Android 的 WebViewClient
在遇到不受信任的证书时调用 onReceivedSslError
。但是,我在该调用中收到的 SslError
对象没有任何公共(public)方式来获取底层 X509Certificate
以根据现有 TrustStoreManager对其进行验证
。查看源代码,我可以这样访问 X509Certificate
的编码字节:
public void onReceivedSslError(WebView view, SslErrorHandler handler,
SslError error) {
Bundle bundle = SslCertificate.saveState(error.getCertificate());
X509Certificate x509Certificate;
byte[] bytes = bundle.getByteArray("x509-certificate");
if (bytes == null) {
x509Certificate = null;
} else {
try {
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
Certificate cert = certFactory.generateCertificate(new ByteArrayInputStream(bytes));
x509Certificate = (X509Certificate) cert;
} catch (CertificateException e) {
x509Certificate = null;
}
}
// Now I have an X509Certificate I can pass to an X509TrustManager for validation.
}
显然,这是私有(private) API 并且很脆弱,但我认为它相当可靠,因为它们无法更改包格式。有没有更好的办法?
最佳答案
经过漫长的等待,一个名为getX509Certificate(): java.security.cert.X509Certificate
的方法似乎已添加到SslCertificate
中。在我的feature request as issue 36984840之后.
关于android - 如何使用 X509TrustManager 验证 android.net.http.SslCertificate?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/20228800/