TrustManager、CertificatePinner 和主机名验证三者各司其职,但都很重要。如果您想在使用自签名证书的同时仍然保持安全性(而不只是为了本地开发方便而放松校验),那么您应该创建一个真正有效的 TrustManager——它只信任您自己的那张证书,而不是一个对任何证书都放行的 TrustManager;同理,也不要用一个总是返回 true 的 HostnameVerifier 来绕过主机名验证。
例如https://github.com/yschimke/oksocial/blob/3757196cde420b9d0fe37cf385b66f4cdafb1ae1/src/main/java/com/baulsupp/oksocial/security/CertificateUtils.java#L19
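/**
 * Builds an {@link X509TrustManager} that trusts only the X.509 certificates found in the
 * given files — typically the self-signed certificate(s) of your own server.
 *
 * <p>Excerpt of the linked oksocial {@code CertificateUtils}; only the three methods shown
 * on the page are reproduced here.
 */
public class CertificateUtils {

    private CertificateUtils() {
        // static utility holder
    }

    /**
     * Loads every certificate file in {@code serverCerts} into a fresh key store and returns
     * a trust manager backed by it.
     *
     * <p>The key store starts EMPTY (see {@link #keyStoreForCerts}), so the resulting trust
     * manager accepts only the listed certificates and none of the platform CAs. An empty
     * list yields a trust manager with no accepted issuers, i.e. one that rejects every
     * peer (fail closed); combine it with the platform default trust manager if the client
     * must also reach hosts signed by public CAs.
     *
     * @param serverCerts files each containing one X.509 certificate (PEM or DER)
     * @return a trust manager whose trust anchors are exactly those certificates
     * @throws IOException if a file cannot be read
     * @throws CertificateException if a file does not contain a parseable certificate
     * @throws KeyStoreException if the key store cannot be created or populated
     * @throws NoSuchAlgorithmException if the default key store or trust manager
     *     algorithm is unavailable
     */
    public static X509TrustManager load(List<File> serverCerts)
            throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException {
        return trustManagerForKeyStore(keyStoreForCerts(serverCerts));
    }

    /**
     * Wraps an already-populated trust store in the platform's default
     * {@link TrustManagerFactory} and returns its X.509 trust manager.
     *
     * @param ks the trust store; its certificate entries become the trust anchors
     * @return the first {@link X509TrustManager} produced by the factory
     * @throws IllegalStateException if the factory yields no X509TrustManager (the original
     *     code cast element {@code [0]} blindly and would have failed with a
     *     ClassCastException or ArrayIndexOutOfBoundsException instead)
     * @throws NoSuchAlgorithmException if the default trust manager algorithm is unavailable
     * @throws KeyStoreException if the factory cannot read the key store
     */
    public static X509TrustManager trustManagerForKeyStore(KeyStore ks)
            throws NoSuchAlgorithmException, KeyStoreException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        // Select the X.509 manager explicitly instead of blindly casting element [0].
        for (javax.net.ssl.TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException(
                "No X509TrustManager produced by " + tmf.getAlgorithm() + " TrustManagerFactory");
    }

    /**
     * Creates an empty key store of the default type and adds the first certificate found in
     * each file as a trusted certificate entry.
     *
     * <p>{@code ks.load(null)} deliberately starts from an EMPTY store, not from the JDK's
     * {@code cacerts}, so nothing but the listed certificates will be trusted. Only the first
     * certificate in each file is read; a file holding a whole chain contributes just its
     * leading certificate. A file that does not parse as X.509 aborts the whole load
     * (fail closed) rather than being skipped.
     *
     * @param serverCerts certificate files; the certificate from the {@code i}-th file is
     *     stored under alias {@code "cacrt.<i>"}
     * @return the populated key store
     * @throws CertificateException if a file is not a parseable X.509 certificate
     * @throws IOException if a file cannot be opened or read
     * @throws KeyStoreException if the key store cannot be created or populated
     * @throws NoSuchAlgorithmException if the default key store type is unavailable
     */
    public static KeyStore keyStoreForCerts(List<File> serverCerts)
            throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null); // empty store — intentionally NOT the system CA set
        int index = 0;
        for (File certFile : serverCerts) {
            try (InputStream is = new FileInputStream(certFile)) {
                X509Certificate caCert = (X509Certificate) cf.generateCertificate(is);
                ks.setCertificateEntry("cacrt." + index, caCert);
            }
            index++;
        }
        return ks;
    }
}

注意:上面这段代码是从一个空的 KeyStore 开始的(`ks.load(null)`),因此生成的 TrustManager 只信任传入的那几张证书,并不包含系统自带的 CA。这在把客户端锁定到自己的服务器时正是想要的效果;但如果同一个客户端还要访问其他站点(例如加载外部托管的图片),就必须把它与平台默认的 TrustManager 组合起来(链接的文件里可能另有这样的组合逻辑,请自行核对),否则那些连接都会失败。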
然后,在此基础上,您还可以使用 CertificatePinner 要求您的域只能使用那张受信任的自签名证书(在 OkHttp 中是以证书公钥 SPKI 的 SHA-256 哈希来固定的)。请注意,CertificatePinner 是在 TrustManager 校验和主机名验证通过之后的额外检查,它并不能替代这两者;另外固定时最好同时加入一个备用密钥的哈希,以免将来轮换证书时把客户端锁死。



