导读:在进行多证书验证的过程中,会出现握手失败的情况
2020-12-31 10:43:26.673 4415-4415/? W/System.err: Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:229)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at org.eclipse.paho.client.mqttv3.internal.SSLNetworkModule.start(SSLNetworkModule.java:97)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at org.eclipse.paho.client.mqttv3.internal.ClientComms$ConnectBG.run(ClientComms.java:676)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: ... 1 more
2020-12-31 10:43:26.673 4415-4415/? W/System.err: Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.verifyChain(TrustManagerImpl.java:661)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:539)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrustedRecursive(TrustManagerImpl.java:605)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:495)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.checkTrusted(TrustManagerImpl.java:418)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at com.android.org.conscrypt.TrustManagerImpl.getTrustedChainForServer(TrustManagerImpl.java:339)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at android.security.net.config.NetworkSecurityTrustManager.checkServerTrusted(NetworkSecurityTrustManager.java:94)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at android.security.net.config.RootTrustManager.checkServerTrusted(RootTrustManager.java:88)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at com.android.org.conscrypt.Platform.checkServerTrusted(Platform.java:208)
2020-12-31 10:43:26.673 4415-4415/? W/System.err: at com.android.org.conscrypt.ConscryptFileDescriptorSocket.verifyCertificateChain(ConscryptFileDescriptorSocket.java:404)
2020-12-31 10:43:26.674 4415-4415/? W/System.err: at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
2020-12-31 10:43:26.674 4415-4415/? W/System.err: at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:375)
2020-12-31 10:43:26.674 4415-4415/? W/System.err: at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:224)
场景:MQTT Android 端与服务端Mosquitto作传输通讯过程,需要用到:
mMqttConnectOptions = new MqttConnectOptions();
InputStream caCrtFileI = getResources().openRawResource(R.raw.ca_c88);
InputStream crtFile = getResources().openRawResource(R.raw.crt_c88);
InputStream keyFile = getResources().openRawResource(R.raw.key_c88);
mMqttConnectOptions.setSocketFactory(getSocketFactory(caCrtFileI, crtFile, keyFile, ""));
/**
* 多证书认证
* @param caCrtFile ca.crt
* @param crtFile 92e89e010253a4ab2e430f6254850c88.crt
* @param keyFile 92e89e010253a4ab2e430f6254850c88.key
* @param password " "
* @return
* @throws Exception
*/
public static SSLSocketFactory getSocketFactory(InputStream caCrtFile, InputStream crtFile, InputStream keyFile, String password) throws Exception {
Security.addProvider(new BouncyCastleProvider());
// load CA certificate
X509Certificate caCert = null;
BufferedInputStream bis = new BufferedInputStream(caCrtFile);
CertificateFactory cf = CertificateFactory.getInstance("X.509");
while (bis.available() > 0) {
caCert = (X509Certificate) cf.generateCertificate(bis);
}
// load client certificate
BufferedInputStream bis1 = new BufferedInputStream(crtFile);
X509Certificate cert = null;
while (bis1.available() > 0) {
cert = (X509Certificate) cf.generateCertificate(bis1);
}
// load client private cert
PEMParser pemParser = new PEMParser(new InputStreamReader(keyFile));
Object object = pemParser.readObject();
JcaPEMKeyConverter converter = new JcaPEMKeyConverter().setProvider("BC");
KeyPair key = converter.getKeyPair((PEMKeyPair) object);
KeyStore caKs = KeyStore.getInstance(KeyStore.getDefaultType());
caKs.load(null, null);
caKs.setCertificateEntry("cert-certificate", caCert);
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(caKs);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(null, null);
ks.setCertificateEntry("certificate", cert);
ks.setKeyEntry("private-cert", key.getPrivate(), password.toCharArray(),
new java.security.cert.Certificate[]{cert});
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, password.toCharArray());
SSLContext context = SSLContext.getInstance("TLSv1.2");
// SSLContext context = SSLContext.getInstance("TLS");
context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
return context.getSocketFactory();
}
解决方法:
这是由于当前证书:ca.crt cert.crt cert.key 其中ca.crt cert.crt需要在运行设备上的系统设置里进行证书信任。
当前证书申请时针对设备,一机一证书。
信任步骤:
1.将证书放到设备的SD卡或者内置存储的某个文件夹下
预先将证书放到设备文件夹下
2.打开设备的系统设置:【安全性和位置信息】(不同品牌或者系统略有不同)。找到该位置下的【加密与凭据】-【从SD卡安装】-选择放置证书的那个文件夹找到其中.crt证书依次点击信任即可。
微信图片_20201231171249.jpg
微信图片_20201231171258.jpg
微信图片_20201231171302.jpg
3.证书信任之后,【用户凭据】中即可查看已信任的证书。【信任的凭据】中可以查看用户层级的信任证书【BSJ】
微信图片_20201231171305.jpg
微信图片_20201231172137.jpg
Screenshot_20201231-155702.png
至此,MQTT中认证服务端mosquitto三个证书认证的问题即已解决,但是情况不同,还需依据具体的情况分析,此篇文章仅提供其中一种情况参考。
