CA 颁发的仅信任特定证书 - Android
Posted
技术标签:
【中文标题】CA 颁发的仅信任特定证书 - Android【英文标题】:Trust Only Particular Certificate Issued by CA - Android 【发布时间】:2014-03-17 17:48:38 【问题描述】:我正在开发一个 android 应用程序,该应用程序仅在服务器具有由 CA 颁发的特定证书(例如:GoDaddy)时才需要进行 SSL 握手。我参考了Android developer website 上的文档,但它只说明了验证自签名证书或不受 Android 信任的证书。在我的情况下,我应该获取客户端证书并将其添加到我的密钥库中。我使用 apache HttpClient 作为我的网络服务请求。非常感谢任何帮助。
【问题讨论】:
你检查过this 吗? 不,你能告诉我一些与 Android 相关的东西吗? 查看link 或this。希望对您有所帮助。 @TGMCians 我不想绕过证书验证。我想确保我的应用不容易受到中间人攻击。 SSL TrustManager setup on lower Android APIs的可能重复 【参考方案1】:你需要
-
将对等证书添加到您的信任库,以便您信任它。
从您的信任库中删除 CA 证书,因此您不信任他签署的任何其他证书。
【讨论】:
谢谢。您能告诉我,谁提供此对等证书吗?这与服务器中存在的相同吗?我不明白您的第二点。为什么要删除 CA 证书?证书由公认的 CA 提供,例如 goDaddy .com. @androidGuy 对端证书由对端提供。由于我已经给出的原因,您应该删除 CA 证书。【参考方案2】:其实很简单。如果颁发者不是 GoDaddy,您必须覆盖 X509TrustManager 中的 checkServerTrusted 并抛出 CertificateException。在我提供的代码中,我使用了“bla bla”,您可能应该得到确切的名称。
您必须首先为您的 Http 请求使用提供程序:该提供程序将用于使用 provider.execute 函数执行请求:
private static AbstractHttpClient provider;
static
try
BasicHttpParams httpParameters = new BasicHttpParams();
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null, null);
SchemeRegistry registry = new SchemeRegistry();
registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
registry.register(new Scheme("https", new EasySSLSocketFactory(), 443));
ClientConnectionManager ccm = new ThreadSafeClientConnManager(httpParameters, registry);
provider = new DefaultHttpClient(ccm, httpParameters);
catch (Exception e)
e.printStackTrace();
provider = new DefaultHttpClient();
现在你需要你的 EasySSLSocketFactory:
public class EasySSLSocketFactory implements SocketFactory, LayeredSocketFactory
private SSLContext sslcontext = null;
private static SSLContext createEasySSLContext() throws IOException
try
SSLContext context = SSLContext.getInstance("TLS");
context.init(null, new TrustManager[] new EasyX509TrustManager(null) , null);
return context;
catch (Exception e)
throw new IOException(e.getMessage());
private SSLContext getSSLContext() throws IOException
if (this.sslcontext == null)
this.sslcontext = createEasySSLContext();
return this.sslcontext;
/**
* @see org.apache.http.conn.scheme.SocketFactory#connectSocket(java.net.Socket, java.lang.String, int,
* java.net.InetAddress, int, org.apache.http.params.HttpParams)
*/
public Socket connectSocket(Socket sock,
String host,
int port,
InetAddress localAddress,
int localPort,
HttpParams params)
throws IOException, UnknownHostException, ConnectTimeoutException
int connTimeout = HttpConnectionParams.getConnectionTimeout(params);
int soTimeout = HttpConnectionParams.getSoTimeout(params);
InetSocketAddress remoteAddress = new InetSocketAddress(host, port);
SSLSocket sslsock = (SSLSocket) ((sock != null) ? sock : createSocket());
if ((localAddress != null) || (localPort > 0))
// we need to bind explicitly
if (localPort < 0)
localPort = 0; // indicates "any"
InetSocketAddress isa = new InetSocketAddress(localAddress, localPort);
sslsock.bind(isa);
sslsock.connect(remoteAddress, connTimeout);
sslsock.setSoTimeout(soTimeout);
return sslsock;
/**
* @see org.apache.http.conn.scheme.SocketFactory#createSocket()
*/
public Socket createSocket() throws IOException
return getSSLContext().getSocketFactory().createSocket();
/**
* @see org.apache.http.conn.scheme.SocketFactory#isSecure(java.net.Socket)
*/
public boolean isSecure(Socket socket) throws IllegalArgumentException
return true;
/**
* @see org.apache.http.conn.scheme.LayeredSocketFactory#createSocket(java.net.Socket, java.lang.String, int,
* boolean)
*/
public Socket createSocket(Socket socket,
String host,
int port,
boolean autoClose) throws IOException,
UnknownHostException
return getSSLContext().getSocketFactory().createSocket(socket, host, port, autoClose);
// -------------------------------------------------------------------
// javadoc in org.apache.http.conn.scheme.SocketFactory says :
// Both Object.equals() and Object.hashCode() must be overridden
// for the correct operation of some connection managers
// -------------------------------------------------------------------
public boolean equals(Object obj)
return ((obj != null) && obj.getClass().equals(EasySSLSocketFactory.class));
public int hashCode()
return EasySSLSocketFactory.class.hashCode();
最后,这是工作,你需要 EasyX509TrustManager,它不接受 GoDaddy 颁发的证书:
public class EasyX509TrustManager implements X509TrustManager
private X509TrustManager standardTrustManager = null;
/**
* Constructor for EasyX509TrustManager.
*/
public EasyX509TrustManager(KeyStore keystore) throws NoSuchAlgorithmException, KeyStoreException
super();
TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
factory.init(keystore);
TrustManager[] trustmanagers = factory.getTrustManagers();
if (trustmanagers.length == 0)
throw new NoSuchAlgorithmException("no trust manager found");
this.standardTrustManager = (X509TrustManager) trustmanagers[0];
/**
* @see javax.net.ssl.X509TrustManager#checkClientTrusted(X509Certificate[],String authType)
*/
public void checkClientTrusted(X509Certificate[] certificates, String authType) throws CertificateException
standardTrustManager.checkClientTrusted(certificates, authType);
/**
* @see javax.net.ssl.X509TrustManager#checkServerTrusted(X509Certificate[],String authType)
*/
public void checkServerTrusted(X509Certificate[] certificates, String authType) throws CertificateException
X509Certificate c = certificates[0];
String name = c.getIssuerDN().getName();
if(!"bla bla".equals(name))
throw new CertificateException("OMG! it is not bla bla!");
standardTrustManager.checkServerTrusted(certificates, authType);
/**
* @see javax.net.ssl.X509TrustManager#getAcceptedIssuers()
*/
public X509Certificate[] getAcceptedIssuers()
return this.standardTrustManager.getAcceptedIssuers();
【讨论】:
谢谢。在 checkServerTrusted() 中检查证书提供者是否是个好主意,如果不是还应该检查什么?c.getIssuerDN().getName() 返回一个包含大量其他内容的大字符串信息,那么如何检查名称是否相同? 老实说,我不确定这个想法有多好。出于我不知道的原因,您可能想要信任正确的发行人。然而,getIssuerDN() 还有许多与 getName() 不同的调用:您可能想检查它们并使用它们。 感谢您提供宝贵的意见。有一个简单的问题。这是正确的方法还是我应该创建自己的信任库并检查证书?我正在尝试所有这些来制作我的应用安全且不易受到中间人攻击。 由于提供者名称在应用程序中是硬编码的,它不是完全证明的解决方案,在这种情况下(上面示例源代码中给出的“bla bla”),黑客可以轻松绕过它。因此,什么是完整的证明解决方案。 危险:这不是验证证书的方式。任何人都可以轻松生成具有任意名称(“GoDaddy Inc.”或其他名称)的证书,从而绕过此检查。【参考方案3】:您可以通过以下方式轻松做到这一点: 1. 将您想要的 CA 证书添加到您的信任库。 2. 从您的信任库中删除所有其他 CA 证书(默认)并捕获 SSLHandshakeException。 或者创建一个仅包含您的 CA 证书的新信任库。
【讨论】:
【参考方案4】:这就是我在代码中检查 SSL 证书的方式。 我只验证 CAcert 证书。但是您可以轻松地将证书替换为 Go Daddy 的根证书。
在 API14+(可能从 11+)上非常简单和安全。 需要做一些额外的工作才能使其在较旧的 API 级别上运行。 基本上,我在 APIValidate X509 certificates using Java APis
// der formated certificate as byte[]
private static final byte[] CACERTROOTDER = new byte[]
48, -126, 7, 61, 48, -126, 5, 37, -96, 3, 2, 1, 2, 2, 1, 0,
// ...
;
/**
* Read x509 certificated file from byte[].
*
* @param bytes certificate in der format
* @return certificate
*/
private static X509Certificate getCertificate(final byte[] bytes)
throws IOException, CertificateException
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate ca;
ByteArrayInputStream is = new ByteArrayInputStream(bytes);
try
ca = (X509Certificate) cf.generateCertificate(is);
Log.d(TAG, "ca=", ca.getSubjectDN());
finally
is.close();
return ca;
/**
* Trust only CAcert's CA. CA cert is injected as byte[]. Following best practices from
* https://developer.android.com/training/articles/security-ssl.html#UnknownCa
*/
private static void trustCAcert()
throws KeyStoreException, IOException,
CertificateException, NoSuchAlgorithmException,
KeyManagementException
// Create a KeyStore containing our trusted CAs
String keyStoreType = KeyStore.getDefaultType();
final KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("CAcert-root", getCertificate(CACERTROOTDER));
// if your HTTPd is not sending the full chain, add class3 cert to the key store
// keyStore.setCertificateEntry("CAcert-class3", getCertificate(CACERTCLASS3DER));
// Create a TrustManager that trusts the CAs in our KeyStore
final TrustManagerFactory tmf = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
// Create an SSLContext that uses our TrustManager
SSLContext sslContext = SSLContext.getInstance("TLS");
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.ICE_CREAM_SANDWICH)
// may work on HC+, but there is no AVD or device to test it
sslContext.init(null, tmf.getTrustManagers(), null);
else
// looks like CLR is broken in lower APIs. implement out own checks here :x
// see https://***.com/q/18713966/2331953
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier()
public boolean verify(final String hostname, final SSLSession session)
try
// check if hostname matches DN
String dn = session.getPeerCertificateChain()[0].getSubjectDN().toString();
Log.d(TAG, "DN=", dn);
if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.GINGERBREAD)
return dn.equals("CN=" + hostname);
else
// no SNI on API<9, but I know the first vhost's hostname
return dn.equals("CN=" + hostname)
|| dn.equals("CN=" + hostname.replace("jsonrpc", "rest"));
catch (Exception e)
Log.e(TAG, "unexpected exception", e);
return false;
);
// build our own trust manager
X509TrustManager tm = new X509TrustManager()
public X509Certificate[] getAcceptedIssuers()
// nothing to do
return new X509Certificate[0];
@Override
public void checkClientTrusted(final X509Certificate[] chain,
final String authType)
throws CertificateException
// nothing to do
@Override
public void checkServerTrusted(final X509Certificate[] chain,
final String authType) throws CertificateException
// nothing to do
Log.d(TAG, "checkServerTrusted(", chain, ")");
X509Certificate cert = chain[0];
cert.checkValidity();
CertificateFactory cf = CertificateFactory.getInstance("X.509");
ArrayList<X509Certificate> list = new ArrayList<X509Certificate>();
list.add(cert);
CertPath cp = cf.generateCertPath(list);
try
PKIXParameters params = new PKIXParameters(keyStore);
params.setRevocationEnabled(false); // CLR is broken, remember?
CertPathValidator cpv = CertPathValidator
.getInstance(CertPathValidator.getDefaultType());
cpv.validate(cp, params);
catch (KeyStoreException e)
Log.d(TAG, "invalid key store", e);
throw new CertificateException(e);
catch (InvalidAlgorithmParameterException e)
Log.d(TAG, "invalid algorithm", e);
throw new CertificateException(e);
catch (NoSuchAlgorithmException e)
Log.d(TAG, "no such algorithm", e);
throw new CertificateException(e);
catch (CertPathValidatorException e)
Log.d(TAG, "verification failed");
throw new CertificateException(e);
Log.d(TAG, "verification successful");
;
sslContext.init(null, new X509TrustManager[]tm, null);
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
我编写了一个小脚本来从任何给定的 .der 文件创建 byte[]:
#! /bin/sh
if [ $# -lt 1 ] ; then
echo "usage: $0 file" >&2
exit 1
fi
echo "private static final byte[] $(echo "$(basename $1)" | tr -Cd 'a-zA-Z0-9' | tr 'a-z' 'A-Z' ) = new byte[]"
od -t d1 $1 | head -n -1 | cut -d\ -f2- | sed -e 's:^ *::' -e 's: *: :g' -e 's: :, :g' -e 's:$:,:' -e 's:^: :'
echo ";"
无论如何,如果你愿意的话,你可以使用一个完整的信任库和一个充满可信证书的手。
【讨论】:
以上是关于CA 颁发的仅信任特定证书 - Android的主要内容,如果未能解决你的问题,请参考以下文章