相关疑难解决方法(0)

我正在创建一个https用于与服务器通信的android应用程序.我正在使用retrofit并OkHttp提出请求.这些适用于标准http请求.以下是我遵循的步骤.

步骤1: 使用该命令从服务器获取cert文件

echo -n | openssl s_client -connect api.****.tk:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > gtux.cert

步骤2: 使用以下命令将证书转换为BKS格式

keytool -importcert -v -trustcacerts -file "gtux.cert" -alias imeto_alias -keystore "my_keystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "bcprov-jdk16-146.jar" -storetype BKS

它问我密码并且文件已成功创建.

第3步:

创建一个OkHttpClient并使用它来发出https请求

public class MySSLTrust {
public static OkHttpClient trustcert(Context context){
    OkHttpClient okHttpClient = new OkHttpClient();
    try {
        KeyStore ksTrust = KeyStore.getInstance("BKS");
        InputStream instream = context.getResources().openRawResource(R.raw.my_keystore);
        ksTrust.load(instream, "secret".toCharArray());
        // TrustManager decides which certificate authorities to …

最近我在实施SSL的项目上工作.

SSL证书每年到期一次.在我更新服务器上的证书后,它在android中抛出异常.

06-13 11:20:27.709:D/allenj(30076):javax.net.ssl.SSLHandshakeException:java.security.cert.CertPathValidatorException:未找到证书路径的信任锚.

在查看项目代码后,我看到有一个bks文件,所以,这是否意味着每年必须更新一次bks文件,我还必须将应用程序重新上传到Google Play.

问题是应对SSL证书更新的标准方法是什么？谢谢你的帮助.

代码提取

nnable Register_runnable = new Runnable(){
        @Override
        public void run() {
            EditText emailText = (EditText) findViewById(R.id.editText1regist);

            EditText pwText = (EditText) findViewById(R.id.editText2registpw);

            String end = "\r\n";
            String twoHyphens = "--";
            String boundary = "*****";
            try {
                KeyStore keyStore = KeyStore.getInstance("BKS");
                InputStream in =  
                getResources().openRawResource(R.raw.ballooncardbks);
                keyStore.load(in, "".toCharArray());
                TrustManagerFactory tmf = 
                TrustManagerFactory.getInstance("X509");
                tmf.init(keyStore);

                SSLContext context = SSLContext.getInstance("TLS");
                context.init(null, tmf.getTrustManagers(), null);

                String actionUrl = "https://app.ballooncard.com/api/client/register/format/json";
                URL url = new URL(actionUrl);
                HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
             //   con.setDoInput(true); …

我在Android下面获得了证书固定代码

CertificatePinner certificatePinner = new CertificatePinner.Builder()
.add("publicobject.com", "sha1/DmxUShsZuNiqPQsX2Oi9uv2sCnw=")
.add("publicobject.com", "sha1/SXxoaOSEzPC6BgGmxAt/EAcsajw=")
.add("publicobject.com", "sha1/blhOM3W9V/bVQhsWAcLYwPU6n24=")
.add("publicobject.com", "sha1/T5x9IXmcrQ7YuQxXnxoCmeeQ84c=")
.build();

如何使用NSURLSession方法在IOS中实现相同的任务？

这里有一些参考代码

- (void)connection:(NSURLConnection *)connection willSendRequestForAuthenticationChallenge:(NSURLAuthenticationChallenge *)challenge
{
SecTrustRef serverTrust = challenge.protectionSpace.serverTrust;
SecCertificateRef certificate = SecTrustGetCertificateAtIndex(serverTrust, 0);
NSData *remoteCertificateData = CFBridgingRelease(SecCertificateCopyData(certificate));
NSString *cerPath = [[NSBundle mainBundle] pathForResource:@"MyLocalCertificate" ofType:@"cer"];
NSData *localCertData = [NSData dataWithContentsOfFile:cerPath];
if ([remoteCertificateData isEqualToData:localCertData]) {
NSURLCredential *credential = [NSURLCredential credentialForTrust:serverTrust];
[[challenge sender] useCredential:credential forAuthenticationChallenge:challenge];
}
else {
[[challenge sender] cancelAuthenticationChallenge:challenge];
}

编辑部分

我得到了以下解决方案,在NSURLSession中自动调用委托函数,有人可以解释它是如何工作的吗？还需要发送乘数证书我该怎么做？

 (void)URLSession:(NSURLSession *)session task:(NSURLSessionTask *)task didReceiveChallenge:(NSURLAuthenticationChallenge *)challenge …

代码和输入

我正在尝试建立 SSL 连接，但收到400 No required SSL certificate was sent了服务器的响应。我正在以标准方式执行此操作，例如此处描述的那样；我运行 Java 8。

我的代码示例是：

    OkHttpClient client     = new OkHttpClient();
    KeyStore keyStoreClient = getClientKeyStore();
    KeyStore keyStoreServer = getServerKeyStore();
    String algorithm        = ALGO_DEFAULT;//this is defined as "PKIX"

    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(algorithm);
    keyManagerFactory.init(keyStoreClient, PASSWORD_SERVER.toCharArray());

    SSLContext sslContext = SSLContext.getInstance("TLS");

    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(algorithm);
    trustManagerFactory.init(keyStoreServer);

    sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());

    client.setSslSocketFactory(sslContext.getSocketFactory());
    client.setConnectTimeout(32, TimeUnit.SECONDS); // connect timeout
    client.setReadTimeout(32, TimeUnit.SECONDS);    // socket timeout

    return client;

这是我用来发送 GET 请求的代码：

public String get(String url) throws IOException
{ …

我正在尝试导入我自己的BKS文件,其中包含我的自签名证书,但我遇到了okHTTP的问题.我想用bks文件做这个,我也通过sha512 /得到它.

我从几个教程中得到了这个代码,我知道问题在于,但无法修复它.

import android.content.Context;
import android.util.Log;

import java.io.InputStream;
import java.security.KeyStore;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public class Pinning
{
    Context context;
    public static String TRUST_STORE_PASSWORD = "your_secret";
    private static final String ENDPOINT = "https://api.yourdomain.com/";

public Pinning(Context c) {
    this.context = c;
}

private SSLSocketFactory getPinnedCertSslSocketFactory(Context context) {
    try {
        KeyStore trusted = KeyStore.getInstance("BKS");
        InputStream in = context.getResources().openRawResource(R.raw.mytruststore);
        trusted.load(in, "mypass".toCharArray());
        SSLContext sslContext = SSLContext.getInstance("TLS");
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trusted);
        sslContext.init(null, trustManagerFactory.getTrustManagers(), null); …

我正在创建一个应用程序来控制商店，我正在尝试通过开放的 wifi 使用本地服务器 (192.168.0.56)。

有没有办法让我的应用程序使用 HTTPS 和自签名证书连接到我的服务器？

我正在使用改造，如果它的问题。

我在互联网上尝试了很多教程但没有成功，它总是返回此消息

Hostname '192.168.0.56' was not verified

创建证书我使用了这个代码：

openssl genrsa -out san_server.key 2048
openssl req -new -key san_server.key -out san_server.csr -config openssl.cnf -subj "/C=BR/ST=Mato Grosso do Sul/L=Iguatemi/O=Talski/CN=192.168.0.56"
openssl req -text -noout -in san_server.csr

openssl genrsa -out rootCA.key 4096
openssl req -x509 -new -nodes -key rootCA.key -days 3650 -out rootCA.pem -config openssl.cnf -subj "/C=BR/ST=Mato Grosso do Sul/L=Iguatemi/O=Talski/CN=192.168.0.56"
openssl x509 -req -in san_server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out san_server-rootCA.crt -days 3649
openssl x509 -in …