how to get the server certificate with okhttp response

Question

I want to save a server certificate, but I cannot find the method to get it with OkHttpClient. The response.handshake is empty:

client.newCall(request).execute().handshake().peerCertificates()

Answer 1

Score: 1


You have the correct code. But likely you have disabled security or similar such that there is no clean certificate chain for your request.

Correct secure code

https://github.com/cashapp/certifikit/blob/master/certifikit-cli/src/main/kotlin/app/cash/certifikit/cli/http.kt#L124-L128

  // Helper from certifikit (link above); the enclosing signature is assumed here so the snippet compiles on its own.
  fun peerCertificates(response: Response): List<X509Certificate> {
    return response.use {
      it.handshake!!.peerCertificates   // handshake is null only for a non-TLS call
    }.map { it as X509Certificate }
  }

Insecure code

import okhttp3.Call
import okhttp3.Connection
import okhttp3.EventListener
import okhttp3.OkHttpClient
import okhttp3.Request
import okhttp3.internal.connection.RealCall
import okhttp3.tls.HandshakeCertificates
import java.security.cert.X509Certificate
import javax.net.ssl.SSLSocket

fun main() {
  // okhttp-tls: trust the platform roots, but skip certificate verification for this one host.
  val handshakeCertificates = HandshakeCertificates.Builder()
    .addPlatformTrustedCertificates()
    .addInsecureHost("self-signed.badssl.com")
    .build()

  val client = OkHttpClient.Builder()
    .sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager)
    .eventListener(object : EventListener() {
      override fun connectionAcquired(call: Call, connection: Connection) {
        // Reach into the internal RealCall to read what the raw SSL session presented.
        val socket = (call as RealCall).connection?.socket() as? SSLSocket

        println("connectionAcquired " + socket?.session?.peerCertificates?.size)
        socket?.session?.peerCertificates?.forEach {
          val x509 = it as X509Certificate
          println(x509.subjectDN)
        }
      }
    })
    .build()

  // The Response handshake only carries certificates that passed the trust manager;
  // for the insecure host there are none, hence "response 0" in the output below.
  val response = client.newCall(Request.Builder().url("https://self-signed.badssl.com").build()).execute()
  println("response " + response.handshake?.peerCertificates?.size)
  response.handshake?.peerCertificates?.forEach {
    val x509 = it as X509Certificate
    println(x509.subjectDN)
  }
}

Output

connectionAcquired 1
CN=*.badssl.com, O=BadSSL, L=San Francisco, ST=California, C=US
response 0

Answer 2

Score: 0


The certifikit CLI can download them for you in an OkHttp friendly format.

https://github.com/cashapp/certifikit/tree/master/certifikit-cli

$  certifikit-cli git:(master) ./cft --host badssl.com --insecure --output tmp 
CN: 	*.badssl.com
Pin:	sha256/f522e496c72fccc623f1ffb9da5a79cdefe16340851f22d23d0cd2a58608066f
SAN: 	*.badssl.com, badssl.com
Key Usage: DigitalSignature, KeyEncipherment
Ext Key Usage: serverAuth, clientAuth
Authority Info Access:
	ocsp: http://ocsp.digicert.com
	caIssuers: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
Valid: 	2020-03-23T00:00:00Z..2022-05-17T12:00:00Z (1 years)
CA: false

CN: 	DigiCert SHA2 Secure Server CA
Pin:	sha256/e6426f344330d0a8eb080bbb7976391d976fc824b5dc16c0d15246d5148ff75c
SAN: 	<N/A>
Key Usage: DigitalSignature, KeyCertSign, CRLSign
Authority Info Access:
	ocsp: http://ocsp.digicert.com
Valid: 	2013-03-08T12:00:00Z..2023-03-08T12:00:00Z (2 years)
CA: true Max Intermediate: 0

CN: 	DigiCert Global Root CA (signed by locally-trusted root)
Pin:	sha256/aff988906dde12955d9bebbf928fdcc31cce328d5b9384f21c8941ca26e20391
SAN: 	<N/A>
OU: 	www.digicert.com
Key Usage: DigitalSignature, KeyCertSign, CRLSign
Valid: 	2006-11-10T00:00:00Z..2031-11-10T00:00:00Z (11 years)
CA: true
$  certifikit-cli git:(master) ✗ ls tmp
aff988906dde12955d9bebbf928fdcc31cce328d5b9384f21c8941ca26e20391.pem  f522e496c72fccc623f1ffb9da5a79cdefe16340851f22d23d0cd2a58608066f.pem
e6426f344330d0a8eb080bbb7976391d976fc824b5dc16c0d15246d5148ff75c.pem
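Answer 1 shows where the chain lives (`response.handshake`) and Answer 2 saves it as PEM files with the certifikit CLI. The Kotlin program below is an added example, not code from the question, the answers or the certifikit project: it does the same save with a default OkHttpClient (platform trust store, hostname verification on, no `--insecure`), so an empty chain is treated as a failure rather than silently accepted, and it then pins the leaf key for later connections. It assumes OkHttp 4.x and the host badssl.com from Answer 2; the names `fetchPeerChain` and `toPem` are mine. Note that `CertificatePinner.pin` returns OkHttp's own `sha256/<base64>` format, so the file names differ from certifikit's hex digests above.

```kotlin
import okhttp3.CertificatePinner
import okhttp3.OkHttpClient
import okhttp3.Request
import java.io.File
import java.security.cert.X509Certificate
import java.util.Base64

// Added example; not from the question, the answers or certifikit.
// Function names and the output directory "tmp" are assumptions.

/** Fetch the verified peer chain for [url]; throws if the response has no TLS handshake. */
fun fetchPeerChain(client: OkHttpClient, url: String): List<X509Certificate> {
  val request = Request.Builder().url(url).build()
  return client.newCall(request).execute().use { response ->
    val handshake = response.handshake
      ?: throw IllegalStateException("no TLS handshake for $url (is the URL https?)")
    handshake.peerCertificates.map { it as X509Certificate }
  }
}

/** Encode one certificate as PEM (64-column base64 body between the standard markers). */
fun toPem(cert: X509Certificate): String {
  val body = Base64.getMimeEncoder(64, "\n".toByteArray()).encodeToString(cert.encoded)
  return "-----BEGIN CERTIFICATE-----\n$body\n-----END CERTIFICATE-----\n"
}

fun main() {
  val client = OkHttpClient()   // defaults: platform trust manager, hostname verification enabled
  val host = "badssl.com"
  val chain = fetchPeerChain(client, "https://$host")
  // A secure client never yields an empty chain; if it does, something is wrong with the setup.
  if (chain.isEmpty()) error("handshake present but chain is empty: do not trust this connection")

  val outDir = File("tmp").apply { mkdirs() }
  chain.forEach { cert ->
    val pin = CertificatePinner.pin(cert)   // "sha256/<base64 SHA-256 of the SubjectPublicKeyInfo>"
    println("CN: ${cert.subjectX500Principal.name}")
    println("Pin: $pin")
    println("Valid: ${cert.notBefore.toInstant()}..${cert.notAfter.toInstant()}")
    // File name derived from the pin; '/' and '+' are not filesystem friendly.
    val fileName = pin.removePrefix("sha256/").replace('/', '_').replace('+', '-') + ".pem"
    File(outDir, fileName).writeText(toPem(cert))
  }

  // Defensive follow-up: pin the leaf key so later connections to this host refuse a different one.
  // In production add a backup pin (e.g. the intermediate, chain[1]) so key rotation does not lock you out.
  val pinned = client.newBuilder()
    .certificatePinner(
      CertificatePinner.Builder()
        .add(host, CertificatePinner.pin(chain.first()))
        .build()
    )
    .build()
  pinned.newCall(Request.Builder().url("https://$host").build()).execute().use {
    println("pinned request: HTTP ${it.code}")
  }
}
```

Run it with okhttp on the classpath and the chain lands in `tmp/` as one PEM per certificate, leaf first; a mismatch against the pin on a later call surfaces as an `SSLPeerUnverifiedException` from OkHttp rather than a silently accepted connection.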

huangapple, posted 2020-10-26 11:53:46
Source link: https://go.coder-hub.com/64531304.html