參考文章
Android Https相關(guān)完全解析 當(dāng)OkHttp遇到Https
Aandroid中https請(qǐng)求的單向認(rèn)證和雙向認(rèn)證
okhttp實(shí)現(xiàn)https請(qǐng)求
以上文章都有說(shuō)明單向認(rèn)證和雙向認(rèn)證的方法
最后參考了開(kāi)源項(xiàng)目
okhttputils
初始化okhttp時(shí)添加以下設(shè)置
addUnSafeSslSocketAndHostnameVerifier信任所有證書(shū)不做校驗(yàn)(大部分簡(jiǎn)單項(xiàng)目做法)
/**
* 通過(guò)所有https的認(rèn)證。不做判斷灯荧,不安全
* @param builder
* @return
*/
private static Builder addUnSafeSslSocketAndHostnameVerifier(Builder builder) {
//如果設(shè)置了sslSocketFactory卻沒(méi)有配置對(duì)應(yīng)的hostnameVerifier翘瓮,那么Https請(qǐng)求是無(wú)法成功的
//不設(shè)置會(huì)報(bào):javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
HttpsSslFactroy.SSLParams sslParams = HttpsSslFactroy.getSslSocketFactory(); //獲取默認(rèn)的SSLParams,通過(guò)所有認(rèn)證
addSSLSocketFactory(builder, sslParams.mSSLSocketFactory, sslParams.mTrustManager);
//不設(shè)置請(qǐng)求https會(huì)報(bào)錯(cuò):javax.net.ssl.SSLPeerUnverifiedException: Hostname xxx地址的host not verified:
//設(shè)置ip授權(quán)認(rèn)證:如果已經(jīng)安裝該證書(shū)磺樱,可以不設(shè)置,否則需要設(shè)置??????????????不設(shè)置會(huì)報(bào)錯(cuò)。台腥。投放。待處理
HostnameVerifier hostnameVerifier = HttpsSslFactroy.getHostnameVerifierUnSafe();
return addHostnameVerifier(builder, hostnameVerifier);
}
/**
* 單向認(rèn)證
* @param builder
* @param context
* @param certificates 服務(wù)器需要驗(yàn)證的證書(shū) 把證書(shū)放到raw目錄下
* @return
*/
public static Builder addSSLSocketFactory(Builder builder, Context context, @RawRes int[] certificates) {
HttpsSslFactroy.SSLParams sslParams = HttpsSslFactroy.getSslSocketFactory(context, certificates);
return addSSLSocketFactory(builder, sslParams.mSSLSocketFactory, sslParams.mTrustManager);
}
/**
* 雙向認(rèn)證
* @param builder
* @param context
* @param certificates 服務(wù)器需要驗(yàn)證的證書(shū) 把證書(shū)放到raw目錄下
* @param clientKeyStoreBksFile 本地驗(yàn)證證書(shū)奈泪。一般雙向驗(yàn)證才需要 把證書(shū)放到raw目錄下
* @param password 本地驗(yàn)證證書(shū)的密碼
* @return
*/
public static Builder addSSLSocketFactory(Builder builder, Context context, @RawRes int[] certificates, @RawRes int clientKeyStoreBksFile, String password) {
HttpsSslFactroy.SSLParams sslParams = HttpsSslFactroy.getSslSocketFactory(context, certificates, clientKeyStoreBksFile, password);
return addSSLSocketFactory(builder, sslParams.mSSLSocketFactory, sslParams.mTrustManager);
}
/**
* 雙向認(rèn)證
* @param builder
* @param certificates 服務(wù)器需要驗(yàn)證的證書(shū) 把證書(shū)放到raw目錄下
* @param bksFile 本地驗(yàn)證證書(shū)。一般雙向驗(yàn)證才需要 把證書(shū)放到raw目錄下
* @param password 本地驗(yàn)證證書(shū)的密碼
* @return
*/
public static Builder addSSLSocketFactory(Builder builder, InputStream[] certificates, InputStream bksFile, String password) {
HttpsSslFactroy.SSLParams sslParams = HttpsSslFactroy.getSslSocketFactory(certificates, bksFile, password);
return addSSLSocketFactory(builder, sslParams.mSSLSocketFactory, sslParams.mTrustManager);
}
public static Builder addSSLSocketFactory(Builder builder, SSLSocketFactory sslSocketFactory, X509TrustManager trustManager) {
builder.sslSocketFactory(sslSocketFactory, trustManager);
return builder;
}
//http://www.reibang.com/p/16994e49e2f6
//http://blog.csdn.net/sk719887916/article/details/51597816
/**
* 指定支持的host
* hostnameVerifier對(duì)服務(wù)端返回的一些信息進(jìn)行相關(guān)校驗(yàn)灸芳,用于客戶端判斷所連接的服務(wù)端是否可信涝桅,通常默認(rèn)return true,或者簡(jiǎn)單校驗(yàn)hostname是否正確,默認(rèn)不使用的話會(huì)調(diào)用okhttp的OkHostnameVerifier:
http://www.reibang.com/p/1373889e74b2
* @param builder
* @param hosts 指定支持的host
* @return
*/
public static Builder addHostnameVerifier(Builder builder, String[] hosts) {
HostnameVerifier hostnameVerifier = HttpsSslFactroy.getHostnameVerifierSafe(hosts);
return addHostnameVerifier(builder, hostnameVerifier);
}
public static Builder addHostnameVerifier(Builder builder, HostnameVerifier hostnameVerifier) {
builder.hostnameVerifier(hostnameVerifier);
return builder;
}
添加 HttpsSslFactroy .jva
/**
* 參考github項(xiàng)目okhttputils
* https://github.com/hongyangAndroid/okhttputils
* <p>
* 服務(wù)器端需要驗(yàn)證的客戶端證書(shū)烙样,其實(shí)就是客戶端的keystore
* 1冯遂、設(shè)置可訪問(wèn)所有的https網(wǎng)站
* HttpsSslFactroy.SSLParams sslParams = HttpsSslFactroy.getSslSocketFactory(null, null, null);
* <p>
* 2、設(shè)置具體的證書(shū)
* HttpsSslFactroy.SSLParams sslParams = HttpsSslFactroy.getSslSocketFactory(服務(wù)器證書(shū)的inputstream, null, null);
* <p>
* 3谒获、雙向認(rèn)證
* HttpsSslFactroy.getSslSocketFactory(服務(wù)器證書(shū)的inputstream, 本地證書(shū)的inputstream,本地證書(shū)的密碼)
* <p>
* 使用
* new OkHttpClient.Builder().sslSocketFactory(sslParams.mSSLSocketFactory, sslParams.mTrustManager)).build();
*/
public class HttpsSslFactroy {
public static class SSLParams {
public SSLSocketFactory mSSLSocketFactory;
public X509TrustManager mTrustManager;
}
/**
* 默認(rèn)通過(guò)人所有證書(shū)
* @return
*/
public static SSLParams getSslSocketFactory() {
return getSslSocketFactory(null, null, null);
}
/**
* 單向認(rèn)證
* @param context
* @param certificates 服務(wù)器需要驗(yàn)證的證書(shū) 把證書(shū)放到raw目錄下
* @return
*/
public static SSLParams getSslSocketFactory(Context context, @RawRes int[] certificates) {
InputStream[] certificatesInputStream = getInputStreamOfRaw(context, certificates);
return getSslSocketFactory(certificatesInputStream, null, null);
}
/**
* 雙向認(rèn)證
* @param context
* @param certificates 服務(wù)器需要驗(yàn)證的證書(shū) 把證書(shū)放到raw目錄下
* @param clientKeyStoreBksFile 本地驗(yàn)證證書(shū)蛤肌。一般雙向驗(yàn)證才需要 把證書(shū)放到raw目錄下
* @param password 本地驗(yàn)證證書(shū)的密碼
* @return
*/
public static SSLParams getSslSocketFactory(Context context, @RawRes int[] certificates, @RawRes int clientKeyStoreBksFile, String password) {
InputStream[] certificatesInputStream = getInputStreamOfRaw(context, certificates);
InputStream clientKeyStoreIs = context.getResources().openRawResource(clientKeyStoreBksFile);
return getSslSocketFactory(certificatesInputStream, clientKeyStoreIs, password);
}
/**
* @param certificates 服務(wù)器證書(shū)
* @param bksFile 客戶端證書(shū)文件
* @param password 客戶端證書(shū)密碼
* @return
*/
public static SSLParams getSslSocketFactory(InputStream[] certificates, InputStream bksFile, String password) {
SSLParams sslParams = new SSLParams();
try {
//雙向認(rèn)證- 驗(yàn)證客戶端證書(shū)-通過(guò)本地證書(shū)和密碼本地認(rèn)證的keyManagers
KeyManager[] keyManagers = prepareKeyManager(bksFile, password);
//單向認(rèn)證-只驗(yàn)證服務(wù)器證書(shū)
TrustManager[] trustManagers = prepareTrustManager(certificates);
X509TrustManager trustManager;
if (trustManagers != null) {
trustManager = new MyTrustManager(chooseTrustManager(trustManagers));
} else {
trustManager = new UnSafeTrustManager(); //不校驗(yàn)、認(rèn)證所有證書(shū)
}
//初始化SSLContext實(shí)例
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, new TrustManager[]{trustManager}, null);
//設(shè)置對(duì)外使用的參數(shù)
sslParams.mSSLSocketFactory = sslContext.getSocketFactory();
sslParams.mTrustManager = trustManager;
return sslParams;
} catch (NoSuchAlgorithmException e) {
throw new AssertionError(e);
} catch (KeyManagementException e) {
throw new AssertionError(e);
} catch (KeyStoreException e) {
throw new AssertionError(e);
}
}
private static TrustManager[] prepareTrustManager(InputStream... certificates) {
if (certificates == null || certificates.length <= 0) {
return null;
}
try {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
//使用默認(rèn)證書(shū)
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
//去掉系統(tǒng)默認(rèn)證書(shū)
keyStore.load(null);
int index = 0;
//遍歷證書(shū)
for (InputStream certificate : certificates) {
String certificateAlias = Integer.toString(index++);
//設(shè)置自己的證書(shū)
keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));
try {
if (certificate != null) {
certificate.close();
}
} catch (IOException e) {
}
}
//通過(guò)信任管理器獲取一個(gè)默認(rèn)的算法
String algorithm = TrustManagerFactory.getDefaultAlgorithm();
//算法工廠創(chuàng)建
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(algorithm);
trustManagerFactory.init(keyStore);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
return trustManagers;
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (CertificateException e) {
e.printStackTrace();
} catch (KeyStoreException e) {
e.printStackTrace();
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
/**
* Java平臺(tái)默認(rèn)識(shí)別jks格式的證書(shū)文件批狱,但是android平臺(tái)只識(shí)別bks格式的證書(shū)文件裸准。所以導(dǎo)入的流應(yīng)該是bks的文件
*
* @param bksFile
* @param password
* @return
*/
private static KeyManager[] prepareKeyManager(InputStream bksFile, String password) {
try {
if (bksFile == null || password == null) return null;
KeyStore clientKeyStore = KeyStore.getInstance("BKS");
clientKeyStore.load(bksFile, password.toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(clientKeyStore, password.toCharArray());
return keyManagerFactory.getKeyManagers();
} catch (KeyStoreException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (UnrecoverableKeyException e) {
e.printStackTrace();
} catch (CertificateException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
private static X509TrustManager chooseTrustManager(TrustManager[] trustManagers) {
for (TrustManager trustManager : trustManagers) {
if (trustManager instanceof X509TrustManager) {
return (X509TrustManager) trustManager;
}
}
return null;
}
private static class MyTrustManager implements X509TrustManager {
private X509TrustManager defaultTrustManager;
private X509TrustManager localTrustManager;
public MyTrustManager(X509TrustManager localTrustManager) throws NoSuchAlgorithmException, KeyStoreException {
TrustManagerFactory var4 = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
var4.init((KeyStore) null);
defaultTrustManager = chooseTrustManager(var4.getTrustManagers());
this.localTrustManager = localTrustManager;
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
try {
defaultTrustManager.checkServerTrusted(chain, authType);
} catch (CertificateException ce) {
localTrustManager.checkServerTrusted(chain, authType);
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}
private static class UnSafeTrustManager implements X509TrustManager {
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new java.security.cert.X509Certificate[]{};
}
}
/**
* https請(qǐng)求才會(huì)判斷獲取host校驗(yàn)HostnameVerifier
* 信任所有host
*/
public static HostnameVerifier getHostnameVerifierUnSafe() {
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
/**
* @param hostname 請(qǐng)求地址的host
* @param session 包括了從服務(wù)端返回的證書(shū)鏈
*/
@Override
public boolean verify(String hostname, SSLSession session) {
Log.i("lch", "證書(shū)校驗(yàn):" + hostname);
return true;
}
};
return hostnameVerifier;
}
/**
* 獲取host校驗(yàn)HostnameVerifier
* 需要校驗(yàn)host
* {@link HostnameVerifier}
* 有證書(shū)認(rèn)證,貌似不用設(shè)置這個(gè)
* hostnameVerifier則是對(duì)服務(wù)端返回的一些信息進(jìn)行相關(guān)校驗(yàn)的地方赔硫,用于客戶端判斷所連接的服務(wù)端是否可信炒俱,通常默認(rèn)return true,或者簡(jiǎn)單校驗(yàn)hostname是否正確,默認(rèn)不使用的話會(huì)調(diào)用okhttp的OkHostnameVerifier:
*/
public static HostnameVerifier getHostnameVerifierSafe(final String[] hostUrls) {
HostnameVerifier hostnameVerifier = new HostnameVerifier() {
/**
* @param hostname 請(qǐng)求地址的host
* @param session 包括了從服務(wù)端返回的證書(shū)鏈
*/
@Override
public boolean verify(String hostname, SSLSession session) {
boolean ret = false;
for (String host : hostUrls) {
if (host.equalsIgnoreCase(hostname)) {
ret = true;
}
}
return ret;
}
};
return hostnameVerifier;
}
public static InputStream[] getInputStreamOfRaw(Context context, @RawRes int[] certificates) {
InputStream[] certificatesInputStream = null;
if (certificates != null && certificates.length > 0) {
certificatesInputStream = new InputStream[]{};
for (int i = 0; i < certificates.length; i++) {
certificatesInputStream[i] = context.getResources().openRawResource(certificates[i]);
}
}
return certificatesInputStream;
}
}
