实现 X509TrustManager - 将部分验证传递给现有验证程序

您可以获取现有的缺省信任管理器，并使用如下方式将其包装在您自己的信任管理器中：

TrustManagerFactory tmf = TrustManagerFactory
        .getInstance(TrustManagerFactory.getDefaultAlgorithm());
// Using null here initialises the TMF with the default trust store.
tmf.init((KeyStore) null);

// Get hold of the default trust manager
X509TrustManager x509Tm = null;
for (TrustManager tm : tmf.getTrustManagers()) {
    if (tm instanceof X509TrustManager) {
        x509Tm = (X509TrustManager) tm;
        break;
    }
}

// Wrap it in your own class.
final X509TrustManager finalTm = x509Tm;
X509TrustManager customTm = new X509TrustManager() {
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return finalTm.getAcceptedIssuers();
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain,
            String authType) throws CertificateException {
        finalTm.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain,
            String authType) throws CertificateException {
        finalTm.checkClientTrusted(chain, authType);
    }
};

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[] { customTm }, null);

// You don't have to set this as the default context,
// it depends on the library you're using.
SSLContext.setDefault(sslContext);

然后，您可以围绕 实现自己的逻辑。finalTm.checkServerTrusted(chain, authType);

但是，应确保为要忽略的特定证书设置例外。

您在下面所做的是让任何证书具有这些颁发者DN和主题DN（这并不难伪造）：

if(chain[0].getIssuerDN().getName().equals("MyTrustedServer") && chain[0].getSubjectDN().getName().equals("MyTrustedServer"))
    return true;

您可以改为从已知引用加载实例，并比较链中的实际值。X509Certificate

此外，它们不是返回 或 的方法，而是默认情况下将以静默方式成功的方法。如果预期的证书有问题，请显式抛出一个。checkClientTrustedcheckServerTrustedtruefalsevoidCertificateException

您可以根据相关特定证书创建信任管理器，而不是实现信任任何证书。从 或 密钥库或 -file 加载证书（您可以在 Chrome 中将证书从浏览器复制到文件中，方法是点击挂锁并选择证书）。代码比实现你自己的代码短：X509TrustManager.p12.jks.crtX509TrustManager

private static SSLSocketFactory createSSLSocketFactory(File crtFile) throws GeneralSecurityException, IOException {
    SSLContext sslContext = SSLContext.getInstance("SSL");

    // Create a new trust store, use getDefaultType for .jks files or "pkcs12" for .p12 files
    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
    // You can supply a FileInputStream to a .jks or .p12 file and the keystore password as an alternative to loading the crt file
    trustStore.load(null, null);

    // Read the certificate from disk
    X509Certificate result;
    try (InputStream input = new FileInputStream(crtFile)) {
        result = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(input);
    }
    // Add it to the trust store
    trustStore.setCertificateEntry(crtFile.getName(), result);

    // Convert the trust store to trust managers
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    TrustManager[] trustManagers = tmf.getTrustManagers();

    sslContext.init(null, trustManagers, null);
    return sslContext.getSocketFactory();
}

您可以通过调用来使用它（您可能希望初始化套接字工厂一次并重用它）。HttpsURLConnection.setSSLSocketFactory(createSSLSocketFactory(crtFile))