當(dāng)安卓客戶端與服務(wù)器建立https連接時(shí)叛买,需要驗(yàn)證服務(wù)器是否具備平臺(tái)已知的CA證書砂代。由于服務(wù)器的CA證書可能無(wú)法被安卓系統(tǒng)識(shí)別,有可能出現(xiàn)下面的異常:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
谷歌官方也給出了這個(gè)問(wèn)題的詳細(xì)介紹率挣,解決的方法是通過(guò)加載證書文件刻伊,創(chuàng)建一個(gè)KeyStore,用來(lái)初始化TrustManager椒功,用來(lái)信任加載的CA證書捶箱。再通過(guò)SSLContext將這個(gè)證書集替換默認(rèn)的sslSocketFactory。
今天提出一個(gè)簡(jiǎn)單的證書集工具類动漾,可方便管理自己的證書集丁屎。
public class CustomTrustManager {
protected static X509TrustManager trustManager;
protected static SSLSocketFactory sslSocketFactory;
private CustomTrustManager() {
try {
//讀取證書文件,可用字符串流或文件
trustManager = trustManagerForCertificates(trustedCertificatesInputStream());
SSLContext sslContext = SSLContext.getInstance("TLS");
//使用sslContext將自定義證書集初始化
sslContext.init(null, new TrustManager[]{trustManager}, null);
sslSocketFactory = sslContext.getSocketFactory();
} catch (GeneralSecurityException e) {
throw new RuntimeException(e);
}
}
//內(nèi)部靜態(tài)類的單例模式
private static class CustomTrustHolder {
private static final CustomTrustManager INSTANCE = new CustomTrustManager();
}
public X509TrustManager getTrustManager(){
return CustomTrustHolder.INSTANCE.trustManager;
}
public SSLSocketFactory getSSLSocketFactory(){
return CustomTrustHolder.INSTANCE.sslSocketFactory;
}
public static CustomTrustManager getInstance() {
return CustomTrustHolder.INSTANCE;
}
//用來(lái)創(chuàng)建證書和證書集旱眯,替換當(dāng)前平臺(tái)的證書集
//如果需要補(bǔ)授信某些服務(wù)器悦屏,可是使用CertificatePinner
private static X509TrustManager trustManagerForCertificates(InputStream in) throws
GeneralSecurityException {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
Collection<? extends Certificate> certificates = certificateFactory.generateCertificates
(in);
if (certificates.isEmpty()) {
throw new IllegalArgumentException("expected non-empty set of trusted certificates");
}
//指定一個(gè)密碼
char[] password = "password".toCharArray();
KeyStore keyStore = newEmptyKeyStore(password);
int index = 0;
for (Certificate certificate : certificates) {
String certificateAlias = Integer.toString(index++);
keyStore.setCertificateEntry(certificateAlias, certificate);
}
//初始化X509TrustManager
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
throw new IllegalStateException("Unexpected default trust managers:"
+ Arrays.toString(trustManagers));
}
return (X509TrustManager) trustManagers[0];
}
private static KeyStore newEmptyKeyStore(char[] password) throws GeneralSecurityException {
try {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
InputStream in = null; // By convention, 'null' creates an empty key store.
keyStore.load(in, password);
return keyStore;
} catch (IOException e) {
throw new AssertionError(e);
}
}
//使用jdk的keytool命令讀取證書內(nèi)容 keytool -printcert -rfc -file 證書名.cer
private static InputStream trustedCertificatesInputStream() {
//示例节沦,此處替換從網(wǎng)站下載的CA證書
String certA =
"-----BEGIN CERTIFICATE-----\n" +
“dLZzF2JaIn4LAmtQrFSM2sNRis\n" +
"-----END CERTIFICATE-----";
String certB = ...
return new Buffer()
.writeUtf8(CertA)
//可指定多個(gè)證書
.writeUtf8(CertB)
.inputStream();
}
}
在Chrome瀏覽器的開(kāi)發(fā)者模式中,可以下載到https網(wǎng)站的證書础爬。
1509959119(1).png
然后使用jdk的keytool命令復(fù)制證書內(nèi)容甫贯,替換trustedCertificatesInputStream方法中的字符串。
1509959437(1).png
使用這個(gè)工具類看蚜,可以非常方便的使用自簽名或者非認(rèn)證的證書與服務(wù)器進(jìn)行https連接叫搁。
