接收&验证来自服务器 HTTPS 的证书 - android
我正在通过 https 从 Android 客户端调用 Web 服务。我必须验证从服务器端收到的证书。我该怎么做?目前,这是我用来调用网络服务的代码。
private static String SendPost(String url, ArrayList<NameValuePair> pairs) { // url = "https://....."
errorMessage = "";
String response = "";
DefaultHttpClient hc=new DefaultHttpClient();
ResponseHandler <String> res=new BasicResponseHandler();
HttpPost postMethod=new HttpPost(url);
try {
postMethod.setEntity(new UrlEncodedFormEntity(pairs));
response = hc.execute(postMethod, res);
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
return response;
}
如何验证在执行 Post 期间从服务器收到的自签名证书?我必须通过公钥/私钥进行测试。客户端将有一个 CA 文件。我只需要客户端使用CA验证服务器证书,该服务是公共的。这与公钥/私钥有关。在调用post之前如何从服务器接收证书?
stackoverflow 上提供了几个选项和代码片段。我发现有多个答案的几个链接是: 接受 Android 上的 HTTP 证书 使用 Android 和自签名服务器进行 HTTPS GET (SSL)证书
但我不知道哪个对我来说是好的/适用的!我不想禁用所有或接受任何。必须检查公钥/私钥/
非常感谢任何帮助。
I am calling web service from my android client via https. I got to validate the certificate receive from server side. How do I do that ? At present this is my code that I use to call a web service.
private static String SendPost(String url, ArrayList<NameValuePair> pairs) { // url = "https://....."
errorMessage = "";
String response = "";
DefaultHttpClient hc=new DefaultHttpClient();
ResponseHandler <String> res=new BasicResponseHandler();
HttpPost postMethod=new HttpPost(url);
try {
postMethod.setEntity(new UrlEncodedFormEntity(pairs));
response = hc.execute(postMethod, res);
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
} catch (ClientProtocolException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
}
return response;
}
How do I validate a self-signed certificate received from server during performing Post ? I got to do testing via public/private keys. Client will have a CA file. Ijust need the client to verify the server certificate using the CA, the service is public .This has to do with public/private key. How can I receive the certificate from the server before calling the post ?
Their are several options and code snippets available on stackoverflow. Couple of links I found with multiple answers is :
Accepting a certificate for HTTPs on Android
HTTPS GET (SSL) with Android and self-signed server certificate
But I can't make out which is good/applicable for me ! I don't want to disable all or accept any. Have to check the public/private keys/
Any help is highly appreciated.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
Bob Lee 写了一篇关于如何在 Android 中使用 SSL 证书的精彩博客文章。我认为它适用于您的情况: http://blog. crazybob.org/2010/02/android-trusting-ssl-certificates.html
您只需创建一个包含自签名证书的
KeyStore并使用自定义HttpClient< /code> 该帖子中描述的实现。更新:
主机名验证可以通过在
SSLSocketFactory上设置自定义X509HostnameVerifier。 Android 中已经提供了一些实现:AllowAllHostnameVerifier、BrowserCompatHostnameVerifier、StrictHostnameVerifierBob Lee wrote a nice blog post on how using SSL certificates with Android. I think it is applicable to your case: http://blog.crazybob.org/2010/02/android-trusting-ssl-certificates.html
You just have to create a
KeyStorecontaining your self-signed certificate and use the customHttpClientimplementation described in that post.UPDATE:
Host name validation can be customizez by setting a custom
X509HostnameVerifieron theSSLSocketFactory. Some implementations are already available in android:AllowAllHostnameVerifier,BrowserCompatHostnameVerifier,StrictHostnameVerifier