https自签名证书验证相关代码

import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

public class SafeOkHttp {
/**
* 访问在认证机构有认证的https访问
* @param hostHome 需要访问的地址
* @return OkHttpClient
*/
public static OkHttpClient getUnsafeOkHttpClient(final String hostHome) {
try {
// Create a trust manager that does not validate certificate chains
final TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager() {
@Override
public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
}};
// Install the all-trusting trust manager
final SSLContext sslContext = SSLContext.getInstance("SSL");
sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
// Create an ssl socket factory with our all-trusting manager
final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
OkHttpClient okHttpClient = new OkHttpClient.Builder().sslSocketFactory(sslSocketFactory).hostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
if (hostname.equals(hostHome))
return true;
else
return false;
}
}).build();
return okHttpClient;
} catch (Exception e) {
throw new RuntimeException(e);
}
}

/**
* 获取带有制定输入流的认证证书的 OkHttpClient
* 构造CertificateFactory对象，通过它的generateCertificate(is)方法得到Certificate。
* 然后讲得到的Certificate放入到keyStore中。
* 接下来利用keyStore去初始化我们的TrustManagerFactory
* 由trustManagerFactory.getTrustManagers获得TrustManager[]初始化我们的SSLContext
* 最后，设置我们mOkHttpClient.setSslSocketFactory即可。
* @param certificates 证书输入流
* @return OkHttpClient
* @throws Exception
*/
public static OkHttpClient setCertificates(final URL url,InputStream... certificates) throws Exception {
CertificateFactory factory = CertificateFactory.getInstance("X.509");
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
int index = 0;
for (InputStream is : certificates) {
String certificateAlias = Integer.toString(index++);
keyStore.setCertificateEntry(certificateAlias, factory.generateCertificate(is));
try {
if (is != null) {
is.close();
}
} catch (IOException e) {
e.printStackTrace();
}
}
SSLContext sslContent = SSLContext.getInstance("TLS");
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
sslContent.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());
OkHttpClient client = new OkHttpClient.Builder().sslSocketFactory(sslContent.getSocketFactory()).hostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
if (hostname.equals(url.getHost())){
return true;
}
return false;
}
}).build();
return client;
}

/**
* 双向证书验证
* 详见：Https的证书生成和相关代码
* 获取带有制定输入流的认证证书的 OkHttpClient
* @param certificates 证书输入流
* @return OkHttpClient
* @throws Exception
*/
public static OkHttpClient setCertificatesTwo(final URL url,InputStream keyClient,String password,InputStream... certificates) throws Exception {
//初始化公钥
CertificateFactory factory = CertificateFactory.getInstance("X.509");
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
int index = 0;
for (InputStream is : certificates) {
String certificateAlias = Integer.toString(index++);
keyStore.setCertificateEntry(certificateAlias, factory.generateCertificate(is));
try {
if (is != null) {
is.close();
}
} catch (IOException e) {
e.printStackTrace();
}
}

TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);

//初始化Android端的密钥
KeyStore keyClientStore = KeyStore.getInstance("PKCS12");
keyClientStore.load(keyClient, password.toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyClientStore,password.toCharArray());
//        KeyManager keyManager = new MyX509KeyManager(keyClientStore,password,keyManagerFactory.getKeyManagers());
//        KeyManager[] keyManagerArray = keyManagerFactory.getKeyManagers();
//        keyManagerArray[0] = keyManager;

SSLContext sslContent = SSLContext.getInstance("TLS");
sslContent.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
OkHttpClient client = new OkHttpClient.Builder().sslSocketFactory(sslContent.getSocketFactory()).hostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
if (hostname.equals(url.getHost())){
return true;
}
return false;
}
}).build();
return client;
}
}

Java平台默认识别jks格式的证书文件，但是android平台只识别bks格式的证书文件

去Portecle下载Download portecle-1.9.zip (3.4
MB)。

解压后，里面包含

bcprov.jar

文件，使用jave -jar bcprov.jar即可打开GUI界面
张鸿洋https详解，包含如何生成自签名证书