我正在尝试使用Moxie Marlinspike的示例project在我的Android应用中固定CA证书。
我必须做更改,例如更改gradle版本,目标sdk版本。在他的build.gradle中,我有一个error。我注释掉uploadAcrhives
块来解决它。
我在app中使用了以下内容:
public class CAPinning {
public static DefaultHttpClient getHttpClient(Context context) {
DefaultHttpClient httpClient = null;
try {
// I created my own CA using open SSL - I converted the ca.crt file to .pem
// using cat ca.crt > ca.pem, and then used the python script provided by
// the author to generate the hash, which is used as a pin here
String[] pins = new String[]{"14cafa386cb573635ec05c3d93f9117968ac5d71"};
SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
schemeRegistry.register(new Scheme("https", new PinningSSLSocketFactory(context, pins, 0), 443));
HttpParams httpParams = new BasicHttpParams();
ClientConnectionManager connectionManager = new ThreadSafeClientConnManager(httpParams, schemeRegistry);
httpClient = new DefaultHttpClient(connectionManager, httpParams);
}
catch(Exception e) {
Log.d("EXP", e.getLocalizedMessage());
return null;
}
return httpClient;
}
}
我使用httpClient向我的服务器发送请求:
HttpClient httpClient = CAPinning.getHttpClient(getApplicationContext());
httpClient.execute(new HttpGet("https://www.example.com"));
我收到以下异常:
W/System.err﹕ javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
W/System.err﹕ at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)
W/System.err﹕ at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:93)
W/System.err﹕ at org.thoughtcrime.ssl.pinning.PinningSSLSocketFactory.createSocket(PinningSSLSocketFactory.java:147)
W/System.err﹕ at org.apache.http.impl.conn.DefaultClientConnectionOperator.openConnection(DefaultClientConnectionOperator.java:165)
W/System.err﹕ at org.apache.http.impl.conn.AbstractPoolEntry.open(AbstractPoolEntry.java:164)
W/System.err﹕ at org.apache.http.impl.conn.AbstractPooledConnAdapter.open(AbstractPooledConnAdapter.java:119)
W/System.err﹕ at org.apache.http.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:360)
W/System.err﹕ at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:555)
W/System.err﹕ at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:487)
W/System.err﹕ at org.apache.http.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:465)
W/System.err﹕ at com.android.sslsampleapp.MainActivity$LoginTask.doInBackground(MainActivity.java:173)
W/System.err﹕ at com.android.sslsampleapp.MainActivity$LoginTask.doInBackground(MainActivity.java:131)
W/System.err﹕ at android.os.AsyncTask$2.call(AsyncTask.java:288)
W/System.err﹕ at java.util.concurrent.FutureTask.run(FutureTask.java:237)
W/System.err﹕ at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:231)
W/System.err﹕ at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1112)
W/System.err﹕ at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:587)
任何人都可以提出解决方法吗?
我确定我使用的是正确的pem文件,并且该网站的证书已与该CA签名。
Certificate chain
0 s:/C=US/ST=**/L=****/O=***/OU=***/CN=www.example.com/emailAddress=*****
i:/C=US/ST=**/L=****/O=myCA/OU=myCA/CN=myCA/emailAddress=*****