如果不需要验证服务器端证书,直接照这里做。
复制代码
如果需要验证服务器端证书(这样能够防钓鱼),我是这样做的,还有些问题问大牛:
a. 导出公钥。在浏览器上用https访问tomcat,查看其证书,并另存为一个文件(存成了X.509格式:xxxx.cer)
b. 导入公钥。把xxxx.cer放在Android的assets文件夹中,以方便在运行时通过代码读取此证书,留了两个问题给大牛:
复制代码
问1:这里用"PKCS12"不行
答1:PKCS12和JKS是keystore的type,不是Certificate的type,所以X.509不能用PKCS12代替
问2:这里用"JKS"不行。
答2:android平台上支持的keystore type好像只有PKCS12,不支持JKS,所以不能用JKS代替在PKCS12,不过在windows平台上是可以代替的
原文地址:http://blog.youkuaiyun.com/about58238/article/details/7498213#
-
-
public class Demo extends Activity {
-
/** Called when the activity is first created. */
-
private TextView text;
-
@Override
-
public void onCreate(Bundle savedInstanceState) {
-
super.onCreate(savedInstanceState);
-
setContentView(R.layout.main);
-
text = (TextView)findViewById(R.id.text);
-
GetHttps();
-
}
-
-
private void GetHttps(){
-
String https = " https://800wen.com/";
-
try{
-
SSLContext sc = SSLContext.getInstance("TLS");
-
sc.init(null, new TrustManager[]{new MyTrustManager()}, new SecureRandom());
-
HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
-
HttpsURLConnection.setDefaultHostnameVerifier(new MyHostnameVerifier());
-
HttpsURLConnection conn = (HttpsURLConnection)new URL(https).openConnection();
-
conn.setDoOutput(true);
-
conn.setDoInput(true);
-
conn.connect();
-
-
BufferedReader br = new BufferedReader(new InputStreamReader(conn.getInputStream()));
-
StringBuffer sb = new StringBuffer();
-
String line;
-
while ((line = br.readLine()) != null)
-
sb.append(line);
-
-
text.setText(sb.toString());
-
-
}catch(Exception e){
-
Log.e(this.getClass().getName(), e.getMessage());
-
}
-
-
}
-
-
private class MyHostnameVerifier implements HostnameVerifier{
-
-
@Override
-
public boolean verify(String hostname, SSLSession session) {
-
// TODO Auto-generated method stub
-
return true;
-
}
-
}
-
-
private class MyTrustManager implements X509TrustManager{
-
-
@Override
-
public void checkClientTrusted(X509Certificate[] chain, String authType)
-
throws CertificateException {
-
// TODO Auto-generated method stub
-
-
}
-
-
@Override
-
public void checkServerTrusted(X509Certificate[] chain, String authType)
-
throws CertificateException {
-
// TODO Auto-generated method stub
-
-
}
-
-
@Override
-
public X509Certificate[] getAcceptedIssuers() {
-
// TODO Auto-generated method stub
-
return null;
-
}
-
}
-
}
a. 导出公钥。在浏览器上用https访问tomcat,查看其证书,并另存为一个文件(存成了X.509格式:xxxx.cer)
b. 导入公钥。把xxxx.cer放在Android的assets文件夹中,以方便在运行时通过代码读取此证书,留了两个问题给大牛:
-
-
AssetManager am = context.getAssets();
-
InputStream ins = am.open("robusoft.cer");
-
try {
-
//读取证书
-
CertificateFactory cerFactory = CertificateFactory.getInstance("X.509"); //问1
-
Certificate cer = cerFactory.generateCertificate(ins);
-
//创建一个证书库,并将证书导入证书库
-
KeyStore keyStore = KeyStore.getInstance("PKCS12", "BC"); //问2
-
keyStore.load(null, null);
-
keyStore.setCertificateEntry("trust", cer);
-
return keyStore;
-
} finally {
-
ins.close();
-
}
-
//把咱的证书库作为信任证书库
-
SSLSocketFactory socketFactory = new SSLSocketFactory(keystore);
-
Scheme sch = new Scheme("https", socketFactory, 443);
-
//完工
-
HttpClient mHttpClient = new DefaultHttpClient();
-
mHttpClient.getConnectionManager().getSchemeRegistry().register(sch);
答1:PKCS12和JKS是keystore的type,不是Certificate的type,所以X.509不能用PKCS12代替
问2:这里用"JKS"不行。
答2:android平台上支持的keystore type好像只有PKCS12,不支持JKS,所以不能用JKS代替在PKCS12,不过在windows平台上是可以代替的
原文地址:http://blog.youkuaiyun.com/about58238/article/details/7498213#