一尘不染

Android-如何以编程方式将证书存储在密钥库中?

tomcat

我正在制作金融交易Android应用。它需要SSL身份验证,并且我能够成功完成它(Android和Tomcat之间的握手)。我使用keytool和openSSL生成服务器和客户端证书。Tomcat证书格式为JKS,Android格式为BKS。我将此BKS文件存储在Raw文件夹中,并按以下方式使用它:

public class NetworkCallSecure extends AsyncTask<String, Void, String> {

ResponseListener responseListener;
Activity activity;
ResultCodes code;

public NetworkCallSecure(Activity activity, ResponseListener responseListener, ResultCodes code) {
    this.responseListener = responseListener;
    this.activity = activity;
    this.code = code;
}

@Override
protected String doInBackground(String... params) {

    try{

        System.setProperty("http.keepAlive", "false");
        HttpsURLConnection .setDefaultHostnameVerifier(new HostnameVerifier() {

                    public boolean verify(String hostname,
                                          SSLSession session) {
                        Log.d("HTTPS",hostname+":"+session);
                        return true;
                    }
                });

        char[] passwKey = "mypass".toCharArray();
        KeyStore ks = KeyStore.getInstance("BKS");
        InputStream in = activity.getResources().openRawResource(
                R.raw.client);
        InputStream is = activity.getResources().openRawResource(
                R.raw.client);
        ks.load(in, passwKey);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("X509");
        kmf.init(ks, passwKey);

        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(),
                new X509TrustManager[] { new MyX509TrustManager(is,
                        passwKey) }, new SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(context
                .getSocketFactory());

        URL url = new URL(params[0]);

        HttpsURLConnection connection = (HttpsURLConnection) url
                .openConnection();
        connection.setRequestMethod("POST");
        connection.setRequestProperty("Content-Type", "application/json");
        connection.setRequestProperty("Content-Length", "" + Integer.toString(params[1].getBytes().length));
        connection.setDoOutput(true);

        byte[] outputInBytes = params[1].getBytes("UTF-8");
        OutputStream os = connection.getOutputStream();
        os.write( outputInBytes );
        os.close();

        BufferedReader bin = new BufferedReader(new InputStreamReader(
                connection.getInputStream()));

        StringBuffer sb = new StringBuffer();
        String line;
        while ((line = bin.readLine()) != null) {
            sb.append(line);
        }
        in.close();
        is.close();
        return sb.toString();
    } catch (Exception e) { // should never happen
        e.printStackTrace();
        Log.d("Err", e.toString());
    }
    return "no result";
}

@Override
protected void onPostExecute(String result) {
    responseListener.getResponse(result,code);
}
}

我的Trustmanager类是:

public class MyX509TrustManager implements X509TrustManager {
X509TrustManager pkixTrustManager;

public MyX509TrustManager(InputStream trustStore, char[] password)
        throws Exception {
    // create a "default" JSSE X509TrustManager.

    KeyStore ks = KeyStore.getInstance("BKS");

    ks.load(trustStore, password);

    TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
    tmf.init(ks);

    TrustManager tms[] = tmf.getTrustManagers();

    /*
     * Iterate over the returned trustmanagers, look for an instance of
     * X509TrustManager. If found, use that as our "default" trust manager.
     */
    for (int i = 0; i < tms.length; i++) {
        if (tms[i] instanceof X509TrustManager) {
            pkixTrustManager = (X509TrustManager) tms[i];
            return;
        }
    }

    /*
     * Find some other way to initialize, or else we have to fail the
     * constructor.
     */
    throw new Exception("Couldn't initialize");
}

public void checkClientTrusted(X509Certificate[] arg0, String arg1)
        throws CertificateException {
    // TODO Auto-generated method stub
    try {
        pkixTrustManager.checkClientTrusted(arg0, arg1);
    } catch (CertificateException excep) {
        // do any special handling here, or rethrow exception.
    }

}

public void checkServerTrusted(X509Certificate[] arg0, String arg1)
        throws CertificateException {
    // TODO Auto-generated method stub
    try {
        pkixTrustManager.checkServerTrusted(arg0, arg1);
    } catch (CertificateException excep) {
        /*
         * Possibly pop up a dialog box asking whether to trust the cert
         * chain.
         */
    }
}

public X509Certificate[] getAcceptedIssuers() {
    // TODO Auto-generated method stub
    return pkixTrustManager.getAcceptedIssuers();
}
}

现在,我想使用此HTTPS连接注册用户。该过程是从用户获取详细信息并将其发送到服务器。服务器将验证这些详细信息,并在用户移动设备上发送确认PIN(在用户详细信息中获得此MSISDN)。用户将输入此PIN,服务器将验证PIN是否相同。验证用户身份后,客户端应用程序(用户移动设备)将生成CSR并将其发送到服务器。服务器将使用此CSR生成证书,并将其发送到客户端(移动应用程序)。
现在我的问题是我想将此证书存储在只有我的应用可以访问此证书的地方。 我正在尝试使用以下方法将此文件保存在原始文件夹的BKS文件中:

private boolean storeCertInKeystore(byte[] cert) {
    try {
        InputStream is = getResources().openRawResource(
                R.raw.client);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream certstream = new ByteArrayInputStream(cert);
        X509Certificate certificate = (X509Certificate) cf.generateCertificate(certstream);
        KeyStore keyStore = KeyStore.getInstance("BKS");
        keyStore.load(is, "mypass".toCharArray());
        keyStore.setCertificateEntry("mycert", certificate);


        Log.d("My App Cert: ", "true");
        return true;
    } catch(Exception e) {
            e.printStackTrace();
    }
    return false;
}

此代码成功运行,但无法将证书存储在BKS文件中。我尝试了另一种描述方式但未能成功。(我以后想在我的应用程序中使用此证书进行客户端身份验证)我的问题是:如何存储此证书,以便只能由我的应用程序访问?当用户注册到期时,我也可以删除此证书。

请帮助并提前致谢。


阅读 248

收藏
2020-06-16

共1个答案

一尘不染

  • 您的问题不在于密钥库本身,而在于您试图存储新客户端证书的文件位置!

  • “ RAW文件夹”是已安装的应用程序包的一部分。因此,您可以“虚拟”访问它,并且只能读取而不是写入!

  • 如果希望密钥库是私有的,最好的选择是将应用程序沙盒化-私有文件夹(内部存储)。
    您不能在RAW文件夹中写入,但可以在应用程序专用文件夹中写入。

  • 在您提供的链接中,存储/写入位置实际上是专用文件夹。因此它对您不起作用,因为您正在尝试“ 用原始文件夹写

  • 您可能已经知道这一点,但是您可以将文件(R.raw.client)从“原始文件夹”复制到应用程序专用文件夹中。这样,您仅使用一个密钥库文件(可读和可写)。
2020-06-16