
java - Trust/whitelist a certificate in OkHttp (Trust anchor for certification path not found)

Reposted. Author: 太空宇宙. Updated: 2023-11-03 14:29:02

I am running into a problem with Android 4 devices: they get the following exception when connecting to the server:

java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
    at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:410)
    at okhttp3.internal.connection.RealConnection.connectTls(SourceFile:319)
    at okhttp3.internal.connection.RealConnection.establishProtocol(SourceFile:283)
    at okhttp3.internal.connection.RealConnection.connect(SourceFile:168)
    at okhttp3.internal.connection.StreamAllocation.findConnection(SourceFile:257)
    at okhttp3.internal.connection.StreamAllocation.findHealthyConnection(SourceFile:135)
    at okhttp3.internal.connection.StreamAllocation.newStream(SourceFile:114)
    at okhttp3.internal.connection.ConnectInterceptor.intercept(SourceFile:42)
    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:121)
    at okhttp3.internal.cache.CacheInterceptor.intercept(SourceFile:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:121)
    at okhttp3.internal.http.BridgeInterceptor.intercept(SourceFile:93)
    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:147)
    at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(SourceFile:126)
    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:147)
    at okhttp3.internal.http.RealInterceptorChain.proceed(SourceFile:121)
    at okhttp3.RealCall.getResponseWithInterceptorChain(SourceFile:254)
    at okhttp3.RealCall.execute(SourceFile:92)

The server certificate is from Cloudflare, and I checked it with tools such as https://www.digicert.com/help/; it looks fine.

But for some reason I don't understand, it started failing on Android 4 versions.

I tried the trust-all-certificates approach [LINK] and it works, but that obviously has security problems, such as exposing your application to "man-in-the-middle" attacks.

// Trust-all manager: no chain is ever checked, so any certificate is accepted (insecure).
final TrustManager[] trustAllCerts = new TrustManager[]{
    new X509TrustManager() {
        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
            // accepts any client chain
        }

        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
            // accepts any server chain
        }

        @Override
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return new java.security.cert.X509Certificate[]{};
        }
    }
};
final SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
okHttpBuilder.sslSocketFactory(sslSocketFactory, (X509TrustManager) trustAllCerts[0]);

How can I implement a TrustManager that keeps the default behaviour but also whitelists only the server certificate?

Thanks

Edit: I followed the example in OkHttp@CustomTrust (thanks CommonsWare).

Using the command:

openssl s_client -showcerts -servername www.serverdomain.com -connect www.serverdomain.com:443

gave me two certificates in the certificate chain, in the format:

-----BEGIN CERTIFICATE-----
....
-----END CERTIFICATE-----

I replaced the URL and the certificates in the example with the ones obtained, but it still doesn't work. Any ideas?

Best answer

Then you need to store your certificate in the raw folder:

CertificateFactory cf = CertificateFactory.getInstance("X.509");
// The CA certificate bundled with the app under res/raw/ (here R.raw.gtux_cert)
InputStream instream = context.getResources().openRawResource(R.raw.gtux_cert);
Certificate ca;
try {
    ca = cf.generateCertificate(instream);
} finally {
    instream.close();
}

// Empty in-memory key store holding only the bundled certificate as trust anchor
KeyStore kStore = KeyStore.getInstance(KeyStore.getDefaultType());
kStore.load(null, null);
kStore.setCertificateEntry("ca", ca);

// Trust manager that validates server chains against that store only
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(kStore);

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), null);

// OkHttp 3 builder form, matching the client in the question (OkHttp 2 used okHttpClient.setSslSocketFactory(...))
okHttpBuilder.sslSocketFactory(sslContext.getSocketFactory(), (X509TrustManager) tmf.getTrustManagers()[0]);

More information here: Security SSL
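The question asks for a trust manager that keeps the platform's default anchors and additionally accepts the server's CA, while the answer's key store trusts only the bundled certificate. The following is an added example, not code from the question, the answer or OkHttp: a composite X509TrustManager that falls back to the bundled CA only when platform validation fails. `CompositeTrust`, `trustManagerFor` and the `pemCa` stream are names chosen here, and the bundled certificate should be the issuing CA from the openssl output rather than the leaf, which rotates.

```java
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Arrays;
import javax.net.ssl.*;
import okhttp3.OkHttpClient;

/** Accepts a server chain that the platform trusts OR that chains to one CA bundled with the app. */
public final class CompositeTrust {
    /** First X509TrustManager from a factory initialised with ks (null = platform default anchors). */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** pemCa: PEM-encoded CA certificate, e.g. openRawResource(...) on a raw resource (name chosen by the app). */
    public static OkHttpClient build(InputStream pemCa) throws Exception {
        Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(pemCa);
        KeyStore extra = KeyStore.getInstance(KeyStore.getDefaultType());
        extra.load(null, null);                    // empty in-memory store
        extra.setCertificateEntry("extra-ca", ca); // the one additional trust anchor
        final X509TrustManager platform = trustManagerFor(null);
        final X509TrustManager pinned = trustManagerFor(extra);
        X509TrustManager composite = new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                platform.checkClientTrusted(chain, authType);   // client auth is not widened
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try {
                    platform.checkServerTrusted(chain, authType); // default behaviour first
                } catch (CertificateException notInPlatformStore) {
                    pinned.checkServerTrusted(chain, authType);   // otherwise the chain must end at the bundled CA
                }
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                X509Certificate[] a = platform.getAcceptedIssuers(), b = pinned.getAcceptedIssuers();
                X509Certificate[] all = Arrays.copyOf(a, a.length + b.length);
                System.arraycopy(b, 0, all, a.length, b.length);
                return all;
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { composite }, null);
        // OkHttp 3 wants the trust manager next to the factory so it can clean the chain for pinning.
        return new OkHttpClient.Builder().sslSocketFactory(ctx.getSocketFactory(), composite).build();
    }
}
```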

Regarding "java - Trust/whitelist a certificate in OkHttp (Trust anchor for certification path not found)", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/54348292/
