即使使用 CA 签名的证书，证书固定也会失败

Question

我正在尝试通过 Retrofit 在 Android 上使用证书固定。我正在尝试评估有效的 Verisign 签名证书。

我收到以下错误：

HTTP FAILED: javax.net.ssl.SSLPeerUnverifiedException: 未能找到签署证书的可信证书。

为什么证书 pinner 不能针对设备的 CA 根证书进行评估？它是否无权访问设备信任？或者设备信任可能不包含整个证书链。但是为什么我的 SSL 通信没有失败呢？

// Pin Certificate
CertificatePinner certificatePinner = new CertificatePinner.Builder()
        .add("www.mydomain.com", "sha256/somerandompublickeystring")
        .build();

// To handle self-signed cert
OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder();

OkHttpClient client = clientBuilder.connectTimeout(120, TimeUnit.SECONDS)
        .writeTimeout(120, TimeUnit.SECONDS)
        .readTimeout(120, TimeUnit.SECONDS)
        .certificatePinner(certificatePinner)
        .build();

Answer 1

找到了答案。我可以获得如下所示的 Root 信任，并在 sslSocketFactory 调用中使用它。这对我有用。

OkHttpClient client = clientBuilder.connectTimeout(120, TimeUnit.SECONDS)
        .writeTimeout(120, TimeUnit.SECONDS)
        .readTimeout(120, TimeUnit.SECONDS)
        .sslSocketFactory(getSystemDefaultSSLSocketFactory(app))
        .certificatePinner(certificatePinner)
        .build();

private static SSLSocketFactory getSystemDefaultSSLSocketFactory(Application app) {
    SSLContext sslContext = null;
    try
    {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init((KeyStore) null);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
            throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
        }
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustManagers, null);

    }
    catch(Exception ex)
    {
        Log.e("TAG",ex.getMessage());
    }
    return sslContext.getSocketFactory();

}