Silently installing a PFX into the Android system trusted CA user keystore


My company is building a kiosk using Android tablets. We use TLS to communicate with a private server. We have the platform key to grant our application system permissions. The server only allows a client to connect if it connects with an authorized client certificate. To manufacture the tablets we need to load the client certificate and private key, in PFX format, into the Android system trusted CA user keystore. Multiple apps need to retrieve the PrivateKey and certificate chain from the User keystore. Our manufacturing process is automated, and nobody is there to click Yes and OK on screen prompts. We also need a silent certificate installation process so the client certificate can be replaced when it expires in the future.

How can a platform-signed app silently load a PFX file into the system trusted CA user store without any user interaction?

Answer

This only works for an enterprise Wi-Fi configuration. The following method configures a WPA/EAP-TLS Wi-Fi configuration with a CA certificate and a user certificate.

// Imports added for completeness; the original answer omitted them.
import android.content.Context;
import android.content.IntentFilter;
import android.net.ConnectivityManager;
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import android.net.wifi.WifiManager;
import android.os.Build;
import android.util.Base64;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Enumeration;

// Logger, Util, Settings, NetworkStateReceiver, wifiReceiver and lastActNetId are helpers and
// fields of the answerer's own project; they are assumed to exist in the enclosing class.
public static void createEapConfig(Context context, String ssid, String password, boolean connectAutomatically, boolean hiddenNetwork,
                                   Integer eapMethod, Integer phase2, String identity, String anonymousIdentity, String caCertificateData,
                                   String clientCertificateData, String clientCertPass) {
    if (ssid == null || eapMethod == null) {
        return;
    }
    WifiManager wifiManager = (WifiManager) context.getSystemService(Context.WIFI_SERVICE);
    boolean connect = connectAutomatically;
    boolean isWifiReceiverRegistered = false;
    try {
        Logger.logEnteringOld();

        WifiConfiguration config = new WifiConfiguration();
        config.SSID = "\"" + ssid + "\""; // WifiConfiguration expects the SSID wrapped in double quotes
        config.hiddenSSID = hiddenNetwork; //false; //hidden network is always set to false.
        config.status = WifiConfiguration.Status.ENABLED;
        config.priority = 40;
        try {
            // setWifiApEnabled is a hidden API, hence reflection; this switches the hotspot off first
            wifiManager.getClass().getMethod("setWifiApEnabled", WifiConfiguration.class, boolean.class).invoke(wifiManager, config, false);
        } catch (Exception e) {
            Logger.logError(e);
        }
        Settings.isWifiHotspotEnabled(false);
        if (!wifiManager.isWifiEnabled()) {
            wifiManager.setWifiEnabled(true);
            Thread.sleep(5000);
        }

        if (connect) {
            lastActNetId = wifiManager.getConnectionInfo().getNetworkId();
            wifiManager.disableNetwork(lastActNetId);
            wifiManager.disconnect();
        }
        config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
        config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);

        // Set defaults
        if (phase2 == null) phase2 = WifiEnterpriseConfig.Phase2.NONE;
        if (identity == null) identity = "";
        if (anonymousIdentity == null) anonymousIdentity = "";
        if (caCertificateData == null) caCertificateData = "";
        if (clientCertificateData == null) clientCertificateData = "";
        if (Build.VERSION.SDK_INT >= 18) {
            // The original tested isNullOrEmpty without negation and so never set a non-empty password
            if (!Util.isNullOrEmpty(password)) {
                config.enterpriseConfig.setPassword(password);
            }

            config.enterpriseConfig.setEapMethod(eapMethod);

            if (phase2 != null) {
                config.enterpriseConfig.setPhase2Method(phase2);
            }
            if (!Util.isNullOrEmpty(identity)) {
                config.enterpriseConfig.setIdentity(identity);
            }
            if (!Util.isNullOrEmpty(anonymousIdentity)) {
                config.enterpriseConfig.setAnonymousIdentity(anonymousIdentity);
            }
            InputStream is = null;
            if (!Util.isNullOrEmpty(caCertificateData)) {
                try {
                    // Base64-encoded DER of the CA certificate
                    byte[] decodedCaCert = Base64.decode(caCertificateData, Base64.DEFAULT);
                    //is = new FileInputStream(Environment.getExternalStorageDirectory()+"/local-root(1).cer" );
                    CertificateFactory cf = CertificateFactory.getInstance("X.509");
                    try {

                        is = new ByteArrayInputStream(decodedCaCert);
                        X509Certificate caCert = (X509Certificate) cf.generateCertificate(is);
                        config.enterpriseConfig.setCaCertificate(caCert);
                    } catch (CertificateException ex) {
                        Logger.logError(ex);
                    } finally {
                        if (is != null) {
                            is.close();
                        }
                    }
                } catch (Throwable t) {
                    Logger.logError(t);
                }
            }
            if (!Util.isNullOrEmpty(clientCertificateData) && !Util.isNullOrEmpty(clientCertPass)) {
                try {
                    // Base64-encoded PKCS#12 (PFX) holding the client key and certificate
                    byte[] decodedClientCert = Base64.decode(clientCertificateData, Base64.DEFAULT);
                    KeyStore p12 = KeyStore.getInstance("pkcs12");
                    is = new ByteArrayInputStream(decodedClientCert);
                    //is = new FileInputStream(Environment.getExternalStorageDirectory()+"/createdDERCert(1).pfx");
                    p12.load(is, clientCertPass.toCharArray());
                    Enumeration<String> aliases = p12.aliases();
                    for (String alias : Collections.list(aliases)) {

                        if (alias == null) {
                            continue;
                        }

                        PrivateKey privateKey = (PrivateKey) p12.getKey(alias, clientCertPass.toCharArray());
                        if (privateKey == null) {
                            continue;
                        }

                        X509Certificate clientCert = (X509Certificate) p12.getCertificate(alias);

                        if (clientCert != null) {
                            config.enterpriseConfig.setClientKeyEntry(privateKey, clientCert);
                        }
                    }
                } catch (Throwable t) {
                    Logger.logError(t);
                } finally {
                    if (is != null) {
                        try {
                            is.close();
                        } catch (IOException e) {
                            e.printStackTrace();
                        }
                    }
                }
            }
        }

        // addNetwork returns -1 when the configuration is rejected
        int networkId = wifiManager.addNetwork(config);
        if (networkId == -1) {
            Logger.logError(new IllegalStateException("addNetwork failed for SSID " + ssid));
            return;
        }

        wifiManager.enableNetwork(networkId, true);
        wifiManager.saveConfiguration();

        if (connect) {
            wifiManager.reconnect();
            IntentFilter filter = new IntentFilter();
            filter.addAction(ConnectivityManager.CONNECTIVITY_ACTION);
            Settings.cntxt.registerReceiver(wifiReceiver, filter);
            isWifiReceiverRegistered = true;
            Thread.sleep(15000);
        }
    } catch (InterruptedException ie) {
        if (NetworkStateReceiver.activeConnection(Settings.cntxt)) {
            lastActNetId = wifiManager.getConnectionInfo().getNetworkId();
        }
    } catch (Exception ex) {
        Logger.logError(ex);
    } finally {
        // unregister wifi state receiver
        if (connect && isWifiReceiverRegistered) {
            isWifiReceiverRegistered = false;
            Settings.cntxt.unregisterReceiver(wifiReceiver);
        }
    }

    Logger.logEnteringOld();
}
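The answer above reads only the leaf certificate out of the PKCS#12 (KeyStore.getCertificate) and hands it to setClientKeyEntry, which drops any intermediate the PFX carries; if the client certificate is not issued directly by the CA, the supplicant cannot present a full chain. The following is an added example, not the answerer's code: it loads the PFX from bytes, picks the first private-key entry together with its full chain via getCertificateChain, checks that the chain actually links up to the CA certificate before anything is persisted, and builds the EAP-TLS configuration with setClientKeyEntryWithCertificateChain (API 28 and later). The class name EapTlsConfigBuilder, the ClientIdentity holder and the caller-supplied caCert are assumptions of this example.

```java
import android.net.wifi.WifiConfiguration;
import android.net.wifi.WifiEnterpriseConfig;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/** Added example (hypothetical class name): EAP-TLS identity from a PKCS#12, full chain included. */
public final class EapTlsConfigBuilder {

    /** Private key plus certificate chain (leaf first) taken from one PKCS#12 key entry. */
    public static final class ClientIdentity {
        public final PrivateKey key;
        public final X509Certificate[] chain;
        ClientIdentity(PrivateKey key, X509Certificate[] chain) { this.key = key; this.chain = chain; }
    }

    /**
     * Returns the first key entry of the PKCS#12 with its whole chain. getCertificateChain()
     * returns the intermediates as well; getCertificate() (used in the answer) returns only the leaf.
     */
    public static ClientIdentity loadClientIdentity(byte[] pkcs12, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (ByteArrayInputStream in = new ByteArrayInputStream(pkcs12)) {
            p12.load(in, password);
        }
        Enumeration<String> aliases = p12.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!p12.isKeyEntry(alias)) continue; // skip trusted-certificate-only entries
            PrivateKey key = (PrivateKey) p12.getKey(alias, password);
            Certificate[] raw = p12.getCertificateChain(alias);
            if (key == null || raw == null || raw.length == 0) continue;
            X509Certificate[] chain = new X509Certificate[raw.length];
            for (int i = 0; i < raw.length; i++) chain[i] = (X509Certificate) raw[i];
            return new ClientIdentity(key, chain);
        }
        throw new KeyStoreException("PKCS#12 contains no private key entry");
    }

    /**
     * Rejects a PFX that does not chain to caCert: every link must verify with the next
     * certificate's key, the leaf must be within its validity period, and the top of the chain
     * must be signed by caCert (or be caCert itself, in which case it must be self-signed).
     */
    public static void verifyAgainstCa(X509Certificate[] chain, X509Certificate caCert)
            throws GeneralSecurityException {
        chain[0].checkValidity();
        for (int i = 0; i < chain.length - 1; i++) {
            chain[i].verify(chain[i + 1].getPublicKey());
        }
        X509Certificate top = chain[chain.length - 1];
        if (top.equals(caCert)) {
            top.verify(top.getPublicKey());
        } else {
            top.verify(caCert.getPublicKey());
        }
    }

    /** Builds the WPA-EAP / IEEE 802.1X configuration for EAP-TLS with the full client chain. */
    public static WifiConfiguration buildEapTls(String ssid, String identity,
                                                X509Certificate caCert, ClientIdentity client) {
        WifiConfiguration config = new WifiConfiguration();
        config.SSID = "\"" + ssid + "\"";
        config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.WPA_EAP);
        config.allowedKeyManagement.set(WifiConfiguration.KeyMgmt.IEEE8021X);
        WifiEnterpriseConfig eap = config.enterpriseConfig;
        eap.setEapMethod(WifiEnterpriseConfig.Eap.TLS);
        eap.setPhase2Method(WifiEnterpriseConfig.Phase2.NONE);
        eap.setIdentity(identity);
        eap.setCaCertificate(caCert);
        // API 28+: stores leaf and intermediates, so the supplicant can present the full chain
        eap.setClientKeyEntryWithCertificateChain(client.key, client.chain);
        return config;
    }
}
```

Typical use is loadClientIdentity, then verifyAgainstCa with the same CA certificate that will be passed to buildEapTls, and only then WifiManager.addNetwork on the result, so a PFX for the wrong PKI fails loudly at provisioning time rather than as an unexplained 802.1X failure on the finished tablet.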
