https请求之绕过证书安全校验工具类(原)

Posted hmhhz

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了https请求之绕过证书安全校验工具类(原)相关的知识,希望对你有一定的参考价值。

package com.isoftstone.core.util;

import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Map;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang.StringUtils;


/**
 * https post发送工具
 * 
 * @author 超神之巅
 *
 */
public class HttpsTool {
    private static final String LINE_SEPARATOR = System.getProperty("line.separator");
    
    static HostnameVerifier hv = new HostnameVerifier() {
        public boolean verify(String urlHostName, SSLSession session) {
            System.out.println("Warning: URL Host: " + urlHostName + " vs. "
                    + session.getPeerHost());
            return true;
        }
    };
    
    private static void trustAllHttpsCertificates() throws Exception {
        javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
        javax.net.ssl.TrustManager tm = new miTM();
        trustAllCerts[0] = tm;
        javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext
                .getInstance("SSL");
        sc.init(null, trustAllCerts, null);
        javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc
                .getSocketFactory());
    }

    static class miTM implements javax.net.ssl.TrustManager,
            javax.net.ssl.X509TrustManager {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return null;
        }

        public boolean isServerTrusted(
                java.security.cert.X509Certificate[] certs) {
            return true;
        }

        public boolean isClientTrusted(
                java.security.cert.X509Certificate[] certs) {
            return true;
        }

        public void checkServerTrusted(
                java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }

        public void checkClientTrusted(
                java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }
    }
    
    /**
     * 发送报文
     * 
     * 通信失败时返回分两种:一种是抛异常,一种是返回"",本方法取前者
     * 
     * @param requestData
     *            请求报文
     * @param headMap
     *            head请求头参数 conn.setRequestProperty(key,value)
     * @param urlStr
     *            请求地址
     * @param sendEncoding
     *            请求编码
     * @param recvEncoding
     *            返回编码
     * @param connectionTimeout
     *            链接超时时间 1000代表 1秒
     * @param readTimeout
     *            读取超时时间 1000代表1秒
     * @return
     * @throws IOException
     * @author 超神之巅
     */
    public static String send(String requestData,Map<String,String> headMap, String urlStr, String sendEncoding, String recvEncoding, int connectionTimeout, int readTimeout,String contentType) throws Exception {
        URL url = null;
        HttpsURLConnection conn = null;
        ByteArrayOutputStream byteOut = null;
        BufferedReader readInfo = null;
        StringBuilder retBuilder = new StringBuilder();// 这里用不着多线程安全的StringBuffer
        OutputStream out = null;
        String line = null;
        StringBuilder reqDetailProcedure = new StringBuilder();// 这里用不着多线程安全的StringBuffer
        Date startTime = new Date();
        reqDetailProcedure.append("请求时间:【" + DATE_FORMATER.format(startTime) + "】").append("
");
        reqDetailProcedure.append("请求地址:【" + urlStr + "】").append("
");
        reqDetailProcedure.append("真实请求方式及编码:【post " + sendEncoding + "】").append("
");
        reqDetailProcedure.append("期望返回编码:【" + recvEncoding + "】").append("
");
        reqDetailProcedure.append("请求超时时间:【" + readTimeout / 1000 + "s】").append("
");
        reqDetailProcedure.append("请求报文:【" + requestData + "】").append("
");
        try {
//            如有必要,给?后的参数加encode(xxx,"UTF-8"),不然目标系统可能收到的request.getParameter()是乱码
//            String arg = java.net.URLEncoder.encode("中国","UTF-8");
//            url = new URL(urlStr+"?deptname="+arg);
            
            url = new URL(urlStr);
            
            trustAllHttpsCertificates();
            HttpsURLConnection.setDefaultHostnameVerifier(hv);
            
            conn = (HttpsURLConnection) url.openConnection();
            conn.setRequestMethod("POST");
            // 新增部分
            //conn.setHostnameVerifier(new TrustAnyHostnameVerifier());
            conn.setRequestProperty("SOAPAction", """");
            conn.setRequestProperty("Accept", "application/xml, application/json,application/dime, multipart/related, text/*");

            // 如果没有下面这一行代码,服务器端可以通过request.getParameter()和request.getInputStream()都接收到相同信息

            // Content-Type相关知识链接: http://www.cnblogs.com/whatlonelytear/p/6187575.html
            // conn如果不设Content-Type,则默认成application/x-www-form-urlencoded
            // 当然也可以配置成application/x-www-form-urlencoded;charset=UTF-8,此时要求服务端返回UTF-8编码,如果本地还用gbk去解码,有可能得到乱码
            conn.setRequestProperty("Content-Type", contentType);
            // 如果把Content-Type的类型改变成非application/x-www-form-urlencoded,如改成text/xml,
            // 则目标服务器端仅能通过request.getInputStream()接收信息, 如conn.setRequestProperty("Content-Type", "text/xml;charset=GBK");
            // Content-Type各类型解释: http://blog.csdn.net/blueheart20/article/details/45174399
            
            // conn.setRequestProperty("Accept-Charset", "utf-8");//未知
            
            //Cache-Control说明链接:http://huangyunbin.iteye.com/blog/1943310http://www.cnblogs.com/whatlonelytear/articles/6385390.html
            conn.setRequestProperty("Cache-Control", "no-cache");
            
            //设置head头,如果已存在,则覆盖之前的head配置
            if(headMap != null){
                for(Map.Entry<String, String > entry : headMap.entrySet()){
                    conn.setRequestProperty(entry.getKey(),entry.getValue());
                }
                
            }
            
            // conn.setRequestProperty("appName", appName);//各系统需要设置应用系统名,如电销为telesales(无意义,本人自定义)
            conn.setUseCaches(false); // 忽略缓存
            // get请求用不到conn.getOutputStream(),因为参数直接追加在地址后面,因此默认是false.
            // post请求(比如:文件上传)需要往服务区传输大量的数据,这些数据是放在http的body里面的,因此需要在建立连接以后,往服务端写数据.
            // 因为总是使用conn.getInputStream()获取服务端的响应,因此默认值是true.
            conn.setDoOutput(true); // 使用 URL
                                    // 连接进行输出,允许使用conn.getOutputStream().write()
            conn.setDoInput(true); // 使用 URL
                                    // 连接进行输入,允许使用conn.getInputStream().read();
            conn.setConnectTimeout(connectionTimeout);// 链接超时
            conn.setReadTimeout(readTimeout);// 读取超时
            conn.connect();// 建立链接
            byteOut = new ByteArrayOutputStream();
            byteOut.write(requestData.getBytes(sendEncoding));// 以指定编码发送,如果有乱码,修改之
            byte[] buf = byteOut.toByteArray();
            out = conn.getOutputStream();
            out.write(buf);
            out.flush();
            reqDetailProcedure.append("响应码和状态:【" + conn.getResponseCode() + "/" + conn.getResponseMessage() + "】").append("
");
            if (HttpURLConnection.HTTP_OK == conn.getResponseCode()) {// 正确返回
                InputStream tempStream = conn.getInputStream();
                readInfo = new BufferedReader(new java.io.InputStreamReader(tempStream, recvEncoding));// 以指定编码读取返回信息,如果有乱码,修改之
                while ((line = readInfo.readLine()) != null) {
                    retBuilder.append(line).append(LINE_SEPARATOR);
                }
            } else {// 没有正确返回
                // 这个else分支有冗余代码,一来代码不多,二来这个分支是经过长时间思考,还是保留了下来,方便我以后对错误做不抛异常处理等
                InputStream tempStream = conn.getInputStream();// 如果响应码不是200,一般在这里就开始报异常,不会走到下面几行中去的.
                readInfo = new BufferedReader(new java.io.InputStreamReader(tempStream, recvEncoding));// cannotReach
                while ((line = readInfo.readLine()) != null) {// cannotReach
                    retBuilder.append(line);// cannotReach
                }// cannotReach
                reqDetailProcedure.append("@@返回异常报文:【" + retBuilder + "】").append("
");// cannotReach
            }
        } catch (IOException e) {
            e.printStackTrace();
            throw e;
        } finally {
            // 目标服务端用response.setContentType("text/html;charset=UTF-8");然后源调用方可以用conn.getContentType()获取到[猜测,暂未测试]
            // conn.getContentType()包含在Head返回的内容中.
            // 返回如果带编码,可以做成动态编码去把流转成字符串,暂不优化.这是极好的l优化点.
            reqDetailProcedure.append("返回内容类型及编码:【" + conn.getContentType() + "】").append("
");
            reqDetailProcedure.append("返回HEAD头信息:【" + conn.getHeaderFields() + "】").append("
");
            reqDetailProcedure.append("返回报文:【" + retBuilder.toString() + "】").append("
");
            Date endTime = new Date();
            reqDetailProcedure.append("返回时间:【" + DATE_FORMATER.format(endTime) + "】").append("
");
            long diffMilliSecond = endTime.getTime() - startTime.getTime();
            long diffSecond = (diffMilliSecond / 1000);
            reqDetailProcedure.append("耗时:【" + diffMilliSecond + "】毫秒,大约" + "【" + diffSecond + "】秒").append("
");
            System.out.println(reqDetailProcedure.toString());
            //ThreadLocalListContainer.put(reqDetailProcedure.toString());
            // ThreadLocalMapContainer.put(KingConstants.REQ_DETAIL_PROCEDURE,reqDetailProcedure.toString())
            try {
                if (readInfo != null) {
                    readInfo.close();
                }
                if (byteOut != null) {
                    byteOut.close();
                }
                if (out != null) {
                    out.close();
                }
                if (conn != null) {
                    conn.disconnect();
                }
            } catch (Exception e) {
                System.out.println("关闭链接出错!" + e.getMessage());
            }

        }
        return retBuilder.toString();
    }
    
    /**
     * 发送报文
     * 
     * 通信失败时返回分两种:一种是抛异常,一种是返回"",本方法取前者
     * 
     * @param requestData
     *            请求报文
     * @param urlStr
     *            请求地址
     * @param sendEncoding
     *            请求编码
     * @param recvEncoding
     *            返回编码
     * @param connectionTimeout
     *            链接超时时间 1000代表 1秒
     * @param readTimeout
     *            读取超时时间 1000代表1秒
     * @return
     * @throws IOException
     * @author 超神之巅
     */
    public static String send(String requestData, String urlStr, String sendEncoding, String recvEncoding, int connectionTimeout, int readTimeout) throws Exception {
        boolean flag = isJson(requestData);//是否JSON
        String contentType="application/soap+xml";
        if(flag) {
            contentType = "application/json";
        }
        return send( requestData,null, urlStr, sendEncoding, recvEncoding, connectionTimeout, readTimeout,contentType);
    }

    /**
     * 
     * @param filePath
     *            文件绝对路径
     * @param encoding
     *            读取文件的编码
     * @return
     * @author 超神之巅
     * @throws Exception
     */
    public static String readStringFromFile(String filePath, String encoding) {
        File file = new File(filePath);
        // System.out.println("文件 "+filePath+"存在与否?: "+ file.exists());
        String tempLine = null;
        String retStr = "";
        InputStreamReader isr = null;// way1:
        // FileReader fr = null;//way2
        StringBuilder sb = new StringBuilder();
        try {
            if (file.exists()) {
                isr = new InputStreamReader(new FileInputStream(file), encoding);// way1:
                // fr = new FileReader(file);//way2
                BufferedReader br = new BufferedReader(isr);// way1:
                // BufferedReader br = new BufferedReader(fr);;//way2:
                tempLine = br.readLine();
                while (tempLine != null) {
                    sb.append(tempLine).append(System.getProperty("line.separator"));
                    tempLine = br.readLine();
                }
                retStr = sb.toString();
            }
        } catch (UnsupportedEncodingException e) {
            e.printStackTrace();
        } catch (FileNotFoundException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            try {
                if (isr != null)
                    isr.close();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
        // System.out.println("读到的文件内容如下:");
        // System.out.println(retStr);
        return retStr;
    }
    /**
     * 判断字符串是否为JSON格式
     * @param str
     * @return
     */
    public static boolean isJson(String str){
        if (StringUtils.isBlank(str)) {
            return false;
        }
        
        boolean flag1 = (str.startsWith("{") && str.endsWith("}"));
        boolean flag2 = (str.startsWith("[") && str.endsWith("]"));
        
        return (flag1 || flag2);
    }

    /*public static final void writeInfo(HttpServletResponse resp, String errorCode, String respInfo, Map<String, Object> map) {
        map.put("errorCode", errorCode);
        map.put("respInfo", respInfo);
        String detail = ThreadLocalListContainer.getAll();
        map.put(KingConstants.DETAIL_PROCEDURE, detail);
        ThreadLocalListContainer.clearAll();
        // map.put(KingConstants.DETAIL_PROCEDURE, detail);
        try {
//            String gsonInfo = new Gson().toJson(map);//old
            Gson gson = new GsonBuilder().setPrettyPrinting().create();//new
            String gsonInfo = gson.toJson(map);
            PrintWriter pw = resp.getWriter();
            pw.print(gsonInfo);
            pw.flush();
            pw.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }*/

    /**
     * 
     * @param resp
     * @param errorCode
     * @param respInfo
     * @param map
     * ......
     * @time 2017年4月23日 上午9:12:43
     * @author 超神之巅
     */
    /*public static final void writeInfo(HttpServletResponse resp, KingResp result) {
        String detail = ThreadLocalListContainer.getAll();
        result.setDetailProcedure(detail);
        ThreadLocalListContainer.clearAll();
        try {
//            String gsonInfo = new Gson().toJson(map);//old
            Gson gson = new GsonBuilder().setPrettyPrinting().create();//new
            String gsonInfo = gson.toJson(result);
            FileTool.writeStringToFile("d:/temp/myinfo.txt", gsonInfo, "gbk", false);
            PrintWriter pw = resp.getWriter();
            pw.print(gsonInfo);
            pw.flush();
            pw.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }*/
    
    public static final void writeInfo(HttpServletResponse resp, String respInfo) {
        try {
            PrintWriter pw = resp.getWriter();
            pw.print(respInfo);
            pw.flush();
            pw.close();
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
    
    public static final SimpleDateFormat DATE_FORMATER = new SimpleDateFormat("yyyy-MM-dd HH:mm:ss:sss");

    public static void main(String[] args) throws Exception {
        String requestUrl  = "https://bx.zhcgs.gov.cn:8060/NewBxInfo/BxInfo.asmx";
        //把cacerts20181015文到该目录
        System.setProperty("javax.net.ssl.trustStore",
                "K:\\myprogram\\jdk\\jdk8\\jdk1.8.0_141\\jre\\lib\\security\\cacerts20181015");
        String requestData = readStringFromFile("d:/file/send.xml", "UTF-8");// 有乱码,请修改指定编码
        String sencXml = HttpsTool.send(requestData, requestUrl, "utf-8", "utf-8", 300 * 1000, 300 * 1000);// 大家最终只要使用这一句代码就可调用
    }
}

 

以上是关于https请求之绕过证书安全校验工具类(原)的主要内容,如果未能解决你的问题,请参考以下文章

如何绕过安卓SSL证书的强校验

App防抓包的四种绕过方法(详细)

移动端https抓包那些事--进阶篇

post请求https安全证书问题

如何在 .Net C# 中绕过 SSL 证书进行 HTTPS SOAP 请求?

iOS内置证书,校验https请求