java 我有一个密钥库文件,如何在 Android 应用程序中为 sslContext 提供密钥管理器?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/28919797/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
I have a keystore file, how do I provide keyManagers to sslContext in Android app?
提问by Jaroslav Záruba
UPDATE: As for my original question, it turns out that call to java.security.KeyStore.getCertificate(alias) does actually return X509Certiciate. That wasn't the issue though.
更新:至于我最初的问题,事实证明对 java.security.KeyStore.getCertificate(alias) 的调用确实返回 X509Certiciate。但这不是问题。
(Bear with me please, I'm new to this certificate stuff.)
(请耐心等待,我是这个证书的新手。)
I managed to connect to my (self-signed) SSL-enabled server, as long as I don't require authenticated clients. When I do require clientAuth my app yields "routines:SSL3_READ_BYTES:sslv3 alert handshake failure (external/openssl/ssl/s3_pkt.c"...(also described here)... For some the cure was to switch from BKS to PKCS12, that did not work for me.
我设法连接到我的(自签名)启用 SSL 的服务器,只要我不需要经过身份验证的客户端。当我确实需要 clientAuth 时,我的应用程序会产生“routines:SSL3_READ_BYTES:sslv3 警报握手失败(external/openssl/ssl/s3_pkt.c”...(也在这里描述)...对于某些人来说,治愈方法是从 BKS 切换到 PKCS12 ,这对我不起作用。
So now I am trying to implement my own X509KeyManager(as suggested here), to hand it to sslContext.init([keyManager], trustManagers, null).
所以现在我正在尝试实现我自己的X509KeyManager(如这里建议的),将它交给sslContext.init([keyManager], trustManagers, null).
If I understand it correctly the sslContext will ask my keyManager(s) for either a certificate chain and/or a private key for a given alias. (Whenever it asks what alias to choose I provide my hard-coded one.)
如果我理解正确,sslContext 将向我的 keyManager(s) 询问证书链和/或给定别名的私钥。(每当它询问选择什么别名时,我都会提供我的硬编码。)
But according to the X509KeyManagerinterface I am supposed to return X509Certificate. How do I create one using the keystore?
但是根据X509KeyManager我应该返回的界面X509Certificate。如何使用密钥库创建一个?
回答by Tomik
You can use a KeyStorewith your client certificate for client authentication without explicitly creating a KeyManager. The code should be something like this:
您可以将 aKeyStore与您的客户端证书一起用于客户端身份验证,而无需显式创建KeyManager. 代码应该是这样的:
KeyStore keyStore = KeyStore.getInstance("BKS");
InputStream is = getResources().openRawResource(R.raw.client);
keyStore.load(is, "yourKeyStorePassword".toCharArray());
is.close();
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");
keyManagerFactory.init(keyStore, "yourKeyStorePassword".toCharArray());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagers, null);
Also make sure that your server trusts your client certificate.
还要确保您的服务器信任您的客户端证书。
