android 上的 libcurl CURLE_SSL_CACERT_BADFILE 错误
libcurl CURLE_SSL_CACERT_BADFILE error on android
所以我尝试将 libcurl 与 JNI 一起使用,但它 returns CURLE_SSL_CACERT_BADFILE 错误。这是我的代码。
JNI 端:
static size_t WriteCallback(void *contents, size_t size, size_t nmemb, void *userp)
{
((string*)userp)->append((char*)contents, size * nmemb);
return size * nmemb;
}
//jList is an array containing the certificate.
Java_packageName_MainActivity_Test(JNIEnv *env, jobject thiz, jobject jList)
{
vector<string> certificatesPinning;
// Convert jobject to jobjectArray
// retrieve the java.util.List interface class
jclass cList = env->FindClass("java/util/List");
// retrieve the toArray method and invoke it
jmethodID mToArray = env->GetMethodID(cList, "toArray", "()[Ljava/lang/Object;");
jobjectArray stringArray = (jobjectArray)env->CallObjectMethod(jList, mToArray);
// Add each certificate to the list
int stringCount = (env)->GetArrayLength(stringArray);
for (int i=0; i < stringCount; i++)
{
jstring certificateString = (jstring)(env)-> GetObjectArrayElement(stringArray, i);
const char *cert = (env)->GetStringUTFChars(certificateString, 0);
const jsize len = env->GetStringUTFLength(certificateString);
string certificatePinningObj(cert,len);
certificatesPinning.push_back(certificatePinningObj);
(env)->ReleaseStringUTFChars( certificateString, cert);
}
string readBuffer;
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(curl, CURLOPT_URL, "https://theapi.com");
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, WriteCallback);// Fill the response in the readBuffer
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &readBuffer);
curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 120); // 120 s connect timeout
curl_easy_setopt(curl, CURLOPT_ENCODING, GZIP);
curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"der");
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER , 1);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST , 2L);
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
curl_easy_setopt(curl, CURLOPT_CAINFO,certificatesPinning[0].c_str());//buf
CURLcode res;
res = curl_easy_perform(curl);
if(!readBuffer.empty())
{
printf("success \n");
}
else
{
printf("error \n");
int a = (int)res;// this is 77 = CURLE_SSL_CACERT_BADFILE
}
}
JAVA 边:
// Define the function
native void Test(ArrayList<String> certificates);
// Prepare the certificate
ArrayList<String> certificatesPinning = new ArrayList<String>();
certificatesPinning.add(saveCertPemFile());
// Call the function
Test(certificatesPinning);
// Helpers
private String saveCertPemFile()
{
Context context=getApplicationContext();
String assetFileName="certificateName.der";
if(context==null || !FileExistInAssets(assetFileName,context))
{
Log.i("TestActivity", "Context is null or asset file doesnt exist");
return null;
}
//destination path is data/data/packagename
String destPath=getApplicationContext().getApplicationInfo().dataDir;
String CertFilePath =destPath + "/" +assetFileName;
File file = new File(CertFilePath);
if(file.exists())
{
//delete file
file.delete();
}
//copy to internal storage
if(CopyAssets(context,assetFileName,CertFilePath)==1) return CertFilePath;
return CertFilePath=null;
}
private int CopyAssets(Context context,String assetFileName, String toPath)
{
AssetManager assetManager = context.getAssets();
InputStream in = null;
OutputStream out = null;
try {
in = assetManager.open(assetFileName);
new File(toPath).createNewFile();
out = new FileOutputStream(toPath);
byte[] buffer = new byte[1024];
int read;
while ((read = in.read(buffer)) != -1)
{
out.write(buffer, 0, read);
}
in.close();
in = null;
out.flush();
out.close();
out = null;
return 1;
} catch(Exception e) {
Log.e("tag", "CopyAssets"+e.getMessage());
}
return 0;
}
private boolean FileExistInAssets(String fileName,Context context)
{
try {
return Arrays.asList(context.getResources().getAssets().list("")).contains(fileName);
} catch (IOException e) {
// TODO Auto-generated catch block
Log.e("tag", "FileExistInAssets"+e.getMessage());
}
return false;
}
"certificateName.der"是存放在assets文件夹中的证书。
这是发送到 jni 的证书路径:
/data/data/packageName/certificateName.der
您没有完全解释您在这里使用的是什么,但我会猜测您有一个针对 OpenSSL 构建的 libcurl。 CURLOPT_CAINFO 选项应该是使用 PEM 格式标识 CA 证书包的文件名。该捆绑包是您信任的 CA 的所有证书。
你的描述听起来像是你有一个 DER 文件,但你不能将 DER 用于带有 OpenSSL 的 CA 证书包。
获得像样的 CA 包的常见方法是下载 Firefox 中包含的 PEM version of the bundle that Mozilla ships。
所以我尝试将 libcurl 与 JNI 一起使用,但它 returns CURLE_SSL_CACERT_BADFILE 错误。这是我的代码。
JNI 端:
static size_t WriteCallback(void *contents, size_t size, size_t nmemb, void *userp)
{
((string*)userp)->append((char*)contents, size * nmemb);
return size * nmemb;
}
//jList is an array containing the certificate.
Java_packageName_MainActivity_Test(JNIEnv *env, jobject thiz, jobject jList)
{
vector<string> certificatesPinning;
// Convert jobject to jobjectArray
// retrieve the java.util.List interface class
jclass cList = env->FindClass("java/util/List");
// retrieve the toArray method and invoke it
jmethodID mToArray = env->GetMethodID(cList, "toArray", "()[Ljava/lang/Object;");
jobjectArray stringArray = (jobjectArray)env->CallObjectMethod(jList, mToArray);
// Add each certificate to the list
int stringCount = (env)->GetArrayLength(stringArray);
for (int i=0; i < stringCount; i++)
{
jstring certificateString = (jstring)(env)-> GetObjectArrayElement(stringArray, i);
const char *cert = (env)->GetStringUTFChars(certificateString, 0);
const jsize len = env->GetStringUTFLength(certificateString);
string certificatePinningObj(cert,len);
certificatesPinning.push_back(certificatePinningObj);
(env)->ReleaseStringUTFChars( certificateString, cert);
}
string readBuffer;
CURL *curl = curl_easy_init();
curl_easy_setopt(curl, CURLOPT_CUSTOMREQUEST, "POST");
curl_easy_setopt(curl, CURLOPT_URL, "https://theapi.com");
curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, WriteCallback);// Fill the response in the readBuffer
curl_easy_setopt(curl, CURLOPT_WRITEDATA, &readBuffer);
curl_easy_setopt(curl, CURLOPT_CONNECTTIMEOUT, 120); // 120 s connect timeout
curl_easy_setopt(curl, CURLOPT_ENCODING, GZIP);
curl_easy_setopt(curl,CURLOPT_SSLCERTTYPE,"der");
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYPEER , 1);
curl_easy_setopt(curl, CURLOPT_SSL_VERIFYHOST , 2L);
curl_easy_setopt(curl, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1_2);
curl_easy_setopt(curl, CURLOPT_CAINFO,certificatesPinning[0].c_str());//buf
CURLcode res;
res = curl_easy_perform(curl);
if(!readBuffer.empty())
{
printf("success \n");
}
else
{
printf("error \n");
int a = (int)res;// this is 77 = CURLE_SSL_CACERT_BADFILE
}
}
JAVA 边:
// Define the function
native void Test(ArrayList<String> certificates);
// Prepare the certificate
ArrayList<String> certificatesPinning = new ArrayList<String>();
certificatesPinning.add(saveCertPemFile());
// Call the function
Test(certificatesPinning);
// Helpers
private String saveCertPemFile()
{
Context context=getApplicationContext();
String assetFileName="certificateName.der";
if(context==null || !FileExistInAssets(assetFileName,context))
{
Log.i("TestActivity", "Context is null or asset file doesnt exist");
return null;
}
//destination path is data/data/packagename
String destPath=getApplicationContext().getApplicationInfo().dataDir;
String CertFilePath =destPath + "/" +assetFileName;
File file = new File(CertFilePath);
if(file.exists())
{
//delete file
file.delete();
}
//copy to internal storage
if(CopyAssets(context,assetFileName,CertFilePath)==1) return CertFilePath;
return CertFilePath=null;
}
private int CopyAssets(Context context,String assetFileName, String toPath)
{
AssetManager assetManager = context.getAssets();
InputStream in = null;
OutputStream out = null;
try {
in = assetManager.open(assetFileName);
new File(toPath).createNewFile();
out = new FileOutputStream(toPath);
byte[] buffer = new byte[1024];
int read;
while ((read = in.read(buffer)) != -1)
{
out.write(buffer, 0, read);
}
in.close();
in = null;
out.flush();
out.close();
out = null;
return 1;
} catch(Exception e) {
Log.e("tag", "CopyAssets"+e.getMessage());
}
return 0;
}
private boolean FileExistInAssets(String fileName,Context context)
{
try {
return Arrays.asList(context.getResources().getAssets().list("")).contains(fileName);
} catch (IOException e) {
// TODO Auto-generated catch block
Log.e("tag", "FileExistInAssets"+e.getMessage());
}
return false;
}
"certificateName.der"是存放在assets文件夹中的证书。
这是发送到 jni 的证书路径:
/data/data/packageName/certificateName.der
您没有完全解释您在这里使用的是什么,但我会猜测您有一个针对 OpenSSL 构建的 libcurl。 CURLOPT_CAINFO 选项应该是使用 PEM 格式标识 CA 证书包的文件名。该捆绑包是您信任的 CA 的所有证书。
你的描述听起来像是你有一个 DER 文件,但你不能将 DER 用于带有 OpenSSL 的 CA 证书包。
获得像样的 CA 包的常见方法是下载 Firefox 中包含的 PEM version of the bundle that Mozilla ships。