在 Android 上以编程方式安装/访问 VPN/WIFI 证书
情况是这样的:
我正在开发一个允许自动管理网络连接的应用程序。用户可以通过应用程序配置 WiFi/VPN 配置文件,应用程序将管理他们与这些配置文件的连接。
这一切都相当简单(嗯,VPN 端需要一些反射黑客技术),除非我需要管理这些与需要证书身份验证的网络的连接。问题在于,这些网络总体上使用自签名证书,而且与我在 Android 中遇到的情况相比,在我看来,这些证书需要从根证书存储中访问。我尝试创建一个私人应用程序密钥库并在那里安装证书,但据我所知,android 的 WiFi 和 VPN 部分无法访问它。
有没有办法在应用程序密钥库中安装选定的证书,根据此密钥库创建配置文件,然后将完整的配置文件发送到 android wifi/vpn 管理器以允许预配置的连接?
这看起来应该是可能的,但我只是还没有足够聪明来让它发挥作用。
更新:
当我尝试创建 wifi 和 vpn 配置时,我尝试引用本地应用程序密钥库中已安装的证书。看来,一旦配置被推送到操作系统,它就无法找到它们。据我了解,一旦安装了证书,它就会成为通用密钥库的一部分,无论是在应用程序还是操作系统级别。
我必须保留对内部证书的访问权限,因此无法将它们推送到 SD 卡。即使我将它们推送到 SD 卡,我也无法要求用户手动安装证书,我需要在后台处理此操作以简化配置。我一直在挖掘源代码,但没有找到任何明显的解决方案,但我只是希望有人之前偶然发现过这个问题,而我只是错过了它。
预先感谢您的帮助!
更新 2
对于那些仍然对如何执行此操作感兴趣的人,这里是您需要查看的包/类。
com.android.certinstaller.* android.security.Credentials
通过一点点挖掘,您可以找到适当的方法来构建安装所需证书的意图。
另外,作为旁注,如果尚未在设备上设置凭证存储密码,则您启动安装证书的初始意图将仅提示用户提供凭证存储密码。将不会安装证书。可能有办法解决这个问题,但我还没有找到。
Here's the situation:
I'm working on an application which allows automated management of network connections. Users are able to configure WiFi/VPN profiles through the application and the application will manage their connectivity to these profiles.
This was all fairly straight forward (well, the VPN side required some reflection hackery) except when I got to the point of managing these connections to networks which required certificate authentication. The trouble is that these networks by and large use self-signed certificates, and as far from what I've been running up against in android it seems to me that these certificates need to be accessible from the root cert store. I tried to create a private app keystore and install the certificates there, but as far as I can tell the WiFi and VPN segments of android can't get access to this.
Is there a way to install a chosen certificate in the application keystore, create profiles based upon this keystore, then send the completed profile to the android wifi/vpn manager to allow the preconfigured connection?
This seems like it should be possible, but I just haven't yet managed to be clever enough to get it to work.
Update:
When I try to create the wifi and vpn configurations I've attempted to reference installed certificates in the local application keystore. It's unable to find them once the configs are pushed to the OS, it seems. To my understanding once a certificate is installed it becomes part of a general keystore, either at the app or the os level.
I have to keep access to the certificates internal, so I can't push them to the SD card. Even if I were to push them to the SD card I wouldn't be able to require the user to manually install the certificate, I need this to be handled in the background to simplify the configuration. I've been digging through the source and haven't found any obvious solution to this, but I was just hoping someone had stumbled across this before and I was just missing it.
Thanks in advance for the help!
Update 2
For those of you still interested in how to do this, here are the packages/classes which you will need to take a look at.
com.android.certinstaller.*
android.security.Credentials
With a little bit of digging you can find the appropriate ways to construct intents to install the certs you need.
Also, as a side note, If the credential storage password has not been set on the device the initial intent you fire to install a certificate will instead only prompt the user to provide a credential storage password. The certificate will not be installed. There may be a way to work around this but I have yet to find it.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
这不是一个问题,可以考虑拆分一下。你具体尝试过什么? VPN 和 WiFi 不使用常规 Java
KeyStore,即通过密钥库守护程序访问密钥和证书。实际的密钥和证书作为文件存储在/data/misc/keystore中。据我所知,此 API 不是公开的,但您可能可以启动证书安装程序意图,它会扫描 SD 卡中的证书和 PFX 文件,并安装它们(这也可能不是公开的)。设置->位置和安全->“从 SD 卡安装”执行相同的操作。简而言之,我认为仅使用 SDK API 无法完成您想要做的事情,您必须查看源代码,并冒着应用程序在下一个 Android 版本中崩溃的风险。
更新:安装程序意图现在在 ICS 中公开,您可以通过 KeyChain< 访问它们/a> 类。
That's more than one question, consider splitting it. What exactly have you tried? VPN and WiFi don't use regular Java
KeyStore's, the access keys and certificates via the keystore daemon. The actual keys and certificates are stored as files in/data/misc/keystore. AFAIK the API for this is not public, but you could probably launch the certificate installer intent, which scans the SD card for certificates and PFX files, and installs them (this is may not be public either). Settings->Location and security->'Install from SD card' does the same thing.In short, I don't think you can do what you are trying to do using just the SDK APIs, you'll have to look at the source, and take the risk of your app breaking in the next Android version.
Update: the installer intents are now public in ICS, you can access them via the KeyChain class.