public class SSLSocketFactory
extends Object implements LayeredSocketFactory
| java.lang.Object | |
| ↳ | org.apache.http.conn.ssl.SSLSocketFactory |
这个类在API级别22已被弃用。
请改用openConnection() 。 请访问this webpage了解更多详情。
基于JSSE的分层套接字工厂,用于TLS / SSL连接。 。
SSLSocketFactory可用于根据可信证书列表验证HTTPS服务器的身份,并使用私钥向HTTPS服务器进行身份验证。
当提供包含一个或多个可信证书的truststore文件时,SSLSocketFactory将启用服务器身份验证。 如果目标HTTPS服务器尝试使用不可信证书对自身进行身份验证,则客户端安全套接字将在SSL会话握手期间拒绝连接。
使用JDK keytool实用程序导入可信证书并生成信任库文件:
Android开发手册
keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
SSLSocketFactory将在提供包含私钥/公用证书对的keystore文件时启用客户端身份验证。 如果服务器要求这样做,客户端安全套接字将使用私钥在SSL会话握手期间向目标HTTPS服务器进行身份验证。 目标HTTPS服务器将依次验证客户端提供的证书以建立客户端的真实性
使用以下一系列操作来生成密钥库文件
使用JDK keytool实用程序生成新密钥
keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystoreFor simplicity use the same password for the key as that of the keystore
发出证书签名请求(CSR)
keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore
将证书请求发送给受信任的证书颁发机构进行签名。 可以选择充当自己的CA,并使用PKI工具(如OpenSSL)签署证书请求。
导入可信CA根证书
keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore
Import the PKCS#7 file containg the complete certificate chain
keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore
验证结果密钥库文件的内容
keytool -list -v -keystore my.keystore
Constants |
|
|---|---|
String |
SSL |
String |
SSLV2 |
String |
TLS |
Fields |
|
|---|---|
public static final X509HostnameVerifier |
ALLOW_ALL_HOSTNAME_VERIFIER |
public static final X509HostnameVerifier |
BROWSER_COMPATIBLE_HOSTNAME_VERIFIER |
public static final X509HostnameVerifier |
STRICT_HOSTNAME_VERIFIER |
Public constructors |
|
|---|---|
SSLSocketFactory(String algorithm, KeyStore keystore, String keystorePassword, KeyStore truststore, SecureRandom random, HostNameResolver nameResolver) |
|
SSLSocketFactory(KeyStore keystore, String keystorePassword, KeyStore truststore) |
|
SSLSocketFactory(KeyStore keystore, String keystorePassword) |
|
SSLSocketFactory(KeyStore truststore) |
|
Public methods |
|
|---|---|
Socket |
connectSocket(Socket sock, String host, int port, InetAddress localAddress, int localPort, HttpParams params) 将套接字连接到给定的主机。 |
Socket |
createSocket(Socket socket, String host, int port, boolean autoClose) 返回连接到分层到现有套接字上的给定主机的套接字。 |
Socket |
createSocket() 创建一个新的未连接的套接字。 |
X509HostnameVerifier |
getHostnameVerifier() |
static SSLSocketFactory |
getSocketFactory() 获取SSLProtocolSocketFactory的单例实例。 |
boolean |
isSecure(Socket sock) 检查套接字连接是否安全。 |
void |
setHostnameVerifier(X509HostnameVerifier hostnameVerifier) |
Inherited methods |
|
|---|---|
 From class java.lang.Object
|
|
From interface org.apache.http.conn.scheme.LayeredSocketFactory
|
|
From interface org.apache.http.conn.scheme.SocketFactory
|
|
X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
SSLSocketFactory (String algorithm, KeyStore keystore, String keystorePassword, KeyStore truststore, SecureRandom random, HostNameResolver nameResolver)
| Parameters | |
|---|---|
algorithm |
String
|
keystore |
KeyStore
|
keystorePassword |
String
|
truststore |
KeyStore
|
random |
SecureRandom
|
nameResolver |
HostNameResolver
|
| Throws | |
|---|---|
NoSuchAlgorithmException |
|
KeyManagementException |
|
KeyStoreException |
|
UnrecoverableKeyException |
|
SSLSocketFactory (KeyStore keystore, String keystorePassword, KeyStore truststore)
| Parameters | |
|---|---|
keystore |
KeyStore
|
keystorePassword |
String
|
truststore |
KeyStore
|
| Throws | |
|---|---|
NoSuchAlgorithmException |
|
KeyManagementException |
|
KeyStoreException |
|
UnrecoverableKeyException |
|
SSLSocketFactory (KeyStore keystore, String keystorePassword)
| Parameters | |
|---|---|
keystore |
KeyStore
|
keystorePassword |
String
|
| Throws | |
|---|---|
NoSuchAlgorithmException |
|
KeyManagementException |
|
KeyStoreException |
|
UnrecoverableKeyException |
|
SSLSocketFactory (KeyStore truststore)
| Parameters | |
|---|---|
truststore |
KeyStore
|
| Throws | |
|---|---|
NoSuchAlgorithmException |
|
KeyManagementException |
|
KeyStoreException |
|
UnrecoverableKeyException |
|
Socket connectSocket (Socket sock, String host, int port, InetAddress localAddress, int localPort, HttpParams params)
将套接字连接到给定的主机。
| Parameters | |
|---|---|
sock |
Socket: the socket to connect, as obtained from createSocket. null indicates that a new socket should be created and connected. |
host |
String: the host to connect to |
port |
int: the port to connect to on the host |
localAddress |
InetAddress: the local address to bind the socket to, or null for any |
localPort |
int: the port on the local machine, 0 or a negative number for any |
params |
HttpParams: additional parameters for connecting |
| Returns | |
|---|---|
Socket |
the connected socket. The returned object may be different from the sock argument if this factory supports a layered protocol. |
| Throws | |
|---|---|
IOException |
|
Socket createSocket (Socket socket, String host, int port, boolean autoClose)
返回连接到分层到现有套接字上的给定主机的套接字。 主要用于通过代理创建安全套接字。
| Parameters | |
|---|---|
socket |
Socket: the existing socket |
host |
String: the host name/IP |
port |
int: the port on the host |
autoClose |
boolean: a flag for closing the underling socket when the created socket is closed |
| Returns | |
|---|---|
Socket |
Socket a new socket |
| Throws | |
|---|---|
IOException |
|
UnknownHostException |
|
Socket createSocket ()
创建一个新的未连接的套接字。 该套接字应该随后传递给connectSocket 。
| Returns | |
|---|---|
Socket |
a new socket |
| Throws | |
|---|---|
IOException |
|
X509HostnameVerifier getHostnameVerifier ()
| Returns | |
|---|---|
X509HostnameVerifier |
|
SSLSocketFactory getSocketFactory ()
获取SSLProtocolSocketFactory的单例实例。
| Returns | |
|---|---|
SSLSocketFactory |
a SSLProtocolSocketFactory |
boolean isSecure (Socket sock)
检查套接字连接是否安全。 该工厂创建TLS / SSL套接字连接,默认情况下,这些连接被认为是安全的。
派生类可以重写此方法来执行运行时检查,例如基于密码套件。
| Parameters | |
|---|---|
sock |
Socket: the connected socket |
| Returns | |
|---|---|
boolean |
true |
| Throws | |
|---|---|
IllegalArgumentException |
if the argument is invalid |
void setHostnameVerifier (X509HostnameVerifier hostnameVerifier)
| Parameters | |
|---|---|
hostnameVerifier |
X509HostnameVerifier
|