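I connect to an SSL server in the standard way, using a self-signed certificate as described here: https://developer.android.com/training/articles/security-ssl.html for "Unknown certificate authority".
Everything works on Android 7.
On Android 7 and higher, I get a certificate exception with the following message: "java.security.cert.CertPathValidatorException: Trust anchor for certification path not found".
The only thing I can do is create an "empty" X509TrustManager that accepts all certificates: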
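    // Imports needed by this fragment
    import java.security.cert.CertificateException;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;

    final TrustManager[] trustAllCerts = new TrustManager[] {
        new javax.net.ssl.X509TrustManager() {
            // Empty bodies: every client and server certificate is accepted without validation
            @Override
            public void checkClientTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { }
            @Override
            public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException { }
            @Override
            public java.security.cert.X509Certificate[] getAcceptedIssuers() {
                return new java.security.cert.X509Certificate[0];
            }
        }
    };
    //and then
    sSslContext = SSLContext.getInstance("TLS");
    sSslContext.init(null, trustAllCerts, null);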
But when I add validation to the checkServerTrusted function:
    public void checkServerTrusted(java.security.cert.X509Certificate[] chain, String authType) throws CertificateException {
        // Delegate validation to the existing trustManager instance
        ((X509TrustManager) trustManager).checkServerTrusted(chain, authType);
    }
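everything is the same.
I also checked the source of the conscrypt library, and I see that the checkTrusted function puts the leaf onto the untrusted chain, which is the case if leafAsAnchor == null.
So is it possible to use a self-signed certificate this way?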
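
For reference, the KeyStore-based approach the question refers to, in which the trust manager trusts only the one self-signed certificate instead of accepting everything. This is an added example, not code from the original post; the class name `PinnedCertContext`, its method names, the `"server"` alias and the certificate file path argument are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class PinnedCertContext {   // hypothetical class name

    /** Builds a trust manager whose only trust anchor is the certificate read from certStream. */
    static X509TrustManager trustManagerFor(InputStream certStream) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate cert = cf.generateCertificate(certStream);

        // Empty in-memory key store holding just this certificate
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        keyStore.setCertificateEntry("server", cert);   // alias is arbitrary

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    /** SSLContext that validates servers against the pinned certificate only. */
    static SSLContext contextFor(InputStream certStream) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManagerFor(certStream) }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // args[0]: path to the server's certificate file (PEM or DER), supplied by the caller
        try (InputStream in = new FileInputStream(args[0])) {
            for (X509Certificate c : trustManagerFor(in).getAcceptedIssuers()) {
                System.out.println("trusted: " + c.getSubjectX500Principal());
            }
        }
    }
}
```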