2017-07-27 210 views
0

I am trying to experiment with certificate pinning on Android. I am testing against a valid Verisign-signed certificate. Even with a CA-signed certificate, certificate pinning fails.

I get the following error:

HTTP FAILED: javax.net.ssl.SSLPeerUnverifiedException: Failed to find a trusted cert that signed Certificate.

Why can't the certificate pinner evaluate against the device's CA root certificates? Does it not have access to the device trust store? Or perhaps the device trust store does not contain the whole certificate chain. But then why doesn't my SSL communication fail?

import java.util.concurrent.TimeUnit;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;

// Pin Certificate: pins are "sha256/" followed by the base64 SHA-256 of the
// certificate's SubjectPublicKeyInfo; the value below is a placeholder.
CertificatePinner certificatePinner = new CertificatePinner.Builder() 
     .add("www.mydomain.com", "sha256/somerandompublickeystring") 
     .build(); 

// To handle self-signed cert 
OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder(); 

OkHttpClient client = clientBuilder.connectTimeout(120, TimeUnit.SECONDS) 
     .writeTimeout(120, TimeUnit.SECONDS) 
     .readTimeout(120, TimeUnit.SECONDS) 
     .certificatePinner(certificatePinner) 
     .build(); 

Answer

0

Found the answer. I can obtain the root trust as shown below and use it in the sslSocketFactory call. This works for me.

import java.security.KeyStore;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import android.app.Application;
import android.util.Log;

import okhttp3.OkHttpClient;

OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder(); 

OkHttpClient client = clientBuilder.connectTimeout(120, TimeUnit.SECONDS) 
     .writeTimeout(120, TimeUnit.SECONDS) 
     .readTimeout(120, TimeUnit.SECONDS) 
     .sslSocketFactory(getSystemDefaultSSLSocketFactory(app)) 
     .certificatePinner(certificatePinner) 
     .build(); 

// Builds an SSLSocketFactory backed by the platform's default trust store
// (the device CA store), so the pinner can validate the chain against it.
private static SSLSocketFactory getSystemDefaultSSLSocketFactory(Application app) { 
    try { 
     TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
       TrustManagerFactory.getDefaultAlgorithm()); 
     // A null KeyStore selects the platform default trust store. 
     trustManagerFactory.init((KeyStore) null); 
     TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); 
     if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) { 
      throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers)); 
     } 
     SSLContext sslContext = SSLContext.getInstance("TLS"); 
     sslContext.init(null, trustManagers, null); 
     return sslContext.getSocketFactory(); 
    } catch (Exception ex) { 
     Log.e("TAG", ex.getMessage(), ex); 
     // Fail loudly rather than returning a null factory (which would NPE later). 
     throw new IllegalStateException("Could not create system default SSLSocketFactory", ex); 
    } 
}

+0

Consider giving OkHttp both the certificate pinner and the trust manager. Otherwise OkHttp needs to use reflection to find the trust manager, and that is slower.
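The following is an added example, not code from the question or the answer above. It applies the comment's advice by handing OkHttp the trust manager together with the socket factory (the two-argument `sslSocketFactory(SSLSocketFactory, X509TrustManager)` overload, which avoids the reflection lookup), and it shows how to derive real pin values from the chain a server actually presents using `CertificatePinner.pin(Certificate)`, so that a placeholder pin like the one in the question is never shipped. The host name, the pin strings and the timeouts are hypothetical; a pinning failure is reported through `SSLPeerUnverifiedException`, whose message from OkHttp lists the pins of the chain it saw.

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import okhttp3.CertificatePinner;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class PinnedClient {

    // Hypothetical host and pins: replace with values computed from your own chain.
    // Pin at least two certificates in the chain (e.g. leaf plus issuing CA) so a
    // routine leaf renewal does not lock clients out.
    private static final String HOST = "www.mydomain.com";
    private static final String[] PINS = {
        "sha256/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=", // leaf (hypothetical)
        "sha256/BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB="  // issuing CA (hypothetical backup)
    };

    /** Returns the platform's default X509TrustManager (the device/system CA store). */
    static X509TrustManager systemDefaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null => platform default trust store
        TrustManager[] tms = tmf.getTrustManagers();
        if (tms.length != 1 || !(tms[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("Unexpected default trust managers: " + Arrays.toString(tms));
        }
        return (X509TrustManager) tms[0];
    }

    /** Builds an SSLSocketFactory that trusts exactly what the given trust manager trusts. */
    static SSLSocketFactory socketFactoryFor(X509TrustManager trustManager) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManager }, null);
        return ctx.getSocketFactory();
    }

    /** Computes OkHttp-format pins ("sha256/<base64 SPKI hash>") for each certificate in a chain. */
    static List<String> pinsFor(List<? extends Certificate> chain) {
        List<String> pins = new ArrayList<>();
        for (Certificate c : chain) {
            pins.add(CertificatePinner.pin(c));
        }
        return pins;
    }

    static OkHttpClient build() throws Exception {
        X509TrustManager tm = systemDefaultTrustManager();
        CertificatePinner pinner = new CertificatePinner.Builder()
            .add(HOST, PINS)
            .build();
        return new OkHttpClient.Builder()
            .connectTimeout(30, TimeUnit.SECONDS)
            .readTimeout(30, TimeUnit.SECONDS)
            // Supplying the trust manager lets OkHttp build its chain cleaner from it
            // directly instead of recovering the trust manager by reflection.
            .sslSocketFactory(socketFactoryFor(tm), tm)
            .certificatePinner(pinner)
            .build();
    }

    public static void main(String[] args) throws Exception {
        OkHttpClient client = build();
        Request request = new Request.Builder().url("https://" + HOST + "/").build();
        try (Response response = client.newCall(request).execute()) {
            System.out.println("HTTP " + response.code());
            // Print the pins of the chain actually presented; use these to fill PINS.
            if (response.handshake() != null) {
                for (String pin : pinsFor(response.handshake().peerCertificates())) {
                    System.out.println("peer pin: " + pin);
                }
            }
        } catch (SSLPeerUnverifiedException e) {
            // On a pin mismatch OkHttp's message includes the pins of the chain it saw.
            System.err.println("Pinning failed: " + e.getMessage());
        }
    }
}
```

Run it once with any syntactically valid placeholder pins: the connection fails with a pinning error whose message lists the real pins of the chain, and those are the values to put into `PINS` (not the `peer pin` lines, which only print after a successful handshake). Remember that the pinner only runs after the trust manager has accepted the chain, so a chain the device store cannot validate fails before pinning is even consulted.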