1

我有一个应用程序连接到本地 ip 网络中的服务器。此连接使用自定义证书进行 TLS 加密。按照这一方面的指南,我使它在所有 android 版本下工作,直到 android 7。遗憾的是,自从 Android 7 它不再工作。请问有人知道为什么这不再起作用了吗?

我找到了这篇文章并包含了一个带有以下代码的网络配置文件(我知道这可能不安全,但首先这必须工作......):

<network-security-config>  
  <base-config>  
       <trust-anchors>  
            <!-- Only trust the CAs included with the app  
             for connections to internal.example.com -->
            <certificates src="@raw/ca_cert" />
            <certificates src="system"/>
       </trust-anchors>
  </base-config>  
</network-security-config>

可悲的是它仍然无法正常工作。我还在清单中将其添加为android:networkSecurityConfig="@xml/network_security_config".

我得到的例外(仅限Android 7+)!

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

这是初始化我的 SSL 上下文的代码

// Step 1: Initialize a ssl context with highest version
ssl_ctx = SSLContext.getInstance("TLSv1.2");

// Step 2: Add certificates to context

// Step 2.1 get private key
int pkeyId = context.getResources().getIdentifier("raw/clientkeypkcs", null, context.getPackageName());
InputStream fis = context.getResources().openRawResource(pkeyId);
DataInputStream dis = new DataInputStream(fis);
byte[] bytes = new byte[dis.available()];
dis.readFully(bytes);
ByteArrayInputStream bais = new ByteArrayInputStream(bytes);
byte[] key = new byte[bais.available()];
KeyFactory kf = KeyFactory.getInstance("RSA");
bais.read(key, 0, bais.available());
bais.close();           
PKCS8EncodedKeySpec keysp = new PKCS8EncodedKeySpec ( key );
PrivateKey ff = kf.generatePrivate (keysp);

//Step 2.2 get certificates
int caresId = context.getResources().getIdentifier("raw/ca_cert", null, context.getPackageName());            
InputStream caCertIS = context.getResources().openRawResource(caresId);
CertificateFactory cacf = CertificateFactory.getInstance("X.509");
X509Certificate caCert = (X509Certificate)cacf.generateCertificate(caCertIS);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null); // You don't need the KeyStore instance to come from a file.
ks.setCertificateEntry("caCert", caCert);
tmf.init(ks);

int clientresId = context.getResources().getIdentifier("raw/client_cert", null, context.getPackageName());            
InputStream clientCertIS = context.getResources().openRawResource(clientresId);
CertificateFactory clientcf = CertificateFactory.getInstance("X.509");
X509Certificate clientCert = (X509Certificate)clientcf.generateCertificate(clientCertIS);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
ks.setCertificateEntry("clientCert", clientCert);
kmf.init(ks, "***********".toCharArray());
Certificate[] chain = new Certificate[] { clientCert};
//ks.load(null); // You don't need the KeyStore instance to come from a file.
ks.setKeyEntry("importkey", ff, "***********".toCharArray(), chain );           

ssl_ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
4

2 回答 2

1

您可能缺少用户证书:

<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <certificates src="system" />
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
于 2019-09-06T11:08:11.540 回答
0

我在 Android Oreo 设备上遇到了同样的问题

javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

出于其他测试目的,其到期设备日期设置为旧日期。我从来不知道这会导致这种SSLHandshakeException问题。经过一番挣扎,我只是将设备日期设置回当前日期。解决了这个问题。:D

我认为您的情况可能有所不同,需要以其他方式处理。但我刚刚发布了这个答案,以防万一它可能对某人有所帮助。

于 2018-09-28T12:12:36.627 回答