
Android version:

    import java.security.KeyStore;
    import java.security.SecureRandom;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // ctx is the Android Context; the client certificate and key ship as an app asset
    final SSLContext context = SSLContext.getInstance("TLS");
    final KeyStore keystore = KeyStore.getInstance("PKCS12");
    keystore.load(ctx.getAssets().open("ca_cli.pkcs12"), "password".toCharArray());
    final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keystore, "password".toCharArray());
    // NOTE: this TrustManager performs no checks, so every server certificate is accepted
    context.init(keyManagerFactory.getKeyManagers(), new TrustManager[] { new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[] {}; }

        @Override
        public void checkClientTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
            // no validation performed
        }

        @Override
        public void checkServerTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
            // no validation performed
        }
    } }, new SecureRandom());

JVM version:

    import java.io.File;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.X509TrustManager;

    // same setup, but the client certificate and key are read from a file on disk
    final SSLContext context = SSLContext.getInstance("TLS");
    final KeyStore keystore = KeyStore.getInstance("pkcs12");
    keystore.load(new FileInputStream(new File("ca-cli.pkcs12")), "password".toCharArray());
    final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keystore, "password".toCharArray());
    // NOTE: this TrustManager performs no checks, so every server certificate is accepted
    context.init(keyManagerFactory.getKeyManagers(), new TrustManager[] {
      new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[]{}; }
        @Override
        public void checkClientTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
          // no validation performed
        }
        @Override
        public void checkServerTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
          // no validation performed
        }
      }
    }, new SecureRandom());

The code is almost identical, but the JVM version works fine while the Android version produces:

    09-16 12:24:17.024: E/AuthByPasswordLoader(14580): Got unexpected error
    09-16 12:24:17.024: E/AuthByPasswordLoader(14580):
      javax.net.ssl.SSLHandshakeException:
      javax.net.ssl.SSLProtocolException: SSL handshake terminated:
      ssl=0x656b0148: Failure in SSL library, usually a protocol error
    09-16 12:24:17.024: E/AuthByPasswordLoader(14580): error:14094410:SSL
      routines:SSL3_READ_BYTES:sslv3 alert handshake failure
      (external/openssl/ssl/s3_pkt.c:1290 0x40086500:0x00000003)

I tried converting PKCS12 -> BKS, but it didn't help...


1 Answer


So, in case anyone runs into the same problem: it turned out to be a bug that was introduced in Android 3.0.

Quoting Kenny Root (Android security discussion thread):

Thanks, it looks like a bug introduced in Android 3.0. It requires the client key type to have the same CA type. You're seeing this because your client certificate is RSA while the CA is EC.

You can work around this bug for your case by wrapping the KeyManager and intercepting calls to chooseClientAlias to add "RSA_EC" to keyTypes.

If you're interested in the specific fix in a future version: https://android-review.googlesource.com/66581

Answered 2015-03-08T16:37:54.560