小贝子编程

查找 SSL 证书是否已签名



我是安卓新手。我已经为 ios 编写了代码,并希望在 android 中实现类似的算法。

这是现场。我有 2 种类型的服务器 - 1。带有自签名证书 2。带有签名证书。

现在在ios中,我使用以下步骤来确定它是否已签名。

STACK_OF(X509( *stX509证书 = SSL_get_peer_cert_chain(ssl(; int cert_num = sk_X509_num(stX509Certificate(;

CFMutableArrayRef certArray = CFArrayCreateMutable(NULL, cert_num, NULL);
for (int i = 0; i < cert_num; i++) {
    unsigned char *raw = NULL;
    X509 *x509Certificate = sk_X509_value(stX509Certificate, i);
    int rawlen = i2d_X509(x509Certificate, &raw);
    CFDataRef cfcert = CFDataCreate(NULL, raw, rawlen);
    free(raw);
    SecCertificateRef secCertRef = SecCertificateCreateWithData(NULL, cfcert);
    CFRelease(cfcert);
    CFArrayAppendValue(certArray, secCertRef);
}
CFStringRef servAddr = CFStringCreateWithCString(NULL, [[srvSplit objectAtIndex:0] cStringUsingEncoding:NSUTF8StringEncoding], kCFStringEncodingUTF8);
SecPolicyRef secPolRef = SecPolicyCreateSSL(YES, servAddr);
CFRelease(servAddr);
SecTrustRef secTruRef ;
SecTrustResultType secTrustRes;
Boolean isCertTrusted = NO;
if(SecTrustCreateWithCertificates(certArray, secPolRef, &secTruRef) == errSecSuccess) {
    SecTrustSetAnchorCertificatesOnly(secTruRef, NO);
    if (SecTrustEvaluate(secTruRef,&secTrustRes) == errSecSuccess) {
        switch (secTrustRes) {
            case kSecTrustResultInvalid:
            case kSecTrustResultDeny:
            case kSecTrustResultRecoverableTrustFailure:
            case kSecTrustResultFatalTrustFailure:
            case kSecTrustResultOtherError:
                isCertTrusted = NO;
                break;
            case kSecTrustResultUnspecified:
            case kSecTrustResultProceed:
                isCertTrusted = YES;
                break;
        }
    }
}

在安卓中,我找不到这样的TrustEvaluate方法。我尝试了getBasicConstraintsgetKeyUsage.但我无法区分签名证书和其他证书。

请帮助我。

试试这段代码,它可能与你的IOS算法不同,但它工作正常。

  • 在/res/raw 中添加您的自签名证书
  • 首先,此代码检查android系统证书(受信任凭据(,在这种情况下,如果您要连接到CA认证的服务器,它会验证您的证书并允许您连接服务器
  • 如果您尝试连接自签名服务器,它会检查您的自签名证书,该证书位于/res/raw 中

  • 如果您尝试使用IP地址连接自签名服务器,则您的证书应包含subjectAltName

    public class CheckCertificate{
private static class NewCustomTrustManager implements X509TrustManager{
private X509TrustManager defaultTrustManager;
private X509TrustManager localTrustManager;
public NewCustomTrustManager(KeyStore localKeyStore) throws KeyStoreException {
    try {
        this.defaultTrustManager = createNewTrustManager(null);
        this.localTrustManager = createNewTrustManager(localKeyStore);
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
}
private X509TrustManager createNewTrustManager(KeyStore store) throws NoSuchAlgorithmException, KeyStoreException {           
    String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();            
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
    tmf.init(store);            
    TrustManager[] trustManagers = tmf.getTrustManagers();
    return (X509TrustManager) trustManagers[0];
}
public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    try {
        //Checks system certificate
        defaultTrustManager.checkServerTrusted(chain, authType);
    } catch (CertificateException ce) {
        //Checks your self signed certificate
        localTrustManager.checkServerTrusted(chain, authType);
    }
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
}

@Override
public X509Certificate[] getAcceptedIssuers() {
    X509Certificate[] first = defaultTrustManager.getAcceptedIssuers();
    X509Certificate[] second = localTrustManager.getAcceptedIssuers();
    X509Certificate[] result = Arrays.copyOf(first, first.length + second.length);
    return result;
  }
 }
 public static void setCustomCertificate(Context cn) {
try {
    // Load CAs from an InputStream
    // (could be from a resource or ByteArrayInputStream or ...)
    CertificateFactory cf = CertificateFactory.getInstance("X.509");          
    InputStream caInput = new BufferedInputStream(cn.getResources().openRawResource(R.raw.apache_25));
    try {
        ca = cf.generateCertificate(caInput);
    }catch (Exception e){
        e.printStackTrace();
    }finally {
        caInput.close();
    }
    // Create a KeyStore containing our trusted CAs
    String keyStoreType = KeyStore.getDefaultType();
    KeyStore keyStore = KeyStore.getInstance(keyStoreType);
    keyStore.load(null, null);
    keyStore.setCertificateEntry("cacertificate", ca);
    // Create a TrustManager that trusts the CAs in our KeyStore and system CA
    NewCustomTrustManager trustManager = new NewCustomTrustManager(keyStore);
    // Create an SSLContext that uses our TrustManager
    SSLContext context = SSLContext.getInstance("TLS");
    context.init(null, new TrustManager[]{trustManager}, null);
    // Tell the URLConnection to use a SocketFactory from our SSLContext
    HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
} catch (CertificateException e) {
    e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
    e.printStackTrace();
} catch (KeyStoreException e) {
    e.printStackTrace();
} catch (KeyManagementException e) {
    e.printStackTrace();
} catch (MalformedURLException e) {
    e.printStackTrace();
} catch (IOException e) {
    e.printStackTrace();
}
}
}

相关内容

  • 没有找到相关文章

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium