我在树莓派上搭建了一个简单的 Web API,它位于同一台树莓派上的 Nginx 服务器后面。我使用自签名客户端证书来验证 Android 应用程序的调用。这在过去完全正常运行,但最近在重新构建硬件后回到这个项目时,在我的 Pixel 2 上运行 Android 8.1 时,会出现以下异常:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:219)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:268)
...
我根据http://nategood.com/client-side-certificate-authentication-in-ngi生成了证书和密钥。
使用curl
测试没有问题。
我使用以下命令为应用程序创建了密钥库:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
我按照以下文章设置了Android客户端证书并连接到服务器:http://chariotsolutions.com/blog/post/https-with-client-certificates-on/
但是我使用了Kotlin和OkHttp进行了重写:
private const val SERVER = "https://my.server"
/**
* trustManagers is used to authorize the server's self-signed cert
*/
private val trustManagers by lazy {
val cert = CertificateFactory.getInstance("X.509")
.generateCertificate(appCtx.assets.open("ca.crt")) as X509Certificate
val trustStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
load(null, null)
setCertificateEntry(cert.subjectX500Principal.name, cert)
}
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).apply {
init(trustStore)
}.trustManagers
}
/**
* keyManagers is used to load the client-authentication cert
*/
private val keyManagers by lazy {
// assuming this can only be called after Application is created
val keyStore = KeyStore.getInstance("PKCS12").apply {
load(appCtx.assets.open("client.p12"), "".toCharArray())
}
KeyManagerFactory.getInstance("X509").apply {
init(keyStore, "".toCharArray())
}.keyManagers
}
/**
* sslContext for opening TLS connection to server
*/
private val sslContext by lazy {
SSLContext.getInstance("TLS").apply {
init(keyManagers, trustManagers, null)
}
}
/**
* pass an HTTPS request to server
*/
suspend fun request(url: String): ByteArray? {
return try {
val request = Request.Builder()
.url(url)
.build()
val client = OkHttpClient.Builder()
.sslSocketFactory(sslContext.socketFactory, trustManagers[0] as X509TrustManager)
.build()
client.newCall(request).await().body().byteStream().readBytes()
} catch (e: Exception) {
err(e) { "failed to send request" }
null
}
}
这个程序以前是可以工作的,但现在不行了。我花了一天半的时间寻找答案,并尝试了以下方法:
- 尝试使用HttpURLConnection而不是OkHttp。
- 尝试从头开始重新创建所有证书/密钥。
- 尝试使用新的“网络安全配置”:
<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
<base-config>
<trust-anchors>
<!-- 另外信任用户添加的CA -->
<certificates src="user" />
<certificates src="@raw/ca"/>
</trust-anchors>
</base-config>
</network-security-config>
我已经阅读了所有关于创建自定义信任管理器的示例,它们几乎都是相同的,甚至包括https://developer.android.com/training/articles/security-ssl.html#UnknownCa。
我尝试的每件事都产生了相同的异常,我错过了什么吗?