Eclair does not provide the 
// generate() methods.
X509Certificate cert = certGen.generateX509Certificate(pair.getPrivate(), "BC");
return cert;

}

enter code here
4

2 回答 2

0

您可能需要调用SSLServerSocket.setNeedClientAuth()以使服务器端需要客户端身份验证。然后客户端将发送其证书,您应该可以使用getPeerCertificates().

参考:

http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setNeedClientAuth%28boolean%29

于 2012-04-04T07:14:02.953 回答
0

我正在尝试使用相同的密钥库连接客户端和服务器

这只是一个有效的做法,客户端实体和服务器实体实际上是同一个法律实体。

如果不是这样,那你肯定是完全找错了树,这会产生非常深远的法律后果。我建议您在继续之前寻求商业/法律方面的建议。

于 2012-04-04T09:39:27.483 回答