okhttp支持https双向认证

2024-01-24 15:11:00

 

搭建环境

服务端:dropwizard-jetty

准备文件:服务端秘钥d_server.jks,客户端公钥证书d_client_for_server.jks

客户端:retrofit / okhttp

准备文件:需要服务端证书d_server.cer,客户端私钥d_client.jks

生成证书

服务端,准备d_server.jks,d_client_for_server.jks

//生成服务端d_server.jks文件

1.keytool -genkey -alias d_server -keyalg RSA -keystore d_server.jks -validity 720 -storepass 123456

//生成公钥证书文件d_server.cer
2.keytool -export -alias d_server -file d_server.cer -keystore d_server.jks -storepass 123456

客户端:

1.keytool -genkey -alias d_client -keyalg RSA -keystore d_client.jks -validity 720 -storepass 654321
2.keytool -export -alias d_client -file d_client.cer -keystore d_client.jks -storepass 654321

//生成服务端d_client_for_server.jks文件
3.keytool -import -alias d_client -file d_client.cer -keystore d_client_for_server.jks

 

 

 Okhttp代码

InputStream insCer = new Buffer().writeUtf8(httpClientConf.getCer()).inputStream();
InputStream[] insCerArry = new InputStream[]{insCer};
InputStream insJksDir = new FileInputStream(httpClientConf.getJksDir());
SSLParams sslParams = HttpsUtils.getSslSocketFactory(insCerArry,insJksDir,httpClientConf.getJkspwd());
OkHttpClient.Builder builder = new OkHttpClient.Builder().sslSocketFactory(sslParams.sSLSocketFactory, sslParams.trustManager)

 

HttpUtils代码

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class HttpsUtils {
	public static class SSLParams {
		public SSLSocketFactory sSLSocketFactory;
		public X509TrustManager trustManager;
	}

	public static SSLParams getSslSocketFactory(InputStream[] certificates, InputStream jksFile, String password) {
		SSLParams sslParams = new SSLParams();
		try {
			TrustManager[] trustManagers = prepareTrustManager(certificates);
			KeyManager[] keyManagers = prepareKeyManager(jksFile, password);
			SSLContext sslContext = SSLContext.getInstance("TLS");
			X509TrustManager trustManager = null;
			if (trustManagers != null) {
				trustManager = new MyTrustManager(chooseTrustManager(trustManagers));
			} else {
				trustManager = new UnSafeTrustManager();
			}
			sslContext.init(keyManagers, new TrustManager[] { trustManager }, null);
			sslParams.sSLSocketFactory = sslContext.getSocketFactory();
			sslParams.trustManager = trustManager;
			return sslParams;
		} catch (NoSuchAlgorithmException e) {
			throw new AssertionError(e);
		} catch (KeyManagementException e) {
			throw new AssertionError(e);
		} catch (KeyStoreException e) {
			throw new AssertionError(e);
		}
	}

	private class UnSafeHostnameVerifier implements HostnameVerifier {
		@Override
		public boolean verify(String hostname, SSLSession session) {
			return true;
		}
	}

	private static class UnSafeTrustManager implements X509TrustManager {
		@Override
		public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
		}

		@Override
		public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
		}

		@Override
		public X509Certificate[] getAcceptedIssuers() {
			return new X509Certificate[] {};
		}
	}

	private static TrustManager[] prepareTrustManager(InputStream... certificates) {
		if (certificates == null || certificates.length <= 0)
			return null;
		try {

			CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
			KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
			keyStore.load(null);
			int index = 0;
			for (InputStream certificate : certificates) {
				String certificateAlias = Integer.toString(index++);
				keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));
				try {
					if (certificate != null)
						certificate.close();
				} catch (IOException e)

				{
				}
			}
			TrustManagerFactory trustManagerFactory = null;

			trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
			trustManagerFactory.init(keyStore);

			TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

			return trustManagers;
		} catch (NoSuchAlgorithmException e) {
			e.printStackTrace();
		} catch (CertificateException e) {
			e.printStackTrace();
		} catch (KeyStoreException e) {
			e.printStackTrace();
		} catch (Exception e) {
			e.printStackTrace();
		}
		return null;

	}

	private static KeyManager[] prepareKeyManager(InputStream jksFile, String password) {
		try {
			if (jksFile == null || password == null)
				return null;

			KeyStore clientKeyStore = KeyStore.getInstance("JKS");
			clientKeyStore.load(jksFile, password.toCharArray());
			KeyManagerFactory keyManagerFactory = KeyManagerFactory
					.getInstance(KeyManagerFactory.getDefaultAlgorithm());
			keyManagerFactory.init(clientKeyStore, password.toCharArray());
			return keyManagerFactory.getKeyManagers();

		} catch (KeyStoreException e) {
			e.printStackTrace();
		} catch (NoSuchAlgorithmException e) {
			e.printStackTrace();
		} catch (UnrecoverableKeyException e) {
			e.printStackTrace();
		} catch (CertificateException e) {
			e.printStackTrace();
		} catch (IOException e) {
			e.printStackTrace();
		} catch (Exception e) {
			e.printStackTrace();
		}
		return null;
	}

	private static X509TrustManager chooseTrustManager(TrustManager[] trustManagers) {
		for (TrustManager trustManager : trustManagers) {
			if (trustManager instanceof X509TrustManager) {
				return (X509TrustManager) trustManager;
			}
		}
		return null;
	}

	private static class MyTrustManager implements X509TrustManager {
		private X509TrustManager defaultTrustManager;
		private X509TrustManager localTrustManager;

		public MyTrustManager(X509TrustManager localTrustManager) throws NoSuchAlgorithmException, KeyStoreException {
			TrustManagerFactory var4 = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
			var4.init((KeyStore) null);
			defaultTrustManager = chooseTrustManager(var4.getTrustManagers());
			this.localTrustManager = localTrustManager;
		}

		@Override
		public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {

		}

		@Override
		public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
			try {
				defaultTrustManager.checkServerTrusted(chain, authType);
			} catch (CertificateException ce) {
				localTrustManager.checkServerTrusted(chain, authType);
			}
		}

		@Override
		public X509Certificate[] getAcceptedIssuers() {
			return new X509Certificate[0];
		}
	}
}

 

d_server.cer转换为字符串

>keytool -printcert -rfc -file d_server.cer
-----BEGIN CERTIFICATE-----\r\n
MIIDQzCCAiugAwIBAgIEBQTLUDANBgkqhkiG9w0BAQsFADBSMQswCQYDVQQGEwJjbjELMAkGA1UECBMCY2QxCzAJBgNVBAcTAmNkMQwwCgYDVQQKEwN6dGUxDDAKBgNVBAsTA3p0ZTENMAsGA1UEAxMEZHV5bDAeFw0xOTA4MTIwNjQ4NTlaFw0yMTA4MDEwNjQ4NTlaMFIxCzAJBgNVBAYTAmNuMQswCQYDVQQIEwJjZDELMAkGA1UEBxMCY2QxDDAKBgNVBAoTA3p0ZTEMMAoGA1UECxMDenRlMQ0wCwYDVQQDEwRkdXlsMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAk7YjCiZKUZM2Xnz2KPq5pnkoJUyCxbQ3cGHRJI2Zsw2FqW4Ed7nenx0NNfP2TeDYTFT3Xtgw93E98p5EGUsgkFjromeQsMKw5vuxUFu5wvQ1PrPWqc6m5b4fAnhL+Es9vAaLl2KCmeRjMztec/Syg3LWys3yMbOz51UkyDb1aSstauTFkdNYqCupxSKHQRELeY/qZuiOdTGA6+UAniQymQpy04/skGLKs246RNiKJI4XVCbHaQacpLHK2lXpyA+VpXXJmCShLESgPfI/x20P8BWf0uNH941Grd1yOxIgAXptTJ1KkJuwMKBBxuJoj1cADDeBxN5/CuxkaeCiggsvuQIDAQABoyEwHzAdBgNVHQ4EFgQUGkWEqxcEV/mBDaFQKb2/5wUYWTMwDQYJKoZIhvcNAQELBQADggEBAESD0R7fZHYpGlYv9svojiv0HOCnxXqVYFvustvWNx4gnlenf8iIV58wwGlOfIkrjA84hoknnAiyPim9zZ8GWAPQVh36CRq60SntzlD4P9H1WXdrnsl2knhNHwvLpQU0w8BUIOeBp0Wqbcc5eRMkqIo1sPFCGqeR3K6tkT2WFVhGNVX32Z0UbwJXUP3EQhv+yiK5B6w2K2ulFexDLsljWsory81X385iAdGnlPd7S0z+OgRfDqkTy7WEdZRYnIQLdDHI+ZVqiv5vkxLnxWbpj5eqT+812ubiLzGY6kV6/yoYNDPFW2BwAIY7VQIkWUU3QPHII12M4Gi8KmcV6wp0KM0=
-----END CERTIFICATE-----

 

jetty服务端配置

server:
  type: default
  rootPath: '/rest/*'
  applicationContextPath: /
  maxThreads: 20
  minThreads: 1
  applicationConnectors: 
    - type: https
      port: 8443
      acceptorThreads: 1
      selectorThreads: 1
      acceptQueueSize: 1024
      keyStorePath: D:\project-spring\https\d_server.jks
      keyStorePassword: 123456
      keyStoreType: JKS
      trustStorePath: D:\project-spring\https\d_client_for_server.jks
      trustStorePassword: 654321
      trustStoreType: JKS
      needClientAuth: true
      enableCRLDP: false
      enableOCSP: false
      validateCerts: false
      validatePeers: false
      excludedProtocols: [SSL, SSLv2, SSLv2Hello, SSLv3] # (Jetty's default)
      excludedCipherSuites: [.*_(MD5|SHA|SHA1)$] # (Jetty's default)
      allowRenegotiation: true
上一篇:android – 使用带有OkHttp和Retrofit 2的CookieHandler


下一篇:android – 有没有内置的方法来检测okhttp中没有连接的互联网.