Android HTTPS 使用证书

最新推荐文章于 2024-07-02 13:38:49 发布

儿大不由爷

最新推荐文章于 2024-07-02 13:38:49 发布

阅读量1k

点赞数

分类专栏： Android 文章标签： android import command scheme exception path

Android 专栏收录该内容

254 篇文章 0 订阅

订阅专栏

The following main steps are required to achieve a secured connection from Certification Authorities which are not considered as trusted by the android platform.

As requested by many users, I've mirrored the most important parts from my blog article here:

Grab all required certificates (root and any intermediate CA’s)
Create a keystore with keytool and the BouncyCastle provider and import the certs
Load the keystore in your android app and use it for the secured connections (I recommend to use theApache HttpClient instead of the standard java.net.ssl.HttpsURLConnection (easier to understand, more performant)

Grab the certs

You have to obtain all certificates that build a chain from the endpoint certificate the whole way up to the Root CA. This means, any (if present) Intermediate CA certs and also the Root CA cert. You don’t need to obtain the endpoint certificate.

Create the keystore

Download the BouncyCastle Provider and store it to a known location. Also ensure that you can invoke the keytool command (usually located under the bin folder of your JRE installation).

Now import the obtained certs (don’t import the endpoint cert) into a BouncyCastle formatted keystore.

I didn’t tested it, but I think the order of importing the certificates is important. This means, import the lowermost Intermediate CA certificate first and then all the way up to the Root CA certificate.

With the following command a new keystore (if not already present) with the passwordmysecret will be created and the Intermediate CA certificate will be imported. I also defined the BouncyCastle provider, where it can be found on my file system and the keystore format. Execute this command for each certificate in the chain.

keytool -importcert -v -trustcacerts -file "path_to_cert/interm_ca.cer" -alias IntermediateCA -keystore "res/raw/myKeystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "path_to_bouncycastle/bcprov-jdk16-145.jar" -storetype BKS -storepass mysecret

Verify if the certificates were imported correctly into the keystore:

keytool -list -keystore "res/raw/myKeystore.bks" -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath "path_to_bouncycastle/bcprov-jdk16-145.jar" -storetype BKS -storepass mysecret

Should output the whole chain:

RootCA, 22.10.2010, trustedCertEntry, Thumbprint (MD5): 24:77:D9:A8:91:D1:3B:FA:88:2D:C2:FF:F8:CD:33:93 
IntermediateCA, 22.10.2010, trustedCertEntry, Thumbprint (MD5): 98:0F:C3:F8:39:F7:D8:05:07:02:0D:E3:14:5B:29:43

Now you can copy the keystore as a raw resource in your android app under res/raw/

Use the keystore in your app

First of all we have to create a custom Apache HttpClient that uses our keystore for HTTPS connections:

public class MyHttpClient extends DefaultHttpClient { 
 
  final Context context; 
 
  public MyHttpClient(Context context) { 
      this.context = context; 
  } 
 
  @Override 
  protected ClientConnectionManager createClientConnectionManager() { 
      SchemeRegistry registry = new SchemeRegistry(); 
      registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80)); 
      // Register for port 443 our SSLSocketFactory with our keystore 
      // to the ConnectionManager 
      registry.register(new Scheme("https", newSslSocketFactory(), 443)); 
      return new SingleClientConnManager(getParams(), registry); 
  } 
 
  private SSLSocketFactory newSslSocketFactory() { 
      try { 
          // Get an instance of the Bouncy Castle KeyStore format 
          KeyStore trusted = KeyStore.getInstance("BKS"); 
          // Get the raw resource, which contains the keystore with 
          // your trusted certificates (root and any intermediate certs) 
          InputStream in = context.getResources().openRawResource(R.raw.mykeystore); 
          try { 
              // Initialize the keystore with the provided trusted certificates 
              // Also provide the password of the keystore 
              trusted.load(in, "mysecret".toCharArray()); 
          } finally { 
              in.close(); 
          } 
          // Pass the keystore to the SSLSocketFactory. The factory is responsible 
          // for the verification of the server certificate. 
          SSLSocketFactory sf = new SSLSocketFactory(trusted); 
          // Hostname verification from certificate 
          // http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506 
          sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER); 
          return sf; 
      } catch (Exception e) { 
          throw new AssertionError(e); 
      } 
  } 
}

We have created our custom HttpClient, now we can just use it for secure connections. For example when we make a GET call to a REST resource.

// Instantiate the custom HttpClient 
DefaultHttpClient client = new MyHttpClient(getApplicationContext()); 
HttpGet get = new HttpGet("https://www.mydomain.ch/rest/contacts/23"); 
// Execute the GET call and obtain the response 
HttpResponse getResponse = client.execute(get); 
HttpEntity responseEntity = getResponse.getEntity();