默默的点滴 – 智障儿童欢乐多

之所以研究这个，本来的目的是为了让Gradle支持离线编译，但是由于Gradle目录组织的缺陷，如.gradle/caches/modules-2/metadata-2.23(metadata-xx跟使用的gradle版本有关)目录下module-artifacts.bin等bin文件中存的是本机的绝对路径，导致就算将.gradle拷贝给另一台机器，还是需要联网验证。

将gradle的jcenter重定向的方法见我的另一篇文章：[android]gradle下载加速 - 知乎专栏，例如阿里云的jcenter是Index of /repositories/jcenter

我在内网中搭建了jcenter仓库。然而我不想搭建一个大而全的jcenter的仓库，搭建大而全的仓库可以使用nexus来搭建，阿里云也是那么搭的，由于公司的网络需要上网认证，时不时会断一下，所以我的做法是通过利用.gradle目录来创建jcenter仓库。

下面先介绍.gradle目录的组织。

1 .gradle顶级目录

目录| 功能
caches | gradle缓存目录
daemon | daemon日志目录
native | gradle平台相关目录
wrapper | gradle-wrapper下载目录

2 caches目录

目录 | 功能
2.14.1 | gradle程序的脚本（gradle程序版本）
3.2.1 | gradle程序的脚本（gradle程序版本）
jars-1 | ?
jars-2 | ?
modules-2 | 下载缓存目录

2.1 caches/modules-2目录

目录 | 功能
files-2.1 | gradle下载的jar/aar目录
metadata-2.16 | gradle-2.14.1的描述文件？
metadata-2.23 | gradle-3.2.1的描述文件？

2.1.1 files-2.1的目录组织（jar/aar都下载到这里）

${org}/${package}/${version}/${shanum1}/${package-version}.pom 
${org}/${package}/${version}/${shanum2}/${package-version}.jar

1 2	${org}/${package}/${version}/${shanum1}/${package-version}.pom ${org}/${package}/${version}/${shanum2}/${package-version}.jar

例如：

#jcenter上jar的路径
https://jcenter.bintray.com/com/android/tools/lint/lint-api/25.1.3/lint-api-25.1.3.jar
#对应的缓存目录为
.gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/${shasum1}/lint-api-25.1.3.jar

#看下这个目录下有什么？
~ find .gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/ -type f
#除了jar包还有pom，用于描述jar。
.gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/14c6a94811fb8114a61b8f3ab29214f9466b5c59/lint-api-25.1.3.jar
.gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/c4844e26d84dd1f450f90d89d7e2d2d09f52760/lint-api-25.1.3.pom

#看下jar的shasum
~ shasum .gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/14c6a94811fb8114a61b8f3ab29214f9466b5c59/lint-api-25.1.3.jar

14c6a94811fb8114a61b8f3ab29214f9466b5c59  .gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/14c6a94811fb8114a61b8f3ab29214f9466b5c59/lint-api-25.1.3.jar
#即目录名。

#jcenter上jar的路径

https://jcenter.bintray.com/com/android/tools/lint/lint-api/25.1.3/lint-api-25.1.3.jar

#对应的缓存目录为

.gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/${shasum1}/lint-api-25.1.3.jar

#看下这个目录下有什么？

~ find .gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/ -type f

#除了jar包还有pom，用于描述jar。

.gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/14c6a94811fb8114a61b8f3ab29214f9466b5c59/lint-api-25.1.3.jar

.gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/c4844e26d84dd1f450f90d89d7e2d2d09f52760/lint-api-25.1.3.pom

#看下jar的shasum

~ shasum .gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/14c6a94811fb8114a61b8f3ab29214f9466b5c59/lint-api-25.1.3.jar

14c6a94811fb8114a61b8f3ab29214f9466b5c59 .gradle/caches/modules-2/files-2.1/com.android.tools.lint/lint-api/25.1.3/14c6a94811fb8114a61b8f3ab29214f9466b5c59/lint-api-25.1.3.jar

#即目录名。

注意：创建jcenter时，对于jar包，可以没有pom，但是如果使用aar，则必须有pom，所以最好是每个版本都有个pom。因为pom中也描述了依赖关系。

3 daemon目录（无需离线）

用于存放gradle daemon的运行日志。按gradle程序版本存放。

目录 | 功能
2.14.1 | gradle-2.14.1运行的日志
3.2.1 | gradle-3.2.1运行的日志

4 native目录（无需离线）

用于存放平台相关（Windows/Linux/Mac）的库。

目录 | 功能
19 | gradle-2.14.1对应的lib目录，按平台存放，如osx-amd64
21 | gradle-3.2.1对应的lib目录，按平台存放，如osx-amd64
jansi | ?

5 wrapper目录

用于存放gradle-wrapper下载gradle的zip包和解压后的文件夹。
wrapper的目录规则是
wrapper/dists/gradle-2.14.1-all/${base36}/gradle-2.14.1-all.zip
wrapper/dists/gradle-2.14.1-all/${base36}/gradle-2.14.1-all.zip.lck
wrapper/dists/gradle-2.14.1-all/${base36}/gradle-2.14.1-all.zip.ok

其中base36的规则为：

从gradle/wrapper/gradle-wrapper.properties中得到distributionUrl，即https://services.gradle.org/distributions/gradle-2.14.1-all.zip，注意文件中的\不算。
对distributionUrl计算md5。例如printf “https://services.gradle.org/distributions/gradle-2.14.1-all.zip” | md5
得到8c9a3200746e2de49722587c1108fe87。
利用0x8c9a3200746e2de49722587c1108fe87构造一个uint 128位整数。
将整数利用base36得到base36的值（取小写）。

从gradle-wrapper的jar包中提取的Java代码如下：

import java.math.BigInteger;
import java.security.MessageDigest;

public class Hash {

    public static void main(String[] args) {
        try {
            MessageDigest messageDigest = MessageDigest.getInstance("MD5");
            byte[] bytes = args[0].getBytes();
            messageDigest.update(bytes);
            String str = new BigInteger(1, messageDigest.digest()).toString(36);
            System.out.println(str);
        } catch (Exception e) {
            throw new RuntimeException("Could not hash input string.", e);
        }
    }
}

import java.math.BigInteger;

import java.security.MessageDigest;

public class Hash {

public static void main(String[] args) {

try {

MessageDigest messageDigest = MessageDigest.getInstance("MD5");

byte[] bytes = args[0].getBytes();

messageDigest.update(bytes);

String str = new BigInteger(1, messageDigest.digest()).toString(36);

System.out.println(str);

} catch (Exception e) {

throw new RuntimeException("Could not hash input string.", e);

}

c++跟java代码见http://github.com/xiaoyur347/gradlew/helper。

6. 使用.gradle/caches/modules-2创建jcenter的方法

以下是mirror.sh，我把它放在.gradle目录下。运行脚本会在.gradle目录下生成jcenter目录。把它移走或直接把jcenter目录加入http服务器即可。

目前我的做法是在本地使用gradle编译一次，然后把gradle下载下来的jar/aar/pom全部提交到版本管理，然后由持续集成去拉版本库上的.gradle目录，然后生成jcenter提供给内网编译服务器。

#!/bin/bash
#use .gradle/caches/modules-2/files-2.1/ to create jcenter
SHPATH=$(cd "$(dirname "$0")"; pwd)
DIR="${SHPATH}/caches/modules-2/files-2.1/"
DIR_LENGTH=${#DIR}
if [ `uname` = "Darwin" ]; then
#mac will add "/"
	DIR_LENGTH=$((DIR_LENGTH+1))
fi
rm -rf ${SHPATH}/jcenter/*
find ${DIR} -type f | grep -Ev "DS_Store" | while read line
do
	SRC=${line}
	URL=${line:${DIR_LENGTH}}

	ORG=${URL%%/*}
	URL=${URL#*/}

	MODULE=${URL%%/*}
	URL=${URL#*/}

	REVISION=${URL%%/*}
	URL=${URL#*/}

	SHA1=${URL%%/*}
	URL=${URL#*/}

	FILE=${URL}
#echo "ORG=$ORG, MODULE=$MODULE, REVISION=$REVISION, SHA1=$SHA1, FILE=$FILE"

	DST=${SHPATH}/jcenter/${ORG//.//}/${MODULE}/${REVISION}/${FILE}
echo "$DST"
	mkdir -p `dirname ${DST}`
	if [ ! -f ${DST} ]; then
		cp -a ${SRC} ${DST}
fi
done

#!/bin/bash

#use .gradle/caches/modules-2/files-2.1/ to create jcenter

SHPATH=$(cd "$(dirname "$0")"; pwd)

DIR="${SHPATH}/caches/modules-2/files-2.1/"

DIR_LENGTH=${#DIR}

if [ `uname` = "Darwin" ]; then

#mac will add "/"

DIR_LENGTH=$((DIR_LENGTH+1))

rm -rf ${SHPATH}/jcenter/*

find ${DIR} -type f | grep -Ev "DS_Store" | while read line

SRC=${line}

URL=${line:${DIR_LENGTH}}

ORG=${URL%%/*}

URL=${URL#*/}

MODULE=${URL%%/*}

URL=${URL#*/}

REVISION=${URL%%/*}

URL=${URL#*/}

SHA1=${URL%%/*}

URL=${URL#*/}

FILE=${URL}

#echo "ORG=$ORG, MODULE=$MODULE, REVISION=$REVISION, SHA1=$SHA1, FILE=$FILE"

DST=${SHPATH}/jcenter/${ORG//.//}/${MODULE}/${REVISION}/${FILE}

echo "$DST"

mkdir -p `dirname ${DST}`

if [ ! -f ${DST} ]; then

cp -a ${SRC} ${DST}

done

另外，上面提到aar有可能会因为缺失pom导致无法使用，我还写了一个脚本，也是放在.gradle目录下，用于修复aar问题。本地运行时，可以只运行这个脚本，因为它会顺路执行上面的脚本。

以下是fix_aar_cache.sh的内容：

#!/bin/bash
SHPATH=$(cd "$(dirname "$0")"; pwd)

SRC_DIR=${SHPATH}/jcenter
CACHE_DIR="${SHPATH}/caches/modules-2/files-2.1/"
${SHPATH}/mirror.sh > /dev/null

DIR_LENGTH=${#SRC_DIR}
if [ `uname` = "Darwin" ]; then
#mac will add "/"
	DIR_LENGTH=$((DIR_LENGTH+1))
fi
find ${SRC_DIR} -name "*.aar" | while read line
do
	SRC=${line}
	LOCAL_POM=${SRC/.aar/.pom}
if [ -f ${LOCAL_POM} ]; then
continue
fi
echo "$LOCAL_POM not found"

	URL=${line:${DIR_LENGTH}}
	URL=${URL/.aar/.pom}
	REMOTE_POM=http://maven.aliyun.com/nexus/content/repositories/jcenter/${URL}
	REMOTE_POM_SHA1=${REMOTE_POM}.sha1

	SHA1=`wget -q -O- ${REMOTE_POM_SHA1}`
	SHA1=${SHA1:2} #remove additional \r\n
echo $SHA1
#reverse to get it
	FILE=${URL##*/}
	URL=${URL%/*}

	REVISION=${URL##*/}
	URL=${URL%/*}

	MODULE=${URL##*/}
	URL=${URL%/*}

	ORG=${URL}
echo "ORG=$ORG, MODULE=$MODULE, REVISION=$REVISION, FILE=$FILE"
#org /->.
	DST=${CACHE_DIR}/${ORG//\//\.}/${MODULE}/${REVISION}/${SHA1}/${FILE}
echo "$DST"
	mkdir -p `dirname ${DST}`
	if [ ! -f ${DST} ]; then
		wget -O ${DST} ${REMOTE_POM}
fi
done

#!/bin/bash

SHPATH=$(cd "$(dirname "$0")"; pwd)

SRC_DIR=${SHPATH}/jcenter

CACHE_DIR="${SHPATH}/caches/modules-2/files-2.1/"

${SHPATH}/mirror.sh > /dev/null

DIR_LENGTH=${#SRC_DIR}

if [ `uname` = "Darwin" ]; then

#mac will add "/"

DIR_LENGTH=$((DIR_LENGTH+1))

find ${SRC_DIR} -name "*.aar" | while read line

SRC=${line}

LOCAL_POM=${SRC/.aar/.pom}

if [ -f ${LOCAL_POM} ]; then

continue

echo "$LOCAL_POM not found"

URL=${line:${DIR_LENGTH}}

URL=${URL/.aar/.pom}

REMOTE_POM=http://maven.aliyun.com/nexus/content/repositories/jcenter/${URL}

REMOTE_POM_SHA1=${REMOTE_POM}.sha1

SHA1=`wget -q -O- ${REMOTE_POM_SHA1}`

SHA1=${SHA1:2} #remove additional \r\n

echo $SHA1

#reverse to get it

FILE=${URL##*/}

URL=${URL%/*}

REVISION=${URL##*/}

URL=${URL%/*}

MODULE=${URL##*/}

URL=${URL%/*}

ORG=${URL}

echo "ORG=$ORG, MODULE=$MODULE, REVISION=$REVISION, FILE=$FILE"

#org /->.

DST=${CACHE_DIR}/${ORG//\//\.}/${MODULE}/${REVISION}/${SHA1}/${FILE}

echo "$DST"

mkdir -p `dirname ${DST}`

if [ ! -f ${DST} ]; then

wget -O ${DST} ${REMOTE_POM}

done

参考链接

debug/release 修改包名，取不同包名下的agconnect-services.json 文件

debug/release 修改包名，取不同包名下的agconnect-services.json 文件 V2 解决每次更换包名，都是要手动删除agconnect-services.json文件操作

问题描述

我在打多渠道包的时候，我需要区分debug版本，release版本，其中涉及到包名的不同，我使用release编译的时候，发现如下错误信息。这个原因是因为你的agconnect-services文件里面含有一个 package_name 参数，这个参数是需要指定包名的，如果 package_name 填写的报名，和目前你所使用的包名没有对应上就会出现这样的错误

修改过程中遇到的错误信息

* What went wrong:
Execution failed for task ':app:processDebugAGCPlugin'.
> ERROR: Failed to verify AGConnect-Config '/client/package_name', expected: 'com.gxx.fast', but was: 'com.gxx.fast.debug'

* What went wrong:

Execution failed for task ':app:processDebugAGCPlugin'.

> ERROR: Failed to verify AGConnect-Config '/client/package_name', expected: 'com.gxx.fast', but was: 'com.gxx.fast.debug'

不是很完美的解决问题

既然是需要区分包名的，我不如直接copy 2份出来，放到src下面，并新建一个类 pushservices 里面存放 debug/release 的类并存放 agconnect-services.json文件，这样我们想使用哪个版本的，就使用哪个版本的

继续阅读debug/release 修改包名，取不同包名下的agconnect-services.json 文件

android使用gradle实现资源自动拷贝

把下面的代码拷贝到module的gradle.build 文件内

android.applicationVariants.all{ variant ->
    delete "${buildDir}/intermediates/merged_assets/${variant.dirName}"  // buildDir是app下的build目录
    variant.mergeAssets.doLast{
        def sourceDir = "${buildDir}/../"   // 资源存放目录，这里是app下
        print "${buildDir} \n"  // 打印路径
        copy { // 将from目录下的资源拷贝到into 下目录去
            from "${sourceDir}/fromDir"
            into "${outputDir}/res"
        }
    }
}

android.applicationVariants.all{ variant ->

delete "${buildDir}/intermediates/merged_assets/${variant.dirName}" // buildDir是app下的build目录

variant.mergeAssets.doLast{

def sourceDir = "${buildDir}/../" // 资源存放目录，这里是app下

print "${buildDir} \n" // 打印路径

copy { // 将from目录下的资源拷贝到into 下目录去

from "${sourceDir}/fromDir"

into "${outputDir}/res"

}

继续阅读android使用gradle实现资源自动拷贝

使用pip安装模块时提示：No module named pip

系统输入cmd：
windows 解决方法：

python -m ensurepip

1	python -m ensurepip

升级pip版本:

pip install --upgrade pip

1	pip install --upgrade pip

linux解决方法：

$ python -m ensurepip

$ sudo easy_install pip

$ python -m pip install --upgrade pip

$ python -m ensurepip

$ sudo easy_install pip

$ python -m pip install --upgrade pip

参考链接

使用pip安装模块时提示： No module named pip

Windows泄露文件目录分析

1）种子链接：https://itorrents.org/torrent/3D8B16242B56A3AAFB8DA7B5FC83EF993EBCF35B.torrent?title=[limetorrents.info]Microsoft.leaked.source.code.archive_2020-09-24（你不会想用手敲吧？）也可本地下载

看了下大小是42.93GB（应该是对的~）

继续阅读Windows泄露文件目录分析

Android开源VPN客户端之ICS OpenVPN

1. 简介

Android API level 14+提供了VPNService服务框架，在不root的情况下，开发者可以创建自己的VPN服务应用。
目前主要有三种，分别为OpenVPN for Android（ICS OpenVPN），OpenVPN Connect，OpenVPN Settings。

OpenVPN for Android和OpenVPN Connect使用官方VPNService API (Android 4.0+)，不需要root权限，而OpenVPN Settings需要root权限。
OpenVPN for Android是一个开源的客户端，由Arne Schwabe开发，他定位于更高级的用户，提供更多的设置，它可以在app内导入配置文件。
OpenVPN Connect是一个不开源的客户端，它由OpenVPN Technologies , Inc. 开发，它定位于普通用户，它基于OpenVPN协议的C++实现。
OpenVPN Settings是最老的客户端，需要root权限，它并不使用VPNService API。

2. 编译OpenVPN for Android

2.1 开发环境搭建

Ubuntu16，Android Studio，NDK，SDK
首先在Ubuntu下安装Android studio，安装完毕后，使用sdk manager工具安装sdk。
关于NDK，可以使用sdk manager来下载，不过在编译源码的过程中出现了错误，经过尝试发现sdk manager下载的是14版本的ndk，而14版本的ndk编译OpenVPN for Android会出现错误，建议使用12版本的ndk。

2.2 配置环境变量

安装完Android studio，解压完ndk后，需要配置环境变量。

~/android-studio/bin Android studio安装目录
~/Android/android-ndk-r12b ndk解压目录

1 2	~/android-studio/bin Android studio安装目录 ~/Android/android-ndk-r12b ndk解压目录

进入用户目录（cd /home/bleach），打开配置文件（vim .bashrc），添加如下内容：

export PATH=$PATH:~/android-studio/bin:~/Android/android-ndk-r12b

1	export PATH=$PATH:~/android-studio/bin:~/Android/android-ndk-r12b

2.3 获取OpenVPN for Android源码

打开搜索引擎，输入ics openvpn，进行搜索，然后进入ics openvpn的github主页，选择master分支里的一个已经添加标签的版本，本文选择的是0.6.64版本的源码。

进入Ubuntu命令行，创建一个源码目录，然后使用git clone命令将源码下载到本地。

$ mkdir ics-openvpn-v0.6.64

$ cd ics-openvpn-v0.6.64

$ git clone https://github.com/schwabe/ics-openvpn.git

$ mkdir ics-openvpn-v0.6.64

$ cd ics-openvpn-v0.6.64

$ git clone https://github.com/schwabe/ics-openvpn.git

2.4 编译源码

step1：进入ics-openvpn-v0.6.64/ics-openvpn目录，修改.gitmodules文件。

$ cd ics-openvpn-v0.6.64/ics-openvpn

$ ls –a

$ vim .gitmodules

$ cd ics-openvpn-v0.6.64/ics-openvpn

$ ls –a

$ vim .gitmodules

将.gitmodules文件中的url更改掉。

[submodule "main/openvpn"]
path = main/openvpn
url = https://github.com/schwabe/openvpn.git

[submodule "main/openssl"]
path = main/openssl
url = https://github.com/schwabe/platform_external_openssl.git

[submodule "main/breakpad"]
path = main/breakpad
url = https://github.com/schwabe/breakpad.git

[submodule "main/openvpn"]

path = main/openvpn

url = https://github.com/schwabe/openvpn.git

[submodule "main/openssl"]

path = main/openssl

url = https://github.com/schwabe/platform_external_openssl.git

[submodule "main/breakpad"]

path = main/breakpad

url = https://github.com/schwabe/breakpad.git

step2：执行指令

$ git submodule sync

1	$ git submodule sync

step3：然后执行指令

$ git submodule init

1	$ git submodule init

step4：然后执行指令

$ git submodule update

1	$ git submodule update

upate指令会消耗一定的时间。
step5：最后进入ics-openvpn-v0.6.64/ics-openvpn/main目录，执行./misc/build-native.sh，等待编译完成，可能需要修改build-native.sh的执行权限。

$ cd main

$ chmod +x ./mics/build-native.sh

$ ./misc/build-native.sh

$ cd main

$ chmod +x ./mics/build-native.sh

$ ./misc/build-native.sh

3. 编译常见问题

3.1 ndk-build not found

未配置ndk环境变量，请参考2.2。

3.2 各种编译错误，比如unknown directive。

很有可能是ndk版本的问题，请使用12版本的ndk尝试编译。

3.3 cannot find .git directory in openvpn,aborting

不要在github上下载zip包的源码，请使用git clone指令将源码下载到本地。

4. 导入源码

将源码导入到Android studio中，目前OpenVPN for Android不支持导入到eclipse中，请使用Android studio开发环境。
打开Android studio，将源码导入，Android studio会自动更新gradle信息，更新完毕后，编译工程，就会生成对应apk包。

参考链接

Android开源VPN客户端之ICS OpenVPN

Java 实现TLS/SSL证书的自动安装校验

前言

最近实现Socks5 proxy与HTTP proxy中遇到了SSLSocket隧道的问题，当然，最终问题经过自动证书校验安装管理器实现了证书的管理，也解决了SSLSocket，但是目前的问题是浏览器对Socks5和HTTP proxy还有很多不足，目前实现的两个代理工具只能在程序中使用。当然，我们今天的主要话题如下：

Java 实现TLS/SSL证书的自动安装校验，主要经过ssl/tls握手，密钥交换，证书校验机制实现。我们这里模拟浏览器，实现自动校验和证书的检测。

主要实现如下功能：

1.自动检测，校验根证书，校验过期时间，校验签名的证书是否有效，校验证书和域名是否匹配

2.实现证书的自动存储，自动安装，加载

3.实现普通Socket自动升级为SSLSocket

一.实现配置类

首先，我们先添加2个配置类

package com.ssl.rx.http;

import java.security.KeyStore;

public class ConnectionConfiguration {

	/** 证书文件路径 */
private String truststorePath;
	/** 证书类型 */
private String truststoreType;
	/** 证书文件密码 */
private String truststorePassword;
	/** 是否验证证书链的签名有效性 */
private boolean verifyChainEnabled = true;
	/** 是否校验根证书，注意，自签名证书没有根证书 */
private boolean verifyRootCAEnabled = true;
	/** 是否允许通过自签名证书 */
private boolean selfSignedCertificateEnabled = false;
	/** 是否检查证书的有效期 */
private boolean expiredCertificatesCheckEnabled = true;
	/** 检查域名的匹配情况 */
private boolean notMatchingDomainCheckEnabled = true;

	private String server;
	private int port;

	public ConnectionConfiguration() {
		truststorePassword = "WlZSak5GcFVUbTlsVjJSNg==";
		truststorePath = "socket_tls_clientTrust.cert";
		truststoreType = "jks";
	}

	public int getPort() {
		return port;
	}

	public void setPort(int port) {
		this.port = port;
	}

	public String getServer() {
		return server;
	}

	public void setServer(String server) {
		this.server = server;
	}

	public boolean isExpiredCertificatesCheckEnabled() {
		return expiredCertificatesCheckEnabled;
	}

	public void setSelfSignedCertificateEnabled(boolean selfSignedCertificateEnabled) {
		this.selfSignedCertificateEnabled = selfSignedCertificateEnabled;
	}

	public void setExpiredCertificatesCheckEnabled(boolean expiredCertificatesCheckEnabled) {
		this.expiredCertificatesCheckEnabled = expiredCertificatesCheckEnabled;
	}

	public boolean isSelfSignedCertificateEnabled() {
		return selfSignedCertificateEnabled;
	}

	public boolean isNotMatchingDomainCheckEnabled() {
		return notMatchingDomainCheckEnabled;
	}

	public boolean isVerifyRootCAEnabled() {
		return verifyRootCAEnabled;
	}

	public void setVerifyRootCAEnabled(boolean verifyRootCAEnabled) {
		this.verifyRootCAEnabled = verifyRootCAEnabled;
	}

	public void setVerifyChainEnabled(boolean verifyChainEnabled) {
		this.verifyChainEnabled = verifyChainEnabled;
	}

	public boolean isVerifyChainEnabled() {

		return verifyChainEnabled;
	}

	public String getTruststoreType() {
		return truststoreType;
	}

	public void setTruststoreType(String truststoreType) {
		this.truststoreType = truststoreType;
	}

	public String getTruststorePassword() {
		return truststorePassword;
	}

	public void setTruststorePassword(String truststorePassword) {
		this.truststorePassword = truststorePassword;
	}

	public String getTruststorePath() {
		return truststorePath;
	}

	public void setTruststorePath(String truststorePath) {
		this.truststorePath = truststorePath;
	}

	public void setNotMatchingDomainCheckEnabled(boolean notMatchingDomainCheckEnabled) {
		this.notMatchingDomainCheckEnabled = notMatchingDomainCheckEnabled;
	}

}


然后增加一个用于存储keystore的javaBean

package com.ssl.rx.http;

public class KeyStoreOptions {
	private final String type;
	private final String path;
	private final String password;

	public KeyStoreOptions(String type, String path, String password) {
		super();
		this.type = type;
		this.path = path;
		this.password = password;
	}

	public String getType() {
		return type;
	}

	public String getPath() {
		return path;
	}

	public String getPassword() {
		return password;
	}

	@Override
public int hashCode() {
		final int prime = 31;
		int result = 1;
		result = prime * result + ((password == null) ? 0 : password.hashCode());
		result = prime * result + ((path == null) ? 0 : path.hashCode());
		result = prime * result + ((type == null) ? 0 : type.hashCode());
		return result;
	}

	@Override
public boolean equals(Object obj) {
		if (this == obj)
			return true;
		if (obj == null)
			return false;
		if (getClass() != obj.getClass())
			return false;
		KeyStoreOptions other = (KeyStoreOptions) obj;
		if (password == null) {
			if (other.password != null)
				return false;
		} else if (!password.equals(other.password))
			return false;
		if (path == null) {
			if (other.path != null)
				return false;
		} else if (!path.equals(other.path))
			return false;
		if (type == null) {
			if (other.type != null)
				return false;
		} else if (!type.equals(other.type))
			return false;
		return true;
	}
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

package com.ssl.rx.http;

import java.security.KeyStore;

public class ConnectionConfiguration {

/** 证书文件路径 */

private String truststorePath;

/** 证书类型 */

private String truststoreType;

/** 证书文件密码 */

private String truststorePassword;

/** 是否验证证书链的签名有效性 */

private boolean verifyChainEnabled = true;

/** 是否校验根证书，注意，自签名证书没有根证书 */

private boolean verifyRootCAEnabled = true;

/** 是否允许通过自签名证书 */

private boolean selfSignedCertificateEnabled = false;

/** 是否检查证书的有效期 */

private boolean expiredCertificatesCheckEnabled = true;

/** 检查域名的匹配情况 */

private boolean notMatchingDomainCheckEnabled = true;

private String server;

private int port;

public ConnectionConfiguration() {

truststorePassword = "WlZSak5GcFVUbTlsVjJSNg==";

truststorePath = "socket_tls_clientTrust.cert";

truststoreType = "jks";

}

public int getPort() {

return port;

}

public void setPort(int port) {

this.port = port;

}

public String getServer() {

return server;

}

public void setServer(String server) {

this.server = server;

}

public boolean isExpiredCertificatesCheckEnabled() {

return expiredCertificatesCheckEnabled;

}

public void setSelfSignedCertificateEnabled(boolean selfSignedCertificateEnabled) {

this.selfSignedCertificateEnabled = selfSignedCertificateEnabled;

}

public void setExpiredCertificatesCheckEnabled(boolean expiredCertificatesCheckEnabled) {

this.expiredCertificatesCheckEnabled = expiredCertificatesCheckEnabled;

}

public boolean isSelfSignedCertificateEnabled() {

return selfSignedCertificateEnabled;

}

public boolean isNotMatchingDomainCheckEnabled() {

return notMatchingDomainCheckEnabled;

}

public boolean isVerifyRootCAEnabled() {

return verifyRootCAEnabled;

}

public void setVerifyRootCAEnabled(boolean verifyRootCAEnabled) {

this.verifyRootCAEnabled = verifyRootCAEnabled;

}

public void setVerifyChainEnabled(boolean verifyChainEnabled) {

this.verifyChainEnabled = verifyChainEnabled;

}

public boolean isVerifyChainEnabled() {

return verifyChainEnabled;

}

public String getTruststoreType() {

return truststoreType;

}

public void setTruststoreType(String truststoreType) {

this.truststoreType = truststoreType;

}

public String getTruststorePassword() {

return truststorePassword;

}

public void setTruststorePassword(String truststorePassword) {

this.truststorePassword = truststorePassword;

}

public String getTruststorePath() {

return truststorePath;

}

public void setTruststorePath(String truststorePath) {

this.truststorePath = truststorePath;

}

public void setNotMatchingDomainCheckEnabled(boolean notMatchingDomainCheckEnabled) {

this.notMatchingDomainCheckEnabled = notMatchingDomainCheckEnabled;

}

然后增加一个用于存储keystore的javaBean

package com.ssl.rx.http;

public class KeyStoreOptions {

private final String type;

private final String path;

private final String password;

public KeyStoreOptions(String type, String path, String password) {

super();

this.type = type;

this.path = path;

this.password = password;

}

public String getType() {

return type;

}

public String getPath() {

return path;

}

public String getPassword() {

return password;

}

@Override

public int hashCode() {

final int prime = 31;

int result = 1;

result = prime * result + ((password == null) ? 0 : password.hashCode());

result = prime * result + ((path == null) ? 0 : path.hashCode());

result = prime * result + ((type == null) ? 0 : type.hashCode());

return result;

}

@Override

public boolean equals(Object obj) {

if (this == obj)

return true;

if (obj == null)

return false;

if (getClass() != obj.getClass())

return false;

KeyStoreOptions other = (KeyStoreOptions) obj;

if (password == null) {

if (other.password != null)

return false;

} else if (!password.equals(other.password))

return false;

if (path == null) {

if (other.path != null)

return false;

} else if (!path.equals(other.path))

return false;

if (type == null) {

if (other.type != null)

return false;

} else if (!type.equals(other.type))

return false;

return true;

}

最后，我们来实现核心部分，证书管理器

二.实现核心代码

package com.ssl.rx.http;


public class SSLX509CertificateManager {

	private static final Logger logger = Logger.getLogger("SSLX509CertificateManager");
	private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
	private static Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)");
	private static Map<KeyStoreOptions, KeyStore> stores = new HashMap<KeyStoreOptions, KeyStore>();

	private static String toHexString(byte[] bytes) {
		StringBuilder sb = new StringBuilder(bytes.length * 3);
		for (int b : bytes) {
			b &= 0xff;
			sb.append(HEXDIGITS[b >> 4]);
			sb.append(HEXDIGITS[b & 15]);
			sb.append(' ');
		}
		return sb.toString();
	}

	

	/**
	 * 开始握手等一系列密钥协商
	 * 
	 * @param socket
	 * @return
	 */
public static boolean startHandshake(SSLSocket socket) {
		try {
			logger.log(Level.INFO, "-开始握手，认证服务器证书-");
			socket.startHandshake();
			System.out.println();
			logger.log(Level.INFO, "-握手结束，结束认证服务器证书-");
		} catch (SSLException e) {
			e.printStackTrace();
			return false;
		} catch (IOException e) {
			e.printStackTrace();
			return false;
		}
		return true;
	}

	public static SSLSocket createTrustCASocket(String host, int port, ConnectionConfiguration config)
throws Exception {
		if (config == null) {
			config = new ConnectionConfiguration();
		}
		KeyStore ks = getKeyStore(config);
		SSLContext context = SSLContext.getInstance("TLS");
		TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
		tmf.init(ks);
		X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
		CAX509TrustManager tm = new CAX509TrustManager(defaultTrustManager, ks, config);

		context.init(null, new TrustManager[] { tm }, new SecureRandom());
		SSLSocketFactory factory = context.getSocketFactory();

		logger.log(Level.INFO, "开始连接： " + host + ":" + port + "...");
		SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
		socket.setSoTimeout(10000);

		config.setServer(host);
		config.setPort(port);
		// config.setTrustKeyStore(ks);
		X509Certificate certificate = (X509Certificate) ks.getCertificate(host + ":" + port);

		if (certificate != null && isValid(certificate)) {
			logger.log(Level.INFO, "-证书文件存在并且有效，无需进行握手-");
			return socket;
		}
		if (!startHandshake(socket)) {
			logger.log(Level.SEVERE, "-握手失败-");
			return null;
		}
		X509Certificate[] chain = tm.chain;
		if (chain == null || chain.length == 0) {
			logger.log(Level.SEVERE, "-证书链为空，认证失败-");
			return null;
		}

		if (config.isVerifyRootCAEnabled()) {
			boolean isValidRootCA = checkX509CertificateRootCA(ks, chain, config.isSelfSignedCertificateEnabled());
			if (!isValidRootCA) {
				return null;
			}
		}

		return socket;
	}

	/**
	 * 获取keystore，防治多次加载
	 * 
	 * @param config
	 * @return
	 * @throws KeyStoreException
	 * @throws IOException
	 * @throws NoSuchAlgorithmException
	 * @throws CertificateException
	 * @throws FileNotFoundException
	 */
private static KeyStore getKeyStore(ConnectionConfiguration config) throws KeyStoreException, IOException,
			NoSuchAlgorithmException, CertificateException, FileNotFoundException {
		KeyStore ks;
		synchronized (stores) {
			KeyStoreOptions options = new KeyStoreOptions(config.getTruststoreType(), config.getTruststorePath(),
					config.getTruststorePassword());
			if (stores.containsKey(options)) {
				logger.log(Level.INFO, "从缓存中获取trustKeystore");
				ks = stores.get(options);

			} else {
				File file = new File(config.getTruststorePath());
				char[] password = config.getTruststorePassword().toCharArray();

				logger.log(Level.INFO, "加载" + file + "证书文件");
				ks = KeyStore.getInstance(KeyStore.getDefaultType());
				if (!file.exists()) {
					logger.log(Level.INFO, "证书文件不存在，选择自动创建");
					ks.load(null, password);
				} else {
					logger.log(Level.INFO, "证书文件存在，开始加载");
					InputStream in = new FileInputStream(file);
					ks.load(in, password);
					in.close();
				}
				stores.put(options, ks);
			}

		}
		return ks;
	}

	public static SSLSocket createTrustCASocket(String host, int port) throws Exception {

		return createTrustCASocket(host, port, null);
	}

	public static SSLSocket createTrustCASocket(Socket s, ConnectionConfiguration config) throws Exception {
		if (config == null) {
			config = new ConnectionConfiguration();
		}

		KeyStore ks = getKeyStore(config);
		SSLContext context = SSLContext.getInstance("TLS");
		TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
		tmf.init(ks);
		X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
		CAX509TrustManager tm = new CAX509TrustManager(defaultTrustManager, ks, config);

		context.init(null, new TrustManager[] { tm }, new SecureRandom());
		SSLSocketFactory factory = context.getSocketFactory();

		String host = s.getInetAddress().getHostName();
		int port = s.getPort();
		logger.log(Level.INFO, "开始连接： " + host + ":" + port + "...");

		SSLSocket socket = (SSLSocket) factory.createSocket(s, host, port, true);
		socket.setSoTimeout(10000);

		config.setServer(s.getInetAddress().getHostName());
		config.setPort(s.getPort());

		X509Certificate certificate = (X509Certificate) ks.getCertificate(host + ":" + s.getPort());
		if (certificate != null && isValid(certificate)) {
			logger.log(Level.INFO, "-证书文件存在并且有效，无需进行握手-");
			return socket;
		}
		if (!startHandshake(socket)) {
			return null;
		}
		X509Certificate[] chain = tm.chain;
		if (chain == null || chain.length == 0) {
			logger.log(Level.SEVERE, "-证书链为空，认证失败-");
			return null;
		}
		if (config.isVerifyRootCAEnabled()) {
			boolean isValidRootCA = checkX509CertificateRootCA(ks, chain, config.isSelfSignedCertificateEnabled());
			if (!isValidRootCA) {
				logger.log(Level.SEVERE, "根证书校验无效");
				return null;
			}
		}
		return socket;

	}

	public static SSLSocket createTrustCASocket(Socket s) throws Exception {

		return createTrustCASocket(s, null);
	}

	public static class CAX509TrustManager implements X509TrustManager {

		private final X509TrustManager tm;
		private X509Certificate[] chain;
		private KeyStore keyStore;
		private ConnectionConfiguration config;
		public MessageDigest sha1 = null;
		public MessageDigest md5 = null;

		public CAX509TrustManager(X509TrustManager tm, KeyStore ks, ConnectionConfiguration config)
throws NoSuchAlgorithmException {
			this.tm = tm;
			this.keyStore = ks;
			sha1 = MessageDigest.getInstance("SHA1");
			md5 = MessageDigest.getInstance("MD5");
			this.config = config;
		}

		public X509Certificate[] getAcceptedIssuers() {
			return tm.getAcceptedIssuers(); // 生成证书数组，用于存储新证书
		}

		public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
			tm.checkClientTrusted(chain, authType); // 检查客户端
		}

		public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
			if (this.chain == null) {
				this.chain = getAcceptedIssuers();
			}
			if (chain != null && chain.length > 0) {
				if (!checkX509CertificateValid(chain, config)) {
					logger.log(Level.SEVERE, "证书校验未通过");
					return;
				}
				for (int i = 0; i < chain.length; i++) {
					X509Certificate certificate = chain[i];
					if (i == 0) {
						saveCAToKeyStore(certificate, config.getServer() + ":" + config.getPort());
					} else {
						saveCAToKeyStore(certificate, null);
					}
				}
			}
		}

		public void saveCAToKeyStore(X509Certificate certificate, String aliasKey) throws CertificateEncodingException {
			try {
				X509Certificate cert = certificate;
				System.out.println(" Subject " + cert.getSubjectDN());
				System.out.println("  Issuer  " + cert.getIssuerDN());
				sha1.update(cert.getEncoded());
				System.out.println("  sha1    " + toHexString(sha1.digest()));
				md5.update(cert.getEncoded());
				System.out.println("  md5     " + toHexString(md5.digest()));

				String alias = keyStore.getCertificateAlias(cert);
				if (alias == null || alias != null && !isValid(certificate)) {
					if (aliasKey == null || aliasKey.length() == 0) {
						alias = cert.getSubjectDN().getName();
					} else {
						alias = aliasKey;
						logger.log(Level.INFO, "设定指定证书别名:" + alias);
					}
					keyStore.setCertificateEntry(alias, certificate);
					OutputStream out = new FileOutputStream(config.getTruststorePath());
					keyStore.store(out, config.getTruststorePassword().toCharArray());
					out.close();
					chain = Arrays.copyOf(chain, chain.length + 1);
					chain[chain.length - 1] = certificate;
					logger.fine(certificate.toString());
				}

			} catch (KeyStoreException e) {
				e.printStackTrace();
			} catch (FileNotFoundException e) {
				e.printStackTrace();
			} catch (NoSuchAlgorithmException e) {
				e.printStackTrace();
			} catch (CertificateException e) {
				e.printStackTrace();
			} catch (IOException e) {
				e.printStackTrace();
			}
		}

	}

	public static boolean isValid(X509Certificate cert) {
		if (cert == null) {
			return false;
		}
		try {
			cert.checkValidity();
		} catch (CertificateExpiredException e) {
			e.printStackTrace();
			return false;
		} catch (CertificateNotYetValidException e) {
			e.printStackTrace();
			return false;
		}
		return true;
	}

	/**
	 * 校验证书的有效性
	 * 
	 * @param chain
	 * @param config
	 * @return
	 */
private static boolean checkX509CertificateValid(X509Certificate[] chain, ConnectionConfiguration config) {
		boolean result = true;
		if (config.isExpiredCertificatesCheckEnabled()) {
			result = result && checkX509CertificateExpired(chain);
		}

		if (config.isVerifyChainEnabled()) {
			result = result && checkX509CertificateChain(chain);
		}

		if (config.isNotMatchingDomainCheckEnabled()) {
			result = result && checkIsMatchDomain(chain, config.getServer());
		}

		return result;

	}

	/**
	 * 检查是否匹配域名
	 * 
	 * @param x509Certificates
	 * @param server
	 * @return
	 */
public static boolean checkIsMatchDomain(X509Certificate[] x509Certificates, String server) {
		server = server.toLowerCase();
		List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);
		if (peerIdentities.size() == 1 && peerIdentities.get(0).startsWith("*.")) {
			String peerIdentity = peerIdentities.get(0).replace("*.", "");
			if (!server.endsWith(peerIdentity)) {
				return false;
			}
		} else {
			for (int i = 0; i < peerIdentities.size(); i++) {
				String peerIdentity = peerIdentities.get(i).replace("*.", "");
				if (server.endsWith(peerIdentity)) {
					return true;
				}
			}
		}
		return false;
	}

	/**
	 * 校验根证书
	 * 
	 * @param trustStore
	 * @param x509Certificates
	 * @param isSelfSignedCertificate
	 *            是否自签名证书
	 * @return
	 */
public static boolean checkX509CertificateRootCA(KeyStore trustStore, X509Certificate[] x509Certificates,
			boolean isSelfSignedCertificate) {
		List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);
		boolean trusted = false;
		try {
			int size = x509Certificates.length;
			trusted = trustStore.getCertificateAlias(x509Certificates[size - 1]) != null;
			if (!trusted && size == 1 && isSelfSignedCertificate) {
				logger.log(Level.WARNING, "-强制认可自签名证书-");
				trusted = true;
			}
		} catch (KeyStoreException e) {
			e.printStackTrace();
		}
		if (!trusted) {
			logger.log(Level.SEVERE, "-根证书签名的网站：" + peerIdentities + "不能被信任");
		}

		return trusted;
	}

	/**
	 * 检查证书是否过期
	 * 
	 * @param x509Certificates
	 * @return
	 */
public static boolean checkX509CertificateExpired(X509Certificate[] x509Certificates) {
		Date date = new Date();
		for (int i = 0; i < x509Certificates.length; i++) {
			try {
				x509Certificates[i].checkValidity(date);
			} catch (GeneralSecurityException generalsecurityexception) {
				logger.log(Level.SEVERE, "-证书已经过期-");
				return false;
			}
		}
		return true;
	}

	/**
	 * 校验证书链的完整性
	 * 
	 * @param x509Certificates
	 * @return
	 */
public static boolean checkX509CertificateChain(X509Certificate[] x509Certificates) {
		Principal principalLast = null;
		List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);

		for (int i = x509Certificates.length - 1; i >= 0; i--) {
			X509Certificate x509certificate = x509Certificates[i];
			Principal principalIssuer = x509certificate.getIssuerDN();
			Principal principalSubject = x509certificate.getSubjectDN();
			if (principalLast != null) {
				if (principalIssuer.equals(principalLast)) {
					try {
						PublicKey publickey = x509Certificates[i + 1].getPublicKey();
						x509Certificates[i].verify(publickey);
					} catch (GeneralSecurityException generalsecurityexception) {

						logger.log(Level.SEVERE, "-无效的证书签名-" + peerIdentities);
						return false;
					}
				} else {
					logger.log(Level.SEVERE, "-无效的证书签名-" + peerIdentities);
					return false;
				}
			}
			principalLast = principalSubject;
		}

		return true;
	}

	/**
	 * 返回所有可用的签名方式 键值对 如CN=VeriSignMPKI-2-6
	 * 
	 * @param certificate
	 * @return
	 */
private static List<String> getSubjectAlternativeNames(X509Certificate certificate) {
		List<String> identities = new ArrayList<String>();
		try {
			Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();
			if (altNames == null) {
				return Collections.emptyList();
			}

			Iterator<List<?>> iterator = altNames.iterator();
			do {
				if (!iterator.hasNext())
					break;
				List<?> altName = iterator.next();
				int size = altName.size();
				if (size >= 2) {
					identities.add((String) altName.get(1));
				}

			} while (true);
		} catch (CertificateParsingException e) {
			e.printStackTrace();
		}
		return identities;
	}

	/**
	 * 返回所有可用的签名方式的值
	 * 
	 * @param certificate
	 * @return
	 */
public static List<String> getPeerIdentity(X509Certificate x509Certificate) {
		List<String> names = getSubjectAlternativeNames(x509Certificate);
		if (names.isEmpty()) {
			String name = x509Certificate.getSubjectDN().getName();
			Matcher matcher = cnPattern.matcher(name);
			if (matcher.find()) {
				name = matcher.group(2);
			}
			names = new ArrayList<String>();
			names.add(name);
		}
		return names;
	}
}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438

439

440

441

442

443

444

445

446

447

448

449

450

451

452

453

454

455

456

457

458

459

460

461

462

463

464

465

466

467

468

469

470

471

472

473

474

475

476

477

478

479

480

481

482

483

484

485

package com.ssl.rx.http;

public class SSLX509CertificateManager {

private static final Logger logger = Logger.getLogger("SSLX509CertificateManager");

private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();

private static Pattern cnPattern = Pattern.compile("(?i)(cn=)([^,]*)");

private static Map<KeyStoreOptions, KeyStore> stores = new HashMap<KeyStoreOptions, KeyStore>();

private static String toHexString(byte[] bytes) {

StringBuilder sb = new StringBuilder(bytes.length * 3);

for (int b : bytes) {

b &= 0xff;

sb.append(HEXDIGITS[b >> 4]);

sb.append(HEXDIGITS[b & 15]);

sb.append(' ');

}

return sb.toString();

}

/**

* 开始握手等一系列密钥协商

* @param socket

* @return

public static boolean startHandshake(SSLSocket socket) {

try {

logger.log(Level.INFO, "-开始握手，认证服务器证书-");

socket.startHandshake();

System.out.println();

logger.log(Level.INFO, "-握手结束，结束认证服务器证书-");

} catch (SSLException e) {

e.printStackTrace();

return false;

} catch (IOException e) {

e.printStackTrace();

return false;

}

return true;

}

public static SSLSocket createTrustCASocket(String host, int port, ConnectionConfiguration config)

throws Exception {

if (config == null) {

config = new ConnectionConfiguration();

}

KeyStore ks = getKeyStore(config);

SSLContext context = SSLContext.getInstance("TLS");

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(ks);

X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];

CAX509TrustManager tm = new CAX509TrustManager(defaultTrustManager, ks, config);

context.init(null, new TrustManager[] { tm }, new SecureRandom());

SSLSocketFactory factory = context.getSocketFactory();

logger.log(Level.INFO, "开始连接： " + host + ":" + port + "...");

SSLSocket socket = (SSLSocket) factory.createSocket(host, port);

socket.setSoTimeout(10000);

config.setServer(host);

config.setPort(port);

// config.setTrustKeyStore(ks);

X509Certificate certificate = (X509Certificate) ks.getCertificate(host + ":" + port);

if (certificate != null && isValid(certificate)) {

logger.log(Level.INFO, "-证书文件存在并且有效，无需进行握手-");

return socket;

}

if (!startHandshake(socket)) {

logger.log(Level.SEVERE, "-握手失败-");

return null;

}

X509Certificate[] chain = tm.chain;

if (chain == null || chain.length == 0) {

logger.log(Level.SEVERE, "-证书链为空，认证失败-");

return null;

}

if (config.isVerifyRootCAEnabled()) {

boolean isValidRootCA = checkX509CertificateRootCA(ks, chain, config.isSelfSignedCertificateEnabled());

if (!isValidRootCA) {

return null;

}

return socket;

}

/**

* 获取keystore，防治多次加载

* @param config

* @return

* @throws KeyStoreException

* @throws IOException

* @throws NoSuchAlgorithmException

* @throws CertificateException

* @throws FileNotFoundException

private static KeyStore getKeyStore(ConnectionConfiguration config) throws KeyStoreException, IOException,

NoSuchAlgorithmException, CertificateException, FileNotFoundException {

KeyStore ks;

synchronized (stores) {

KeyStoreOptions options = new KeyStoreOptions(config.getTruststoreType(), config.getTruststorePath(),

config.getTruststorePassword());

if (stores.containsKey(options)) {

logger.log(Level.INFO, "从缓存中获取trustKeystore");

ks = stores.get(options);

} else {

File file = new File(config.getTruststorePath());

char[] password = config.getTruststorePassword().toCharArray();

logger.log(Level.INFO, "加载" + file + "证书文件");

ks = KeyStore.getInstance(KeyStore.getDefaultType());

if (!file.exists()) {

logger.log(Level.INFO, "证书文件不存在，选择自动创建");

ks.load(null, password);

} else {

logger.log(Level.INFO, "证书文件存在，开始加载");

InputStream in = new FileInputStream(file);

ks.load(in, password);

in.close();

}

stores.put(options, ks);

}

return ks;

}

public static SSLSocket createTrustCASocket(String host, int port) throws Exception {

return createTrustCASocket(host, port, null);

}

public static SSLSocket createTrustCASocket(Socket s, ConnectionConfiguration config) throws Exception {

if (config == null) {

config = new ConnectionConfiguration();

}

KeyStore ks = getKeyStore(config);

SSLContext context = SSLContext.getInstance("TLS");

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(ks);

X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];

CAX509TrustManager tm = new CAX509TrustManager(defaultTrustManager, ks, config);

context.init(null, new TrustManager[] { tm }, new SecureRandom());

SSLSocketFactory factory = context.getSocketFactory();

String host = s.getInetAddress().getHostName();

int port = s.getPort();

logger.log(Level.INFO, "开始连接： " + host + ":" + port + "...");

SSLSocket socket = (SSLSocket) factory.createSocket(s, host, port, true);

socket.setSoTimeout(10000);

config.setServer(s.getInetAddress().getHostName());

config.setPort(s.getPort());

X509Certificate certificate = (X509Certificate) ks.getCertificate(host + ":" + s.getPort());

if (certificate != null && isValid(certificate)) {

logger.log(Level.INFO, "-证书文件存在并且有效，无需进行握手-");

return socket;

}

if (!startHandshake(socket)) {

return null;

}

X509Certificate[] chain = tm.chain;

if (chain == null || chain.length == 0) {

logger.log(Level.SEVERE, "-证书链为空，认证失败-");

return null;

}

if (config.isVerifyRootCAEnabled()) {

boolean isValidRootCA = checkX509CertificateRootCA(ks, chain, config.isSelfSignedCertificateEnabled());

if (!isValidRootCA) {

logger.log(Level.SEVERE, "根证书校验无效");

return null;

}

return socket;

}

public static SSLSocket createTrustCASocket(Socket s) throws Exception {

return createTrustCASocket(s, null);

}

public static class CAX509TrustManager implements X509TrustManager {

private final X509TrustManager tm;

private X509Certificate[] chain;

private KeyStore keyStore;

private ConnectionConfiguration config;

public MessageDigest sha1 = null;

public MessageDigest md5 = null;

public CAX509TrustManager(X509TrustManager tm, KeyStore ks, ConnectionConfiguration config)

throws NoSuchAlgorithmException {

this.tm = tm;

this.keyStore = ks;

sha1 = MessageDigest.getInstance("SHA1");

md5 = MessageDigest.getInstance("MD5");

this.config = config;

}

public X509Certificate[] getAcceptedIssuers() {

return tm.getAcceptedIssuers(); // 生成证书数组，用于存储新证书

}

public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {

tm.checkClientTrusted(chain, authType); // 检查客户端

}

public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {

if (this.chain == null) {

this.chain = getAcceptedIssuers();

}

if (chain != null && chain.length > 0) {

if (!checkX509CertificateValid(chain, config)) {

logger.log(Level.SEVERE, "证书校验未通过");

return;

}

for (int i = 0; i < chain.length; i++) {

X509Certificate certificate = chain[i];

if (i == 0) {

saveCAToKeyStore(certificate, config.getServer() + ":" + config.getPort());

} else {

saveCAToKeyStore(certificate, null);

}

public void saveCAToKeyStore(X509Certificate certificate, String aliasKey) throws CertificateEncodingException {

try {

X509Certificate cert = certificate;

System.out.println(" Subject " + cert.getSubjectDN());

System.out.println(" Issuer " + cert.getIssuerDN());

sha1.update(cert.getEncoded());

System.out.println(" sha1 " + toHexString(sha1.digest()));

md5.update(cert.getEncoded());

System.out.println(" md5 " + toHexString(md5.digest()));

String alias = keyStore.getCertificateAlias(cert);

if (alias == null || alias != null && !isValid(certificate)) {

if (aliasKey == null || aliasKey.length() == 0) {

alias = cert.getSubjectDN().getName();

} else {

alias = aliasKey;

logger.log(Level.INFO, "设定指定证书别名:" + alias);

}

keyStore.setCertificateEntry(alias, certificate);

OutputStream out = new FileOutputStream(config.getTruststorePath());

keyStore.store(out, config.getTruststorePassword().toCharArray());

out.close();

chain = Arrays.copyOf(chain, chain.length + 1);

chain[chain.length - 1] = certificate;

logger.fine(certificate.toString());

}

} catch (KeyStoreException e) {

e.printStackTrace();

} catch (FileNotFoundException e) {

e.printStackTrace();

} catch (NoSuchAlgorithmException e) {

e.printStackTrace();

} catch (CertificateException e) {

e.printStackTrace();

} catch (IOException e) {

e.printStackTrace();

}

public static boolean isValid(X509Certificate cert) {

if (cert == null) {

return false;

}

try {

cert.checkValidity();

} catch (CertificateExpiredException e) {

e.printStackTrace();

return false;

} catch (CertificateNotYetValidException e) {

e.printStackTrace();

return false;

}

return true;

}

/**

* 校验证书的有效性

* @param chain

* @param config

* @return

private static boolean checkX509CertificateValid(X509Certificate[] chain, ConnectionConfiguration config) {

boolean result = true;

if (config.isExpiredCertificatesCheckEnabled()) {

result = result && checkX509CertificateExpired(chain);

}

if (config.isVerifyChainEnabled()) {

result = result && checkX509CertificateChain(chain);

}

if (config.isNotMatchingDomainCheckEnabled()) {

result = result && checkIsMatchDomain(chain, config.getServer());

}

return result;

}

/**

* 检查是否匹配域名

* @param x509Certificates

* @param server

* @return

public static boolean checkIsMatchDomain(X509Certificate[] x509Certificates, String server) {

server = server.toLowerCase();

List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);

if (peerIdentities.size() == 1 && peerIdentities.get(0).startsWith("*.")) {

String peerIdentity = peerIdentities.get(0).replace("*.", "");

if (!server.endsWith(peerIdentity)) {

return false;

}

} else {

for (int i = 0; i < peerIdentities.size(); i++) {

String peerIdentity = peerIdentities.get(i).replace("*.", "");

if (server.endsWith(peerIdentity)) {

return true;

}

return false;

}

/**

* 校验根证书

* @param trustStore

* @param x509Certificates

* @param isSelfSignedCertificate

* 是否自签名证书

* @return

public static boolean checkX509CertificateRootCA(KeyStore trustStore, X509Certificate[] x509Certificates,

boolean isSelfSignedCertificate) {

List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);

boolean trusted = false;

try {

int size = x509Certificates.length;

trusted = trustStore.getCertificateAlias(x509Certificates[size - 1]) != null;

if (!trusted && size == 1 && isSelfSignedCertificate) {

logger.log(Level.WARNING, "-强制认可自签名证书-");

trusted = true;

}

} catch (KeyStoreException e) {

e.printStackTrace();

}

if (!trusted) {

logger.log(Level.SEVERE, "-根证书签名的网站：" + peerIdentities + "不能被信任");

}

return trusted;

}

/**

* 检查证书是否过期

* @param x509Certificates

* @return

public static boolean checkX509CertificateExpired(X509Certificate[] x509Certificates) {

Date date = new Date();

for (int i = 0; i < x509Certificates.length; i++) {

try {

x509Certificates[i].checkValidity(date);

} catch (GeneralSecurityException generalsecurityexception) {

logger.log(Level.SEVERE, "-证书已经过期-");

return false;

}

return true;

}

/**

* 校验证书链的完整性

* @param x509Certificates

* @return

public static boolean checkX509CertificateChain(X509Certificate[] x509Certificates) {

Principal principalLast = null;

List<String> peerIdentities = getPeerIdentity(x509Certificates[0]);

for (int i = x509Certificates.length - 1; i >= 0; i--) {

X509Certificate x509certificate = x509Certificates[i];

Principal principalIssuer = x509certificate.getIssuerDN();

Principal principalSubject = x509certificate.getSubjectDN();

if (principalLast != null) {

if (principalIssuer.equals(principalLast)) {

try {

PublicKey publickey = x509Certificates[i + 1].getPublicKey();

x509Certificates[i].verify(publickey);

} catch (GeneralSecurityException generalsecurityexception) {

logger.log(Level.SEVERE, "-无效的证书签名-" + peerIdentities);

return false;

}

} else {

logger.log(Level.SEVERE, "-无效的证书签名-" + peerIdentities);

return false;

}

principalLast = principalSubject;

}

return true;

}

/**

* 返回所有可用的签名方式键值对如CN=VeriSignMPKI-2-6

* @param certificate

* @return

private static List<String> getSubjectAlternativeNames(X509Certificate certificate) {

List<String> identities = new ArrayList<String>();

try {

Collection<List<?>> altNames = certificate.getSubjectAlternativeNames();

if (altNames == null) {

return Collections.emptyList();

}

Iterator<List<?>> iterator = altNames.iterator();

do {

if (!iterator.hasNext())

break;

List<?> altName = iterator.next();

int size = altName.size();

if (size >= 2) {

identities.add((String) altName.get(1));

}

} while (true);

} catch (CertificateParsingException e) {

e.printStackTrace();

}

return identities;

}

/**

* 返回所有可用的签名方式的值

* @param certificate

* @return

public static List<String> getPeerIdentity(X509Certificate x509Certificate) {

List<String> names = getSubjectAlternativeNames(x509Certificate);

if (names.isEmpty()) {

String name = x509Certificate.getSubjectDN().getName();

Matcher matcher = cnPattern.matcher(name);

if (matcher.find()) {

name = matcher.group(2);

}

names = new ArrayList<String>();

names.add(name);

}

return names;

}

三.测试代码

public class TestX509CertManager {

 public static void main(String[] args) {
		try {
			SSLSocket baiduSocket = SSLX509CertificateManager.createTrustCASocket("www.baidu.com", 443);
			SSLSocket taobaoSocket = SSLX509CertificateManager.createTrustCASocket("www.taobao.com", 443);
			SSLSocket imququSocket = SSLX509CertificateManager.createTrustCASocket("imququ.com", 443);
		} catch (Exception e) {
			e.printStackTrace();
		}
	}
}

public class TestX509CertManager {

public static void main(String[] args) {

try {

SSLSocket baiduSocket = SSLX509CertificateManager.createTrustCASocket("www.baidu.com", 443);

SSLSocket taobaoSocket = SSLX509CertificateManager.createTrustCASocket("www.taobao.com", 443);

SSLSocket imququSocket = SSLX509CertificateManager.createTrustCASocket("imququ.com", 443);

} catch (Exception e) {

e.printStackTrace();

}

四.附加测试代码

我们这里附加一个工具类，专门来实现Server-Side与Client-Side的SSLSocket 连接，也可以用于测试我们的上述代码，只不过需要稍加改造。

package com.tianwt.rx.http;

public class SSLTrustManager implements javax.net.ssl.TrustManager,
            javax.net.ssl.X509TrustManager ,HostnameVerifier {
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[]{};
        }
  
        public boolean isServerTrusted(
                java.security.cert.X509Certificate[] certs) {
            return true;
        }
  
        public boolean isClientTrusted(
                java.security.cert.X509Certificate[] certs) {
            return true;
        }
  
        public void checkServerTrusted(
                java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }
  
        public void checkClientTrusted(
                java.security.cert.X509Certificate[] certs, String authType)
                throws java.security.cert.CertificateException {
            return;
        }
         
            @Override
        public boolean verify(String urlHostName, SSLSession session) { //允许所有主机
            return true;
        }
        
   /**
    * 客户端使用
    */
   public static HttpURLConnection connectTrustAllServer(String strUrl) throws Exception {
         
        return connectTrustAllServer(strUrl,null);
    }
   /**
    * 客户端使用
    * 
    * @param strUrl 要访问的地址
    * @param proxy 需要经过的代理
    * @return
    * @throws Exception
    */
   public static HttpURLConnection connectTrustAllServer(String strUrl,Proxy proxy) throws Exception {
         
         javax.net.ssl.TrustManager[] trustCertsmanager = new javax.net.ssl.TrustManager[1];
         javax.net.ssl.TrustManager tm = new SSLTrustManager();
         trustCertsmanager[0] = tm;
         javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext
                 .getInstance("TLS");
         sc.init(null, trustCertsmanager, null);
         javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc
                 .getSocketFactory());
          
         HttpsURLConnection.setDefaultHostnameVerifier((HostnameVerifier) tm);
          
        URL url = new URL(strUrl);
        HttpURLConnection urlConn = null;
        if(proxy==null)
        {
        	 urlConn = (HttpURLConnection) url.openConnection();
        }else{
        	 urlConn = (HttpURLConnection) url.openConnection(proxy);
        }
        urlConn.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");
        return urlConn;
    }

   /**
    * 用于双向认证,客户端使用
    * 
    * @param strUrl
    * @param proxy
    * @return
    * @throws KeyStoreException
    * @throws NoSuchAlgorithmException
    * @throws CertificateException
    * @throws FileNotFoundException
    * @throws IOException
    * @throws UnrecoverableKeyException
    * @throws KeyManagementException
    */
   public static HttpURLConnection connectProxyTrustCA(String strUrl,Proxy proxy) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException
   {
	   HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
			
			@Override
public boolean verify(String s, SSLSession sslsession) {
				
				return true;
			}
		});
	   String clientKeyStoreFile = "D:/JDK8Home/tianwt/sslClientKeys";  
       String clientKeyStorePwd = "123456";  
       String catServerKeyPwd = "123456";  
       
       String serverTrustKeyStoreFile = "D:/JDK8Home/tianwt/sslClientTrust";  
       String serverTrustKeyStorePwd = "123456";  
       KeyStore serverKeyStore = KeyStore.getInstance("JKS");  
       serverKeyStore.load(new FileInputStream(clientKeyStoreFile), clientKeyStorePwd.toCharArray());  
 
       KeyStore serverTrustKeyStore = KeyStore.getInstance("JKS");  
       serverTrustKeyStore.load(new FileInputStream(serverTrustKeyStoreFile), serverTrustKeyStorePwd.toCharArray());  
 
       KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());  
       kmf.init(serverKeyStore, catServerKeyPwd.toCharArray());  
 
       TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());  
       tmf.init(serverTrustKeyStore);  
 
       SSLContext sslContext = SSLContext.getInstance("TLS");  
       sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());  
        
       HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
		
	   URL url = new URL(strUrl);
	   HttpURLConnection httpURLConnection = null;
	   if(proxy==null)
	   {
		   httpURLConnection = (HttpURLConnection) url.openConnection();
	   }else{
		   httpURLConnection = (HttpURLConnection) url.openConnection(proxy);
	   }
	   httpURLConnection.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");
	   return httpURLConnection;

   }
   /**
    * 用于单向认证，客户端使用
    * 
    * server侧只需要自己的keystore文件，不需要truststore文件
	* client侧不需要自己的keystore文件，只需要truststore文件（其中包含server的公钥）。
    * 此外server侧需要在创建SSLServerSocket之后设定不需要客户端证书：setNeedClientAuth(false)
    * @param strUrl
    * @param proxy
    * @return
    * @throws KeyStoreException
    * @throws NoSuchAlgorithmException
    * @throws CertificateException
    * @throws FileNotFoundException
    * @throws IOException
    * @throws UnrecoverableKeyException
    * @throws KeyManagementException
    */
   public static HttpURLConnection connectProxyTrustCA2(String strUrl,Proxy proxy) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException
   {
	   HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
			
			@Override
public boolean verify(String s, SSLSession sslsession) {
				
				return true;
			}
		});
       
       String serverTrustKeyStoreFile = "D:/JDK8Home/tianwt/sslClientTrust";  
       String serverTrustKeyStorePwd = "123456";  
 
       KeyStore serverTrustKeyStore = KeyStore.getInstance("JKS");  
       serverTrustKeyStore.load(new FileInputStream(serverTrustKeyStoreFile), serverTrustKeyStorePwd.toCharArray());  
 
       TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());  
       tmf.init(serverTrustKeyStore);  
 
       SSLContext sslContext = SSLContext.getInstance("TLS");  
       sslContext.init(null, tmf.getTrustManagers(), null);  
        
       HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
		
	   URL url = new URL(strUrl);
	   HttpURLConnection httpURLConnection = null;
	   if(proxy==null)
	   {
		   httpURLConnection = (HttpURLConnection) url.openConnection();
	   }else{
		   httpURLConnection = (HttpURLConnection) url.openConnection(proxy);
	   }
	   httpURLConnection.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");
	   return httpURLConnection;

   }
   /**
    * 用于双向认证
    * @param socketClient 是否产生socket
    * @return
    * @throws KeyStoreException
    * @throws NoSuchAlgorithmException
    * @throws CertificateException
    * @throws FileNotFoundException
    * @throws IOException
    * @throws UnrecoverableKeyException
    * @throws KeyManagementException
    */
   public SSLSocket createTlsConnect(Socket socketClient) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException
	{
		
		    String protocol = "TLS";  
	        String serverKey = "D:/JDK8Home/tianwt/sslServerKeys";  
	        String serverTrust = "D:/JDK8Home/tianwt/sslServerTrust";  
	        String serverKeyPwd = "123456";  //私钥密码
	        String serverTrustPwd = "123456";  //信任证书密码
	        String serverKeyStorePwd = "123456";  // keystore存储密码
	          
	        KeyStore keyStore = KeyStore.getInstance("JKS");    
	        keyStore.load(new FileInputStream(serverKey),serverKeyPwd.toCharArray());  
	        
	        KeyStore tks = KeyStore.getInstance("JKS");
	        tks.load(new FileInputStream(serverTrust), serverTrustPwd.toCharArray());
	        
	        KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());   
	        km.init(keyStore, serverKeyStorePwd.toCharArray());
	        
	        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());  
	        tmf.init(tks);
	        
	        SSLContext sslContext = SSLContext.getInstance(protocol); 
	        sslContext.init(km.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());  //第一项是用来做服务器验证的
	        
	        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
	        SSLSocket clientSSLSocket = (SSLSocket) sslSocketFactory.createSocket(socketClient,socketClient.getInetAddress().getHostAddress(),socketClient.getPort(), true);
	        clientSSLSocket.setNeedClientAuth(false);
	        clientSSLSocket.setUseClientMode(false);
	        
	        return clientSSLSocket;
	}
   /**
    * 用于单向认证
    * server侧只需要自己的keystore文件，不需要truststore文件
	* client侧不需要自己的keystore文件，只需要truststore文件（其中包含server的公钥）。
    * 此外server侧需要在创建SSLServerSocket之后设定不需要客户端证书：setNeedClientAuth(false)
    * @param socketClient
    * @return
    * @throws KeyStoreException
    * @throws NoSuchAlgorithmException
    * @throws CertificateException
    * @throws FileNotFoundException
    * @throws IOException
    * @throws UnrecoverableKeyException
    * @throws KeyManagementException
    */
   public static SSLSocket createTlsConnect2(Socket socketClient) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException
  	{
  		
  		    String protocol = "TLS";  
  	        String serverKey = "D:/JDK8Home/tianwt/sslServerKeys";  
  	        String serverKeyPwd = "123456";  //私钥密码
  	        String serverKeyStorePwd = "123456";  // keystore存储密码
  	          
  	        KeyStore keyStore = KeyStore.getInstance("JKS");    
  	        keyStore.load(new FileInputStream(serverKey),serverKeyPwd.toCharArray());  
  	        
  	        KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());   
  	        km.init(keyStore, serverKeyStorePwd.toCharArray());
  	        
  	        SSLContext sslContext = SSLContext.getInstance(protocol); 
  	        sslContext.init(km.getKeyManagers(), null, new SecureRandom());  //第一项是用来做服务器验证的
  	        
  	        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
  	        SSLSocket clientSSLSocket = (SSLSocket) sslSocketFactory.createSocket(socketClient,socketClient.getInetAddress().getHostAddress(),socketClient.getPort(), true);
  	        clientSSLSocket.setNeedClientAuth(false);
  	        clientSSLSocket.setUseClientMode(false);
  	        
  	        return clientSSLSocket;
  	}
   
   /**
    * 将普通的socket转为sslsocket，客户端和服务端均可使用
    * 
    * 服务端使用的时候是把普通的socket转为sslsocket,并且作为服务器套接字（注意：指的不是ServerSocket,当然ServerSocket的本质也是普通socket）
    * 
    * @param remoteHost
    * @param isClient
    * @return
    */
public static SSLSocket getTlsTrustAllSocket(Socket remoteHost,boolean isClient)
{
		SSLSocket remoteSSLSocket = null;
		SSLContext context = SSLTrustManager.getTrustAllSSLContext(isClient);
		try {
			remoteSSLSocket =  (SSLSocket) context.getSocketFactory().createSocket(remoteHost, remoteHost.getInetAddress().getHostName(),remoteHost.getPort(), true);
			remoteSSLSocket.setTcpNoDelay(true);
			remoteSSLSocket.setSoTimeout(5000);
			remoteSSLSocket.setNeedClientAuth(false); //这里设置为true时会强制握手
			remoteSSLSocket.setUseClientMode(isClient); //注意服务器和客户的角色选择 
			 
		} catch (IOException e) {
			e.printStackTrace();
		}
		return remoteSSLSocket;
	}
	/**
	 * 用于客户端，通过所有证书验证
	 * @param isClient 是否生成客户端SSLContext，否则生成服务端SSLContext
	 * @return
	 */
   public static SSLContext getTrustAllSSLContext(boolean isClient)
   {
	   String protocol = "TLS"; 
	   javax.net.ssl.SSLContext sc = null;
	   try {
		javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
		   javax.net.ssl.TrustManager tm = new SSLTrustManager();
		   trustAllCerts[0] = tm;
		    sc = javax.net.ssl.SSLContext
		           .getInstance(protocol);
		   
		    if(isClient)
		    {
		    	sc.init(null, trustAllCerts, null); //作为客户端使用
		    }
		    else
		    {
	  	        String serverKeyPath = "D:/JDK8Home/tianwt/sslServerKeys";  
	  	        String serverKeyPwd = "123456";  //私钥密码
	  	        String serverKeyStorePwd = "123456";  // keystore存储密码
	  	        
	  	        KeyStore keyStore = KeyStore.getInstance("JKS");    
	  	        keyStore.load(new FileInputStream(serverKeyPath),serverKeyPwd.toCharArray());  
	  	        
		    	KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());   
		  	    km.init(keyStore, serverKeyStorePwd.toCharArray());
		  	    KeyManager[] keyManagers = km.getKeyManagers();
		  	    keyManagers = Arrays.copyOf(keyManagers, keyManagers.length+1);
	  	        sc.init(keyManagers, null, new SecureRandom());
		    }
	} catch (KeyManagementException e) {
		e.printStackTrace();
	} catch (NoSuchAlgorithmException e) {
		e.printStackTrace();
	} catch (UnrecoverableKeyException e) {
		e.printStackTrace();
	} catch (KeyStoreException e) {
		e.printStackTrace();
	} catch (CertificateException e) {
		e.printStackTrace();
	} catch (FileNotFoundException e) {
		e.printStackTrace();
	} catch (IOException e) {
		e.printStackTrace();
	}
	   return sc;
   }
 }

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

package com.tianwt.rx.http;

public class SSLTrustManager implements javax.net.ssl.TrustManager,

javax.net.ssl.X509TrustManager ,HostnameVerifier {

public java.security.cert.X509Certificate[] getAcceptedIssuers() {

return new X509Certificate[]{};

}

public boolean isServerTrusted(

java.security.cert.X509Certificate[] certs) {

return true;

}

public boolean isClientTrusted(

java.security.cert.X509Certificate[] certs) {

return true;

}

public void checkServerTrusted(

java.security.cert.X509Certificate[] certs, String authType)

throws java.security.cert.CertificateException {

return;

}

public void checkClientTrusted(

java.security.cert.X509Certificate[] certs, String authType)

throws java.security.cert.CertificateException {

return;

}

@Override

public boolean verify(String urlHostName, SSLSession session) { //允许所有主机

return true;

}

/**

* 客户端使用

public static HttpURLConnection connectTrustAllServer(String strUrl) throws Exception {

return connectTrustAllServer(strUrl,null);

}

/**

* 客户端使用

* @param strUrl 要访问的地址

* @param proxy 需要经过的代理

* @return

* @throws Exception

public static HttpURLConnection connectTrustAllServer(String strUrl,Proxy proxy) throws Exception {

javax.net.ssl.TrustManager[] trustCertsmanager = new javax.net.ssl.TrustManager[1];

javax.net.ssl.TrustManager tm = new SSLTrustManager();

trustCertsmanager[0] = tm;

javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext

.getInstance("TLS");

sc.init(null, trustCertsmanager, null);

javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc

.getSocketFactory());

HttpsURLConnection.setDefaultHostnameVerifier((HostnameVerifier) tm);

URL url = new URL(strUrl);

HttpURLConnection urlConn = null;

if(proxy==null)

{

urlConn = (HttpURLConnection) url.openConnection();

}else{

urlConn = (HttpURLConnection) url.openConnection(proxy);

}

urlConn.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");

return urlConn;

}

/**

* 用于双向认证,客户端使用

* @param strUrl

* @param proxy

* @return

* @throws KeyStoreException

* @throws NoSuchAlgorithmException

* @throws CertificateException

* @throws FileNotFoundException

* @throws IOException

* @throws UnrecoverableKeyException

* @throws KeyManagementException

public static HttpURLConnection connectProxyTrustCA(String strUrl,Proxy proxy) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException

{

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {

@Override

public boolean verify(String s, SSLSession sslsession) {

return true;

}

});

String clientKeyStoreFile = "D:/JDK8Home/tianwt/sslClientKeys";

String clientKeyStorePwd = "123456";

String catServerKeyPwd = "123456";

String serverTrustKeyStoreFile = "D:/JDK8Home/tianwt/sslClientTrust";

String serverTrustKeyStorePwd = "123456";

KeyStore serverKeyStore = KeyStore.getInstance("JKS");

serverKeyStore.load(new FileInputStream(clientKeyStoreFile), clientKeyStorePwd.toCharArray());

KeyStore serverTrustKeyStore = KeyStore.getInstance("JKS");

serverTrustKeyStore.load(new FileInputStream(serverTrustKeyStoreFile), serverTrustKeyStorePwd.toCharArray());

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

kmf.init(serverKeyStore, catServerKeyPwd.toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(serverTrustKeyStore);

SSLContext sslContext = SSLContext.getInstance("TLS");

sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());

HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

URL url = new URL(strUrl);

HttpURLConnection httpURLConnection = null;

if(proxy==null)

{

httpURLConnection = (HttpURLConnection) url.openConnection();

}else{

httpURLConnection = (HttpURLConnection) url.openConnection(proxy);

}

httpURLConnection.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");

return httpURLConnection;

}

/**

* 用于单向认证，客户端使用

* server侧只需要自己的keystore文件，不需要truststore文件

* client侧不需要自己的keystore文件，只需要truststore文件（其中包含server的公钥）。

* 此外server侧需要在创建SSLServerSocket之后设定不需要客户端证书：setNeedClientAuth(false)

* @param strUrl

* @param proxy

* @return

* @throws KeyStoreException

* @throws NoSuchAlgorithmException

* @throws CertificateException

* @throws FileNotFoundException

* @throws IOException

* @throws UnrecoverableKeyException

* @throws KeyManagementException

public static HttpURLConnection connectProxyTrustCA2(String strUrl,Proxy proxy) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException

{

HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {

@Override

public boolean verify(String s, SSLSession sslsession) {

return true;

}

});

String serverTrustKeyStoreFile = "D:/JDK8Home/tianwt/sslClientTrust";

String serverTrustKeyStorePwd = "123456";

KeyStore serverTrustKeyStore = KeyStore.getInstance("JKS");

serverTrustKeyStore.load(new FileInputStream(serverTrustKeyStoreFile), serverTrustKeyStorePwd.toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(serverTrustKeyStore);

SSLContext sslContext = SSLContext.getInstance("TLS");

sslContext.init(null, tmf.getTrustManagers(), null);

HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

URL url = new URL(strUrl);

HttpURLConnection httpURLConnection = null;

if(proxy==null)

{

httpURLConnection = (HttpURLConnection) url.openConnection();

}else{

httpURLConnection = (HttpURLConnection) url.openConnection(proxy);

}

httpURLConnection.setRequestProperty("User-Agent", "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36");

return httpURLConnection;

}

/**

* 用于双向认证

* @param socketClient 是否产生socket

* @return

* @throws KeyStoreException

* @throws NoSuchAlgorithmException

* @throws CertificateException

* @throws FileNotFoundException

* @throws IOException

* @throws UnrecoverableKeyException

* @throws KeyManagementException

public SSLSocket createTlsConnect(Socket socketClient) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException

{

String protocol = "TLS";

String serverKey = "D:/JDK8Home/tianwt/sslServerKeys";

String serverTrust = "D:/JDK8Home/tianwt/sslServerTrust";

String serverKeyPwd = "123456"; //私钥密码

String serverTrustPwd = "123456"; //信任证书密码

String serverKeyStorePwd = "123456"; // keystore存储密码

KeyStore keyStore = KeyStore.getInstance("JKS");

keyStore.load(new FileInputStream(serverKey),serverKeyPwd.toCharArray());

KeyStore tks = KeyStore.getInstance("JKS");

tks.load(new FileInputStream(serverTrust), serverTrustPwd.toCharArray());

KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

km.init(keyStore, serverKeyStorePwd.toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(tks);

SSLContext sslContext = SSLContext.getInstance(protocol);

sslContext.init(km.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom()); //第一项是用来做服务器验证的

SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

SSLSocket clientSSLSocket = (SSLSocket) sslSocketFactory.createSocket(socketClient,socketClient.getInetAddress().getHostAddress(),socketClient.getPort(), true);

clientSSLSocket.setNeedClientAuth(false);

clientSSLSocket.setUseClientMode(false);

return clientSSLSocket;

}

/**

* 用于单向认证

* server侧只需要自己的keystore文件，不需要truststore文件

* client侧不需要自己的keystore文件，只需要truststore文件（其中包含server的公钥）。

* 此外server侧需要在创建SSLServerSocket之后设定不需要客户端证书：setNeedClientAuth(false)

* @param socketClient

* @return

* @throws KeyStoreException

* @throws NoSuchAlgorithmException

* @throws CertificateException

* @throws FileNotFoundException

* @throws IOException

* @throws UnrecoverableKeyException

* @throws KeyManagementException

public static SSLSocket createTlsConnect2(Socket socketClient) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, FileNotFoundException, IOException, UnrecoverableKeyException, KeyManagementException

{

String protocol = "TLS";

String serverKey = "D:/JDK8Home/tianwt/sslServerKeys";

String serverKeyPwd = "123456"; //私钥密码

String serverKeyStorePwd = "123456"; // keystore存储密码

KeyStore keyStore = KeyStore.getInstance("JKS");

keyStore.load(new FileInputStream(serverKey),serverKeyPwd.toCharArray());

KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

km.init(keyStore, serverKeyStorePwd.toCharArray());

SSLContext sslContext = SSLContext.getInstance(protocol);

sslContext.init(km.getKeyManagers(), null, new SecureRandom()); //第一项是用来做服务器验证的

SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

SSLSocket clientSSLSocket = (SSLSocket) sslSocketFactory.createSocket(socketClient,socketClient.getInetAddress().getHostAddress(),socketClient.getPort(), true);

clientSSLSocket.setNeedClientAuth(false);

clientSSLSocket.setUseClientMode(false);

return clientSSLSocket;

}

/**

* 将普通的socket转为sslsocket，客户端和服务端均可使用

* 服务端使用的时候是把普通的socket转为sslsocket,并且作为服务器套接字（注意：指的不是ServerSocket,当然ServerSocket的本质也是普通socket）

* @param remoteHost

* @param isClient

* @return

public static SSLSocket getTlsTrustAllSocket(Socket remoteHost,boolean isClient)

{

SSLSocket remoteSSLSocket = null;

SSLContext context = SSLTrustManager.getTrustAllSSLContext(isClient);

try {

remoteSSLSocket = (SSLSocket) context.getSocketFactory().createSocket(remoteHost, remoteHost.getInetAddress().getHostName(),remoteHost.getPort(), true);

remoteSSLSocket.setTcpNoDelay(true);

remoteSSLSocket.setSoTimeout(5000);

remoteSSLSocket.setNeedClientAuth(false); //这里设置为true时会强制握手

remoteSSLSocket.setUseClientMode(isClient); //注意服务器和客户的角色选择

} catch (IOException e) {

e.printStackTrace();

}

return remoteSSLSocket;

}

/**

* 用于客户端，通过所有证书验证

* @param isClient 是否生成客户端SSLContext，否则生成服务端SSLContext

* @return

public static SSLContext getTrustAllSSLContext(boolean isClient)

{

String protocol = "TLS";

javax.net.ssl.SSLContext sc = null;

try {

javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];

javax.net.ssl.TrustManager tm = new SSLTrustManager();

trustAllCerts[0] = tm;

sc = javax.net.ssl.SSLContext

.getInstance(protocol);

if(isClient)

{

sc.init(null, trustAllCerts, null); //作为客户端使用

}

else

{

String serverKeyPath = "D:/JDK8Home/tianwt/sslServerKeys";

String serverKeyPwd = "123456"; //私钥密码

String serverKeyStorePwd = "123456"; // keystore存储密码

KeyStore keyStore = KeyStore.getInstance("JKS");

keyStore.load(new FileInputStream(serverKeyPath),serverKeyPwd.toCharArray());

KeyManagerFactory km = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

km.init(keyStore, serverKeyStorePwd.toCharArray());

KeyManager[] keyManagers = km.getKeyManagers();

keyManagers = Arrays.copyOf(keyManagers, keyManagers.length+1);

sc.init(keyManagers, null, new SecureRandom());

}

} catch (KeyManagementException e) {

e.printStackTrace();

} catch (NoSuchAlgorithmException e) {

e.printStackTrace();

} catch (UnrecoverableKeyException e) {

e.printStackTrace();

} catch (KeyStoreException e) {

e.printStackTrace();

} catch (CertificateException e) {

e.printStackTrace();

} catch (FileNotFoundException e) {

e.printStackTrace();

} catch (IOException e) {

e.printStackTrace();

}

return sc;

}

参考链接

Java 实现TLS/SSL证书的自动安装校验

okhttp3.0忽略/检查https证书

最近公司项目需要，网络协议支持https，之前接触不多，所以这次想总结一下https在android开发中的相关内容

一、https证书

对于https和证书的概念，大家可以自行搜索百度。

证书分两种：

1、花钱向认证机构购买的证书。服务器如果使用了此类证书的话，那对于移动端来说，直接可以忽略此证书，直接用https访问。与之不同的是ios内置了很多信任的证书，所以他们不需要做任何操作

2、另一种是自己制作的证书，使用此类证书的话是不受信任的，也不需要花钱，所以需要我们在代码中将此类证书设置为信任证书

二、如何忽略证书

1、服务器如果加上了证书的话，那么你们的网络请求的url将从http:xx改成https:xx,如果你直接也将http改成https的话而什么也不做的话，客户端将直接报错，如图：

继续阅读okhttp3.0忽略/检查https证书

2020年十月
一	二	三	四	五	六	日
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30	31