我正在尝试连接到运行godaddy 256位SSL证书的IIS6盒子,我收到错误:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
一直试图确定可能导致这种情况的原因,但现在正在绘制空白.
这是我如何连接:
HttpsURLConnection conn;
conn = (HttpsURLConnection) (new URL(mURL)).openConnection();
conn.setConnectTimeout(20000);
conn.setDoInput(true);
conn.setDoOutput(true);
conn.connect();
String tempString = toString(conn.getInputStream());
出于测试目的,我正在尝试将套接字工厂添加到我的okHttp客户端,该客户端在设置代理时信任所有内容.这已经完成了很多次,但是我对一个信任套接字工厂的实现似乎缺少了一些东西:
class TrustEveryoneManager implements X509TrustManager {
@Override
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { }
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { }
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
}
OkHttpClient client = new OkHttpClient();
final InetAddress ipAddress = InetAddress.getByName("XX.XXX.XXX.XXX"); // some IP
client.setProxy(new Proxy(Proxy.Type.HTTP, new InetSocketAddress(ipAddress, 8888)));
SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManager[] trustManagers = new TrustManager[]{new TrustEveryoneManager()};
sslContext.init(null, trustManagers, null);
client.setSslSocketFactory(sslContext.getSocketFactory);
没有请求从我的应用程序发出,并且没有异常被记录,因此它似乎在okHttp中无声地失败.经过进一步调查,似乎Connection.upgradeToTls()在强制握手时,okHttp中有一个异常被吞没.我得到的例外是:javax.net.ssl.SSLException: SSL handshake terminated: ssl=0x74b522b0: SSL_ERROR_ZERO_RETURN occurred. You …
我正在编写一个需要SSL客户端身份验证的Android应用.我知道如何为桌面Java应用程序创建JKS密钥库,但Android仅支持BKS格式.我试图创建密钥库的每一种方式都会导致以下错误:
handling exception: javax.net.ssl.SSLHandshakeException: null cert chain
所以看起来客户端永远不会发送正确的证书链,可能是因为我没有正确创建密钥库.我无法在桌面上启用SSL调试,因此这使得它比应该更加困难.
作为参考,以下是IS用于创建BKS 信任库的命令:
keytool -importcert -v -trustcacerts -file "cacert.pem" -alias ca -keystore "mySrvTruststore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-145.jar" -storetype BKS -storepass testtest
这是我尝试过的命令,它无法创建BKS客户端密钥库:
cat clientkey.pem clientcert.pem cacert.pem > client.pem
keytool -import -v -file <(openssl x509 -in client.pem) -alias client -keystore "clientkeystore" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-145.jar" -storetype BKS -storepass testtest
SSLSocketFactoryjava 中的类在使用时扮演什么角色HttpsURLConnection?java文档没有多大帮助.
有没有办法将密钥库和信任库绑定到sslsocketfactory对象,使其指向密钥库和信任库?
否则,连接将如何知道密钥库和信任库的位置(我不想使用java System Properties)?
我的应用程序有一个个人密钥库,其中包含用于本地网络的可信自签名证书 - 比如说mykeystore.jks.我希望能够使用已在本地配置的自签名证书连接到公共站点(例如google.com)以及本地网络中的站点.
这里的问题是,当我连接到https://google.com时,路径构建失败,因为设置我自己的密钥库会覆盖包含与JRE捆绑在一起的根CA的默认密钥库,报告异常
sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
但是,如果我将CA证书导入我自己的密钥库(mykeystore.jks),它可以正常工作.有没有办法支持两者?
我有自己的TrustManger用于此目的,
public class CustomX509TrustManager implements X509TrustManager {
X509TrustManager defaultTrustManager;
public MyX509TrustManager(KeyStore keystore) {
TrustManagerFactory trustMgrFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustMgrFactory.init(keystore);
TrustManager trustManagers[] = trustMgrFactory.getTrustManagers();
for (int i = 0; i < trustManagers.length; i++) {
if (trustManagers[i] instanceof X509TrustManager) {
defaultTrustManager = (X509TrustManager) trustManagers[i];
return;
}
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
try …我想将多个证书从Resource文件添加到Android KeyStore:
if (sslContext==null) {
// loading CA from an InputStream
InputStream is = AVApplication.getContext().getResources().openRawResource(R.raw.wildcard);
String certificates = Converter.convertStreamToString(is);
String certificateArray[] = certificates.split("-----BEGIN CERTIFICATE-----");
for (int i = 1; i < certificateArray.length; i++) {
certificateArray[i] = "-----BEGIN CERTIFICATE-----" + certificateArray[i];
//LogAV.d("cert:" + certificateArray[i]);
// generate input stream for certificate factory
InputStream stream = IOUtils.toInputStream(certificateArray[i]);
// CertificateFactory
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// certificate
Certificate ca;
try {
ca = cf.generateCertificate(stream);
} finally {
is.close();
}
// creating a KeyStore containing our …我知道有很多关于 Android 中固定证书的问题,但我找不到我要找的东西......
我继承SSLSocketFactory并重写该checkServerTrusted()方法。在此方法中,我执行以下操作:
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate ca = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(PUB_KEY.getBytes("UTF-8")));
for (X509Certificate cert : chain) {
// Verifing by public key
cert.verify(ca.getPublicKey());
}
链中的一项进行了验证,而另一项则没有进行验证(这会抛出Exception)。我想我无法理解证书链是如何工作的。
是否应该使用同一个公共证书来验证链中的所有证书?