Do I need a private certificate to do https in Android Java?
I need to retrieve data from a server talking https to my Android App.
I get the server certificate dynamically like this:
    KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
    store.load(null);
    URLConnection uc = new URL("https://duckduckgo.com/").openConnection();
    uc.connect();
    Certificate certs[] = ((HttpsURLConnection) uc).getServerCertificates();
    for (int i = 0; i < certs.length; i++) store.setCertificateEntry("cert_" + i, certs[i]);
    ((HttpsURLConnection) uc).disconnect();
I have a custom HttpClient:
    public class MyHttpClient extends DefaultHttpClient {
        final KeyStore store;

        public MyHttpClient(KeyStore store) {
            this.store = store;
        }

        @Override
        protected ClientConnectionManager createClientConnectionManager() {
            SchemeRegistry registry = new SchemeRegistry();
            registry.register(new Scheme("http", PlainSocketFactory
                    .getSocketFactory(), 80));
            registry.register(new Scheme("https", newSslSocketFactory(), 443));
            return new SingleClientConnManager(getParams(), registry);
        }

        private SSLSocketFactory newSslSocketFactory() {
            try {
                return new SSLSocketFactory(store);
            } catch (Exception e) {
                throw new AssertionError(e);
            }
        }
    }
And retrieves data from the server like this:
    HttpEntity responseEntity;
    URI url = new URI("https://duckduckgo.com/?q=android+java");
    HttpGet httpGet = new HttpGet(url);
    HttpClient client = new MyHttpClient(store);
    httpGet.addHeader("Content-Type", "text/xml");
    HttpConnectionParams.setConnectionTimeout(client.getParams(), 15000);
    HttpResponse getResponse = client.execute(httpGet);
Is everything I send and receive encrypted?
I was thinking maybe I had to provide the server with my public key?
Comments (2)
You're probably referring to Public Key Cryptography and if that were the case, then yes, the other party would need to have your public key in order for the response to be encrypted (for you).
But to answer your question: Yes, everything you send and receive (in this context) is encrypted. In the case of duckduckgo.com, you're communicating with a public webserver that has its SSL certificate verified so everything should be fine. See also this answer for a brief overview of how certificate authorities and SSL actually work.
Short answer: No, you don't need a cert to communicate with a server securely.
Long answer: The whole point of certificates is so a client and server can agree on a private encryption key without someone else knowing what that key is. The server certificate will have been issued by some major certificate authority (Verisign, etc.). You can check the authority to make sure they have actually issued a certificate to the domain name in question. Once you have verified the cert against the authority you can use the public encryption key from the cert and only the owner of the cert will be able to decrypt whatever it is you encrypt. In the case of SSL you use the public key on the cert to encrypt a session encryption key you will use to communicate securely with the server.
When doing this stuff do not omit validating the cert before using it!!!
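An added example, not code from the question or either answer: it shows the validation the answers rely on, using `HttpsURLConnection` in place of the question's `DefaultHttpClient`. The class and method names (`TlsDefaults`, `contextTrusting`, `fetchStatus`) and the `bundled-ca` alias are hypothetical, and running `main` assumes network access to the host used in the question.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TlsDefaults {
    // For a private CA only: the trust anchor is a CA certificate shipped with the
    // app (stream supplied by the caller), never what the server sent at runtime.
    static SSLContext contextTrusting(InputStream caCert) throws Exception {
        Certificate ca = CertificateFactory.getInstance("X.509").generateCertificate(caCert);
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("bundled-ca", ca);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers: no client certificate
        return ctx;
    }

    // Pass null for ctx to use the platform trust store, which is enough for a public site.
    static String fetchStatus(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        if (ctx != null) conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setConnectTimeout(15000);
        try {
            // The handshake happens in connect(); an untrusted chain or a hostname
            // mismatch throws an SSLException (an IOException) instead of returning data.
            conn.connect();
            StringBuilder sb = new StringBuilder(conn.getCipherSuite());
            for (Certificate c : conn.getServerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                sb.append("\n  subject=").append(x.getSubjectX500Principal().getName())
                  .append(" issuer=").append(x.getIssuerX500Principal().getName());
            }
            return sb.append("\nHTTP ").append(conn.getResponseCode()).toString();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println(fetchStatus("https://duckduckgo.com/", null));
    }
}
```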