SSL pinning with Google Volley
Problem description:
Let me describe what I have tried so far for my problem: SSL pinning with Google Volley.
I don't have a certificate in my app; I only have the SHA-256 key. Most of the answers on the internet require a physical certificate to be loaded into a keystore in the app, which I don't have.
I get the following error:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
1) TrustKit: it requires compile SDK 24 or above, but I am on 23 and many support libraries are in sync with SDK 23, so I can't change all of them; it might crash my app at some point.
2) CWAC-NetSecurity: I have implemented this in my code, though without the Android N network security config, and I also followed the instructions given on its git page, but I could not pass the sslSocketFactory from it to Volley (it only has an OkHttp example). So it gives the above error as well.
I have also tried OkHttp's CertificatePinner, and it does not work for me either; same error. I also tried passing the hostNameVerifier and sslSocketFactory to HttpsUrlConnection, but the same error occurs.
```java
JsonObjectRequestSolaire jsonRequest = new JsonObjectRequestSolaire(method, URL, object, headers, responseListener, errorListener);
RetryPolicy policy = new DefaultRetryPolicy(TIMEOUT, DefaultRetryPolicy.DEFAULT_MAX_RETRIES, DefaultRetryPolicy.DEFAULT_BACKOFF_MULT);
jsonRequest.setRetryPolicy(policy);
jsonRequest.setShouldCache(false);

OkHttpClient okHttpClient = new OkHttpClient.Builder()
        .certificatePinner(new CertificatePinner.Builder()
                .add("my_domain", "sha256/shaKey")  // example.com
                .add("my_domain", "sha256/shaKey")  // also tried *.example.com
                .build())
        .build();
//HttpsURLConnection.setDefaultHostnameVerifier(okHttpClient.hostnameVerifier());
//HttpsURLConnection.setDefaultSSLSocketFactory(okHttpClient.sslSocketFactory());

// Only the socket factory is handed to Volley; the CertificatePinner configured above
// is enforced by OkHttp's own call path, not by this factory.
RequestQueue requestQueue = Volley.newRequestQueue(activity.getApplicationContext(), new HurlStack(null, okHttpClient.sslSocketFactory()));
requestQueue.add(jsonRequest);
```
Our iOS developer implemented it with TrustKit, and it works for him.
Thanks in advance.
Please share your valuable input here so that I can understand this SSL pinning concept.
Answer
Use this VolleySingleton:
```java
import android.content.Context;
import android.util.Log;
import com.android.volley.DefaultRetryPolicy;
import com.android.volley.Request;
import com.android.volley.RequestQueue;
import com.android.volley.RetryPolicy;
import com.android.volley.toolbox.HurlStack;
import com.android.volley.toolbox.Volley;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class VolleySingleton {
    private static VolleySingleton mInstance;
    private RequestQueue mRequestQueue;
    private static Context mCtx;

    private VolleySingleton(Context context) {
        mCtx = context;
        mRequestQueue = getRequestQueue();
    }

    public static synchronized VolleySingleton getInstance(Context context) {
        if (mInstance == null) {
            mInstance = new VolleySingleton(context);
        }
        return mInstance;
    }

    public RequestQueue getRequestQueue() {
        if (mRequestQueue == null) {
            // getApplicationContext() is key, it keeps you from leaking the
            // Activity or BroadcastReceiver if someone passes one in.
            mRequestQueue = Volley.newRequestQueue(mCtx.getApplicationContext(),
                    new HurlStack(null, newSslSocketFactory()));
        }
        return mRequestQueue;
    }

    public <T> void addToRequestQueue(Request<T> req) {
        int socketTimeout = 90000;
        RetryPolicy policy = new DefaultRetryPolicy(socketTimeout,
                DefaultRetryPolicy.DEFAULT_MAX_RETRIES,
                DefaultRetryPolicy.DEFAULT_BACKOFF_MULT);
        req.setRetryPolicy(policy);
        getRequestQueue().add(req);
    }

    private SSLSocketFactory newSslSocketFactory() {
        try {
            // Get an instance of the Bouncy Castle KeyStore format
            KeyStore trusted = KeyStore.getInstance("BKS");
            // Get the raw resource, which contains the keystore with
            // your trusted certificates (root and any intermediate certs)
            InputStream in = mCtx.getApplicationContext().getResources().openRawResource(R.raw.trusted);
            try {
                // Initialize the keystore with the provided trusted certificates
                // Provide the password of the keystore
                trusted.load(in, mCtx.getString(R.string.KEYSTORE_PASS).toCharArray());
            } finally {
                in.close();
            }
            String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
            tmf.init(trusted);
            SSLContext context = SSLContext.getInstance("TLSv1.2");
            context.init(null, tmf.getTrustManagers(), null);
            // Log the host being verified, but keep the platform's real hostname check:
            // a verifier that always returns true would accept a certificate issued by the
            // pinned CA for any hostname.
            final HostnameVerifier platformVerifier = HttpsURLConnection.getDefaultHostnameVerifier();
            HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
                @Override
                public boolean verify(String hostname, SSLSession session) {
                    Log.i("Volley", "Verifying host: " + hostname);
                    return platformVerifier.verify(hostname, session);
                }
            });
            return context.getSocketFactory();
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
}
```
Is the server certificate that is used valid? Pinning means the regular certificate checks plus pinning the root, intermediate or leaf certificate. BTW: if you have the SHA-256 hash and the domain name, you can simply download the certificate from the server to verify whether it is the correct one. – Robert
Also check [this link](http://blog.ostorlab.co/2016/05/ssl-pinning-in-android-networking.html). –
Also check [this](https://developer.android.com/training/articles/security-ssl.html#CommonProblems); it may be a CA problem. –