{"id":1627,"date":"2023-03-25T21:10:38","date_gmt":"2023-03-25T13:10:38","guid":{"rendered":"https:\/\/www.appblog.cn\/?p=1627"},"modified":"2023-04-23T22:03:09","modified_gmt":"2023-04-23T14:03:09","slug":"okhttp-lock-certificate-certificate-pinner","status":"publish","type":"post","link":"https:\/\/www.appblog.cn\/index.php\/2023\/03\/25\/okhttp-lock-certificate-certificate-pinner\/","title":{"rendered":"OKHttp\u9501\u5b9a\u8bc1\u4e66CertificatePinner"},"content":{"rendered":"

OKHttp\u7684CertificatePinner<\/code>\u7c7b\u7528\u4e8e\u7ea6\u675f\u54ea\u4e9b\u8bc1\u4e66\u662f\u53ef\u4fe1\u7684\u3002\u9501\u5b9a\u8bc1\u4e66\u53ef\u4ee5\u9632\u6b62\u5bf9\u8bc1\u4e66\u9881\u53d1\u673a\u6784\u76f8\u5173\u7684\u653b\u51fb\u3002\u5b83\u8fd8\u963b\u6b62\u901a\u8fc7\u7528\u6237\u5df2\u77e5\u6216\u672a\u77e5\u7684\u4e2d\u95f4\u8bc1\u4e66\u9881\u53d1\u673a\u6784\u5efa\u7acb\u7684\u8fde\u63a5\u3002\u8fd9\u4e2a\u7c7b\u76ee\u524d\u9501\u5b9a\u4e86\u4e00\u4e2a\u8bc1\u4e66\u7684\u4e3b\u9898\u516c\u94a5\u4fe1\u606f\uff0c\u5982Adam Langley\u7684\u535a\u5ba2\u6240\u8ff0\u3002\u516c\u94a5\u4e0d\u662fHTTP\u516c\u94a5\u9501\u5b9a(HPKP)\u4e2d\u7684base64 SHA-256\u54c8\u5e0c\uff0c\u5c31\u662fChromium\u9759\u6001\u8bc1\u4e66\u4e2d\u7684SHA-1 base64\u54c8\u5e0c\u3002HTTP Public Key Pinning (HPKP) Chromium\u9759\u6001\u8bc1\u4e66\u3002<\/p>\n

\u8bbe\u7f6e\u56fa\u5b9a\u8bc1\u4e66<\/h2>\n

<\/p>\n

\u7406\u89e3\u9501\u5b9a\u4e3b\u673a\u6700\u7b80\u5355\u7684\u65b9\u6cd5\u662f\u6253\u5f00\u9519\u8bef\u914d\u7f6e\u7684\u9501\u5b9a\uff0c\u5e76\u5728\u8fde\u63a5\u5931\u8d25\u65f6\u8bfb\u53d6\u9884\u671f\u914d\u7f6e\u3002\u4e00\u5b9a\u8981\u5728\u53ef\u4fe1\u7684\u7f51\u7edc\u4e0a\u5b8c\u6210\uff0c\u4e0d\u8981\u4f7f\u7528\u50cfCharles\u6216Fiddler\u8fd9\u6837\u7684\u4e2d\u95f4\u5de5\u5177\u3002\u4f8b\u5982\uff0c\u8981\u9501\u5b9a\uff1ahttps:\/\/publicobject.com<\/code>\uff0c\u8bf7\u4ece\u4e00\u4e2a\u9519\u8bef\u7684\u914d\u7f6e\u5f00\u59cb<\/p>\n

String hostname = "publicobject.com";\n\u00a0 \u00a0 \u00a0CertificatePinner certificatePinner = new CertificatePinner.Builder()\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0.add(hostname, "sha256\/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0.build();\n\u00a0 \u00a0 \u00a0OkHttpClient client = new OkHttpClient();\n\u00a0 \u00a0 \u00a0client.setCertificatePinner(certificatePinner);\n\n\u00a0 \u00a0 \u00a0Request request = new Request.Builder()\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0.url("https:\/\/" + hostname)\n\u00a0 \u00a0 \u00a0 \u00a0 \u00a0.build();\n\u00a0 \u00a0 \u00a0client.newCall(request).execute();<\/code><\/pre>\n
\u6b63\u5982\u9884\u671f\u7684\u90a3\u6837\uff0c\u4ee5\u4e00\u4e2a\u8bc1\u4e66\u9501\u5b9a\u5f02\u5e38\u800c\u5931\u8d25\u4e86:<\/p>\n
javax.net.ssl.SSLPeerUnverifiedException: Certificate pinning failure!\n   Peer certificate chain:\n     sha256\/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=: CN=publicobject.com, OU=PositiveSSL\n     sha256\/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=: CN=COMODO RSA Secure Server CA\n     sha256\/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=: CN=COMODO RSA Certification Authority\n     sha256\/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=: CN=AddTrust External CA Root\n   Pinned certificates for publicobject.com:\n     sha256\/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=\n   at okhttp3.CertificatePinner.check(CertificatePinner.java)\n   at okhttp3.Connection.upgradeToTls(Connection.java)\n   at okhttp3.Connection.connect(Connection.java)\n   at okhttp3.Connection.connectAndSetOwner(Connection.java)<\/code><\/pre>\n
\u63a5\u4e0b\u6765\uff0c\u5c06\u5f02\u5e38\u4e2d\u7684\u516c\u94a5\u6563\u5217\u7c98\u8d34\u5230\u8bc1\u4e66pinner\u7684\u914d\u7f6e\u4e2d<\/p>\n
CertificatePinner certificatePinner = new CertificatePinner.Builder()\n    .add("publicobject.com", "sha256\/afwiKY3RxoMmLkuRW1l7QsPZTJPwDS2pdDROQjXw8ig=")\n    .add("publicobject.com", "sha256\/klO23nT2ehFDXCfx3eHTDRESMz3asj1muO+4aIdjiuY=")\n    .add("publicobject.com", "sha256\/grX4Ta9HpZx6tSHkmCrvpApTQGo67CYDnvprLg5yRME=")\n    .add("publicobject.com", "sha256\/lCppFqbkrlJ3EcVFAkeip0+44VaoJUymbnOaEUk7tEU=")\n    .build();<\/code><\/pre>\n
Pinning\u662f\u6bcf\u4e2a\u4e3b\u673a\u540d\u548c\/\u6216\u6bcf\u4e2a\u901a\u914d\u7b26\u6a21\u5f0f\u3002\u8981\u540c\u65f6\u4f7f\u7528publicobject.com<\/code>\u548cwww.publicobject.com<\/code>\uff0c\u5fc5\u987b\u914d\u7f6e\u8fd9\u4e24\u4e2a\u4e3b\u673a\u540d\u3002<\/p>\n
\u901a\u914d\u7b26\u6a21\u5f0f\u89c4\u5219<\/h2>\n
    \n
  • \u661f\u53f7*<\/code>\u53ea\u5141\u8bb8\u51fa\u73b0\u5728\u6700\u5de6\u8fb9\u7684\u57df\u540d\u6807\u7b7e\u4e2d\uff0c\u5e76\u4e14\u5fc5\u987b\u662f\u8be5\u6807\u7b7e(\u5373\u5fc5\u987b\u5339\u914d\u6574\u4e2a\u6700\u5de6\u8fb9\u7684\u6807\u7b7e)\u3002\u4f8b\u5982\uff0c\u5141\u8bb8*.example.com<\/code>\uff0c\u800c*a.example.com<\/code>, a*.example.com<\/code>, a*b.example.com<\/code>, a.*.example.com<\/code>\u4e0d\u5141\u8bb8<\/li>\n
  • \u661f\u53f7*<\/code>\u4e0d\u80fd\u8de8\u57df\u540d\u6807\u7b7e\u5339\u914d\u3002\u4f8b\u5982\uff1a*.example.com<\/code>\u5339\u914dtest.example.com<\/code>\uff0c\u4f46\u4e0d\u5339\u914dsub.test.example.com<\/code><\/li>\n
  • \u4e0d\u5141\u8bb8\u4e3a\u5355\u6807\u7b7e\u57df\u540d\u4f7f\u7528\u901a\u914d\u7b26\u6a21\u5f0f
    \n\u5982\u679c\u4e3b\u673a\u540d\u76f4\u63a5\u6216\u901a\u8fc7\u901a\u914d\u7b26\u6a21\u5f0f\u9501\u5b9a\uff0c\u5c06\u4f7f\u7528\u76f4\u63a5\u6216\u901a\u914d\u7b26\u56fa\u5b9a\u3002\u4f8b\u5982\uff1a*.example.com<\/code>\u7528pin1<\/code>\u56fa\u5b9a\uff0ca.example.com<\/code>\u7528pin2<\/code>\u56fa\u5b9a\uff0c\u68c0\u67e5a.example.com<\/code>\u5c06\u4f7f\u7528pin1<\/code>\u548cpin2<\/code><\/li>\n<\/ul>\n
    \u8b66\u544a: \u8bc1\u4e66\u9501\u5b9a\u662f\u5371\u9669\u7684\uff01<\/h2>\n
    \u9501\u5b9a\u8bc1\u4e66\u9650\u5236\u4e86\u670d\u52a1\u5668\u56e2\u961f\u66f4\u65b0TLS\u8bc1\u4e66\u7684\u80fd\u529b\u3002\u901a\u8fc7\u9501\u5b9a\u8bc1\u4e66\uff0c\u53ef\u4ee5\u589e\u52a0\u64cd\u4f5c\u590d\u6742\u6027\uff0c\u5e76\u9650\u5236\u5728\u8bc1\u4e66\u9881\u53d1\u673a\u6784\u4e4b\u95f4\u8fc1\u79fb\u7684\u80fd\u529b\u3002\u5982\u679c\u6ca1\u6709\u670d\u52a1\u5668\u7684TLS\u7ba1\u7406\u5458\u7684\u8bb8\u53ef\uff0c\u4e0d\u8981\u4f7f\u7528\u8bc1\u4e66\u56fa\u5b9a!<\/p>\n
    \u9759\u6001\u5185\u90e8\u7c7bPin<\/h2>\n
    Pin\u662fCertificatePinner\u7684\u9759\u6001\u5185\u90e8\u7c7b\u3002\u76f4\u63a5\u4e0a\u6e90\u7801\uff1a<\/p>\n
    static final class Pin {\n    \/**\n     * \u4e3b\u673a\u540d\uff0c\u5982example.com\u6216\u5982*.example.com\u7684\u4e00\u79cd\u5f62\u5f0f\u3002\n     *\/\n    final String pattern;\n    \/**\n     * \u6216\u8005sha1\/\u6216\u8005sha256\/.\n     *\/\n    final String hashAlgorithm;\n    \/**\n     * \u4f7f\u7528{@link #hashAlgorithm}\u7684\u56fa\u5b9a\u8bc1\u4e66\u7684\u54c8\u5e0c\u3002\n     *\/\n    final ByteString hash;\n\n    Pin(String pattern, String pin) {\n        this.pattern = pattern;\n        if (pin.startsWith("sha1\/")) {\n            this.hashAlgorithm = "sha1\/";\n            this.hash = ByteString.decodeBase64(pin.substring("sha1\/".length()));\n        } else if (pin.startsWith("sha256\/")) {\n            this.hashAlgorithm = "sha256\/";\n            this.hash = ByteString.decodeBase64(pin.substring("sha256\/".length()));\n        } else {\n            throw new IllegalArgumentException("pins must start with 'sha256\/' or 'sha1\/': " + pin);\n        }\n\n        if (this.hash == null) {\n            throw new IllegalArgumentException("pins must be base64: " + pin);\n        }\n    }\n\n    boolean matches(String hostname) {\n        if (pattern.equals(hostname)) return true;\n\n        int firstDot = hostname.indexOf('.');\n        return pattern.startsWith("*.")\n                && hostname.regionMatches(false, firstDot + 1, pattern, 2, pattern.length() - 2);\n    }\n\n    @Override\n    public boolean equals(Object other) {\n        return other instanceof Pin\n                && pattern.equals(((Pin) other).pattern)\n                && hashAlgorithm.equals(((Pin) other).hashAlgorithm)\n                && hash.equals(((Pin) other).hash);\n    }\n\n    @Override\n    public int hashCode() {\n        int result = 17;\n        result = 31 * result + pattern.hashCode();\n        result = 31 * result + hashAlgorithm.hashCode();\n        result = 31 * result + hash.hashCode();\n        return result;\n    }\n\n    @Override\n    public String toString() {\n        return hashAlgorithm + hash.base64();\n    }\n}<\/code><\/pre>\n
    \u770b\u4ee3\u7801\u4ee5\u53ca\u6ce8\u91ca\u4e0d\u96be\u7406\u89e3Pin\u7c7b\u5c31\u662f\u9501\u5b9a\u8bc1\u4e66\u7c7b\u3002Pin\u7c7b\u4e2d\uff0c\u76f4\u63a5\u4e3b\u673a\u540d\u6216\u4e3b\u673a\u540d\u901a\u914d\u7b26\u3001\u54c8\u5e0c\u7b97\u6cd5\u3001\u54c8\u5e0c\u7801\u4e00\u4e00\u5bf9\u5e94\u3002<\/p>\n
    pins\u8fd9\u4e2a\u6210\u5458\u53d8\u91cf\u662f\u4e2alist\u96c6\u5408\uff0c\u90a3\u4e48\u662f\u600e\u4e48\u7ef4\u62a4\u7684\u5462\u3002\u9996\u5148\u770b\u6dfb\u52a0\uff1a<\/p>\n
    CertificatePinner\u7684\u6784\u9020\u4f7f\u7528\u7684\u6784\u9020\u5668\u6a21\u5f0f\uff0c\u6dfb\u52a0\u65b9\u6cd5\u5728\u6784\u9020\u7c7b\u91cc\u9762\uff1a<\/p>\n
    \/**\n * \u4e3a{@code pattern}\u6dfb\u52a0\u56fa\u5b9a\u8bc1\u4e66\u3002\n *\n * @param pattern \u5c0f\u5199\u4e3b\u673a\u540d\u6216\u901a\u914d\u7b26\u6a21\u5f0f\uff08\u5982*.example.com\uff09\u3002\n * @param pins SHA-256\u6216SHA-1\u54c8\u5e0c\u3002\u6bcf\u4e2apin\u90fd\u662f\u8bc1\u4e66\u4e3b\u9898\u516c\u94a5\u4fe1\u606f\u7684\u6563\u5217\uff0c\u4ee5base64\u7f16\u7801\uff0c\u524d\u7f00\u4e3asha256\/\u6216sha1\/\u3002\n *\/\npublic Builder add(String pattern, String... pins) {\n    if (pattern == null) throw new IllegalArgumentException("pattern == null");\n\n    for (String pin : pins) {\n        this.pins.add(new Pin(pattern, pin));\n    }\n\n    return this;\n}<\/code><\/pre>\n
    \u6784\u9020\u7c7b\u7684\u5b8c\u6574\u4ee3\u7801\uff1a<\/p>\n
    public static final class Builder {\n    private final List<Pin> pins = new ArrayList<>();\n    private TrustRootIndex trustRootIndex;\n\n    public Builder() {\n    }\n\n    Builder(CertificatePinner certificatePinner) {\n        this.pins.addAll(certificatePinner.pins);\n        this.trustRootIndex = certificatePinner.trustRootIndex;\n    }\n\n    public Builder trustRootIndex(TrustRootIndex trustRootIndex) {\n        this.trustRootIndex = trustRootIndex;\n        return this;\n    }\n\n    \/**\n     * \u4e3a{@code pattern}\u6dfb\u52a0\u56fa\u5b9a\u8bc1\u4e66\u3002\n     *\n     * @param pattern \u5c0f\u5199\u4e3b\u673a\u540d\u6216\u901a\u914d\u7b26\u6a21\u5f0f\uff08\u5982*.example.com\uff09\u3002\n     * @param pins SHA-256\u6216SHA-1\u54c8\u5e0c\u3002\u6bcf\u4e2apin\u90fd\u662f\u8bc1\u4e66\u4e3b\u9898\u516c\u94a5\u4fe1\u606f\u7684\u6563\u5217\uff0c\u4ee5base64\u7f16\u7801\uff0c\u524d\u7f00\u4e3asha256\/\u6216sha1\/\u3002\n     *\/\n    public Builder add(String pattern, String... pins) {\n        if (pattern == null) throw new IllegalArgumentException("pattern == null");\n\n        for (String pin : pins) {\n            this.pins.add(new Pin(pattern, pin));\n        }\n\n        return this;\n    }\n\n    public CertificatePinner build() {\n        return new CertificatePinner(this);\n    }\n}<\/code><\/pre>\n
    \u5176\u6b21\u7528\u5230\u6210\u5458\u53d8\u91cfpins\u7684\u5730\u65b9\u5c31\u662f\uff1a<\/p>\n
    public void check(String hostname, List<Certificate> peerCertificates)\n        throws SSLPeerUnverifiedException {\n    List<Pin> pins = findMatchingPins(hostname);\n    if (pins.isEmpty()) return;\n\n    if (trustRootIndex != null) {\n        peerCertificates = new CertificateChainCleaner(trustRootIndex).clean(peerCertificates);\n    }\n\n    for (int c = 0, certsSize = peerCertificates.size(); c < certsSize; c++) {\n        X509Certificate x509Certificate = (X509Certificate) peerCertificates.get(c);\n\n        \/\/\u61d2\u60f0\u5730\u8ba1\u7b97\u6bcf\u4e2a\u8bc1\u4e66\u7684\u6563\u5217\u3002\n        ByteString sha1 = null;\n        ByteString sha256 = null;\n\n        for (int p = 0, pinsSize = pins.size(); p < pinsSize; p++) {\n            Pin pin = pins.get(p);\n            if (pin.hashAlgorithm.equals("sha256\/")) {\n                if (sha256 == null) sha256 = sha256(x509Certificate);\n                if (pin.hash.equals(sha256)) return; \/\/ Success!\n            } else if (pin.hashAlgorithm.equals("sha1\/")) {\n                if (sha1 == null) sha1 = sha1(x509Certificate);\n                if (pin.hash.equals(sha1)) return; \/\/ Success!\n            } else {\n                throw new AssertionError();\n            }\n        }\n    }\n\n    \/\/\u5982\u679c\u6211\u4eec\u627e\u4e0d\u5230\u5339\u914d\u7684\u9501\u5b9a\u8bc1\u4e66\uff0c\u629b\u51fa\u5f02\u5e38\u3002\n    StringBuilder message = new StringBuilder()\n            .append("Certificate pinning failure!")\n            .append("\\n  Peer certificate chain:");\n    for (int c = 0, certsSize = peerCertificates.size(); c < certsSize; c++) {\n        X509Certificate x509Certificate = (X509Certificate) peerCertificates.get(c);\n        message.append("\\n    ").append(pin(x509Certificate))\n                .append(": ").append(x509Certificate.getSubjectDN().getName());\n    }\n    message.append("\\n  Pinned certificates for ").append(hostname).append(":");\n    for (int p = 0, pinsSize = pins.size(); p < pinsSize; p++) {\n        Pin pin = pins.get(p);\n        message.append("\\n    ").append(pin);\n    }\n    throw new SSLPeerUnverifiedException(message.toString());\n}<\/code><\/pre>\n
    check\u65b9\u6cd5\u7684\u4f5c\u7528\u662f\u786e\u8ba4\u9501\u5b9a\u4e3b\u673a\u540d\u7684\u81f3\u5c11\u4e00\u4e2a\u8bc1\u4e66\u5728peerCertificates\u4e2d\u3002\u5982\u679c\u6ca1\u6709\u9501\u5b9a\u4e3b\u673a\u540d\u7684\u8bc1\u4e66\uff0c\u5219\u4ec0\u4e48\u4e5f\u4e0d\u505a\u3002OkHttp\u5728TLS\u63e1\u624b\u6210\u529f\u540e\uff0c\u5efa\u7acb\u8fde\u63a5\u4e4b\u524d\u8c03\u7528\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"
    OKHttp\u7684CertificatePinner\u7c7b\u7528\u4e8e\u7ea6\u675f\u54ea\u4e9b\u8bc1\u4e66\u662f\u53ef\u4fe1\u7684\u3002\u9501\u5b9a\u8bc1\u4e66\u53ef\u4ee5\u9632\u6b62\u5bf9\u8bc1\u4e66\u9881\u53d1\u673a\u6784\u76f8\u5173 […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[311,116],"tags":[373],"class_list":["post-1627","post","type-post","status-publish","format-standard","hentry","category-android-advance","category-okhttp","tag-ssl-pinning"],"_links":{"self":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts\/1627","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/comments?post=1627"}],"version-history":[{"count":0,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/posts\/1627\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/media?parent=1627"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/categories?post=1627"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.appblog.cn\/index.php\/wp-json\/wp\/v2\/tags?post=1627"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}