Enabling one-way HTTPS authentication on Android

There are two ways to enable one-way HTTPS authentication on Android:

The first method is to build the root certificate into the system:

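Android manages root certificates in a simple way: place the certificate in the designated location and build the system. The exact path of the certificates is: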

~/libcore/luni/src/main/files/cacerts$ ls

How the file names are generated is described in the following document:

libcore/luni/src/main/files$ cat README.cacerts 
The filenames in the cacerts directory are in the format of <hash>.<n>
where "hash" is the subject hash produced by:

    openssl x509 -subject_hash_old -in filename

and the "n" is a unique integer identifier starting at 0 to deal
with collisions. See OpenSSL's c_rehash manpage for details.
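
As an added example (not part of the original post or of AOSP), the Python below computes the same file name the README describes without calling openssl, and picks the lowest free "n" when the hash is already taken in the target directory. The function names and the sample certificate skeleton are constructed for illustration.

```python
import hashlib
import os
import ssl

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def subject_der(cert):
    """Return the DER-encoded subject Name of an X.509 certificate (PEM or DER bytes)."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        cert = ssl.PEM_cert_to_DER_cert(cert.strip().decode("ascii"))
    _, pos, _ = read_tlv(cert, 0)      # Certificate -> start of TBSCertificate
    _, pos, _ = read_tlv(cert, pos)    # TBSCertificate -> its first field
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                    # optional [0] version field
        pos = end
    for _ in range(4):                 # skip serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]               # subject Name, header included

def subject_hash_old(cert):
    """Value of `openssl x509 -subject_hash_old`: MD5 of subject DER, first 4 bytes little-endian."""
    digest = hashlib.md5(subject_der(cert)).digest()
    return "%08x" % int.from_bytes(digest[:4], "little")

def cacerts_filename(cert, cacerts_dir):
    """Return <hash>.<n>, using the lowest n not already present in cacerts_dir."""
    h, n = subject_hash_old(cert), 0
    while os.path.exists(os.path.join(cacerts_dir, "%s.%d" % (h, n))):
        n += 1
    return "%s.%d" % (h, n)

# Constructed sample: an unsigned certificate skeleton, not a real CA.
def _tlv(tag, body):
    return bytes([tag, len(body)]) + body
def _name(cn):  # Name holding a single commonName (OID 2.5.4.3) attribute
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn))))
SAMPLE_SUBJECT = _name(b"Constructed Test CA")
SAMPLE_CERT = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01")
    + _tlv(0x30, b"") + _name(b"Constructed Issuer") + _tlv(0x30, b"") + SAMPLE_SUBJECT)
    + _tlv(0x30, b"") + _tlv(0x03, b"\x00"))
if __name__ == "__main__": print(cacerts_filename(SAMPLE_CERT, "."))
```

Two different CA certificates only share a hash when their subject names are byte-identical in DER, which is the collision case the "n" suffix exists for.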

The second method follows Google's sample code:

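import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class CustomCaExample {
    public static void main(String[] args) throws Exception {
        // Load CAs from an InputStream
        // (could be from a resource or ByteArrayInputStream or ...)
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // From https://www.washington.edu/itconnect/security/ca/load-der.crt
        InputStream caInput = new BufferedInputStream(new FileInputStream("load-der.crt"));
        Certificate ca;
        try {
            ca = cf.generateCertificate(caInput);
            System.out.println("ca=" + ((X509Certificate) ca).getSubjectDN());
        } finally {
            caInput.close();
        }

        // Create a KeyStore containing our trusted CAs
        String keyStoreType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the CAs in our KeyStore
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);

        // Create an SSLContext that uses our TrustManager
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null);

        // Tell the URLConnection to use a SocketFactory from our SSLContext
        URL url = new URL("https://certs.cac.washington.edu/CAtest/");
        HttpsURLConnection urlConnection =
            (HttpsURLConnection) url.openConnection();
        urlConnection.setSSLSocketFactory(context.getSocketFactory());
        InputStream in = urlConnection.getInputStream();
        try {
            copyInputStreamToOutputStream(in, System.out);
        } finally {
            in.close();
        }
    }

    // Helper that the sample calls but does not define: copies the response body to out.
    static void copyInputStreamToOutputStream(InputStream in, OutputStream out) throws IOException {
        byte[] buf = new byte[8192];
        int n;
        while ((n = in.read(buf)) != -1) {
            out.write(buf, 0, n);
        }
        out.flush();
    }
}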

Reference
https://developer.android.google.cn/training/articles/security-ssl.html
