Caused by: java.security.cert.CertificateException: Signature uses an insecure hash function: 1.2.840.113549.1.1.5
Following the stack trace to the code that throws, the exception comes from the method in org.conscrypt.ChainStrengthAnalyzer that checks a certificate's signature algorithm:
    // org.conscrypt.ChainStrengthAnalyzer
    private static void checkSignatureAlgorithm(X509Certificate cert)
            throws CertificateException {
        // OID of the algorithm the issuer used to sign this certificate
        String oid = cert.getSigAlgOID();
        for (String blacklisted : SIGNATURE_ALGORITHM_OID_BLACKLIST) {
            if (oid.equals(blacklisted)) {
                throw new CertificateException(
                        "Signature uses an insecure hash function: " + oid);
            }
        }
    }
It calls cert.getSigAlgOID() to obtain the OID of the algorithm the certificate was signed with, walks the locally defined list of blacklisted signature algorithm OIDs, and throws the Caused by: java.security.cert.CertificateException: Signature uses an insecure hash function exception as soon as it finds a match. The OID in our stack trace, 1.2.840.113549.1.1.5, is sha1WithRSAEncryption. As the array's name already says, these are algorithms that are no longer supported:
    // Signature algorithms Conscrypt refuses; the OID from the stack trace
    // above (1.2.840.113549.1.1.5) is the sha1WithRSAEncryption entry.
    private static final String[] SIGNATURE_ALGORITHM_OID_BLACKLIST = {
        "1.2.840.113549.1.1.2", // md2WithRSAEncryption
        "1.2.840.113549.1.1.3", // md4WithRSAEncryption
        "1.2.840.113549.1.1.4", // md5WithRSAEncryption
        "1.2.840.113549.1.1.5", // sha1WithRSAEncryption
        "1.2.840.10040.4.3",    // dsa-with-sha1
        "1.2.840.10045.4.1",    // ecdsa-with-sha1
    };
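To reproduce the check outside Android, here is an added Python example (it is not Conscrypt code) that reads the outer signatureAlgorithm OID straight out of a DER-encoded certificate, which is the value getSigAlgOID() returns, and compares it against the same blacklist. The certificate it feeds in is a constructed stand-in built by the hypothetical fake_certificate() helper, with a dummy tbsCertificate and signature value; only the AlgorithmIdentifier is meaningful. To check a real certificate, pass its DER bytes to check_signature_algorithm().

```python
"""Mirror of ChainStrengthAnalyzer.checkSignatureAlgorithm in pure Python.
Added example, not Conscrypt's code."""

# OIDs copied from SIGNATURE_ALGORITHM_OID_BLACKLIST above.
SIGNATURE_ALGORITHM_OID_BLACKLIST = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.3": "md4WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-sha1",
}


class InsecureSignatureAlgorithm(ValueError):
    """Python stand-in for the CertificateException Conscrypt throws."""


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    """Turn the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def get_sig_alg_oid(der_cert):
    """Equivalent of X509Certificate.getSigAlgOID(): the OID inside the
    Certificate's outer signatureAlgorithm field (the third top-level element
    is signatureValue, the first is tbsCertificate)."""
    tag, cert_body, _ = _read_tlv(der_cert, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert_body, 0)        # tbsCertificate, skipped
    tag, alg_body, _ = _read_tlv(cert_body, pos)  # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_body, _ = _read_tlv(alg_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(oid_body)


def check_signature_algorithm(der_cert):
    """Same decision as Conscrypt: raise on a blacklisted OID, else return it."""
    oid = get_sig_alg_oid(der_cert)
    if oid in SIGNATURE_ALGORITHM_OID_BLACKLIST:
        raise InsecureSignatureAlgorithm(
            "Signature uses an insecure hash function: %s (%s)"
            % (oid, SIGNATURE_ALGORITHM_OID_BLACKLIST[oid]))
    return oid


# --- constructed sample input; this is NOT a real certificate ------------

def _tlv(tag, body):
    """Encode a DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    """Inverse of _decode_oid: dotted OID string to DER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def fake_certificate(sig_alg_oid):
    """Hypothetical helper: a structurally valid Certificate shell whose
    tbsCertificate and signatureValue are dummies; only signatureAlgorithm
    carries real content."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))  # tbsCertificate: just a serial number
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_alg_oid)) + b"\x05\x00")  # OID + NULL params
    sig = _tlv(0x03, b"\x00" + b"\x00" * 8)  # BIT STRING, zero unused bits
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        try:
            print(oid, "->", check_signature_algorithm(fake_certificate(oid)))
        except InsecureSignatureAlgorithm as e:
            print(oid, "->", e)
```

For a certificate you already have on disk, the quickest check is still openssl: `openssl x509 -in cert.pem -noout -text | grep "Signature Algorithm"` prints the algorithm name (sha1WithRSAEncryption is the one behind the OID in this stack trace).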
On Android 10 and later, a certificate signed with one of these old algorithms triggers this exception. The fix is to reissue the certificate with a signature algorithm that is not on the list, for example SHA-256 with RSA or ECDSA; since the check is applied to each certificate it examines, the intermediate certificates served alongside the leaf must not use these algorithms either.