Https系列之四：https的SSL證書在Android端基於okhttp，Retrofit的使用

Https系列會在下麵幾篇文章中分別作介紹：

一：https的簡單介紹及SSL證書的生成
二：https的SSL證書在伺服器端的部署，基於tomcat,spring boot
三：讓伺服器同時支持http、https，基於spring boot
四：https的SSL證書在Android端基於okhttp，Retrofit的使用

所有文章會優先在：
微信公眾號“顏家大少”中發佈
轉載請標明出處

先來回顧一下

前面已分別介紹了https,SSL證書的生成，並完成了伺服器端的https的部署
並提到一個重要的用於客戶端的證書：公鑰證書
在前面文章中，自簽名SSL證書對應的公鑰證書為：mycer.cer（當然這名字是自己隨便定的）;在阿裡雲申請的CA證書中對應的公鑰證書為：*.pem
如果有不清楚的，請看我之前介紹過的文章

Android自帶的可信任的CA公鑰證書

還要說明一下，Android系統有自帶的安卓認可的證書頒發機構（如:Wosign)頒發的可信任的CA公鑰證書，大概有100多個，
可自己查看，各個手機的查看方法可能不一樣，在我的手機中，能在下麵的位置中找到：
“設置”->”更多設置“->”系統安全“->”信任的憑據”
也就是說，如果你伺服器的證書是安卓認可的證書頒發機構頒發的，那麼你並不需要在Android端額外安裝公鑰證書，否則，你就需要安裝。
註：在不同版本的Android系統上，可信任的CA證書可能是不一樣的，如果你擔心在別人的Android系統上可能此CA證書不被信任，那你統一都安裝也是沒問題的
我在阿裡雲上申請的免費型DV SSL證書，是屬於安卓認可的證書頒發機構頒發的，不需要額外安裝，當然我們的自簽名證書，是必需要安裝的
其實我在測試的過程中，把自簽名證書和阿裡雲上申請的免費型DV SSL證書都用同樣的方法安裝了，都是OK的

我們下麵就開始基於okhttp來安裝公鑰證書了

先看看我的okhttp和retrofit的gradle版本

compile 'com.squareup.okhttp3:okhttp:3.8.1'
compile 'com.squareup.retrofit2:retrofit:2.3.0'

增加一個OkhttpManager類

統一處理OkHttpClient的證書，完整的代碼如下：

import android.content.Context;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.Arrays;
import java.util.Collection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

public class OkhttpManager {
    static private OkhttpManager mOkhttpManager=null;
    private InputStream mTrustrCertificate;
    static public OkhttpManager getInstance()
    {
        if(mOkhttpManager==null)
        {
            mOkhttpManager=new OkhttpManager();
        }
        return mOkhttpManager;
    }

    private KeyStore newEmptyKeyStore(char[] password) throws GeneralSecurityException {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            InputStream in = null; // By convention, 'null' creates an empty key store.
            keyStore.load(in, password);
            return keyStore;
        } catch (IOException e) {
            throw new AssertionError(e);
        }
    }

    private X509TrustManager trustManagerForCertificates(InputStream in)
            throws GeneralSecurityException {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certificates = certificateFactory.generateCertificates(in);
        if (certificates.isEmpty()) {
            throw new IllegalArgumentException("expected non-empty set of trusted certificates");
        }

        // Put the certificates a key store.
        char[] password = "password".toCharArray(); // Any password will work.
        KeyStore keyStore = newEmptyKeyStore(password);
        int index = 0;
        for (Certificate certificate : certificates) {
            String certificateAlias = Integer.toString(index++);
            keyStore.setCertificateEntry(certificateAlias, certificate);
        }

        // Use it to build an X509 trust manager.
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, password);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
        }
        return (X509TrustManager) trustManagers[0];
    }

    public void setTrustrCertificates(InputStream in)
    {
        mTrustrCertificate=in;
    }

    public InputStream getTrustrCertificates()
    {
        return mTrustrCertificate;
    }

    public OkHttpClient build()
    {
        OkHttpClient okHttpClient=null;
        if(getTrustrCertificates()!=null)
        {
            X509TrustManager trustManager;
            SSLSocketFactory sslSocketFactory;
            try {
                trustManager = trustManagerForCertificates(getTrustrCertificates());
                SSLContext sslContext = SSLContext.getInstance("TLS");
                sslContext.init(null, new TrustManager[] { trustManager }, null);
                sslSocketFactory = sslContext.getSocketFactory();
            } catch (GeneralSecurityException e) {
                throw new RuntimeException(e);
            }
            okHttpClient=new OkHttpClient.Builder()
                    .sslSocketFactory(sslSocketFactory, trustManager)
                    .build();
        }
        else
        {
            okHttpClient=new OkHttpClient.Builder()
                                         .build();
        }
        return okHttpClient;
    }

}

代碼解釋

代碼不少，其實最核心的代碼為：

public OkHttpClient build()
{
.......
 trustManager = trustManagerForCertificates(getTrustrCertificates());
 .......
  okHttpClient=new OkHttpClient.Builder()
                    .sslSocketFactory(sslSocketFactory, trustManager)
                    .build();
 ..........
 return okHttpClient;
}

也就是通過

void setTrustrCertificates(InputStream in)

把自己的證書對應的文件set進去

然後通過

trustManager =trustManagerForCertificates(getTrustrCertificates());

再

okHttpClient=new OkHttpClient.Builder()
                    .sslSocketFactory(sslSocketFactory, trustManager)
                    .build();

就能生成安裝好了可信任證書的okHttpClient

OkhttpManager說完了，接下來，就是：

Activity中使用OkhttpManager

1：先把公鑰證書文件（如：自簽名的mycer.cer或CA證書的：*.pem)放到assets下，
如果使用AndroidStudio的同學，可能沒有assets文件夾，自己建此文件夾，如我的為：app\src\main\assets

2：直接貼Activity主要的代碼：

public class MyActivity extends AppCompatActivity {
@Override
    protected void onCreate(@Nullable Bundle savedInstanceState) {
       super.onCreate(savedInstanceState);
       try {
            OkhttpManager.getInstance().setTrustrCertificates(getAssets().open("mycer.cer");
            OkHttpClient mOkhttpClient= OkhttpManager.getInstance().build();
        } catch (IOException e) {
            e.printStackTrace();
        }
}

簡單吧，主要代碼就那兩句，就生成了已安裝公鑰證書”mycer.cer”的mOkhttpClient
接下來的mOkhttpClient怎樣使用，大家都應該清楚了吧，如果不清楚只能看OkHttpClient的基礎內容了

好了，OkHttpClient搞掂了

接下來就到Retrofit了

大家應該知到Retrofit預設是以OkHttpClient來作為傳輸的，既然OkHttpClient搞掂了，那Retrofit就簡單了
還是直接貼代碼：

 Retrofit retrofit = new Retrofit.Builder()
                .client(mOkhttpClient)
                .baseUrl("your_serverl_url")
                .build();

看，只需在Retrofit中多加一句

.client(mOkhttpClient)

就把已安裝了證書的mOkhttpClient作為Retrofit的傳輸了

更多內容，請關註微信公眾號：顏家大少