无法在三星 android 上初始化密钥库

【问题标题】:Can't initialise keystore on Samsung android无法在三星 android 上初始化密钥库
【发布时间】:2018-03-26 15:21:06
【问题描述】:

编辑:我现在在非三星 KitKat 4.4.3 设备(Gigabyte/Zebra TC55)上看到了这个错误。

我正在尝试在我的自定义 X509TrustManager 类中初始化一个 null KeyStore。 在构造函数中,我执行以下操作:

public EasyX509TrustManager(KeyStore keystore) throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException {
    super();
    //keystore.load(null);
    TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    factory.init((KeyStore) null); <--- ERROR HERE
    TrustManager[] trustmanagers = factory.getTrustManagers();
    if (trustmanagers.length == 0) {
        throw new NoSuchAlgorithmException("no trust manager found");
    }
    this.standardTrustManager = (X509TrustManager) trustmanagers[0];
}

并获得以下堆栈跟踪:

 java.security.KeyStoreException: initialization failed
    at org.spongycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit(ProvTrustManagerFactorySpi.java:127)
    at javax.net.ssl.TrustManagerFactory.init(TrustManagerFactory.java:191)
    at my.android.app.http.EasyX509TrustManager.<init>(EasyX509TrustManager.java:51)
    at my.android.app.http.EasySSLSocketFactory.createEasySSLContext(EasySSLSocketFactory.java:53)
    at my.android.app.http.EasySSLSocketFactory.getSSLContext(EasySSLSocketFactory.java:83)
    at my.android.app.http.EasySSLSocketFactory.createSocket(EasySSLSocketFactory.java:133)
    at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
    at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
    at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
    at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:670)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:509)
    at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
    at my.android.app.util.LoginUtils.loginOnline(LoginUtils.java:184)
    at my.android.app.util.LoginUtils.login(LoginUtils.java:95)
    at my.android.app.LoginActivity$UserLoginTask.doInBackground(LoginActivity.java:336)
    at my.android.app.LoginActivity$UserLoginTask.doInBackground(LoginActivity.java:320)
    at android.os.AsyncTask$2.call(AsyncTask.java:287)
    at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:305)
    at java.util.concurrent.FutureTask.run(FutureTask.java:137)
    at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:230)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1076)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:569)
    at java.lang.Thread.run(Thread.java:856)
 Caused by: java.security.InvalidAlgorithmParameterException: trustAnchors.isEmpty()
    at java.security.cert.PKIXParameters.checkTrustAnchors(PKIXParameters.java:588)
    at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:84)
    at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:58)
    at org.spongycastle.jsse.provider.ProvX509TrustManager.<init>(ProvX509TrustManager.java:34)
    at org.spongycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit(ProvTrustManagerFactorySpi.java:122)
    ... 23 more

如果我尝试如下初始化工厂,我也会得到相同的堆栈跟踪:

factory.init(KeyStore.getInstance(KeyStore.getDefaultType()));

从堆栈跟踪中可以看出,我正在使用SpongyCastle,Android 版本的BouncyCastle 来处理我的安全/密钥库等,但是,这个问题只出现在带有 Android JellyBean -> KitKat 的三星设备上.我有多个三星,它影响了他们所有人。我还有其他运行 JellyBean 的设备,它们能够很好地连接到服务器,所以这似乎是三星独有的问题。

谁能告诉我如何解决这个密钥库初始化问题? 我没有使用自己的密钥库,所以如果可能的话,我想使用 null 密钥库或内置的 android 密钥库。

以下是来自非三星 4.4.3 设备的 logcat 的更多日志,可能会有所帮助:

03-28 15:10:06.357 8084-8423/my.android.app W/dalvikvm: Unable to resolve superclass of Lorg/spongycastle/jsse/provider/ProvX509ExtendedTrustManager; (377)
03-28 15:10:06.367 8084-8423/my.android.app W/dalvikvm: Link of class 'Lorg/spongycastle/jsse/provider/ProvX509ExtendedTrustManager;' failed
03-28 15:10:06.367 8084-8423/my.android.app E/dalvikvm: Could not find class 'org.spongycastle.jsse.provider.ProvX509ExtendedTrustManager', referenced from method org.spongycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit
03-28 15:10:06.367 8084-8423/my.android.app W/dalvikvm: VFY: unable to resolve new-instance 3263 (Lorg/spongycastle/jsse/provider/ProvX509ExtendedTrustManager;) in Lorg/spongycastle/jsse/provider/ProvTrustManagerFactorySpi;
03-28 15:10:06.367 8084-8423/my.android.app D/dalvikvm: VFY: replacing opcode 0x22 at 0x006e
03-28 15:10:06.377 8084-8423/my.android.app W/dalvikvm: Unable to resolve superclass of Lorg/spongycastle/jsse/provider/ProvX509ExtendedTrustManager; (377)
    Link of class 'Lorg/spongycastle/jsse/provider/ProvX509ExtendedTrustManager;' failed
03-28 15:10:06.377 8084-8423/my.android.app E/dalvikvm: Could not find class 'org.spongycastle.jsse.provider.ProvX509ExtendedTrustManager', referenced from method org.spongycastle.jsse.provider.ProvTrustManagerFactorySpi.engineInit
03-28 15:10:06.377 8084-8423/my.android.app W/dalvikvm: VFY: unable to resolve new-instance 3263 (Lorg/spongycastle/jsse/provider/ProvX509ExtendedTrustManager;) in Lorg/spongycastle/jsse/provider/ProvTrustManagerFactorySpi;
03-28 15:10:06.377 8084-8423/my.android.app D/dalvikvm: VFY: replacing opcode 0x22 at 0x001e
03-28 15:10:06.387 8084-8423/my.android.app W/dalvikvm: Unable to resolve superclass of Lorg/spongycastle/jsse/provider/ProvX509ExtendedTrustManager; (377)
    Link of class 'Lorg/spongycastle/jsse/provider/ProvX509ExtendedTrustManager;' failed
03-28 15:10:06.387 8084-8423/my.android.app D/dalvikvm: DexOpt: unable to opt direct call 0x3ea1 at 0x77 in Lorg/spongycastle/jsse/provider/ProvTrustManagerFactorySpi;.engineInit
03-28 15:10:06.397 8084-8423/my.android.app W/dalvikvm: Unable to resolve superclass of Lorg/spongycastle/jsse/provider/ProvX509ExtendedTrustManager; (377)
    Link of class 'Lorg/spongycastle/jsse/provider/ProvX509ExtendedTrustManager;' failed
03-28 15:10:06.397 8084-8423/my.android.app D/dalvikvm: DexOpt: unable to opt direct call 0x3ea1 at 0x27 in Lorg/spongycastle/jsse/provider/ProvTrustManagerFactorySpi;.engineInit

谢谢。

【问题讨论】:

  • 您似乎无法向 TrustManagerFactory 提供空的密钥库。这对我来说很有意义,否则您将拒绝 所有 SSL 连接尝试。
  • 如果你想使用android keystore,你不需要做任何事情,因为这是默认处理的。
  • 可能是这样的stackoverflow.com/questions/30736787/…
  • @JamesKPolk 你想回答吗?
  • @Jax297 你要回答吗?

标签: android bouncycastle samsung-mobile spongycastle


【解决方案1】:

我想通了,所以会发布答案,但我需要赠送赏金,所以第一个回答的人会得到它。

从代码中可以看出,对于 Lollipop 下的设备,您不能将 null 密钥库默认传递给系统密钥库,您必须通过引用 AndroidCAStore 获取实例。见这里:

if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
    context = SSLContext.getInstance("TLSv1.2", new BouncyCastleJsseProvider());
    KeyStore keyStore = KeyStore.getInstance("AndroidCAStore");//KeyStore.getDefaultType());
    keyStore.load(null, null);
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, null);

    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(keyStore);

    context.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
} else {
    context = SSLContext.getInstance("TLSv1.2");
    context.init(null, null, null);
}

我不确定为什么必须这样做。也许是因为我使用了SpongyCastle,或者三星在他们的 SocketFactory 实现中改变了一些东西。

【讨论】:

    猜你喜欢
    • 1970-01-01
    • 1970-01-01
    • 2019-05-19
    • 1970-01-01
    • 2018-06-23
    • 2015-09-13
    • 1970-01-01
    • 1970-01-01
    • 2014-03-11
    相关资源
    最近更新 更多
    热门标签
    Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode