我的公司正在开发一个使用安卓平板电脑的信息亭。我们正在使用 TLS 与私有服务器进行通信。我们有平台密钥来赋予我们的客户端应用系统权限。如果客户端使用授权的客户端证书进行连接,服务器将只允许客户端连接。为了制造平板电脑,我们需要将 PFX 格式的客户端证书和私钥加载到 Android System Trusted CA User 密钥库中。多个应用程序将需要从用户密钥库中检索 PrivateKey 和证书链。我们的制造过程是一个自动化过程,没有人可以单击“是”和“确定”来筛选提示。我们还需要静默证书安装过程来替换将来到期的客户端证书。
如何将 PFX 文件从 Platform Signed App 静默加载到 System Trusted CA User store,无需用户交互?
【问题讨论】:
标签: java android ssl-certificate x509 pfx
这仅适用于企业 wifi 配置。以下方法将使用 CA 证书和用户证书配置 WPA/EAP-TLS wifi 配置。
公共静态无效createEapConfig(上下文上下文,字符串ssid,字符串密码,布尔自动连接,布尔隐藏网络, 整数 eapMethod、整数 phase2、字符串身份、字符串匿名身份、字符串 caCertificateData、 字符串 clientCertificateData,字符串 clientCertPass) { if (ssid == null || eapMethod == null) { 返回; } WifiManager wifiManager = (WifiManager) context.getSystemService(Context.WIFI_SERVICE); 布尔连接 = 自动连接; 布尔 isWifiReceiverRegistered = false; 尝试 { Logger.logEnteringOld(); WifiConfiguration 配置 = 新 WifiConfiguration(); 配置.SSID = "\"" + ssid + "\""; config.hiddenSSID = hiddenNetwork;//false; //隐藏网络总是设置为假。 config.status = WifiConfiguration.Status.ENABLED; config.priority = 40; 尝试 { wifiManager.getClass().getMethod("setWifiApEnabled", WifiConfiguration.class, boolean.class).invoke(wifiManager, config, false); } 捕捉(异常 e){ Logger.logError(e); } Settings.isWifiHotspotEnabled(false); 如果(!wifiManager.isWifiEnabled()){ wifiManager.setWifiEnabled(true); 线程.sleep(5000); } 如果(连接){ lastActNetId = wifiManager.getConnectionInfo().getNetworkId(); wifiManager.disableNetwork(lastActNetId); wifiManager.disconnect(); } config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP); config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X); // 设置默认值 if (phase2 == null) phase2 = WifiEnterpriseConfig.Phase2.NONE; 如果(身份==空)身份=“”; if (anonymousIdentity == null) 匿名身份 = ""; if (caCertificateData == null) caCertificateData = ""; if (clientCertificateData == null) clientCertificateData = ""; if (Build.VERSION.SDK_INT >= 18) { 如果(Util.isNullOrEmpty(密码)){ config.enterpriseConfig.setPassword(密码); } config.enterpriseConfig.setEapMethod(eapMethod); 如果(阶段2!= null){ config.enterpriseConfig.setPhase2Method(phase2); } if (!Util.isNullOrEmpty(identity)) { config.enterpriseConfig.setIdentity(identity); } 如果(!Util.isNullOrEmpty(anonymousIdentity)){ config.enterpriseConfig.setAnonymousIdentity(anonymousIdentity); } 输入流是 = null; 如果(!Util.isNullOrEmpty(caCertificateData)){ 尝试 { byte[] decodedCaCert = Base64.decode(caCertificateData); //is = new FileInputStream(Environment.getExternalStorageDirectory()+"/local-root(1).cer" ); CertificateFactory cf = CertificateFactory.getInstance("X.509"); 尝试 { is = new ByteArrayInputStream(decodedCaCert); X509Certificate caCert = (X509Certificate) cf.generateCertificate(is); config.enterpriseConfig.setCaCertificate(caCert); } 捕捉(CertificateException ex){ Logger.logError(ex); } 最后 { 如果(是!= null){ is.close(); } } } 捕捉(可投掷的 t){ Logger.logError(t); } } if (!Util.isNullOrEmpty(clientCertificateData) && !Util.isNullOrEmpty(clientCertPass)) { 尝试 { byte[] decodeClientCert = Base64.decode(clientCertificateData); KeyStore p12 = KeyStore.getInstance("pkcs12"); is = new ByteArrayInputStream(decodedClientCert); //is = new FileInputStream(Environment.getExternalStorageDirectory()+"/createdDERCert(1).pfx"); p12.load(is, clientCertPass.toCharArray()); 枚举别名 = p12.aliases(); for(字符串别名:Collections.list(别名)){ 如果(别名 == null){ 继续; } PrivateKey privateKey = (PrivateKey) p12.getKey(alias, clientCertPass.toCharArray()); if (privateKey == null) { 继续; } X509Certificate clientCert = (X509Certificate) p12.getCertificate(alias); if (clientCert != null) { config.enterpriseConfig.setClientKeyEntry(privateKey, clientCert); } } } 捕捉(可投掷的 t){ Logger.logError(t); } 最后 { 如果(是!= null){ 尝试 { is.close(); } 捕捉(IOException e){ e.printStackTrace(); } } } } } int networkId = -1; networkId = wifiManager.addNetwork(config); wifiManager.enableNetwork(networkId, true); wifiManager.saveConfiguration(); 如果(连接){ wifiManager.reconnect(); IntentFilter filter = new IntentFilter(); filter.addAction(ConnectivityManager.CONNECTIVITY_ACTION); Settings.cntxt.registerReceiver(wifiReceiver, filter); isWifiReceiverRegistered = true; 线程.sleep(15000); } } 捕捉(InterruptedException 即){ if (NetworkStateReceiver.activeConnection(Settings.cntxt)) { lastActNetId = wifiManager.getConnectionInfo().getNetworkId(); } } 捕捉(异常前){ Logger.logError(ex); } 最后 { //注销wifi状态接收器 if (connect && isWifiReceiverRegistered) { isWifiReceiverRegistered = 假; Settings.cntxt.unregisterReceiver(wifiReceiver); } } Logger.logEnteringOld(); }【讨论】: