I'm developing a simple Android app that sends an HTTP POST with a JSON body to a web server.
To improve security, I need to send it over HTTPS, so I set up an Nginx server with a self-signed certificate.
To improve security further, I added a client certificate to the Android app's requests and the corresponding client-authentication configuration to the Nginx server.
Then I created a JKS file containing the client and server public certificates. When I inspect its contents with keytool I get the following (I just replaced some private information with XXXX). As I expected, it shows 2 entries, which I think both look fine.
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: XXXXXXXXXXX
Creation date: Jun 4, 2020
Entry type: trustedCertEntry
Owner: EMAILADDRESS=XXX, CN=XXX, OU=XX, O=XX, L=XX, ST=XX, C=XX
Issuer: EMAILADDRESS=XX, CN=XXX, O=XX, L=XX, ST=XX, C=XX
Serial number: xxxx
Valid from: Fri May 29 23:01:01 CEST 2020 until: Mon May 27 23:01:01 CEST 2030
Certificate fingerprints:
MD5: D3:51:13:47:03:2E:54:98:DF:F2:9F:19:89:4A:8B:A0
SHA1: 7F:DF:89:73:94:95:9E:7C:CA:D9:98:C5:EC:FB:DF:B5:88:A1:B9:30
SHA256: F3:A5:77:B4:05:73:51:28:B8:85:E3:34:4C:06:A5:BB:C1:E5:A7:04:BE:C1:01:0D:1E:6D:12:E1:9D:E5:FE:4D
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 9C 2D 56 D4 23 4B 1A DC 7D 82 40 58 F4 37 56 41 .-V.#K..}.@X.7VA
0010: 5B 0F 62 4B [.bK
]
]
#2: ObjectId: 2.5.29.19 Criticality=false
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 9C 2D 56 D4 23 4B 1A DC 7D 82 40 58 F4 37 56 41 .-V.#K..}.@X.7VA
0010: 5B 0F 62 4B [.bK
]
]
*******************************************
*******************************************
Alias name: XXXX
Creation date: Jun 4, 2020
Entry type: trustedCertEntry
Owner: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Issuer: O=Internet Widgits Pty Ltd, ST=Some-State, C=AU
Serial number: 2241b7e2ab0f0463b237ce0e5580c56bd7b56371
Valid from: Fri May 29 13:43:14 CEST 2020 until: Mon May 27 13:43:14 CEST 2030
Certificate fingerprints:
MD5: 11:9D:F4:18:E0:B9:66:84:69:40:EC:74:D9:6C:AB:A4
SHA1: 63:3A:48:9E:2A:C8:46:81:AF:C2:EC:44:A6:86:52:17:3C:DC:1E:09
SHA256: 08:DB:6E:98:DC:C8:98:41:BD:A8:9A:F6:BA:A8:D2:FD:C2:92:BE:AA:43:E0:DD:FB:2C:3F:DB:97:CB:DF:63:A8
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 4096-bit RSA key
Version: 3
Extensions:
#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: BE 15 0C A7 09 23 45 B9 9A 67 A4 7E 61 6B A7 8A .....#E..g..ak..
0010: 3C 9F B0 37 <..7
]
]
#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]
#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: BE 15 0C A7 09 23 45 B9 9A 67 A4 7E 61 6B A7 8A .....#E..g..ak..
0010: 3C 9F B0 37 <..7
]
]
However, when I try to read the JKS from the Android app, it seems to read nothing. For example, no aliases are found.
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Enumeration;

protected void checkKeyStore(KeyStore keyStore) throws KeyStoreException {
    // Walk the entries of the store passed in (not a separate clientStore field)
    Enumeration<String> aliases = keyStore.aliases();
    while (aliases.hasMoreElements()) {
        String alias = aliases.nextElement();
        boolean isKeyEntry = keyStore.isKeyEntry(alias);          // entry with a private key
        boolean isCertEntry = keyStore.isCertificateEntry(alias); // trustedCertEntry
    }
}
The keystore is created and loaded from a file with the code below:
import android.content.SharedPreferences;
import android.net.Uri;
import android.os.ParcelFileDescriptor;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

protected KeyStore createKeyStore() throws IOException, GeneralSecurityException {
    // "PKCS12" is the declared store type; load() throws an IOException if the file is in another format
    KeyStore clientStore = KeyStore.getInstance("PKCS12");
    SharedPreferences prefs = getSharedPreferences(MY_PREFS_NAME, MODE_PRIVATE);
    String JKSUriToString = prefs.getString("JKSUriToString", "");
    Uri JKSUri = Uri.parse(JKSUriToString);
    // certPass is assumed to be a field holding the keystore password
    try (ParcelFileDescriptor pfd = getApplicationContext().getContentResolver().openFileDescriptor(JKSUri, "r");
         FileInputStream inputStream = new FileInputStream(pfd.getFileDescriptor())) {
        clientStore.load(inputStream, certPass.toCharArray());
    }
    return clientStore;
}
Any idea what I'm doing wrong? Thanks in advance.
The problem was that I created the wrong keystore type. I didn't see it because I had missed an exception... :( My mistake.
The exception said "keystore is not a PKCS12 keystore", which is correct. Instead of generating the keystore like this:
keytool -import -keystore keystore.jks -storepass XXXX -noprompt -alias alias1 -file cacert.pem
I should have used the PKCS12 parameter:
keytool -storetype PKCS12 -import -keystore keystore.jks -storepass xXXX -noprompt -alias alias1 -file cacert.pem
I'm leaving the question and answer here in case it's useful to anyone.
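As an added example (not code from the question or the answer), the desktop-JVM check below loads a keystore file under both declared types, prints the load error the wrong type produces instead of swallowing it, and reports whether each entry carries a private key; the file path and password are assumed. Both entries in the keytool listing above are trustedCertEntry, so a store like that works as a trust store but holds no key for TLS client authentication; it is run on the desktop because Android ships no JKS provider, which is why the app needs PKCS12.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Enumeration;

public class KeyStoreCheck {

    // Load the file as the declared type. Returns null and prints the reason on failure, so a
    // wrong type is visible instead of being missed (the situation described in the question).
    static KeyStore tryLoad(String path, String type, char[] password) {
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            KeyStore ks = KeyStore.getInstance(type);   // KeyStoreException if the type is unsupported
            ks.load(in, password);                       // IOException if the bytes are not this format
            return ks;
        } catch (IOException | GeneralSecurityException e) {
            System.out.println(type + ": load failed: " + e);
            return null;
        }
    }

    // Report each alias. TLS client authentication needs a PrivateKeyEntry; a store holding only
    // trustedCertEntry items (as in the keytool listing above) can serve as a trust store only.
    static int describe(KeyStore ks) throws KeyStoreException {
        int privateKeys = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            boolean isKey = ks.isKeyEntry(alias);
            if (isKey) privateKeys++;
            System.out.printf("%-24s %s%n", alias, isKey ? "PrivateKeyEntry" : "trustedCertEntry");
        }
        if (privateKeys == 0) System.out.println("no private key entry: trust store only, not usable for client auth");
        return privateKeys;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "keystore.jks";            // assumed path
        char[] pw = (args.length > 1 ? args[1] : "changeit").toCharArray();  // assumed password
        for (String type : new String[] {"PKCS12", "JKS"}) {
            KeyStore ks = tryLoad(path, type, pw);
            if (ks != null) { System.out.println("loaded as " + type); describe(ks); }
        }
    }
}
```

On JDK 9 and later the JKS type also reads PKCS12 files, so a PKCS12 file may load under both names, while a JKS file loads only under JKS.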