我想我需要创建一个新的SSL套接字工厂? 另外,出于显而易见的原因,我不想使用全局SSL上下文(https://github.com/square/okhttp/issues/184)。
谢谢!
修改
从okhttp 2.1.0开始,您可以非常轻松地修复证书。
请参阅the source code here开始使用
答案 0 :(得分:68)
OKHTTP 3.0有built-in support用于固定证书。首先粘贴以下代码:
String hostname = "yourdomain.com";
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add(hostname, "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")
.build();
OkHttpClient client = OkHttpClient.Builder()
.certificatePinner(certificatePinner)
.build();
Request request = new Request.Builder()
.url("https://" + hostname)
.build();
client.newCall(request).execute();
这将失败,因为AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA不是证书的有效哈希。抛出的异常将具有证书的正确哈希值:
javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
Peer certificate chain:
sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=publicobject.com, OU=PositiveSSL
sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA
sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority
sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=: CN=AddTrust External CA Root
Pinned certificates for publicobject.com:
sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=
at okhttp3.CertificatePinner.check(CertificatePinner.java)
at okhttp3.Connection.upgradeToTls(Connection.java)
at okhttp3.Connection.connect(Connection.java)
at okhttp3.Connection.connectAndSetOwner(Connection.java)
确保将这些内容添加到CertificatePinner对象中,并且您已成功固定证书:
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add("publicobject.com", "sha256/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")
.add("publicobject.com", "sha256/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=")
.add("publicobject.com", "sha256/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=")
.add("publicobject.com", "sha256/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=")
.build();
阅读this blog post后,我能够修改与OkHttp一起使用的概念。如果要避免使用全局SSL上下文,则应至少使用2.0版。
此修改仅适用于当前OkHttp实例,并更改该实例,以便仅接受来自指定证书的证书。如果您想要接受其他证书(例如来自Twitter的证书),您只需创建一个新的OkHttp实例,而不需要进行下述修改。
为了固定证书,首先需要创建包含此证书的信任库。为了创建信任库,我们将使用nelenkov的这个方便的脚本为我们的目的略微修改:
#!/bin/bash
if [ "$#" -ne 3 ]; then
echo "Usage: importcert.sh <CA cert PEM file> <bouncy castle jar> <keystore pass>"
exit 1
fi
CACERT=$1
BCJAR=$2
SECRET=$3
TRUSTSTORE=mytruststore.bks
ALIAS=`openssl x509 -inform PEM -subject_hash -noout -in $CACERT`
if [ -f $TRUSTSTORE ]; then
rm $TRUSTSTORE || exit 1
fi
echo "Adding certificate to $TRUSTSTORE..."
keytool -import -v -trustcacerts -alias $ALIAS \
-file $CACERT \
-keystore $TRUSTSTORE -storetype BKS \
-providerclass org.bouncycastle.jce.provider.BouncyCastleProvider \
-providerpath $BCJAR \
-storepass $SECRET
echo ""
echo "Added '$CACERT' with alias '$ALIAS' to $TRUSTSTORE..."
要运行此脚本,您需要做三件事:
现在运行脚本
keytool键入“是”以信任证书,并在您当前目录中生成完整./gentruststore.sh your_cert.pem bcprov-jdk15on-150.jar your_secret_pass
时。
在mytruststore.bks文件夹下创建目录raw。在此处复制res。
现在这是一个非常简单的类,它将你的证书固定到OkHttp
mytruststore.bks正如您所看到的,我们实例化import android.content.Context;
import android.util.Log;
import com.squareup.okhttp.OkHttpClient;
import com.squareup.okhttp.Request;
import com.squareup.okhttp.Response;
import java.io.InputStream;
import java.io.Reader;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
/**
* Created by martin on 02/06/14.
*/
public class Pinning {
Context context;
public static String TRUST_STORE_PASSWORD = "your_secret";
private static final String ENDPOINT = "https://api.yourdomain.com/";
public Pinning(Context c) {
this.context = c;
}
private SSLSocketFactory getPinnedCertSslSocketFactory(Context context) {
try {
KeyStore trusted = KeyStore.getInstance("BKS");
InputStream in = context.getResources().openRawResource(R.raw.mytruststore);
trusted.load(in, TRUST_STORE_PASSWORD.toCharArray());
SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trusted);
sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
return sslContext.getSocketFactory();
} catch (Exception e) {
Log.e("MyApp", e.getMessage(), e);
}
return null;
}
public void makeRequest() {
try {
OkHttpClient client = new OkHttpClient();
client.setSslSocketFactory(getPinnedCertSslSocketFactory(context));
Request request = new Request.Builder()
.url(ENDPOINT)
.build();
Response response = client.newCall(request).execute();
Log.d("MyApp", response.body().string());
} catch (Exception e) {
Log.e("MyApp", e.getMessage(), e);
}
}
}
的新实例并调用OkHttpClient,并使用我们的自定义信任库传递setSslSocketFactory。确保将SSLSocketFactory设置为传递给shell脚本的密码。您的OkHttp实例现在应该只接受您指定的证书。
答案 1 :(得分:25)
这比用OkHttp想象的要容易。
请按照以下步骤操作:
<强> 1。获取公共sha1键。 OkHttp documentation为我们提供了一个明确的方法来完成示例代码。如果它消失了,这里贴在下面:
例如,要固定https://publicobject.com,请先打破 配置:
String hostname = "publicobject.com";
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add(hostname, "sha1/BOGUSPIN")
.build();
OkHttpClient client = new OkHttpClient();
client.setCertificatePinner(certificatePinner);
Request request = new Request.Builder()
.url("https://" + hostname)
.build();
client.newCall(request).execute();
正如预期的那样,这会因证书固定异常而失败:
javax.net.ssl.SSLPeerUnverifiedException:证书钉扎失败!
同行证书链: sha1 / DmxUShsZuNiqPQsX2Oi9uv2sCnw =:CN = publicobject.com,OU = PositiveSSL sha1 / SXxoaOSEzPC6BgGmxAt / EAcsajw =:CN = COMODO RSA域验证安全服务器CA sha1 / blhOM3W9V / bVQhsWAcLYwPU6n24 =:CN = COMODO RSA认证中心 sha1 / T5x9IXmcrQ7YuQxXnxoCmeeQ84c =:CN = AddTrust外部CA根
publicobject.com的固定证书:
SHA1 / BOGUSPIN
在com.squareup.okhttp.CertificatePinner.check(CertificatePinner.java)
在com.squareup.okhttp.Connection.upgradeToTls(Connection.java)
在com.squareup.okhttp.Connection.connect(Connection.java)
在com.squareup.okhttp.Connection.connectAndSetOwner(Connection.java)
通过将异常中的公钥哈希粘贴到证书pinner的配置中来跟进:
旁注:如果您在Android上执行此操作,如果您在UI线程上执行此操作,则会出现单独的异常,因此请确保在后台线程上执行此操作。
<强> 2。配置您的OkHttp客户端:
OkHttpClient client = new OkHttpClient();
client.setCertificatePinner(new CertificatePinner.Builder()
.add("publicobject.com", "sha1/DmxUShsZuNiqPQsX2Oi9uv2sCnw=")
.add("publicobject.com", "sha1/SXxoaOSEzPC6BgGmxAt/EAcsajw=")
.add("publicobject.com", "sha1/blhOM3W9V/bVQhsWAcLYwPU6n24=")
.add("publicobject.com", "sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=")
.build());
这就是它的全部内容!
答案 2 :(得分:9)
如果您无法访问域(例如限制访问)并且无法测试虚假哈希,但是您有证书文件,则可以使用openssl来检索它:
openssl x509 -in cert.pem -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
答案 3 :(得分:6)
为了扩展示例source code @ Michael-barany共享,我做了一些测试,似乎是一个误导性的代码示例。在示例中,异常注释的代码是来自证书链异常的4个sha1哈希:
javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!
Peer certificate chain:
sha1/DmxUShsZuNiqPQsX2Oi9uv2sCnw=: CN=publicobject.com, OU=PositiveSSL
sha1/SXxoaOSEzPC6BgGmxAt/EAcsajw=: CN=COMODO RSA Domain Validation Secure Server CA
sha1/blhOM3W9V/bVQhsWAcLYwPU6n24=: CN=COMODO RSA Certification Authority
sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=: CN=AddTrust External CA Root
然后将所有4个sha1公钥哈希添加到CertificatePinner Builder。
CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add("publicobject.com", "sha1/DmxUShsZuNiqPQsX2Oi9uv2sCnw=")
.add("publicobject.com", "sha1/SXxoaOSEzPC6BgGmxAt/EAcsajw=")
.add("publicobject.com", "sha1/blhOM3W9V/bVQhsWAcLYwPU6n24=")
.add("publicobject.com", "sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=")
.build();
但是,鉴于我已经执行并检查了代码的测试,只会解释第一个有效的代码,因此您最适合仅包含返回的一个哈希值。你可以使用最具体的哈希&#34; DmxUShsZuNiqPQsX2Oi9uv2sCnw&#34;对于精确的站点证书...或者你可以使用最广泛的哈希&#34; T5x9IXmcrQ7YuQxXnxoCmeeQ84c&#34;根据您所需的安全状态确定CA Root。
答案 4 :(得分:0)
我发现此链接developer.android.com/training/articles/security-ssl的未知证书颁发机构部分中提到的示例非常有用。
然后可以使用context.getSocketFactory()中返回的SSLSocketFactory在setSslSocketFactory()方法中设置为OkHttpClient。
注意:“未知证书颁发机构”部分还提到了下载要使用的证书文件的链接,并检查此代码。
以下是我为获取SSLSocketFactory而编写的示例方法
private SSLSocketFactory getSslSocketFactory() {
try {
// Load CAs from an InputStream
// (could be from a resource or ByteArrayInputStream or ...)
CertificateFactory cf = CertificateFactory.getInstance("X.509");
// From https://www.washington.edu/itconnect/security/ca/load-der.crt
InputStream caInput = getApplicationContext().getResources().openRawResource(R.raw.loadder);
Certificate ca = null;
try {
ca = cf.generateCertificate(caInput);
System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
} catch (CertificateException e) {
e.printStackTrace();
} finally {
caInput.close();
}
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
if (ca == null)
return null;
keyStore.setCertificateEntry("ca", ca);
// Create a TrustManager that trusts the CAs in our KeyStore
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, tmf.getTrustManagers(), null);
return context.getSocketFactory();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} catch (KeyStoreException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
后来我只是将它设置为OkHttpClient,就像这样
httpClient.setSslSocketFactory(sslSocketFactory);
然后进行https调用
httpClient.newCall(requestBuilder.build()).enqueue(callback);