情景描述:由于公司申请的https证书问题,导致Android客户端app部分手机无法通过https请求,导致无法登录。
SSL证书的作用 = 防窃听 + 防篡改 + 防伪装
证书分为信任的和非信任的,比如以前的12306网站。
一般我们使用的证书都是信任的,不需要本地App存放一份证书。
public OkHttpClient initCustomOkHttpClient() {
OkHttpClient.Builder client = new OkHttpClient.Builder()
.connectTimeout(30 * 1000, TimeUnit.MILLISECONDS)
.readTimeout(30 * 1000, TimeUnit.MILLISECONDS)
.writeTimeout(30 * 1000, TimeUnit.MILLISECONDS)
.cookieJar(new ReactCookieJarContainer());
client.addNetworkInterceptor(new StethoInterceptor());
client.addInterceptor(new HttpLoggingInterceptor().setLevel(HttpLoggingInterceptor.Level.BODY));
try {
//你的证书文件,放在android的assets文件夹下
setCertificates(client, getAssets().open("CA.crt"));
client.hostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
} catch (IOException e) {
e.printStackTrace();
}
OkHttpClient.Builder builder = OkHttpClientProvider.enableTls12OnPreLollipop(client);
return builder.build();
}
public void setCertificates(OkHttpClient.Builder client, InputStream... certificates) {
try {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
int index = 0;
for (InputStream certificate : certificates) {
String certificateAlias = Integer.toString(index++);
keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));
try {
if (certificate != null)
certificate.close();
} catch (IOException e) {
}
}
SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
sslContext.init(
null,
trustManagerFactory.getTrustManagers(),
new SecureRandom()
);
client.sslSocketFactory(sslContext.getSocketFactory());
} catch (Exception e) {
e.printStackTrace();
}
}
上方代码是将证书存放app本地,这种操作很无聊,万一那天证书过期了,那不是也需要同时再次发布app。
方案都是修改RN原生代码进行处理,RN中的网络请求用的是okhttp。代码改好了如何使用呢?将React-Android和react-common打包成aar,这种代价成本比较高,而且比较复杂。尾部有介绍。
一、将证书下载到app本地按照上方代码
需要替换掉默认的httpclient,然后为其添加上证书认证就可以了,我们打开 OkHttpClientProvider,OkHttpClientProvider这个工具类就是为我们提供了一个修改默认okhttpclient的方法,
public static void replaceOkHttpClient(OkHttpClient client) {
sClient = client;
}
那么我们的目标就是替换掉rn中网络请求默认的okhttpclient方法。
步骤:
1、在MainApplication中的onCreate中加入
OkHttpClientProvider.replaceOkHttpClient(initRNOkHttpClient());
2、定义initRNOkHttpClient
public OkHttpClient initRNOkHttpClient() {
OkHttpClient.Builder client = new OkHttpClient.Builder()
.connectTimeout(30 * 1000, TimeUnit.MILLISECONDS)
.readTimeout(30 * 1000, TimeUnit.MILLISECONDS)
.writeTimeout(30 * 1000, TimeUnit.MILLISECONDS)
.cookieJar(new ReactCookieJarContainer());
client.addNetworkInterceptor(new StethoInterceptor());
client.addInterceptor(new HttpLoggingInterceptor().setLevel(HttpLoggingInterceptor.Level.BODY));
try {
//你的证书文件,放在android的assets文件夹下
setCertificates(client, getAssets().open("CA.crt"));
client.hostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
} catch (IOException e) {
e.printStackTrace();
}
OkHttpClient.Builder builder = OkHttpClientProvider.enableTls12OnPreLollipop(client);
return builder.build();
}
3、定义方法
public void setCertificates(OkHttpClient.Builder client, InputStream... certificates) {
try {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
int index = 0;
for (InputStream certificate : certificates) {
String certificateAlias = Integer.toString(index++);
keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));
try {
if (certificate != null)
certificate.close();
} catch (IOException e) {
}
}
SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
sslContext.init(
null,
trustManagerFactory.getTrustManagers(),
new SecureRandom()
);
client.sslSocketFactory(sslContext.getSocketFactory());
} catch (Exception e) {
e.printStackTrace();
}
}
4、最后一步
修改NetworkingModule.java文件
public NetworkingModule(ReactApplicationContext context) {
this(context, (String)null, OkHttpClientProvider.createClient(), (List)null);
}
public NetworkingModule(ReactApplicationContext context, List
this(context, (String)null, OkHttpClientProvider.createClient(), networkInterceptorCreators);
}
public NetworkingModule(ReactApplicationContext context, String defaultUserAgent) {
this(context, defaultUserAgent, OkHttpClientProvider.createClient(), (List)null);
}
OkHttpClientProvider.createClient()---->>OkHttpClientProvider.getOkHttpClient()
二、修改代码改为信任全部所有证书
1、信任所有方式一---NetworkingModule
在NetWorkingModule中加入下面方法
private SSLContextgetSSLContext() {
X509TrustManager xtm =new X509TrustManager() {
@Override
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType)
throws CertificateException {
}
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType)
throws CertificateException {
}
@Override
public X509Certificate[]getAcceptedIssuers() {
X509Certificate[] x509Certificates =new X509Certificate[0];
return x509Certificates;
}
};
SSLContext sslContext =null;
try {
sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, new TrustManager[]{xtm}, new SecureRandom());
}catch (NoSuchAlgorithmException e) {
e.printStackTrace();
}catch (KeyManagementException e) {
e.printStackTrace();
}
return sslContext;
}
2、信任所有方式二----OkHttpClientProvider
具体介绍适合使用,我们可以将react-android中的组件network整个包和MainReactPackage都拷贝到我们项目中,再进行修改。
然后就可以打包了。