android - 服务器中没有客户端证书的 SSLPeerUnverifiedException

标签 android ssl

我正在尝试使用相同的 keystore 连接客户端和服务器。 客户端套接字可以获得对等证书,而服务器套接字无法获得对等证书但端口。 获取证书失败,报SSLPeerUnverifiedException异常。 修改问题困扰了我好几天,请帮忙解决,谢谢

我的android代码如下:

客户:

    java.security.Security.addProvider(
        new org.bouncycastle.jce.provider.BouncyCastleProvider());

SSLContext sslcontext = SSLContext.getInstance("TLS");
           sslcontext.init(getKeyManagers(), {new DummyTrustManager()}, null);
SocketFactory socketFactory = sslcontext.getSocketFactory();

SSLSocket socket = (SSLSocket) socketFactory.createSocket("127.0.0.1", 8080); 
socket.getSession().getLocalCertificates();
socket.getSession().getPeerHost();
socket.getSession().getPeerPort();
socket.getSession().getPeerCertificates();`

服务器:

    SSLContext sslcontext = SSLContext.getInstance("TLS");
    sslcontext.init(getKeyManagers(), {new DummyTrustManager()}, null);
ServerSocketFactory   mFactory = sslcontext.getServerSocketFactory();
ServerSocket serverSocket =mFactory.createServerSocket(8080);
SSLSocket clientSocket = serverSocket.accept();
socket.getSession().getLocalCertificates();
socket.getSession().getPeerHost();
socket.getSession().getPeerPort();
socket.getSession().getPeerCertificates();`

信任管理器:

import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;
public class DummyTrustManager implements X509TrustManager {
  public void checkClientTrusted(X509Certificate[] chain, String authType) {
    // Does not throw CertificateException: all chains trusted
    return;
  }
  public void checkServerTrusted(X509Certificate[] chain, String authType) {
    // Does not throw CertificateException: all chains trusted
    return;
  }
  public X509Certificate[] getAcceptedIssuers() {
    return new X509Certificate[0];
  }
}

keystore :

public void initializeKeyStore(String id) {
try {
  Log.v(LOG_TAG, "Generating key pair ...");
  KeyPairGenerator kg = KeyPairGenerator.getInstance("RSA");
  KeyPair keyPair = kg.generateKeyPair();


  Log.v(LOG_TAG, "Generating certificate ...");
  String name = getCertificateName(id);
  X509Certificate cert = SslUtil.generateX509V3Certificate(keyPair, name);
  Certificate[] chain = {cert};


  Log.v(LOG_TAG, "Adding key to keystore  ...");
  mKeyStore.setKeyEntry(
      LOCAL_IDENTITY_ALIAS, keyPair.getPrivate(), null, chain);


  Log.d(LOG_TAG, "Key added!");
} catch (GeneralSecurityException e) {
  throw new IllegalStateException("Unable to create identity KeyStore", e);
}
store(mKeyStore);}




public synchronized KeyManager[] getKeyManagers()
  throws GeneralSecurityException {
if (mKeyStore == null) {
  throw new NullPointerException("null mKeyStore");
}
KeyManagerFactory factory =
    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
factory.init(mKeyStore, "".toCharArray());
return factory.getKeyManagers();

证书:

public static X509Certificate generateX509V3Certificate(KeyPair pair,
  String name) throws GeneralSecurityException {
Calendar calendar = Calendar.getInstance();
calendar.set(2009, 0, 1);
Date notBefore  = new Date(calendar.getTimeInMillis());
calendar.set(2099, 0, 1);
Date notAfter = new Date(calendar.getTimeInMillis());

BigInteger serialNumber = BigInteger.valueOf(Math.abs(
    System.currentTimeMillis()));

return generateX509V3Certificate(pair, name, notBefore, notAfter,
    serialNumber);


public static X509Certificate generateX509V3Certificate(KeyPair pair,
  String name, Date notBefore, Date notAfter, BigInteger serialNumber)
    throws GeneralSecurityException {
java.security.Security.addProvider(
    new org.bouncycastle.jce.provider.BouncyCastleProvider());
X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();
X509Name dnName = new X509Name(name);

certGen.setSerialNumber(serialNumber);
certGen.setIssuerDN(dnName);
certGen.setSubjectDN(dnName);   // note: same as issuer
certGen.setNotBefore(notBefore);
certGen.setNotAfter(notAfter);
certGen.setPublicKey(pair.getPublic());
certGen.setSignatureAlgorithm("SHA256WithRSAEncryption");


certGen.addExtension(X509Extensions.BasicConstraints, true,
    new BasicConstraints(false));

certGen.addExtension(X509Extensions.KeyUsage, true, new KeyUsage(KeyUsage.digitalSignature
    | KeyUsage.keyEncipherment | KeyUsage.keyCertSign));
certGen.addExtension(X509Extensions.ExtendedKeyUsage, true, new ExtendedKeyUsage(
    KeyPurposeId.id_kp_serverAuth));


AuthorityKeyIdentifier authIdentifier = createAuthorityKeyIdentifier(
    pair.getPublic(), dnName, serialNumber);

certGen.addExtension(X509Extensions.AuthorityKeyIdentifier, true,
    authIdentifier);
certGen.addExtension(X509Extensions.SubjectKeyIdentifier, true,
    new SubjectKeyIdentifierStructure(pair.getPublic()));


certGen.addExtension(X509Extensions.SubjectAlternativeName, false, new GeneralNames(
    new GeneralName(GeneralName.rfc822Name, "googletv@test.test")));


// This method is deprecated, but Android Eclair does not provide the 
// generate() methods.
X509Certificate cert = certGen.generateX509Certificate(pair.getPrivate(), "BC");
return cert;


enter code here

最佳答案

您可能需要调用 SSLServerSocket.setNeedClientAuth() 让服务器端要求客户端身份验证。客户端随后将发送其证书,您应该能够使用 getPeerCertificates() 获取它。

引用:

http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/SSLServerSocket.html#setNeedClientAuth%28boolean%29

关于android - 服务器中没有客户端证书的 SSLPeerUnverifiedException,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/10006070/

上一篇:apache - 有人可以告诉我为什么这个 apache 配置会导致 404 错误吗?

下一篇:.htaccess - htaccess 与通配符 SSL

相关文章:

powershell - 有没有办法用我自己的根证书生成自签名证书(X509 v3 与主题备用名称)来替换 MakeCert.exe

c - 在 Linux 上使用 Easy Curl 通过 SSL 进行 FTP 上传

ios - iOS SDK 中的 MDM iPCU 配置文件安装失败

android - 修改位图非常慢...还有其他方法吗?

java - 如何在单击 TextView 中的文本链接时打开浏览器

android - 从android中的X509Certificate中提取组织名称

java - 浏览器如何请求 SSL 证书?

android - 过滤掉其他对象 - Android Open CV library

android - 即使 recyclerview 为空,工具栏仍可滚动

google-app-engine - Google Cloud Platform 续订 SSL 证书停止应用程序服务

©2024 IT工具网  联系我们