我正在尝试学习如何在Android应用程序中执行证书固定。我找到了教程here。我想澄清一下,我怀疑我是基于我对这段代码的测试。
我使用了以下代码:
public class CertificatePinning {
static SSLSocketFactory constructSSLSocketFactory(Context context) {
SSLSocketFactory sslSocketFactory = null;
try {
AssetManager assetManager = context.getAssets();
InputStream keyStoreInputStream = assetManager.open("myapp.store");
KeyStore trustStore = KeyStore.getInstance("BKS");
trustStore.load(keyStoreInputStream, "somepass".toCharArray());
sslSocketFactory = new SSLSocketFactory(trustStore);
sslSocketFactory.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
}
catch(Exception e){
Log.d("Exception", e.getLocalizedMessage());
}
return sslSocketFactory;
}
public static HttpClient getNewHttpClient(Context context) {
DefaultHttpClient httpClient = null;
try {
SSLSocketFactory sslSocketFactory = constructSSLSocketFactory(context);
HttpParams params = new BasicHttpParams();
HttpProtocolParams.setVersion(params, HttpVersion.HTTP_1_1);
HttpProtocolParams.setContentCharset(params, HTTP.UTF_8);
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
registry.register(new Scheme("https", sslSocketFactory, 443));
ClientConnectionManager ccm = new ThreadSafeClientConnManager(params, registry);
httpClient = new DefaultHttpClient(ccm, params);
} catch (Exception e) {
Log.d("Exception", e.getLocalizedMessage() );
return null;
}
return httpClient;
}
}
引用该教程中的声明:
On the client side, you simply need to distribute the signing certificate
with your app and validate against it.
在我的网络服务器上,我有自己的CA,我使用开放式SSL创建,并用于为我的应用程序使用的不同域名签署证书。
此声明表明本教程适用于我拥有的CA证书。我使用ca.pem(来自我的CA的crt文件)测试了代码,它运行正常。
但我也使用我与该CA签署的证书测试了相同的代码,例如server.pem(来自签名的server.crt),但仍然有效。
我做错了什么,或者这段代码是否用于固定:
1)CA证书(涵盖该CA签署的所有证书)或
2)特定证书(由某些CA签名)?