从Android上的PKCS12导出证书颁发机构

问题描述 投票:0回答:1

我正在尝试从我的应用程序到内部服务器建立SSL连接。我下载了包含所有必需的证书和CA的PKCS12文件。然后,将其加载到用于进行SSL调用的密钥库中。

[当我进行SSL呼叫时,出现以下异常:java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.

查看android dev website,似乎是由于未知的证书颁发机构。

到目前为止是我的代码:

private void testConnect(String base64Pkcs) {
    KeyStore keyStore;
    SSLContext sslContext = null;
    TrustManager trustManager = null;
    try {
        keyStore = KeyStore.getInstance("PKCS12");
        writeFile(base64Pkcs);
        if (keyStore != null) {
            keyStore.load(readFile(), DEBUG_CERT_PWD.toCharArray());

            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, DEBUG_CERT_PWD.toCharArray());
            KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

            sslContext = SSLContext.getInstance("TLS");
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
            trustManagerFactory.init(keyStore);
            sslContext.init(keyManagers, trustManagerFactory.getTrustManagers(), null);
            trustManager = trustManagerFactory.getTrustManagers()[0];

            OkHttpClient client = new OkHttpClient.Builder()
                    .sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) trustManager)
                    .build();

            final Request request = new Request.Builder().url(getApplication().getString(R.string.https_test_endpoint_url)).build();

            client.newCall(request).enqueue(new Callback() {
                @Override
                public void onFailure(Call call, IOException e) {
                    Log.e(TAG, "Error while calling the test secure endpoint", e);
                }

                @Override
                public void onResponse(Call call, Response response) throws IOException {
                    Log.d(TAG, response.message());
                    if (response.body() != null) {
                        Log.d(TAG, response.body().string());
                    }
                }
            });
        }
    } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | UnrecoverableKeyException | KeyManagementException e) {
        //TODO: Handle exceptions
        Log.wtf(TAG, e);
    }
}

我可以使用openSSL从PKCS12文件中手动提取CA,将其放入我的应用程序资源中,然后使用以下方式加载它,从而使连接正常工作:

openssl pkcs12 -in tls.pkcs -cacerts -nokeys -chain -out tls.trust - password pass:mydevpassword`
keyStore.setCertificateEntry("ca", myCaCert);`

我的问题是,我无法从应用程序中使用openSSL来导出CA并将其以编程方式加载到密钥库中。有什么方法可以做,还是我不得不在应用程序资产中包括CA?

java android keystore pkcs#12 boringssl
1个回答
0
投票

您是否没有在清单中设置networkSecurityConfig的问题?

https://stackoverflow.com/a/60102517/114265

最新问题
© www.soinside.com 2019 - 2024. All rights reserved.