Android HTTPS之自签名证书认证(三)
2017-12-14 15:09
169 查看
Okhttp从2.4升级到3.9.1对HTTPS认证的影响
严格意义上讲,本文不应属于这个系列,但由于前面两篇博客的代码是参考《Android Https相关完全解析 当OkHttp遇到Https》改写的,当时的okhttp框架的版本为2.4.0,但现在okhttp版本升级到了3.9.1,并且查了一下相关资料,发现okhttp从2.x到3.x版本的api变化比较大,因此我也尝试着将okhttp版本进行升级,并做简要记录与大家分享。1.1 okhttp Jar包升级
将compile 'com.squareup.okhttp:okhttp:2.4.0'更新为
compile 'com.squareup.okhttp3:okhttp:3.9.1',Android Studio会自动下载3.9.1的okhttp jar包。
1.2 更新Api及修正相关编译错误
Rebuild project,会发现有许多错误1.2.1 包名更新
Okhttp2.x的包名为com.squareup.okhttpimport com.squareup.okhttp.Call; import com.squareup.okhttp.Callback; import com.squareup.okhttp.OkHttpClient; import com.squareup.okhttp.Request; import com.squareup.okhttp.Response;
但okhttp3.x已经变为okhttp3,如上面的包名则相对应变为:
import okhttp3.Call; import okhttp3.Callback; import okhttp3.OkHttpClient; import okhttp3.Request; import okhttp3.Response;
1.2.2 OkHttpClient创建方式不同
okhttp2.x直接new OkHttpClient,而okhttp3.x 中提供了Builder,很好的使用了创建者设计模式OkHttpClient.Builder okHttpClient = new OkHttpClient.Builder();
1.2.3 OkHttpClient参数的配置变化
之前okhttp2.x参数可以直接OkHttpClient.setConnectTimeout()设置,现在OkHttpClient使用创建者模式,需要在OkHttpClient.Builder上设置可配置的参数:okHttpClient.connectTimeout(5, TimeUnit.SECONDS); okHttpClient.readTimeout(5, TimeUnit.SECONDS);
1.2.4 setCookieHandler变为cookieJar
okhttp2.x调用OkHttpClient的setCookieHandler方法,CookieHandler 的子类CookieManager实现了cookie的具体管理方法,mOkHttpClient.setCookieHandler(new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER));
okhttp3中已经没有setCookieHandler方法了,而改成了cookieJar,需要在OkHttpClient的Builder的cookieJar方法中设置。
okHttpClient.cookieJar(new CookieJar() { private final HashMap<HttpUrl, List<Cookie>> cookieStore = new HashMap<>(); @Override public void saveFromResponse(HttpUrl url, List<Cookie> cookies) { cookieStore.put(url, cookies); } @Override public List<Cookie> loadForRequest(HttpUrl url) { return null; } });
1.2.5 改造setSslSocketFactory
okhttp2.x的sslSocketFactory(SSLSocketFactory sslSocketFactory)已不推荐使用,取而代之的public Builder sslSocketFactory(SSLSocketFactory sslSocketFactory, X509TrustManager trustManager)
因此我们可以将其改造为
mOkHttpClient = new OkHttpClient.Builder() .sslSocketFactory(sslContext.getSocketFactory(), trustManager) .build();
trustManager是X509TrustManager 的一个实例
trustManager = trustManagerForCertificates(certificates);
private X509TrustManager trustManagerForCertificates(InputStream in) throws GeneralSecurityException { CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); Collection<? extends Certificate> certificates = certificateFactory.generateCertificates(in); if (certificates.isEmpty()) { throw new IllegalArgumentException("expected non-empty set of trusted certificates"); } // Put the certificates a key store. char[] password = "123456".toCharArray(); // Any password will work. KeyStore keyStore = newEmptyKeyStore(password); int index = 0; for (Certificate certificate : certificates) { String certificateAlias = Integer.toString(index++); keyStore.setCertificateEntry(certificateAlias, certificate); } // Use it to build an X509 trust manager. KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, password); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(keyStore); TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) { throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers)); } return (X509TrustManager) trustManagers[0]; }
所以
/****************************** * 单向认证 ******************************/ public void setOneWayCertificates(InputStream... certificates) /****************************** * 双向认证 ******************************/ public void setTwoWayCertificates(InputStream clientcertificates, InputStream... certificates)
可分别改造为:
/******************************
* 单向认证
******************************/
public void setOneWayCertificates(InputStream certificates){
X509TrustManager trustManager;
try{
trustManager = trustManagerForCertificates(certificates);
SSLContext sslContext = SSLContext.getInstance("TLS");
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
sslContext.init(
null,
new TrustManager[] { trustManager },
new SecureRandom());
mOkHttpClient = new OkHttpClient.Builder() .sslSocketFactory(sslContext.getSocketFactory(), trustManager) .build();
} catch (Exception e){
Log.e("OkHttpClientManager", e.getMessage());
}
}
/******************************
* 双向认证
******************************/
public void setTwoWayCertificates(InputStream clientCertificates, InputStream certificates) {
X509TrustManager trustManager;
try {
trustManager = trustManagerForCertificates(certificates);
SSLContext sslContext = SSLContext.getInstance("TLS");
//初始化keystore
KeyStore clientKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
clientKeyStore.load(clientCertificates, "123456".toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(clientKeyStore, "123456".toCharArray());
sslContext.init(
keyManagerFactory.getKeyManagers(),
new TrustManager[] { trustManager },
new SecureRandom());
mOkHttpClient = new OkHttpClient.Builder() .sslSocketFactory(sslContext.getSocketFactory(), trustManager) .build();
} catch (Exception e) {
e.printStackTrace();
}
}
1.2.6 Callback实现的接口和call的变化
okhttp2.x的callback方法是void onFailure(Request request, IOException e);void onResponse(Response response) throws IOException;okhttp3.x 的Callback方法为
void onFailure(Call call, IOException e);void onResponse(Call call, Response response) throws IOException;okhttp3对Call做了更简洁的封装,okhttp3.x Call是个接口,okhttp的call是个普通class,一定要注意,无论哪个版本,call都不能执行多次,多次执行需要重新创建。于是
private void deliveryResult(final ResultCallback callback, Request request) { mOkHttpClient.newCall(request).enqueue(new Callback() { @Override public void onFailure(Request request, IOException e) { sendFailedStringCallback(request, e, callback); } @Override public void onResponse(Response response) throws IOException { try { final String string = response.body().string(); if (callback.mType == String.class) { sendSuccessResultCallback(string, callback); } else { Object o = mGson.fromJson(string, callback.mType); sendSuccessResultCallback(o, callback); } } catch (IOException e) { sendFailedStringCallback(response.request(), e, callback); } catch (JsonParseException e) { //Json解析的错误 sendFailedStringCallback(response.request(), e, callback); } } a6d8 }); }
就变为:
private void deliveryResult(final ResultCallback callback, Request request) { mOkHttpClient.newCall(request).enqueue(new Callback() { @Override public void onFailure(Call call, IOException e) { sendFailedStringCallback(call.request(), e, callback); } @Override public void onResponse(Call call, Response response) throws IOException { try { final String string = response.body().string(); if (callback.mType == String.class) { sendSuccessResultCallback(string, callback); } else { Object o = mGson.fromJson(string, callback.mType); sendSuccessResultCallback(o, callback); } } catch (IOException e) { sendFailedStringCallback(response.request(), e, callback); } catch (JsonParseException e) { //Json解析的错误 sendFailedStringCallback(response.request(), e, callback); } } }); }
至此,改造完毕,我们分验证单向认证及双向认证均可得到如下log:
12-14 02:08:20.698 30391-30391/? D/MainActivity: Response is Hello world!
证明已可以正常通讯,说明我们okhttp3.x版本升级成功。
参考:
https://github.com/square/okhttp/blob/3f7a3344a4c85aa3bbb879dabac5ee625ab987f3/samples/guide/src/main/java/okhttp3/recipes/CustomTrust.java#L54
okhttp3与旧版本okhttp的区别分析
okhttp3 使用详解及简单封装
完整代码可到我的github下载:
server: https://github.com/onroadtech/SpringbootBase/tree/springboot_https_self_signed_certificate_one_two_way_certificate
android:https://github.com/onroadtech/Android4HTTPS/tree/88aa11a9b224df1fd19a5120ff387e81dcd23867
本博文已同步发表于我的个人博客网站,欢迎转载指正并注明出处。
个人博客: www.onroad.tech
指正邮箱: onroad_tech@163.com
相关文章推荐
- Android HTTPS之自签名证书认证(二)
- Android实现https单双向认证及自签名证书生成方法
- Android HTTPS之自签名证书认证(一)
- Android 用自签名证书实现https请求
- android_https踩坑(3)android webview无法访问自签名证书的服务器
- 非对称加密、https加密和android apk证书签名
- nginx配置https及Android客户端访问自签名证书
- 关于android使用okhttpUtils使用请求https请求证书签名问题
- 客户端认证自签名HTTPS证书
- https自签名证书_浏览器_Android_Tomcat实践
- Android开发WebView加载自签名认证的https网址
- android_https踩坑(2)android自签名证书Glide加载不出图片
- Cordova下自签名证书无法访问https问题(IOS和Android)
- android https遇到自签名证书/信任证书
- Android3种访问https的方法(管理证书认证)
- Android HTTPS 自制证书实现双向认证(OkHttp + Retrofit + Rxjava)
- react-native for android https证书认证
- Android HTTPS 自制证书实现双向认证(OkHttp + Retrofit + Rxjava)
- https 单向认证和双向认证及tomcat配置及各种证书类型之间的转换,适用ios,Android,网页端
- [转]Android上实现带自签名客户端证书的双向校验HTTPS连接