1 page.title= 2 page.keywords=androidn, , 3 page.image=images/cards/card-nyc_2x.jpg 4 5 @jd:body 6 7 <div id="tb-wrapper"> 8 <div id="tb"> 9 10 <h2> </h2> 11 <ol> 12 <li><a href="#manifest"> </a></li> 13 <li><a href="#CustomTrust"> CA </a> 14 <ol> 15 <li><a href="#ConfigCustom"> CA </a></li> 16 <li><a href="#LimitingCas"> CA </a></li> 17 <li><a href="#TrustingAdditionalCas"> CA </a></li> 18 </ol> 19 </li> 20 <li><a href="#TrustingDebugCa"> CA</a></li> 21 <li><a href="#UsesCleartextTraffic"> </a></li> 22 <li><a href="#CertificatePinning"> </a></li> 23 <li><a href="#ConfigInheritance"> </a></li> 24 <li><a href="#FileFormat"> </a></li> 25 </ol> 26 </div> 27 </div> 28 29 30 <p> 31 Android N 32 33 . 34 . 35 : 36 </p> 37 38 <ul> 39 <li> 40 <b> :</b> (CA) 41 . , 42 43 CA . 44 </li> 45 46 <li> 47 <b> :</b> , 48 . 49 </li> 50 51 <li> 52 <b> :</b> 53 . 54 </li> 55 56 <li> 57 <b> :</b> 58 . 59 </li> 60 </ul> 61 62 63 <h2 id="manifest"> </h2> 64 65 <p> 66 XML 67 . 68 . 69 . 70 </p> 71 72 <pre> 73 <?xml version="1.0" encoding="utf-8"?> 74 <manifest ... > 75 <application ... > 76 <meta-data android:name="android.security.net.config" 77 android:resource="@xml/network_security_config" /> 78 ... 79 </application> 80 </manifest> 81 </pre> 82 83 <h2 id="CustomTrust"> CA </h2> 84 85 <p> 86 CA 87 . . 88 </p> 89 90 <ul> 91 <li> ( , 92 CA ) . 93 </li> 94 95 <li> CA CA 96 CA . 97 </li> 98 99 <li> CA . 100 </li> 101 </ul> 102 103 <p> 104 (: TLS, HTTPS) CA , 105 API 23(Android M) 106 CA . 107 {@code base-config}( 108 ) {@code domain-config}( 109 ) . 110 </p> 111 112 113 <h3 id="ConfigCustom"> CA </h3> 114 115 <p> 116 117 CA(: CA) SSL 118 . 119 </p> 120 121 <p> 122 <code>res/xml/network_security_config.xml</code>: 123 <pre> 124 <?xml version="1.0" encoding="utf-8"?> 125 <network-security-config> 126 <domain-config> 127 <domain includeSubdomains="true">example.com</domain> 128 <trust-anchors> 129 <certificates src="@raw/my_ca"/> 130 </trust-anchors> 131 </domain-config> 132 </network-security-config> 133 </pre> 134 </p> 135 136 <p> 137 CA PEM DER 138 {@code res/raw/my_ca} . 139 </p> 140 141 142 <h3 id="LimitingCas"> CA </h3> 143 144 <p> 145 CA , 146 CA . 147 CA . 148 </p> 149 150 <p> 151 CA <a href="#TrustingACustomCa"> CA </a> 152 CA . 153 </p> 154 155 <p> 156 <code>res/xml/network_security_config.xml</code>: 157 <pre> 158 <?xml version="1.0" encoding="utf-8"?> 159 <network-security-config> 160 <domain-config> 161 <domain includeSubdomains="true">secure.example.com</domain> 162 <domain includeSubdomains="true">cdn.example.com</domain> 163 <trust-anchors> 164 <certificates src="@raw/trusted_roots"/> 165 </trust-anchors> 166 </domain-config> 167 </network-security-config> 168 </pre> 169 </p> 170 171 <p> 172 CA PEM DER {@code res/raw/trusted_roots} . 173 PEM PEM <em></em> 174 . 175 <a href="#certificates"><code><certificates></code></a> 176 . 177 </p> 178 179 180 <h3 id="TrustingAdditionalCas"> 181 CA 182 </h3> 183 184 <p> 185 CA , 186 CA CA Android 187 . 188 189 CA . 190 </p> 191 <p> 192 <code>res/xml/network_security_config.xml</code>: 193 <pre> 194 <?xml version="1.0" encoding="utf-8"?> 195 <network-security-config> 196 <base-config> 197 <trust-anchors> 198 <certificates src="@raw/extracas"/> 199 <certificates src="system"/> 200 </trust-anchors> 201 </base-config> 202 </network-security-config> 203 </pre> 204 </p> 205 206 207 <h2 id="TrustingDebugCa"> CA </h2> 208 209 <p> 210 HTTPS 211 SSL 212 . , 213 {@code debug-overrides} 214 <i></i> <a href="{@docRoot}guide/topics/manifest/application-element.html#debug"> 215 android:debuggable</a> 216 {@code true} CA . IDE 217 . 218 </p> 219 220 <p> 221 222 223 . 224 </p> 225 226 <p> 227 <code>res/xml/network_security_config.xml</code>: 228 <pre> 229 <?xml version="1.0" encoding="utf-8"?> 230 <network-security-config> 231 <debug-overrides> 232 <trust-anchors> 233 <certificates src="@raw/debug_cas"/> 234 </trust-anchors> 235 </debug-overrides> 236 </network-security-config> 237 </pre> 238 </p> 239 240 241 <h2 id="UsesCleartextTraffic"> </h2> 242 243 <p> 244 245 (HTTPS HTTP 246 ) . 247 URL 248 . 249 {@link android.security.NetworkSecurityPolicy#isCleartextTrafficPermitted 250 NetworkSecurityPolicy.isCleartextTrafficPermitted()} . 251 </p> 252 253 <p> 254 , {@code 255 secure.example.com} HTTPS 256 . 257 </p> 258 259 <p> 260 <code>res/xml/network_security_config.xml</code>: 261 <pre> 262 <?xml version="1.0" encoding="utf-8"?> 263 <network-security-config> 264 <domain-config usesCleartextTraffic="false"> 265 <domain includeSubdomains="true">secure.example.com</domain> 266 </domain-config> 267 </network-security-config> 268 </pre> 269 </p> 270 271 272 <h2 id="CertificatePinning"> </h2> 273 274 <p> 275 CA . CA 276 MiTM 277 . CA 278 . 279 </p> 280 281 <p> 282 283 (X.509 SubjectPublicKeyInfo) . 284 285 . 286 </p> 287 288 <p> 289 290 CA ( 291 CA CA CA ) 292 . 293 . 294 </p> 295 296 <p> 297 , 298 . 299 . 300 . 301 </p> 302 303 <p> 304 <code>res/xml/network_security_config.xml</code>: 305 <pre> 306 <?xml version="1.0" encoding="utf-8"?> 307 <network-security-config> 308 <domain-config> 309 <domain includeSubdomains="true">example.com</domain> 310 <pin-set expiration="2018-01-01"> 311 <pin digest="SHA-256">7HIpactkIAq2Y49orFOOQKurWxmmSFZhBCoQYcRhJ3Y=</pin> 312 <!-- backup pin --> 313 <pin digest="SHA-256">fwza0LRMXouZHRC8Ei+4PyuldPDcf3UKgO/04cDM1oE=</pin> 314 </pin-set> 315 </domain-config> 316 </network-security-config> 317 </pre> 318 </p> 319 320 321 <h2 id="ConfigInheritance"> </h2> 322 323 <p> 324 . 325 . 326 </p> 327 328 <p> 329 330 . {@code domain-config} 331 {@code domain-config} {@code 332 base-config} . {@code base-config} 333 . 334 </p> 335 336 <p> 337 , {@code 338 example.com} CA . , 339 {@code 340 secure.example.com} <em></em> . {@code example.com} {@code 341 secure.example.com} 342 {@code trust-anchors} . 343 </p> 344 345 <p> 346 <code>res/xml/network_security_config.xml</code>: 347 <pre> 348 <?xml version="1.0" encoding="utf-8"?> 349 <network-security-config> 350 <domain-config> 351 <domain includeSubdomains="true">example.com</domain> 352 <trust-anchors> 353 <certificates src="@raw/my_ca"/> 354 </trust-anchors> 355 <domain-config cleartextTrafficPermitted="false"> 356 <domain includeSubdomains="true">secure.example.com</domain> 357 </domain-config> 358 </domain-config> 359 </network-security-config> 360 </pre> 361 </p> 362 363 364 <h2 id="FileFormat"> </h2> 365 366 <p> 367 XML . 368 . 369 </p> 370 371 <pre> 372 <?xml version="1.0" encoding="utf-8"?> 373 <network-security-config> 374 <base-config> 375 <trust-anchors> 376 <certificates src="..."/> 377 ... 378 </trust-anchors> 379 </base-config> 380 381 <domain-config> 382 <domain>android.com</domain> 383 ... 384 <trust-anchors> 385 <certificates src="..."/> 386 ... 387 </trust-anchors> 388 <pin-set> 389 <pin digest="...">...</pin> 390 ... 391 </pin-set> 392 </domain-config> 393 ... 394 <debug-overrides> 395 <trust-anchors> 396 <certificates src="..."/> 397 ... 398 </trust-anchors> 399 </debug-overrides> 400 </network-security-config> 401 </pre> 402 403 <p> 404 405 . 406 </p> 407 408 <h3 id="network-security-config"> 409 <network-security-config> 410 </h3> 411 412 <dl class="xml"> 413 <dt> 414 . 415 </dt> 416 417 <dd> 418 <code><a href="#base-config"><base-config></a></code> 0 1<br> 419 <code><a href= 420 "#domain-config"><domain-config></a></code> <br> 421 <code><a href="#debug-overrides"><debug-overrides></a></code> 0 1 422 </dd> 423 </dl> 424 425 <h3 id="base-config"> 426 <base-config> 427 </h3> 428 429 <dl class="xml"> 430 <dt> 431 : 432 </dt> 433 </dl> 434 435 <pre class="stx"> 436 <base-config <a href= 437 "#usesCleartextTraffic">usesCleartextTraffic</a>=["true" | "false"]> 438 ... 439 </base-config> 440 </pre> 441 <dl class="xml"> 442 <dt> 443 . 444 </dt> 445 446 <dd> 447 <code><a href="#trust-anchors"><trust-anchors></a></code> 448 </dd> 449 450 <dt> 451 : 452 </dt> 453 454 <dd> 455 456 <a href="#domain-config"><code>domain-config</code></a> . 457 458 <p> 459 . API 24 460 : 461 </p> 462 463 <pre> 464 <base-config usesCleartextTraffic="true"> 465 <trust-anchors> 466 <certificates src="system" /> 467 </trust-anchors> 468 </base-config> 469 </pre> 470 API 23 : 471 <pre> 472 <base-config usesCleartextTraffic="true"> 473 <trust-anchors> 474 <certificates src="system" /> 475 <certificates src="user" /> 476 </trust-anchors> 477 </base-config> 478 </pre> 479 480 </dd> 481 </dl> 482 483 <h3 id="domain-config"><domain-config></h3> 484 <dl class="xml"> 485 <dt>:</dt> 486 <dd> 487 <pre class="stx"><domain-config <a href="#usesCleartextTraffic">usesCleartextTraffic</a>=["true" | "false"]> 488 ... 489 </domain-config></pre> 490 </dd> 491 492 <dt> .</dt> 493 494 <dd> 495 <code><a href="#domain"><domain></a></code> 1 496 <br/><code><a href="#trust-anchors"><trust-anchors></a></code> 0 1 497 <br/><code><a href="#pin-set"><pin-set></code></a> 0 1 498 <br/> <code><domain-config></code> </dd> 499 500 <dt></dt> 501 <dd>{@code domain} . 502 503 <p> {@code domain-config} () 504 .</p></dd> 505 </dl> 506 507 508 <h3 id="domain"><domain></h3> 509 510 <dl class="xml"> 511 <dt> 512 : 513 </dt> 514 515 <dd> 516 <pre class="stx"> 517 <domain includeSubdomains=["true" | "false"]>example.com</domain> 518 </pre> 519 </dd> 520 521 <dt> 522 : 523 </dt> 524 525 <dd> 526 <dl class="attr"> 527 <dt> 528 {@code includeSubdomains} 529 </dt> 530 531 <dd> 532 {@code "true"} ( ) 533 . 534 . 535 </dd> 536 </dl> 537 </dd> 538 539 <dt> 540 : 541 </dt> 542 </dl> 543 544 <h3 id="debug-overrides"><debug-overrides></h3> 545 546 <dl class="xml"> 547 <dt> 548 : 549 </dt> 550 551 <dd> 552 <pre class="stx"> 553 <debug-overrides> 554 ... 555 </debug-overrides> 556 </pre> 557 </dd> 558 559 <dt> 560 . 561 </dt> 562 563 <dd> 564 <code><a href="#trust-anchors"><trust-anchors></a></code> 0 1 565 </dd> 566 567 <dt> 568 : 569 </dt> 570 571 <dd> 572 <a href="{@docRoot}guide/topics/manifest/application-element.html#debug">android:debuggable</a> 573 {@code "true"} . 574 IDE . {@code 575 debug-overrides} , 576 577 . <a href="{@docRoot}guide/topics/manifest/application-element.html#debug">android:debuggable</a> 578 {@code "false"} . 579 </dd> 580 </dl> 581 582 <h3 id="trust-anchors"><trust-anchors></h3> 583 <dl class="xml"> 584 <dt> 585 : 586 </dt> 587 588 <dd> 589 <pre class="stx"> 590 <trust-anchors> 591 ... 592 </trust-anchors> 593 </pre> 594 </dd> 595 596 <dt> 597 . 598 </dt> 599 600 <dd> 601 <code><a href="#certificates"><certificates></a></code> 602 </dd> 603 604 <dt> 605 : 606 </dt> 607 608 <dd> 609 . 610 </dd> 611 </dl> 612 613 614 <h3 id="certificates"><certificates></h3> 615 <dl class="xml"> 616 <dt>:</dt> 617 <dd><pre class="stx"><certificates src=["system" | "user" | "<i>raw resource</i>"] 618 overridePins=["true" | "false"] /> 619 </pre></dd> 620 <dt>:</dt> 621 <dd>{@code trust-anchors} X.509 .</dd> 622 623 <dt>:</dt> 624 <dd><dl class="attr"> 625 <dt>{@code src}</dt> 626 <dd> 627 CA . 628 <ul> 629 <li>X.509 ID. 630 DER PEM . PEM , 631 PEM 632 <em> </em>. 633 </li> 634 635 <li> CA {@code "system"} 636 </li> 637 638 <li> CA {@code "user"} 639 </li> 640 </ul> 641 </dd> 642 643 <dt>{@code overridePins}</dt> 644 <dd> 645 <p> 646 CA . {@code 647 "true"} CA 648 . CA 649 MiTM . 650 </p> 651 652 <p> 653 {@code debug-overrides} 654 {@code "false"}. {@code "true"}. 655 </p> 656 </dd> 657 </dl> 658 </dd> 659 660 661 <h3 id="pin-set"><pin-set></h3> 662 663 <dl class="xml"> 664 <dt> 665 : 666 </dt> 667 668 <dd> 669 <pre class="stx"> 670 <pin-set expiration="date"> 671 ... 672 </pin-set> 673 </pre> 674 </dd> 675 676 <dt> 677 . 678 </dt> 679 680 <dd> 681 <code><a href="#pin"><pin></a></code> 682 </dd> 683 684 <dt> 685 : 686 </dt> 687 688 <dd> 689 . 690 . 691 <code><a href="#pin"><pin></a></code> . 692 </dd> 693 694 <dt> 695 : 696 </dt> 697 698 <dd> 699 <dl class="attr"> 700 <dt> 701 {@code expiration} 702 </dt> 703 704 <dd> 705 {@code yyyy-MM-dd} , 706 . 707 . 708 <p> 709 ( ) 710 PIN 711 . 712 </p> 713 </dd> 714 </dl> 715 </dd> 716 </dl> 717 718 <h3 id="pin"><pin></h3> 719 <dl class="xml"> 720 <dt> 721 : 722 </dt> 723 724 <dd> 725 <pre class="stx"> 726 <pin digest=["SHA-256"]>base64 encoded digest of X.509 727 SubjectPublicKeyInfo (SPKI)</pin> 728 </pre> 729 </dd> 730 731 <dt> 732 : 733 </dt> 734 735 <dd> 736 <dl class="attr"> 737 <dt> 738 {@code digest} 739 </dt> 740 741 <dd> 742 PIN . 743 {@code "SHA-256"} . 744 </dd> 745 </dl> 746 </dd> 747 </dl> 748
