问题:
OkHttp带客户端证书(crt, p12):java.security.cert.CertPathValidatorException:未找到认证路径的信任锚
梁学真
我正试图通过OKHttp和改装2提出请求。该请求应通过发送证书(必须是p12或crt)完成。我们尝试过不同的方法,但没有人允许我成功。我正在用badssl进行测试。com,它允许我请求此URL:https://client.badssl.com您可以在这里找到证书:https://badssl.com/download/
我尝试将p12和crt包含在项目的assets文件夹和raw文件夹中,并创建一个密钥库、SSLSocketFactory和TrustManager。由于这不起作用,我还尝试创建一个不安全的OkHttpClient,它可以发出任何请求,但我没有成功。在这两种情况下,我都得到了:“javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorException:Trust anchor for certification path not found”
public static SSLContext getSSLConfig(Context context) throws CertificateException, IOException,
KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
// Loading CAs from an InputStream
CertificateFactory cf = null;
cf = CertificateFactory.getInstance("X.509");
Certificate ca;
// I'm using Java7. If you used Java6 close it manually with finally.
try (InputStream cert = context.getResources().openRawResource(R.raw.somecert)) {
ca = cf.generateCertificate(cert);
}
// Creating a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Creating a TrustManager that trusts the CAs in our KeyStore.
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Creating an SSLSocketFactory that uses our TrustManager
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);
return sslContext;
}
val client: OkHttpClient = OkHttpClient.Builder()
.sslSocketFactory(SSLConfigUtils.getSSLConfig(MyClass.getContext()).socketFactory)
.hostnameVerifier { _, _ -> true }
.build()
val retrofit = Retrofit.Builder()
.addCallAdapterFactory(
RxJava2CallAdapterFactory.create())
.addConverterFactory(
GsonConverterFactory.create(gson))
.baseUrl("https://client.badssl.com/")
.client(client)
.build()
我希望提出正确的改装请求,但每次请求都会返回以下错误:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(:com.google.android.gms@17122040@17.1.22 (100700-245988633):43)
at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:319)
at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:283)
at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:168)
at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:257)
at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:135)
at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:114)
at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:126)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:147)
at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:121)
at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:254)
at okhttp3.RealCall.execute(RealCall.java:92)
at retrofit2.OkHttpCall.execute(OkHttpCall.java:186)
at retrofit2.adapter.rxjava2.CallExecuteObservable.subscribeActual(CallExecuteObservable.java:41)
at io.reactivex.Observable.subscribe(Observable.java:12267)
at retrofit2.adapter.rxjava2.BodyObservable.subscribeActual(BodyObservable.java:34)
at io.reactivex.Observable.subscribe(Observable.java:12267)
at io.reactivex.internal.operators.observable.ObservableSubscribeOn$SubscribeTask.run(ObservableSubscribeOn.java:96)
at io.reactivex.Scheduler$DisposeTask.run(Scheduler.java:578)
at io.reactivex.internal.schedulers.ScheduledRunnable.run(ScheduledRunnable.java:66)
at io.reactivex.internal.schedulers.ScheduledRunnable.call(ScheduledRunnable.java:57)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:301)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:919)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:656)
at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:615)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:505)
at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:424)
at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:352)
at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:89)
at java.lang.reflect.Method.invoke(Native Method)
at com.google.android.gms.org.conscrypt.Platform.checkTrusted(:com.google.android.gms@17122040@17.1.22 (100700-245988633):2)
2019-05-23 11:37:15.389 5640-5640/it.sogetel.agtcs E/Errore: at com.google.android.gms.org.conscrypt.Platform.checkServerTrusted(:com.google.android.gms@17122040@17.1.22 (100700-245988633):1)
at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(:com.google.android.gms@17122040@17.1.22 (100700-245988633):12)
at com.google.android.gms.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.google.android.gms.org.conscrypt.NativeSsl.doHandshake(:com.google.android.gms@17122040@17.1.22 (100700-245988633):7)
at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(:com.google.android.gms@17122040@17.1.22 (100700-245988633):14)
... 33 more
Caused by: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
... 47 more
共有1个答案
唐涛
OkHttp中有一个配置客户端身份验证的测试用例。它可能需要作为一个有用的例子,尽管您应该注意它在内存中生成证书,而不是从文件中加载它们。
相关代码在okhttp tls模块中。
还请注意,您的TrustManager必须包含服务器的证书,或签署该证书的证书颁发机构根证书之一。
类似资料:
-
问题内容: android应用有三台主机进行身份验证和授权。最终主机是REST API。首次使用Oauth身份验证和授权过程,它可以正常工作。 但是,如果 用户 在登录并访问REST API提供的服务后 杀死了该应用程序 ,然后再次打开该应用程序,则会出现此问题。 在这段时间内,身份验证和授权过程不会发生,只有REST API会发生。 这是造成原因, 但在首次使用(登录然后使用该应用程序)期间正在
-
我正在Android上开发一个客户端应用程序,它连接到我的服务器,它在负载均衡器后面的AWS上,我在GoDaddy上创建了一个SSL证书,并将其添加到负载均衡器上。 浏览器上的一切都很顺利,它可以识别证书,但是当我试图用Android调用API时,我遇到了一个例外: 我找到了一些讨论谁说在app上添加证书,但是在证书服务器端是不是就没有办法修复了呢?这不是证书的问题吗?
-
问题内容: 在我的服务器(生产服务器)中,我具有goDaddy ssl证书。我有iOS和Android应用程序都与服务器连接,iOS都没有问题连接,Android版本为4. 一切都很好,但是设备版本为2.3。我总是收到SSLHandshakeException。 我在Android开发人员页面(https://developer.android.com/training/articles/secu
-
所以我整晚都在努力让它发挥作用,但似乎没有任何效果。。。我一直在获取未找到的证书路径的信任锚点。 下面是我如何构建okhttpClient(我遵循https://medium.com/@sreekumar_av/certificate-public-key-pinning-in-android-using-Reformation-2-0-74140800025b) 我得到的sha是这样的:open
-
我遇到了Android4设备的一个问题,它在连接到服务器时收到以下异常: 但出于某种原因,我不明白它在Android4版本中开始失败了。 我尝试了信任所有证书的解决方案[LINK],它起作用了,但这显然存在安全问题,比如将您的应用程序暴露于“中间人”攻击 如何实现具有默认行为但仅将服务器的证书白名单的TrustManager。 在证书链给了我两个证书的格式: 用获得的url和证书替换了示例中的ur