2022.1.12
- Clarified open questions;
- Built and verified the cmc version;
- Serbia certificate replacement; preliminary research on downloading certificates to public-network terminals;
- Clarified development work for the trustworthiness initiative;
okhttp is one of the main network request frameworks on Android, and there is no shortage of online material on how to use it.
A simple network request with okhttp:
import java.io.IOException;
import okhttp3.Call;
import okhttp3.Callback;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

Request request = new Request.Builder().get().url("https://www.baidu.com").build();
OkHttpClient.Builder builder = new OkHttpClient.Builder();
OkHttpClient client = builder.build();
client.newCall(request).enqueue(new Callback() {
    @Override
    public void onFailure(Call call, IOException e) {
        // Request failed: network error, TLS handshake failure, ...
    }

    @Override
    public void onResponse(Call call, Response response) throws IOException {
        // Response received; the body must be closed when done with it
        response.close();
    }
});
There is nothing technically difficult about this code.
In development, to secure the network traffic, https is generally used together with digital certificate verification.
okhttp provides the method sslSocketFactory(SSLSocketFactory sslSocketFactory, X509TrustManager trustManager) for verifying the digital certificate.
First I obtain the digital certificate; here I use Baidu's certificate.
Once the certificate has been obtained, copy it into the assets folder.
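Before copying a downloaded .cer into assets it is worth checking what you are about to pin: the subject and issuer, the validity window (a pin built from a certificate that expires next month will break the app at renewal time), and the SHA-256 hash of the SubjectPublicKeyInfo, which is the quantity the trust manager below ends up comparing. The following is an added example, not code from the original post; it is a plain desktop Java tool, and the class name CertPinInfo and the path argument are my assumptions. The "sha256/..." form it prints is the one OkHttp's own CertificatePinner expects, so the same value can be reused if you later switch to that mechanism.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/**
 * Prints the fields of a downloaded certificate file that matter for pinning.
 * CertificateFactory accepts both DER and PEM (-----BEGIN CERTIFICATE-----) input.
 * Usage: java CertPinInfo path/to/baidu.cer
 */
public class CertPinInfo {

    // SHA-256 over the DER-encoded SubjectPublicKeyInfo, base64 encoded.
    // PublicKey.getEncoded() returns exactly that DER structure.
    static String spkiSha256Pin(X509Certificate cert) throws Exception {
        MessageDigest md = MessageDigest.getInstance("SHA-256");
        byte[] digest = md.digest(cert.getPublicKey().getEncoded());
        return "sha256/" + Base64.getEncoder().encodeToString(digest);
    }

    static X509Certificate load(InputStream in) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(in);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: CertPinInfo <certificate.cer>");
            System.exit(2);
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = load(in);
        }
        // X500Principal gives a stable RFC 2253 string; getSubjectDN() output is implementation-specific.
        System.out.println("subject   : " + cert.getSubjectX500Principal().getName());
        System.out.println("issuer    : " + cert.getIssuerX500Principal().getName());
        System.out.println("not before: " + cert.getNotBefore());
        System.out.println("not after : " + cert.getNotAfter());
        System.out.println("spki pin  : " + spkiSha256Pin(cert));
        // Record notAfter: the replacement certificate (and a backup pin) has to be
        // shipped in an app update before this date, or pinned connections start failing.
    }
}
```

Run it once against the file you downloaded and keep the printed pin and expiry date with the release notes; when the server's certificate is replaced, rerun it on the new file and compare the SPKI pin to see whether the key pair changed at all.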
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

private SSLSocketFactory getSSLSocketFactory() throws NoSuchAlgorithmException, KeyManagementException {
    SSLContext context = SSLContext.getInstance("TLS");
    TrustManager[] trustManagers = {new MyX509TrustManager()};
    context.init(null, trustManagers, new SecureRandom());
    return context.getSocketFactory();
}

// Non-static inner class of the Activity, so getAssets() is available below.
private class MyX509TrustManager implements X509TrustManager {
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Client certificates are not used by this app.
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null) {
            throw new CertificateException("checkServerTrusted: X509Certificate array is null");
        }
        if (chain.length < 1) {
            throw new CertificateException("checkServerTrusted: X509Certificate is empty");
        }
        // authType is the key exchange negotiated for this connection; only ECDHE_RSA is accepted here.
        if (!(null != authType && authType.equals("ECDHE_RSA"))) {
            throw new CertificateException("checkServerTrusted: AuthType is not ECDHE_RSA");
        }
        // Validate the whole chain with the platform's default trust managers.
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init((KeyStore) null);
            for (TrustManager trustManager : factory.getTrustManagers()) {
                if (trustManager instanceof X509TrustManager) {
                    ((X509TrustManager) trustManager).checkServerTrusted(chain, authType);
                }
            }
        } catch (NoSuchAlgorithmException | KeyStoreException e) {
            // Fail closed: if the platform validators cannot be loaded, the chain is not trusted.
            throw new CertificateException("checkServerTrusted: unable to load platform trust managers", e);
        }
        // Read the pinned certificate shipped in assets.
        String clientEncoded;
        String clientSubject;
        String clientIssuer;
        try (InputStream inputStream = getAssets().open("baidu.cer")) {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            X509Certificate clientCertificate = (X509Certificate) certificateFactory.generateCertificate(inputStream);
            clientEncoded = new BigInteger(1, clientCertificate.getPublicKey().getEncoded()).toString(16);
            clientSubject = clientCertificate.getSubjectDN().getName();
            clientIssuer = clientCertificate.getIssuerDN().getName();
        } catch (IOException e) {
            throw new CertificateException("checkServerTrusted: unable to read pinned certificate", e);
        }
        // Read the certificate presented by the server (the leaf is chain[0]) and compare.
        X509Certificate certificate = chain[0];
        PublicKey publicKey = certificate.getPublicKey();
        String serverEncoded = new BigInteger(1, publicKey.getEncoded()).toString(16);
        if (!clientEncoded.equals(serverEncoded)) {
            throw new CertificateException("server's PublicKey is not equal to client's PublicKey");
        }
        String subject = certificate.getSubjectDN().getName();
        if (!clientSubject.equals(subject)) {
            throw new CertificateException("server's subject is not equal to client's subject");
        }
        String issuer = certificate.getIssuerDN().getName();
        if (!clientIssuer.equals(issuer)) {
            throw new CertificateException("server's issuer is not equal to client's issuer");
        }
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}
In the code, builder.sslSocketFactory(getSSLSocketFactory(), new MyX509TrustManager()) enables digital certificate verification.
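The trust manager above works, but a few details make it brittle in production: it reads and parses the asset on every handshake, it compares the raw hex of the public key plus both DNs (so a renewal that keeps the key pair but moves to a different issuer breaks the app), it hard-codes ECDHE_RSA although the key exchange is negotiated per connection, and getAcceptedIssuers() returns an empty array, hiding the real trust anchors from OkHttp. The following hardened variant is an added example and not code from the original post: the platform trust manager does the standard PKIX validation, then the leaf's SubjectPublicKeyInfo hash must match one of several pins loaded once at construction, so a backup pin can be shipped before the live certificate is replaced. The class name PinningTrustManager, the asset file names and the newClient helper are my assumptions.

```java
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

/**
 * Pinning trust manager: the platform validates the chain (CA signatures, expiry,
 * revocation policy), then the leaf's SubjectPublicKeyInfo must match one of the
 * pins shipped with the app. Pins are computed once, not on every handshake.
 */
public final class PinningTrustManager implements X509TrustManager {
    private final X509TrustManager platform;
    private final List<byte[]> spkiPins = new ArrayList<>();

    // pinnedCerts: streams of the .cer files shipped in assets, e.g. the live certificate and a backup.
    public PinningTrustManager(List<InputStream> pinnedCerts) throws CertificateException {
        this.platform = platformTrustManager();
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        for (InputStream in : pinnedCerts) {
            X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
            spkiPins.add(spkiSha256(cert));
        }
        if (spkiPins.isEmpty()) {
            throw new CertificateException("no pins configured");
        }
    }

    // The device's default X509TrustManager; failing to obtain it is fatal, never silently skipped.
    private static X509TrustManager platformTrustManager() throws CertificateException {
        try {
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) {
                    return (X509TrustManager) tm;
                }
            }
        } catch (GeneralSecurityException e) {
            throw new CertificateException("cannot load platform trust manager", e);
        }
        throw new CertificateException("no platform X509TrustManager available");
    }

    // SHA-256 of the DER SubjectPublicKeyInfo: survives a renewal that keeps the key pair.
    private static byte[] spkiSha256(X509Certificate cert) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        // 1. Standard validation against the device trust store (authType is passed through, not restricted).
        platform.checkServerTrusted(chain, authType);
        // 2. Pin check on the leaf public key, using a constant-time comparison.
        byte[] leaf = spkiSha256(chain[0]);
        for (byte[] pin : spkiPins) {
            if (MessageDigest.isEqual(pin, leaf)) {
                return;
            }
        }
        throw new CertificateException("server public key does not match any pinned key");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        platform.checkClientTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        // Delegate so OkHttp's certificate chain cleaner sees the real trust anchors.
        return platform.getAcceptedIssuers();
    }

    // Builds an OkHttpClient whose TLS trust decisions go through this manager.
    public static OkHttpClient newClient(PinningTrustManager tm) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{tm}, new SecureRandom());
        SSLSocketFactory factory = ctx.getSocketFactory();
        // The same instance is passed as both arguments, as OkHttp requires.
        return new OkHttpClient.Builder().sslSocketFactory(factory, tm).build();
    }
}
```

On Android the streams come from the Context, for example new PinningTrustManager(Arrays.asList(context.getAssets().open("baidu.cer"), context.getAssets().open("baidu-backup.cer"))), and the resulting OkHttpClient should be created once and shared. A pin mismatch surfaces in the Callback's onFailure as an SSLHandshakeException; logging that distinctly from ordinary network errors is what lets you tell a certificate rotation you forgot about from an actual interception attempt.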