0

我是安卓新手。我已经为 ios 编写了代码,并希望在 android 中使用类似的算法。

这里是场景。我有 2 种类型的服务器 - 1. 带有自签名证书 2. 带有签名证书。

现在在 ios 中,我使用以下步骤来确定它是否已签名。

STACK_OF(X509) *stX509Certificate = SSL_get_peer_cert_chain(ssl); int cert_num = sk_X509_num(stX509Certificate);

CFMutableArrayRef certArray = CFArrayCreateMutable(NULL, cert_num, NULL);

for (int i = 0; i < cert_num; i++) {
    unsigned char *raw = NULL;

    X509 *x509Certificate = sk_X509_value(stX509Certificate, i);
    int rawlen = i2d_X509(x509Certificate, &raw);
    CFDataRef cfcert = CFDataCreate(NULL, raw, rawlen);
    free(raw);

    SecCertificateRef secCertRef = SecCertificateCreateWithData(NULL, cfcert);
    CFRelease(cfcert);

    CFArrayAppendValue(certArray, secCertRef);
}

CFStringRef servAddr = CFStringCreateWithCString(NULL, [[srvSplit objectAtIndex:0] cStringUsingEncoding:NSUTF8StringEncoding], kCFStringEncodingUTF8);
SecPolicyRef secPolRef = SecPolicyCreateSSL(YES, servAddr);
CFRelease(servAddr);

SecTrustRef secTruRef ;
SecTrustResultType secTrustRes;
Boolean isCertTrusted = NO;
if(SecTrustCreateWithCertificates(certArray, secPolRef, &secTruRef) == errSecSuccess) {
    SecTrustSetAnchorCertificatesOnly(secTruRef, NO);
    if (SecTrustEvaluate(secTruRef,&secTrustRes) == errSecSuccess) {
        switch (secTrustRes) {
            case kSecTrustResultInvalid:
            case kSecTrustResultDeny:
            case kSecTrustResultRecoverableTrustFailure:
            case kSecTrustResultFatalTrustFailure:
            case kSecTrustResultOtherError:
                isCertTrusted = NO;
                break;
            case kSecTrustResultUnspecified:
            case kSecTrustResultProceed:
                isCertTrusted = YES;
                break;
        }
    }
}

在android中我找不到这样TrustEvaluate的方法。我试过getBasicConstraintsgetKeyUsage。但我无法区分签名证书和其他证书。

请帮我。

4

1 回答 1

0

试试这个代码,它可能与你的 IOS 算法不相似,但它工作正常。

  • 在 /res/raw 中添加您的自签名证书
  • 首先,此代码检查 android 系统证书(受信任的凭据),在这种情况下,如果您连接到 CA 认证的服务器,它会验证您的证书并允许您连接服务器
  • 如果您尝试连接自签名服务器,它会检查 /res/raw 中的自签名证书

  • 如果您尝试使用 IP 地址连接自签名服务器,则您的证书应包含subjectAltName

    public class CheckCertificate{

private static class NewCustomTrustManager implements X509TrustManager{

private X509TrustManager defaultTrustManager;
private X509TrustManager localTrustManager;
public NewCustomTrustManager(KeyStore localKeyStore) throws KeyStoreException {
    try {
        this.defaultTrustManager = createNewTrustManager(null);
        this.localTrustManager = createNewTrustManager(localKeyStore);
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
}
private X509TrustManager createNewTrustManager(KeyStore store) throws NoSuchAlgorithmException, KeyStoreException {           
    String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();            
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
    tmf.init(store);            
    TrustManager[] trustManagers = tmf.getTrustManagers();
    return (X509TrustManager) trustManagers[0];
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    try {
        //Checks system certificate
        defaultTrustManager.checkServerTrusted(chain, authType);
    } catch (CertificateException ce) {
        //Checks your self signed certificate
        localTrustManager.checkServerTrusted(chain, authType);
    }
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}



@Override
public X509Certificate[] getAcceptedIssuers() {
    X509Certificate[] first = defaultTrustManager.getAcceptedIssuers();
    X509Certificate[] second = localTrustManager.getAcceptedIssuers();
    X509Certificate[] result = Arrays.copyOf(first, first.length + second.length);
    return result;
  }
 }
 public static void setCustomCertificate(Context cn) {

try {
    // Load CAs from an InputStream
    // (could be from a resource or ByteArrayInputStream or ...)
    CertificateFactory cf = CertificateFactory.getInstance("X.509");          
    InputStream caInput = new BufferedInputStream(cn.getResources().openRawResource(R.raw.apache_25));

    try {
        ca = cf.generateCertificate(caInput);

    }catch (Exception e){
        e.printStackTrace();
    }finally {
        caInput.close();
    }

    // Create a KeyStore containing our trusted CAs
    String keyStoreType = KeyStore.getDefaultType();
    KeyStore keyStore = KeyStore.getInstance(keyStoreType);
    keyStore.load(null, null);
    keyStore.setCertificateEntry("cacertificate", ca);

    // Create a TrustManager that trusts the CAs in our KeyStore and system CA
    NewCustomTrustManager trustManager = new NewCustomTrustManager(keyStore);

    // Create an SSLContext that uses our TrustManager
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(null, new TrustManager[]{trustManager}, null);

    // Tell the URLConnection to use a SocketFactory from our SSLContext
    HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());

} catch (CertificateException e) {
    e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
} catch (KeyStoreException e) {
    e.printStackTrace();
} catch (KeyManagementException e) {
    e.printStackTrace();
} catch (MalformedURLException e) {
    e.printStackTrace();
} catch (IOException e) {
    e.printStackTrace();
}
}

}
于 2018-04-20T07:16:57.640 回答