{var%20f='http://v.t.sina.com.cn/share/share.php?appkey=1515056452',u=z||d.location,p=['&url=',e(u),'&title=',e(t||d.title),'&source=',e(r),'&sourceUrl=',e(l),'&content=',c||'gb2312','&pic=',e(p||'')].join('');function%20a(){if(!window.open([f,p].join(''),'mb',['toolbar=0,status=0,resizable=1,width=440,height=430,left=',(s.width-440)/2,',top=',(s.height-430)/2].join('')))u.href=[f,p].join('');};if(/Firefox/.test(navigator.userAgent))setTimeout(a,0);else%20a();})(screen,document,encodeURIComponent,'','','https://www.manongdao.com/data/attach/logo/logo.png', '推荐 我欲成王,谁敢阻挡 的问题《Apache HttpClient on Android producing CertPathVal》','https://www.manongdao.com/q-40865.html','页面编码gb2312|utf-8默认gb2312'));){kind=link}
I'm developing an Android application for accessing some battle.net (https://eu.battle.net) account data (for World of Warcraft) and I'm using the org.apache.http.client.HttpClient to do so.
This is the code I'm using:
public static final String USER_AGENT = "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 (.NET CLR 3.5.30729)";
public static class MyHttpClient extends DefaultHttpClient {
final Context context;
public MyHttpClient(Context context) {
super();
this.context = context;
}
@Override
protected ClientConnectionManager createClientConnectionManager() {
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
// Register for port 443 our SSLSocketFactory with our keystore
// to the ConnectionManager
registry.register(new Scheme("https", newSslSocketFactory(), 443));
return new SingleClientConnManager(getParams(), registry);
}
private SSLSocketFactory newSslSocketFactory() {
try {
// Get an instance of the Bouncy Castle KeyStore format
KeyStore trusted = KeyStore.getInstance("BKS");
// Get the raw resource, which contains the keystore with
// your trusted certificates (root and any intermediate certs)
InputStream in = context.getResources().openRawResource(R.raw.battlenetkeystore);
try {
// Initialize the keystore with the provided trusted certificates
// Also provide the password of the keystore
trusted.load(in, "mysecret".toCharArray());
} finally {
in.close();
}
// Pass the keystore to the SSLSocketFactory. The factory is responsible
// for the verification of the server certificate.
SSLSocketFactory sf = new SSLSocketFactory(trusted);
// Hostname verification from certificate
// http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
return sf;
} catch (Exception e) {
throw new AssertionError(e);
}
}
}
private static void maybeCreateHttpClient(Context context) {
if (mHttpClient == null) {
mHttpClient = new MyHttpClient(context);
final HttpParams params = mHttpClient.getParams();
HttpConnectionParams.setConnectionTimeout(params, REGISTRATION_TIMEOUT);
HttpConnectionParams.setSoTimeout(params, REGISTRATION_TIMEOUT);
ConnManagerParams.setTimeout(params, REGISTRATION_TIMEOUT);
Log.d(TAG, LEAVE + "maybeCreateHttpClient()");
}
}
public static boolean authenticate(String username, String password, Handler handler,
final Context context) {
final HttpResponse resp;
final ArrayList<NameValuePair> params = new ArrayList<NameValuePair>();
params.add(new BasicNameValuePair(PARAM_USERNAME, username));
params.add(new BasicNameValuePair(PARAM_PASSWORD, password));
HttpEntity entity = null;
try {
entity = new UrlEncodedFormEntity(params);
} catch (final UnsupportedEncodingException e) {
// this should never happen.
throw new AssertionError(e);
}
final HttpPost post = new HttpPost(THE_URL);
post.addHeader(entity.getContentType());
post.addHeader("User-Agent", USER_AGENT);
post.setEntity(entity);
maybeCreateHttpClient(context);
if (mHttpClient == null) {
return false;
}
try {
resp = mHttpClient.execute(post);
} catch (final IOException e) {
Log.e(TAG, "IOException while authenticating", e);
return false;
} finally {
}
}
The keystore is retrieved (by OpenSSL) like this:
openssl s_client -connect eu.battle.net:443 -showcerts
I have compared the certificates that command produced (http://vipsaran.webs.com/openssl_output.txt) with ones I exported from Firefox (http://vipsaran.webs.com/Firefox_output.zip) and they are the same.
By following advice on this blog, I have setup the above code and imported the (root and intermediate) certs to a keystore (battlenetkeystore.bks) which is used for HttpClient.
This are the commands I used for importing the certs to the keystore:
keytool -importcert -v -file ~/lib/ThawteSSLCA.crt -alias thawtesslca -keystore ~/lib/battlenetkeystore.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ~/lib/bcprov-jdk16-145.jar -storetype BKS -storepass mysecret -keypass mysecret -keyalg "RSA" -sigalg "SHA1withRSA"
keytool -importcert -v -file ~/lib/thawtePrimaryRootCA.crt -alias thawteprimaryrootca -keystore ~/lib/battlenetkeystore.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath ~/lib/bcprov-jdk16-145.jar -storetype BKS -storepass mysecret -keypass mysecret -keyalg "RSA" -sigalg "SHA1withRSA"
Btw. I have also tried keytool -import without the -keyalg "RSA" -sigalg "SHA1withRSA", but with no change.
The problem is that I'm getting this error:
javax.net.ssl.SSLException: Not trusted server certificate
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:371)
at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:92)
at org.apache.http.conn.ssl.SSLSocketFactory.createSocket(SSLSocketFactory.java:381)
at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:164)
at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:348)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
at org.homedns.saran.android.wowcalendarsync.network.NetworkUtilities.authenticateWithPass(NetworkUtilities.java:346)
at org.homedns.saran.android.wowcalendarsync.network.NetworkUtilities$1.run(NetworkUtilities.java:166)
at org.homedns.saran.android.wowcalendarsync.network.NetworkUtilities$5.run(NetworkUtilities.java:278)
Caused by: java.security.cert.CertificateException: java.security.cert.CertPathValidatorException: IssuerName(CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US) does not match SubjectName(CN=Thawte SSL CA, O="Thawte, Inc.", C=US) of signing certificate
at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:168)
at org.apache.harmony.xnet.provider.jsse.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:366)
... 12 more
Caused by: java.security.cert.CertPathValidatorException: IssuerName(CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US) does not match SubjectName(CN=Thawte SSL CA, O="Thawte, Inc.", C=US) of signing certificate
at org.bouncycastle.jce.provider.PKIXCertPathValidatorSpi.engineValidate(PKIXCertPathValidatorSpi.java:373)
at java.security.cert.CertPathValidator.validate(CertPathValidator.java:202)
at org.apache.harmony.xnet.provider.jsse.TrustManagerImpl.checkServerTrusted(TrustManagerImpl.java:164)
... 13 more
and I can't figure a way to solve it. Tried importing the certs into the keystore in different order, aso. but nothing worked.
Please help (and please focus on the solutions based on the Android's Apache HttpClient only).
I expect you've got your own solution by now, but if not:
By combining insights from
I managed to achieve a secure connection to https://eu.battle.net/login/en/login.xml with just the following classes. Note that there is no need to build a keystore since the root CA is trusted by android - the problem is simply that the certs are returned in the wrong order.
(Disclaimer: Didn't spend any time cleaning the code up though.)
EasyX509TrustManager:
EasySSLSocketFactory
MyHttpClient
TrustMe (activity)
Looking at "openssl s_client -connect eu.battle.net:443", I see the following cert chain:
Note that is out of order. the issuer of cert "n" in the chain should match the subject of cert "n+1". The issuer of the last cert should be be self signed (subject==issuer) and technically not included.
The correct chain would be ordered like this:
The Android browser copes with out of order chain by have its android.net.http.CertificateChainValidator code reorder the cert chain before passing it for validation.
To deal with this in your own app, you want to create your own javax.net.ssl.SSLSocketFactory from an SSLContext that was initialized with a X509TrustManager that reorders the chain before calling the default TrustManagerFactory provided TrustManager.
I haven't recently looked at the Apache HTTP Client code to see how to provide your custom javax.net.ssl.SSLSocketFactory to their SSLSocketFactory wrapper, but it should be possible (or just don't use Apache HTTP Client and just use new URL("https://..").openConnection() which allows you to specify the custom javax.net.ssl.SSLSocketFactory on the HttpsURLConnection.
Finally, note that you should only need to import the self-signed root CA into your keystore (and only if its not already in the system store, but I just checked and this CA is not present in froyo). The CA you want in this case has subject:
I guess your problem is solved right now, but I had the same one and I also struggled some time to find the correct solution. Maybe it helps someone.
I've also used the code from Antoine's Blog but I changed the constructor used for the SSLSocketFactory.
So I use
therefor i created two KeyStores
I created the BKS Stores with Portecle. In the signature_truststore.bks I imported the root Certificate and in the signature_certstore.bks you have to import one or more intermediate certificates.
The rest of the code is exactly the same as the one from the blog.
this may help: http://blog.antoine.li/index.php/2010/10/android-trusting-ssl-certificates/ , Do u have trusted certificates from a CA (like versign or Geotrust)? or you are using self signed certificate... i was facing similar problem and solved it today...
Btw, I'm the author from the mentioned blog above ;) I try to answer your question here.
I've looked at your certificate outputs from firefox and openssl and found something interesting.
Look the root ca certificate (index 1) at your openssl output. The issuer name is: Thawte Premium Server CA The subject name is: thawte Primary Root CA The subject and issuer names are different. Therefore, this certificate is not considered as the Root CA, because it was issued by another instance. Therefore, the bouncycastle provider is considering this certificate as the Root CA but it complains because issues and subject are different.
I have no idea how you obtained the "wrong" Root CA certificate. When I look at the Root CA certificate in firefox, the subject and issuer are the same, as it should be.
Try to get the right Root CA and try again.
Hope this helps. Greetings and good luck ;)
I have finally solved my same "IssuerName does not match SubjectName" exception. I've followed the same blog by Antoine and what's described here numerous times, and here's how to make it finally work:
1) Our website uses two certificates from GeoTrust: the intermediate CA is issued to us by GeoTrust SSL CA, and the root CA is issued to GeoTrust SSL CA by GeoTrust Global CA;
2) If only the root CA or both the root and the intermediate CAs in 1) are used, I get the mismatch exception, because Android only supports a limited number of trusted root CA, and GeoTrust Global CA is not in the list;
3) In the support page of www.geotrust.com, there's a page called GeoTrust Cross Root CA, simply download it, save it to a name like crossroot.pem, and use this command to generate the keystore:
C:\Program Files\Java\jdk1.6.0_24\bin>keytool -importcert -v -trustcacerts -file c:\ssl\crossroot.pem -alias newroot -keystore c:\ssl\crossroot.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "c:\downloads\bcprov-jdk16-145.jar" -storetype BKS -storepass mysecret
Step 2 of the blog by Antonie has a link to download the BouncyCastleProvider;
4) Add the keystore file to the Android project, and it works - this makes sense because now Android finds a trusted root Equifax Secure Certificate Authority (see the list above 1) whose SubjectName GeoTrust Global CA matches our site's root IssuerName.
5) The code in the step 3 of blog works fine, and just to make it more complete, I copied my test code below:
The tough part of this problem is if your root CA's issuer is not in the Android's trusted list, you'll have to get it from the company who issues you the certificates - ask them to provide you with a cross root CA that has the root issuer as one of the trusted root CAs of Android.