0
私はサーバーとのSSL接続を追加しようとしていますが、残念ながらそれはうまくいかず、まだまだ受け取ります。 javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.SSLクライアント証明書okhttp3を添付してください。ハンドシェイクが失敗しました
操作の順序:
は、アプリ側で要求では、サーバ
に証明書を作成した
送信する証明書を作成し、我々は、例えば使用する証明書を得ました
MIIEpzCCAo+gAwIBAgICALQwDQYJKoZIhvcNAQELBQAwgYAxCzAJBgNVBAYTAlBM[...]6AlW6gjevIU7ZP2lIZWmA9f5uPc3Js1aft3UHmVfdiTaG+rcAVsw+ck7aQ==(ROOT_CA)次のリクエストは添付の証明書(
ROOT_CA)で送信されます。
証明書を使用して送信するための責任を負うコード:
private void retrofitConfiguration(Context context){
OkHttpClient.Builder client = new OkHttpClient.Builder();
ProviderInstaller.installIfNeeded(context);
X509Certificate ca = loadCertificate();
KeyStore keyStore = createKeyStore(ca);
TrustManager[] trustManagers = createTrustManager(keyStore);
SSLContext sslContext = null;
sslContext = createSSLContext(trustManagers, keyStore);
X509TrustManager _trustManager = (X509TrustManager) trustManagers[0];
client.sslSocketFactory(sslContext.getSocketFactory(), _trustManager);
client.hostnameVerifier(getHostnameVerifier());
buildRetrofit(client.build());
}
private X509Certificate loadCertificate() throws CertificateException {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
String ca = ROOT_CA;
byte[] decoded = Base64.decode(ca);
return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(decoded));
}
private KeyStore createKeyStore(X509Certificate ca) throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
return keyStore;
}
private TrustManager[] createTrustManager(KeyStore keyStore) throws NoSuchAlgorithmException, KeyStoreException {
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
return tmf.getTrustManagers();
}
private SSLContext createSSLContext(TrustManager[] trustManagers, KeyStore keyStore) throws KeyManagementException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException {
SSLContext sslContext = SSLContext.getInstance("TLS");
KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509");
kmf.init(keyStore, new char[]{0});
KeyManager[] keyManagers = kmf.getKeyManagers();
sslContext.init(keyManagers, trustManagers, null);
return sslContext;
}
private HostnameVerifier getHostnameVerifier() {
return (hostname, session) -> {
return true;
};
}
私は同じ結果とhttps://github.com/rfreedman/android-sslからCustomTrustManagerを使用しようとしました。
それはその時点では動作しませんなぜ私は本当に得ることはありません...(このような他の話題の多くを経て)
任意の助けいただければ幸いです!
UPDATE
今、私はこの方法で使用しています:
private SSLSocketFactory getSSLSocketFactory()
throws CertificateException, KeyStoreException, IOException,
NoSuchAlgorithmException, KeyManagementException, UnrecoverableKeyException {
Certificate clientCA = parseClientCertificate();
KeyStore clientKeyStore = KeyStore.getInstance("BKS");
clientKeyStore.load(null, null);
clientKeyStore.setCertificateEntry("clientCA", clientCA);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");
keyManagerFactory.init(clientKeyStore, null);
KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
Certificate rootCA = parseRootCertificate();
KeyStore rootKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
rootKeyStore.load(null, null);
rootKeyStore.setCertificateEntry("rootCA", rootCA);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(rootKeyStore);
TrustManager[] managers = tmf.getTrustManagers();
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, managers, null);
return sslContext.getSocketFactory();
}
をそしてjavax.net.ssl.SSLHandshakeException: Handshake failedを得ます。この接続はhttpsに接続されており、クライアント証明書を要求に添付しようとしています。 (okhttp3とアンドロイド7.1.1でテスト済み)。私はスタックで多くのトピックを調べていて、実際の解決策を見つけることはできません。
のフルスタックトレース:
W: javax.net.ssl.SSLHandshakeException: Handshake failed
W: at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(:[email protected]:54)
W: at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:267)
W: at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:237)
W: at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:148)
W: at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:186)
W: at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
W: at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
W: at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W: at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W: at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W: at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:212)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W: at com.network.ApiClient.lambda$retrofitConfiguration$0(ApiClient.java:127)
W: at com.network.ApiClient$$Lambda$1.intercept(Unknown Source)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W: at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
W: at okhttp3.RealCall.execute(RealCall.java:63)
W: at retrofit2.OkHttpCall.execute(OkHttpCall.java:174)
W: at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:40)
W: at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:24)
W: at retrofit2.adapter.rxjava.BodyOnSubscribe.call(BodyOnSubscribe.java:33)
W: at retrofit2.adapter.rxjava.BodyOnSubscribe.call(BodyOnSubscribe.java:25)
W: at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
W: at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
W: at rx.Observable.unsafeSubscribe(Observable.java:10346)
W: at rx.internal.operators.OperatorSubscribeOn$SubscribeOnSubscriber.call(OperatorSubscribeOn.java:100)
W: at rx.internal.schedulers.CachedThreadScheduler$EventLoopWorker$1.call(CachedThreadScheduler.java:230)
W: at rx.internal.schedulers.ScheduledAction.run(ScheduledAction.java:55)
W: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:428)
W: at java.util.concurrent.FutureTask.run(FutureTask.java:237)
W: at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:272)
W: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
W: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
W: at java.lang.Thread.run(Thread.java:761)
W: Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7f8f068740: Failure in SSL library, usually a protocol error
W: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (third_party/openssl/boringssl/src/ssl/tls_record.cc:575 0x7f8f0fb180:0x00000001)
W: at com.google.android.gms.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W: at com.google.android.gms.org.conscrypt.SslWrapper.doHandshake(:[email protected]:2)
W: at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(:[email protected]:19)
W: ... 43 more
W: com.network.errors.RetrofitException: Handshake failed
W: at com.network.RxErrorHandlingCallAdapterFactory$RxCallAdapterWrapper.asRetrofitException(RxErrorHandlingCallAdapterFactory.java:93)
W: at com.network.RxErrorHandlingCallAdapterFactory$RxCallAdapterWrapper.access$000(RxErrorHandlingCallAdapterFactory.java:51)
W: at com.network.RxErrorHandlingCallAdapterFactory$RxCallAdapterWrapper$1.call(RxErrorHandlingCallAdapterFactory.java:71)
W: at com.network.RxErrorHandlingCallAdapterFactory$RxCallAdapterWrapper$1.call(RxErrorHandlingCallAdapterFactory.java:68)
W: at rx.internal.operators.OperatorOnErrorResumeNextViaFunction$4.onError(OperatorOnErrorResumeNextViaFunction.java:140)
W: at retrofit2.adapter.rxjava.BodyOnSubscribe$BodySubscriber.onError(BodyOnSubscribe.java:64)
W: at retrofit2.adapter.rxjava.CallArbiter.emitError(CallArbiter.java:141)
W: at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:43)
W: at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:24)
W: at retrofit2.adapter.rxjava.BodyOnSubscribe.call(BodyOnSubscribe.java:33)
W: at retrofit2.adapter.rxjava.BodyOnSubscribe.call(BodyOnSubscribe.java:25)
W: at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:48)
W: at rx.internal.operators.OnSubscribeLift.call(OnSubscribeLift.java:30)
W: at rx.Observable.unsafeSubscribe(Observable.java:10346)
W: at rx.internal.operators.OperatorSubscribeOn$SubscribeOnSubscriber.call(OperatorSubscribeOn.java:100)
W: at rx.internal.schedulers.CachedThreadScheduler$EventLoopWorker$1.call(CachedThreadScheduler.java:230)
W: at rx.internal.schedulers.ScheduledAction.run(ScheduledAction.java:55)
W: at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:428)
W: at java.util.concurrent.FutureTask.run(FutureTask.java:237)
W: at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:272)
W: at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1133)
W: at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:607)
W: at java.lang.Thread.run(Thread.java:761)
W: Caused by: javax.net.ssl.SSLHandshakeException: Handshake failed
W: at com.google.android.gms.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(:[email protected]:54)
W: at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:267)
W: at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:237)
W: at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:148)
W: at okhttp3.internal.connection.StreamAllocation.findConnection(StreamAllocation.java:186)
W: at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(StreamAllocation.java:121)
W: at okhttp3.internal.connection.StreamAllocation.newStream(StreamAllocation.java:100)
W: at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:42)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W: at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:93)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W: at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:120)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W: at okhttp3.logging.HttpLoggingInterceptor.intercept(HttpLoggingInterceptor.java:212)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W: at com.network.ApiClient.lambda$retrofitConfiguration$0(ApiClient.java:127)
W: at com.network.ApiClient$$Lambda$1.intercept(Unknown Source)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:92)
W: at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:67)
W: at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:179)
W: at okhttp3.RealCall.execute(RealCall.java:63)
W: at retrofit2.OkHttpCall.execute(OkHttpCall.java:174)
W: at retrofit2.adapter.rxjava.CallExecuteOnSubscribe.call(CallExecuteOnSubscribe.java:40)
W: ... 15 more
W: Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x7f8f068740: Failure in SSL library, usually a protocol error
W: error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (third_party/openssl/boringssl/src/ssl/tls_record.cc:575 0x7f8f0fb180:0x00000001)
W: at com.google.android.gms.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
W: at com.google.android.gms.org.conscrypt.SslWrapper.doHandshake(:[email protected]:2)
ITSはhttps://stackoverflow.com/questions/9249158/why-do-i-get-a-handshake-failure-java-のように見えますsslしかし、それのための解決策はありません。クライアント証明書はローカルで生成され、サーバーに送信され、サーバーによって署名され、応答として返されます。しかし、キーストアはそれを無視してサーバーに送信しないように見えます。 – Ikazuchi
getCertificateChain( "clientCA")return null – Ikazuchi