【发布时间】:2016-06-09 22:36:19
【问题描述】:
使用 X509TrustManager 检查服务器是否受信任时收到异常错误。我遵循了开发者的指示:https://developer.android.com/training/articles/security-ssl.html#UnknownCa
我正在尝试获取本地存储在我的应用程序中的证书,并将该证书与我提出的每个 Volley API 请求一起使用,以首先确认该证书是否受信任(已验证)。我从 GoDaddy 下载了证书并添加到我的项目中:https://certs.godaddy.com/repository/。我得到的确切错误如下:
06-09 15:01:20.509 10599-11180/com.app.debug W/System.err: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:324)
06-09 15:01:20.519 10599-11070/com.app.debug I/System.out: (HTTPLog)-Static: isSBSettingEnabled false
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:215)
06-09 15:01:20.519 10599-11070/com.app.debug I/System.out: (HTTPLog)-Static: isSBSettingEnabled false
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.udi.app.framework.net.VolleyClient$3.checkServerTrusted(SourceFile:170)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:117)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.verifyCertificateChain(OpenSSLSocketImpl.java:643)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:353)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.internal.http.SocketConnector.connectTls(SocketConnector.java:212)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.Connection.connect(Connection.java:1322)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.Connection.connectAndSetOwner(Connection.java:1410)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.OkHttpClient$1.connectAndSetOwner(OkHttpClient.java:128)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.internal.http.HttpEngine.nextConnection(HttpEngine.java:466)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:447)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:353)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:468)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:410)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponseCode(HttpURLConnectionImpl.java:532)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getResponseCode(DelegatingHttpsURLConnection.java:105)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getResponseCode(HttpsURLConnectionImpl.java:25)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.volley.toolbox.HurlStack.performRequest(SourceFile:109)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.volley.toolbox.BasicNetwork.performRequest(SourceFile:93)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: at com.android.volley.NetworkDispatcher.run(SourceFile:105)
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
06-09 15:01:20.519 10599-11180/com.app.debug W/System.err: ... 22 more
我有一个名为“VolleyClient”的类,它管理我通过 Volley 发出的所有请求。这是我的实现。我首先通过 Volley 请求队列传入一个 HurlStack 对象。
HurlStack hurlStack = new HurlStack() {
@Override
protected HttpURLConnection createConnection(URL url) throws IOException {
HttpsURLConnection httpsURLConnection = (HttpsURLConnection) super.createConnection(url);
try {
httpsURLConnection.setSSLSocketFactory(getSSLSocketFactory());
httpsURLConnection.setHostnameVerifier(getHostnameVerifier());
} catch (Exception e) {
e.printStackTrace();
}
return httpsURLConnection;
}
};
RequestQueue mRequestQueue = Volley.newRequestQueue(mContext.getApplicationContext(), hurlStack);
我有一个主机名验证器
/**
* This is used to verify local host. Let's assume the app is hosted inside of a server
* machine which has a server certificate in which "Issued to" is "localhost", then
* this method will verify "localhost". If not, can temporarily return true
* @return
*/
private HostnameVerifier getHostnameVerifier() {
return new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
//return true;
HostnameVerifier hv = HttpsURLConnection.getDefaultHostnameVerifier();
return hv.verify("localhost", session);
}
};
}
private SSLSocketFactory getSSLSocketFactory()
throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException, KeyManagementException {
InputStream caInput = mContext.getResources().openRawResource(R.raw.gdig2); // this certificate file stored in \app\src\main\res\raw folder path
// From https://www.washington.edu/itconnect/security/ca/load-der.crt
//InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
CertificateFactory cf = null;
Certificate ca = null;
try {
cf = CertificateFactory.getInstance("X.509", "BC");
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} catch (NoSuchProviderException e) {
e.printStackTrace();
} finally {
caInput.close();
}
caInput.close();
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType); //KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
TrustManager[] wrappedTrustManagers = getWrappedTrustManagers(tmf.getTrustManagers());
// Create an SSLContext that uses our TrustManager
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, wrappedTrustManagers, null);
return sslContext.getSocketFactory();
}
private TrustManager[] getWrappedTrustManagers(TrustManager[] trustManagers) {
final X509TrustManager originalTrustManager = (X509TrustManager) trustManagers[0];
return new TrustManager[]{
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return originalTrustManager.getAcceptedIssuers();
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
try {
originalTrustManager.checkClientTrusted(certs, authType);
} catch (CertificateException e) {
e.printStackTrace();
}
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
try {
originalTrustManager.checkServerTrusted(certs, authType);
} catch (CertificateException e) {
// THIS IS THE EXCEPTION I GET WITH EACH REQUEST MADE
e.printStackTrace();
}
}
}
};
}
提前致谢!
编辑:调用 Google 时会发生此异常,因为我使用的是 google 地图。此调用不使用来自我的服务器的已验证证书,因此会导致未找到证书路径的信任锚异常。
我可以通过始终返回 true 来规避这种情况,但这是否正确?我应该返回我的服务器的域吗?
private HostnameVerifier getHostnameVerifier() {
return new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
// instead should I return back hv.verify("https:myserver.com", session);
return true;
}
};
}
【问题讨论】:
-
请在stackoverflow.com/questions/32673568/…使用我的新更新答案
-
另外,如果您在Android中使用的证书与Web服务中的证书相同,那么您可以使用“tmf.getTrustManagers”而不是getWrapp...
-
@BNK 您的答案与我实施的非常相似,但是,我仍然不确定要返回什么主机名。您评论说“验证始终返回 true,由于信任 TLS/SSL 服务器证书以获取错误的主机名,这可能会导致不安全的网络流量”。这是否意味着我应该指定我的服务器主机名?
-
HostnameVerifier 不会导致异常“信任锚...”,我认为。它用于“java.io.IOException: Hostname 'example.com' was not verifyed”,如 Google 文档中所述
-
请告诉我如果您使用 verify(...) 而不是“return true”,logcat 中是否有任何错误?
标签: android ssl android-volley x509certificate