使用 .crt 而不是 .p12
Using .crt instead of a .p12
我正在尝试通过我的 Android 客户端与我的服务器建立连接。服务器是 HTTPS。为了使客户端连接到服务器,我使用了 client.key 和 client.crt,它们通过与服务器相同的 CA .crt 文件签名并转换为 .p12 格式。客户端应该有私钥和 public 密钥。但是客户端不应该有服务器私钥。让 Android 工作的唯一方法是从服务器加载一个 p12 文件到 TrustManagerFactory。但这不是正确的方法,因为来自服务器的私钥在该文件中。 TrustManagerFactory 不允许我加载 .crt 文件。
我的问题是:如何将 .crt 文件加载到 KeyStore 而不是我现在使用的 p12。或者我需要使用其他东西然后 KeyStore.
Directly from google dev guide working solution for ya:
// Load CAs from an InputStream
// (could be from a resource or ByteArrayInputStream or ...)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// From https://www.washington.edu/itconnect/security/ca/load-der.crt
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
caInput.close();
}
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
// Tell the URLConnection to use a SocketFactory from our SSLContext
URL url = new URL("https://certs.cac.washington.edu/CAtest/");
HttpsURLConnection urlConnection =
(HttpsURLConnection)url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
InputStream in = urlConnection.getInputStream();
copyInputStreamToOutputStream(in, System.out);
我正在尝试通过我的 Android 客户端与我的服务器建立连接。服务器是 HTTPS。为了使客户端连接到服务器,我使用了 client.key 和 client.crt,它们通过与服务器相同的 CA .crt 文件签名并转换为 .p12 格式。客户端应该有私钥和 public 密钥。但是客户端不应该有服务器私钥。让 Android 工作的唯一方法是从服务器加载一个 p12 文件到 TrustManagerFactory。但这不是正确的方法,因为来自服务器的私钥在该文件中。 TrustManagerFactory 不允许我加载 .crt 文件。
我的问题是:如何将 .crt 文件加载到 KeyStore 而不是我现在使用的 p12。或者我需要使用其他东西然后 KeyStore.
Directly from google dev guide working solution for ya:
// Load CAs from an InputStream
// (could be from a resource or ByteArrayInputStream or ...)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// From https://www.washington.edu/itconnect/security/ca/load-der.crt
InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
Certificate ca;
try {
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} finally {
caInput.close();
}
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
// Tell the URLConnection to use a SocketFactory from our SSLContext
URL url = new URL("https://certs.cac.washington.edu/CAtest/");
HttpsURLConnection urlConnection =
(HttpsURLConnection)url.openConnection();
urlConnection.setSSLSocketFactory(context.getSocketFactory());
InputStream in = urlConnection.getInputStream();
copyInputStreamToOutputStream(in, System.out);