okhttp 實現 https 訪問,支持 Android 4.X 系統 https 訪問
去年在將公司項目進行組件化重構的時候使用了 Retrofit+OkHttp 做網絡請求,由于我們公司的網絡請求都是使用https訪問,因此在封裝好適用于我們項目的Retrofit+OkHttp網絡請求框架后,就開始著手解決Https網絡傳輸的問題。剛開始看了很多博文,也借鑒了這些博文的方法,結果沒有一個能夠實現Https訪問。直到看到 鴻洋_ 的 Android 一個改善的okHttp封裝庫 這篇博文的時候,我就很好奇他是怎么解決okhttp實現https訪問的,然后我就在 okhttputils 主頁,找到了 HttpsUtils 這個方法,不得不說還是大神的代碼厲害,使用了這個工具后真的就請求成功了。
后來我又在這個工具中添加了主機名校驗方法:
/**
* 主機名校驗方法
*/
public static HostnameVerifier getHostnameVerifier() {
return new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return hostname.equalsIgnoreCase(session.getPeerHost());
}
};
}
于是這個工具的使用方法就變成了這樣:
HttpsUtil.SSLParams sslParams = HttpsUtil.getSslSocketFactory(Utils.getContext(), new int[0], R.raw.xxxx, "password");
okHttpClient = new OkHttpClient.Builder()
.connectTimeout(10000L, TimeUnit.MILLISECONDS)
.sslSocketFactory(sslParams.sSLSocketFactory, sslParams.trustManager)
.hostnameVerifier(HttpsUtil.getHostnameVerifier())
.addInterceptor(new LoggerInterceptor(null, true))
.build();
但是,有一天一個哥們在Android4.3的系統上運行了下我們的APP,發現網絡請求失敗了,并且報了如下錯誤:
System.err: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x5ff1c438: Failure in SSL library, usually a protocol error
System.err: error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure (external/openssl/ssl/s23_clnt.c:741 0x5cb66770:0x00000000)
我一看到這個錯誤就知道我們HttpsUtils不管用了,因為在我沒有解決Https網絡請求的時候經常碰到handshake aborted,所以我就開始找https訪問在Android4.3上為什么不管用了的原因,結果找到了這篇博文: 關于Android4.x系統支持TLS1.2的解決方案 ,搞了半天原來是Android 4.X系統不支持TLSv1.1和TLSv1.2協議,于是我迅速的把這篇博文中的解決辦法添加到了我的HttpsUtils中,并且做了Android系統判斷,于是這個工具最終就成了下面這樣:
import android.annotation.SuppressLint;
import android.content.Context;
import android.os.Build;
import android.support.annotation.RawRes;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
/**
* HttpsUtils來自于鴻洋的: https://github.com/hongyangAndroid/okhttputils;
* 增加了主機名校驗方法getHostnameVerifier();
* 其他參考的文章有:http://android.jobbole.com/83787/;
*
* Android 4.X 對TLS1.1、TLS1.2的支持參考了http://blog.csdn.net/joye123/article/details/53888252
*/
public class HttpsUtil {
/**
* 包裝的 SSL(Secure Socket Layer)參數類
*/
public static class SSLParams {
public SSLSocketFactory sSLSocketFactory;
public X509TrustManager trustManager;
}
/**
* @param context 上下文
* @param certificatesId "XXX.cer" 文件 (文件位置res/raw/XXX.cer)
* @param bksFileId "XXX.bks"文件(文件位置res/raw/XXX.bks)
* @param password The certificate's password.
* @return SSLParams
*/
public static SSLParams getSslSocketFactory(Context context, @RawRes int[] certificatesId, @RawRes int bksFileId, String password) {
if (context == null) {
throw new NullPointerException("context == null");
}
SSLParams sslParams = new SSLParams();
try {
TrustManager[] trustManagers = prepareTrustManager(context, certificatesId);
KeyManager[] keyManagers = prepareKeyManager(context, bksFileId, password);
//創建TLS類型的SSLContext對象,that uses our TrustManager
SSLContext sslContext = SSLContext.getInstance("TLS");
X509TrustManager x509TrustManager;
if (trustManagers != null) {
x509TrustManager = new MyTrustManager(chooseTrustManager(trustManagers));
} else {
x509TrustManager = new UnSafeTrustManager();
}
//用上面得到的trustManagers初始化SSLContext,這樣sslContext就會信任keyStore中的證書
sslContext.init(keyManagers, new TrustManager[]{x509TrustManager}, null);
//通過sslContext獲取SSLSocketFactory對象
if (Build.VERSION.SDK_INT < Build.VERSION_CODES.LOLLIPOP) {
/*Android 4.X 對TLS1.1、TLS1.2的支持*/
sslParams.sSLSocketFactory = new Tls12SocketFactory(sslContext.getSocketFactory());
sslParams.trustManager = x509TrustManager;
return sslParams;
}
sslParams.sSLSocketFactory = sslContext.getSocketFactory();
sslParams.trustManager = x509TrustManager;
return sslParams;
} catch (NoSuchAlgorithmException | KeyManagementException | KeyStoreException e) {
throw new AssertionError(e);
}
}
/**
* 主機名校驗方法
*/
public static HostnameVerifier getHostnameVerifier() {
return new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return hostname.equalsIgnoreCase(session.getPeerHost());
}
};
}
private static TrustManager[] prepareTrustManager(Context context, int[] certificatesId) {
if (certificatesId == null || certificatesId.length <= 0) {
return null;
}
try {
//創建X.509格式的CertificateFactory
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
// 創建一個默認類型的KeyStore,存儲我們信任的證書
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
int index = 0;
for (int certificateId : certificatesId) {
//從本地資源中獲取證書的流
InputStream cerInputStream = context.getResources().openRawResource(certificateId);
String certificateAlias = Integer.toString(index++);
//certificate是java.security.cert.Certificate,而不是其他Certificate
//證書工廠根據證書文件的流生成證書Certificate
Certificate certificate = certificateFactory.generateCertificate(cerInputStream);
//將證書certificate作為信任的證書放入到keyStore中
keyStore.setCertificateEntry(certificateAlias, certificate);
try {
if (cerInputStream != null)
cerInputStream.close();
} catch (IOException e) {
e.printStackTrace();
}
}
//TrustManagerFactory是用于生成TrustManager的,這里創建一個默認類型的TrustManagerFactory
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
//用我們之前的keyStore實例初始化TrustManagerFactory,這樣trustManagerFactory就會信任keyStore中的證書
trustManagerFactory.init(keyStore);
return trustManagerFactory.getTrustManagers();
} catch (Exception e) {
e.printStackTrace();
}
return null;
}
private static KeyManager[] prepareKeyManager(Context context, @RawRes int bksFileId, String password) {
try {
KeyStore clientKeyStore = KeyStore.getInstance("BKS");
clientKeyStore.load(context.getResources().openRawResource(bksFileId), password.toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(clientKeyStore, password.toCharArray());
return keyManagerFactory.getKeyManagers();
} catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | IOException e) {
e.printStackTrace();
}
return null;
}
private static X509TrustManager chooseTrustManager(TrustManager[] trustManagers) {
for (TrustManager trustManager : trustManagers) {
if (trustManager instanceof X509TrustManager) {
return (X509TrustManager) trustManager;
}
}
return null;
}
/**
* 客戶端不對證書做任何檢查;
* 客戶端不對證書做任何驗證的做法有很大的安全漏洞。
*/
private static class UnSafeTrustManager implements X509TrustManager {
@SuppressLint("TrustAllX509TrustManager")
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
}
@SuppressLint("TrustAllX509TrustManager")
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[]{};
}
}
private static class MyTrustManager implements X509TrustManager {
private X509TrustManager defaultTrustManager;
private X509TrustManager localTrustManager;
private MyTrustManager(X509TrustManager localTrustManager) throws NoSuchAlgorithmException, KeyStoreException {
//TrustManagerFactory是用于生成TrustManager的,創建一個默認類型的TrustManagerFactory
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
defaultTrustManager = chooseTrustManager(trustManagerFactory.getTrustManagers());
this.localTrustManager = localTrustManager;
}
@SuppressLint("TrustAllX509TrustManager")
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
try {
defaultTrustManager.checkServerTrusted(chain, authType);
} catch (CertificateException ce) {
localTrustManager.checkServerTrusted(chain, authType);
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}
/**
* 自行實現SSLSocketFactory ,實現Android 4.X 對TLSv1.1、TLSv1.2的支持
*/
private static class Tls12SocketFactory extends SSLSocketFactory {
private static final String[] TLS_SUPPORT_VERSION = {"TLSv1.1", "TLSv1.2"};
final SSLSocketFactory delegate;
private Tls12SocketFactory(SSLSocketFactory base) {
this.delegate = base;
}
@Override
public String[] getDefaultCipherSuites() {
return delegate.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return delegate.getSupportedCipherSuites();
}
@Override
public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
return patch(delegate.createSocket(s, host, port, autoClose));
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return patch(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException {
return patch(delegate.createSocket(host, port, localHost, localPort));
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return patch(delegate.createSocket(host, port));
}
@Override
public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException {
return patch(delegate.createSocket(address, port, localAddress, localPort));
}
private Socket patch(Socket s) {
//代理SSLSocketFactory在創建一個Socket連接的時候,會設置Socket的可用的TLS版本。
if (s instanceof SSLSocket) {
((SSLSocket) s).setEnabledProtocols(TLS_SUPPORT_VERSION);
}
return s;
}
}
}
當然了,因為只是調整內部邏輯,所以這個工具的使用方法還是不變:
HttpsUtil.SSLParams sslParams = HttpsUtil.getSslSocketFactory(Utils.getContext(), new int[0], R.raw.xxxx, "password");
okHttpClient = new OkHttpClient.Builder()
.connectTimeout(10000L, TimeUnit.MILLISECONDS)
.sslSocketFactory(sslParams.sSLSocketFactory, sslParams.trustManager)
.hostnameVerifier(HttpsUtil.getHostnameVerifier())
.addInterceptor(new LoggerInterceptor(null, true))
.build();
來自:http://blog.csdn.net/guiying712/article/details/56301736
本文由用戶 cysk_zhang 自行上傳分享,僅供網友學習交流。所有權歸原作者,若您的權利被侵害,請聯系管理員。
轉載本站原創文章,請注明出處,并保留原始鏈接、圖片水印。
本站是一個以用戶分享為主的開源技術平臺,歡迎各類分享!