certificatePinner does not work with okhttp and throws SSLHandshakeException: CertPathValidatorException: Trust anchor for certification path not found

Time: 2019-05-09 18:44:40

Tags: android okhttp3

I took the code from Square's own GitHub Readme:

 @Throws(Exception::class)
 fun run() {
      val client = OkHttpClient.Builder()
                .certificatePinner(CertificatePinner.Builder()
                          .add("mijn.beterdichtbij.nl", "sha256/x4QzPSC810K5/cMjb05Qm4k3Bw5zBn4lTdO/nEW/Td4=")
                          .build())
                .build()

      val request = Request.Builder()
                .url("https://mijn.beterdichtbij.nl")
                .build()

      try {
           val response = client.newCall(request).execute()
           if (!response.isSuccessful) {
                Log.i("TestCode","is Not Successful")
                throw IOException("Unexpected code $response")
           } else {
                Log.i("TestCode","is Successful")
           }

           for (certificate in response.handshake()!!.peerCertificates()) {
                println(CertificatePinner.pin(certificate))
           }

      } catch (e: SSLHandshakeException) {
           e.printStackTrace()
      }
 }

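When I go to the website with Chrome it works fine, indicating that the app has the Comodo CA certificate available on that particular phone. For the SHA256 pin value I used this site, which is also mentioned in this excellent walkthrough.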

I used the latest versions of these libraries:

implementation "com.squareup.retrofit2:retrofit:2.5.0"
implementation "com.squareup.retrofit2:converter-moshi:2.5.0"
implementation "com.squareup.okhttp3:okhttp:3.14.1"

This is the log output:

 E/Conscrypt: ------------------Untrusted chain: ----------------------
 E/Conscrypt: == Chain0 == 
     Version:   3
 E/Conscrypt:  Serial Number:   a628ae0d70cef71c99f75aafcfeb58e4
 E/Conscrypt:  SubjectDN:   CN=*.beterdichtbij.nl, OU=PremiumSSL Wildcard, OU=IT, O=BeterDichtbij B.V., STREET=Oudlaan 4, L=Utrecht, ST=Utrecht, OID.2.5.4.17=3515GA, C=NL
 E/Conscrypt:  IssuerDN:   CN=Sectigo RSA Organization Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB
 E/Conscrypt:  Get not before:   Mon May 06 02:00:00 GMT+02:00 2019
 E/Conscrypt:  Get not after:   Mon Jul 05 01:59:59 GMT+02:00 2021
 E/Conscrypt:  Sig ALG name:   SHA256withRSA
 E/Conscrypt:  Signature:   7461bfd058a956d73f85e923e3fe346946a392ad44ae1c293a060c95f495a7150610bc98bcbcfb8cef80d4b64745e18d76c32ca06e0a068e111a7b31678c4f5de6deacc7e64f35a322268947fa1f4765b90f2f7509e45283ae3ffd55ad39db9ffb9d094ccfcf79e81ed54e3034eefec4d518e5aed9991ed8b4d608edcdfbb73eb16b56500ddff7c1354ecb66f7a7234a46596dca7c0b45112ac19d889de2d35dcf96180a1089b426acdb4d27015c7ff2f63672947f6ecd3120e8f736f2208d950825a8d99e2b60a43103399cc22ee3d1de9eaf09d21b64c42117afd5b2cf00dc760eb7587c6fd97f4c62339d5308a94fb085afda92d7a4871af8e9d698e60936
 E/Conscrypt:  Public key:

 W/System.err: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
 W/System.err:     at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:361)
 W/System.err:     at okhttp3.internal.connection.RealConnection.connectTls(RealConnection.java:336)
 W/System.err:     at okhttp3.internal.connection.RealConnection.establishProtocol(RealConnection.java:300)
 W/System.err:     at okhttp3.internal.connection.RealConnection.connect(RealConnection.java:185)
 W/System.err:     at okhttp3.internal.connection.ExchangeFinder.findConnection(ExchangeFinder.java:224)
 W/System.err:     at okhttp3.internal.connection.ExchangeFinder.findHealthyConnection(ExchangeFinder.java:107)
 W/System.err:     at okhttp3.internal.connection.ExchangeFinder.find(ExchangeFinder.java:87)
 W/System.err:     at okhttp3.internal.connection.Transmitter.newExchange(Transmitter.java:169)
 W/System.err:     at okhttp3.internal.connection.ConnectInterceptor.intercept(ConnectInterceptor.java:41)
 W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
 W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
 W/System.err:     at okhttp3.internal.cache.CacheInterceptor.intercept(CacheInterceptor.java:94)
 W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
 W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
 W/System.err:     at okhttp3.internal.http.BridgeInterceptor.intercept(BridgeInterceptor.java:93)
 W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
 W/System.err:     at okhttp3.internal.http.RetryAndFollowUpInterceptor.intercept(RetryAndFollowUpInterceptor.java:88)
 W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:142)
 W/System.err:     at okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.java:117)
 W/System.err:     at okhttp3.RealCall.getResponseWithInterceptorChain(RealCall.java:221)
 W/System.err:     at okhttp3.RealCall.execute(RealCall.java:81)

1 answer:

Answer 0 (score: 0)

Try modifying the OkHttpClient.Builder object: see this solution
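
Added example, not part of the original question or answer: in OkHttp the TLS handshake validates the certificate chain first and `CertificatePinner` is checked only afterwards, so the exception in the log is raised at `startHandshake` before any pin is compared. The code below assumes the device cannot build a path from the server's chain to a trusted root and that the issuing CA certificate is bundled with the app; `pinnedClient`, `caPem` and the `ca-N` aliases are hypothetical names.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import java.io.InputStream
import java.security.KeyStore
import java.security.cert.CertificateFactory
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory
import javax.net.ssl.X509TrustManager

// Builds a client that validates the chain against CA certificates shipped
// with the app, then applies the pin on top. `caPem` is an assumption: a PEM
// stream (for example from res/raw) holding the issuing CA certificate(s).
fun pinnedClient(caPem: InputStream, host: String, pin: String): OkHttpClient {
    // Load every certificate in the PEM bundle into an in-memory KeyStore.
    val certs = CertificateFactory.getInstance("X.509").generateCertificates(caPem)
    require(certs.isNotEmpty()) { "CA bundle contains no certificates" }
    val keyStore = KeyStore.getInstance(KeyStore.getDefaultType()).apply {
        load(null, null)
        certs.forEachIndexed { i, cert -> setCertificateEntry("ca-$i", cert) }
    }

    // Standard PKIX validation, anchored only at the bundled certificates.
    // Hostname verification and expiry checks stay enabled.
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(keyStore)
    val trustManager = tmf.trustManagers.filterIsInstance<X509TrustManager>().single()

    val sslContext = SSLContext.getInstance("TLS")
    sslContext.init(null, tmf.trustManagers, null)

    return OkHttpClient.Builder()
        // Step 1 (handshake): the chain must validate against the trust manager,
        // otherwise SSLHandshakeException is thrown, as in the log above.
        .sslSocketFactory(sslContext.socketFactory, trustManager)
        // Step 2 (after the handshake): a certificate in the validated chain must
        // match the pin, otherwise SSLPeerUnverifiedException is thrown.
        .certificatePinner(CertificatePinner.Builder().add(host, pin).build())
        .build()
}
```

A client built this way trusts only the bundled CA, so use it for the pinned host alone; if the server operator can send the complete chain instead, the default trust store works and only the `certificatePinner` call is needed.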