我正在尝试从我的应用程序到内部服务器建立SSL连接。我下载了包含所有必需的证书和CA的PKCS12文件。然后,将其加载到用于进行SSL调用的密钥库中。
[当我进行SSL呼叫时,出现以下异常:java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
查看android dev website,似乎是由于未知的证书颁发机构。
到目前为止是我的代码:
private void testConnect(String base64Pkcs) {
KeyStore keyStore;
SSLContext sslContext = null;
TrustManager trustManager = null;
try {
keyStore = KeyStore.getInstance("PKCS12");
writeFile(base64Pkcs);
if (keyStore != null) {
keyStore.load(readFile(), DEBUG_CERT_PWD.toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, DEBUG_CERT_PWD.toCharArray());
KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
sslContext = SSLContext.getInstance("TLS");
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
trustManagerFactory.init(keyStore);
sslContext.init(keyManagers, trustManagerFactory.getTrustManagers(), null);
trustManager = trustManagerFactory.getTrustManagers()[0];
OkHttpClient client = new OkHttpClient.Builder()
.sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustManager)
.build();
final Request request = new Request.Builder().url(getApplication().getString(R.string.https_test_endpoint_url)).build();
client.newCall(request).enqueue(new Callback() {
@Override
public void onFailure(Call call, IOException e) {
Log.e(TAG, "Error while calling the test secure endpoint", e);
}
@Override
public void onResponse(Call call, Response response) throws IOException {
Log.d(TAG, response.message());
if (response.body() != null) {
Log.d(TAG, response.body().string());
}
}
});
}
} catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | UnrecoverableKeyException | KeyManagementException e) {
//TODO: Handle exceptions
Log.wtf(TAG, e);
}
}
我可以使用openSSL从PKCS12文件中手动提取CA,将其放入我的应用程序资源中,然后使用以下方式加载它,从而使连接正常工作:
openssl pkcs12 -in tls.pkcs -cacerts -nokeys -chain -out tls.trust - password pass:mydevpassword`
keyStore.setCertificateEntry("ca", myCaCert);`
我的问题是,我无法从应用程序中使用openSSL来导出CA并将其以编程方式加载到密钥库中。有什么方法可以做,还是我不得不在应用程序资产中包括CA?
您是否没有在清单中设置networkSecurityConfig的问题?