将自定义证书添加到 OkHttp 客户端
Adding a custom certificate to an OkHttp Client
我正在尝试制作 Android 应用程序,我可以在其中获取和解析 HTML(来自没有 API 的站点)。我正在使用 OkHttp。该站点具有不受信任(但有效)的证书。我得到:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
我已经设置了官方方式(https://developer.android.com/training/articles/security-ssl#java),现在我需要link它与OkHttpClient。
我试过了
OkHttpClient client = new OkHttpClient;
OkHttpClient.Builder builder = client.newBuilder();
builder.sslSocketFactory(sslcontext.getSocketFactory()).build();
但是它不起作用,而且它也被弃用了。
谢谢
仅用于调试。使用此代码意味着信任任何证书,这与根本不使用 https 一样好。
您需要使用未弃用的 sslSocketFactory(SSLSocketFactory sslSocketFactory, X509TrustManager trustManager)。
使用此变量(创建不验证证书链的信任管理器):
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
@Override
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return new java.security.cert.X509Certificate[]{};
}
}
};
并以这种方式传递给 sslSocketFactory():
builder.sslSocketFactory(sslSocketFactory, (X509TrustManager)trustAllCerts[0]);
也应用此来验证每个主机:
builder.hostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
请参阅此文档示例以添加已知的受信任证书
public CustomTrust() {
X509TrustManager trustManager;
SSLSocketFactory sslSocketFactory;
try {
trustManager = trustManagerForCertificates(trustedCertificatesInputStream());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[] { trustManager }, null);
sslSocketFactory = sslContext.getSocketFactory();
} catch (GeneralSecurityException e) {
throw new RuntimeException(e);
}
client = new OkHttpClient.Builder()
.sslSocketFactory(sslSocketFactory, trustManager)
.build();
}
OkHttp 4.7.1 仅支持用于开发的特定不安全主机
https://square.github.io/okhttp/changelog/
val clientCertificates = HandshakeCertificates.Builder()
.addPlatformTrustedCertificates()
.addInsecureHost(server.hostName)
.build()
val client = OkHttpClient.Builder()
.sslSocketFactory(clientCertificates.sslSocketFactory(), clientCertificates.trustManager)
.build()
我正在尝试制作 Android 应用程序,我可以在其中获取和解析 HTML(来自没有 API 的站点)。我正在使用 OkHttp。该站点具有不受信任(但有效)的证书。我得到:
java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
我已经设置了官方方式(https://developer.android.com/training/articles/security-ssl#java),现在我需要link它与OkHttpClient。
我试过了
OkHttpClient client = new OkHttpClient;
OkHttpClient.Builder builder = client.newBuilder();
builder.sslSocketFactory(sslcontext.getSocketFactory()).build();
但是它不起作用,而且它也被弃用了。 谢谢
仅用于调试。使用此代码意味着信任任何证书,这与根本不使用 https 一样好。
您需要使用未弃用的 sslSocketFactory(SSLSocketFactory sslSocketFactory, X509TrustManager trustManager)。
使用此变量(创建不验证证书链的信任管理器):
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
@Override
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return new java.security.cert.X509Certificate[]{};
}
}
};
并以这种方式传递给 sslSocketFactory():
builder.sslSocketFactory(sslSocketFactory, (X509TrustManager)trustAllCerts[0]);
也应用此来验证每个主机:
builder.hostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
请参阅此文档示例以添加已知的受信任证书
public CustomTrust() {
X509TrustManager trustManager;
SSLSocketFactory sslSocketFactory;
try {
trustManager = trustManagerForCertificates(trustedCertificatesInputStream());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[] { trustManager }, null);
sslSocketFactory = sslContext.getSocketFactory();
} catch (GeneralSecurityException e) {
throw new RuntimeException(e);
}
client = new OkHttpClient.Builder()
.sslSocketFactory(sslSocketFactory, trustManager)
.build();
}
OkHttp 4.7.1 仅支持用于开发的特定不安全主机
https://square.github.io/okhttp/changelog/
val clientCertificates = HandshakeCertificates.Builder()
.addPlatformTrustedCertificates()
.addInsecureHost(server.hostName)
.build()
val client = OkHttpClient.Builder()
.sslSocketFactory(clientCertificates.sslSocketFactory(), clientCertificates.trustManager)
.build()