java go nginx android https 单向 双向认证
16lz
2021-01-26
闲聊
验证服务端证书 如果是花钱购买的 最好验证 如果不是 要跳过验证服务端证书
nginx 配置双向验证 中 server 可以和 根证书没有关系 可以使用两个ca 证书
#自己生成 证书 丢给权威机构认证openssl genrsa -des3 -out jesonc.key 2048openssl req -new -key jesonc.key -out jesonc.csr#自己认证 使用下面的方式 nginx 会有保护吗openssl x509 -req -days 3650 -in jesonc.csr -signkey jesonc.key -out jesonc.crt#去掉保护码openssl rsa -in jesonc.key -out jesonc_onpas.keyopenssl req -new -key jesonc_onpas.key -out jesonc.csropenssl x509 -req -days 3650 -in jesonc.csr -signkey jesonc_onpas.key -out jesonc.crt#一步到位openssl genrsa -des3 -out jesonc.key 2048openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out jesonc.crt
使用一个ca 签发 服务端 和客户端
#生成ca 证书openssl genrsa -out ca.key 2048openssl req -new -x509 -days 3650 -key ca.key -out ca.crt#server 端openssl genrsa -out server.pem 2048openssl rsa -in server.pem -out server.keyopenssl req -new -key server.pem -out server.csr#生成签发openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt#client端openssl genrsa -out client.pem 2048openssl rsa -in client.pem -out client.key#生成签发请求openssl req -new -key client.pem -out client.csropenssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client.crtopenssl pkcs12 -export -clcerts -in ./client.crt -inkey ./client.key -out ./client.p12keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore client.jksopenssl x509 -in ca.crt -out ca.cer -outform der
使用不同的ca证书
服务端 shell 脚本
openssl genrsa -des3 -out server.key 2048openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
配置客户端shell 脚本
# 双向认证 client ca 签发openssl genrsa -out ca.key 2048openssl req -new -x509 -days 3650 -key ca.key -out ca.crtopenssl genrsa -out client.pem 2048openssl rsa -in client.pem -out client.key#生成签发请求openssl req -new -key client.pem -out client.csropenssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client.crtopenssl pkcs12 -export -clcerts -in ./client.crt -inkey ./client.key -out ./client.p12keytool -importkeystore -srckeystore client.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore client.jksopenssl x509 -in ca.crt -out ca.cer -outform der
ngxin https 单向认证配置
server { server_name localhost;listen 8899;ssl on;ssl_certificate ca-demo5/server.crt;ssl_certificate_key ca-demo5/server.key;location / {root html;index index.html index.htm;}}
ngxin https 双向认证配置
server { server_name localhost;listen 8899;ssl on;ssl_certificate ca-demo5/server.crt;ssl_certificate_key ca-demo5/server.key;ssl_client_certificate ca-demo5/ca.crt;ssl_verify_client on;location / {root html;index index.html index.htm;}}
java 端https 单向 双向 认证代码
// 跳过验证服务端证书 private static final class DefaultTrustManager implements X509TrustManager { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public X509Certificate[] getAcceptedIssuers() { return null; } }//双向认证public static SSLSocketFactory getSSLSocketFactory() { / /验证服务端ca证书 如果是花钱购买的 最好验证 如果不是 要跳过验证服务端证书 String path1 = "D:\\openresty-1.13.6.2-win64\\conf\\ca-demo5\\ca.cer"; try { InputStream certificates[] = {new FileInputStream(path1)}; CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.load(null); int index = 0; for (InputStream certificate : certificates) { String certificateAlias = Integer.toString(index++); keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate)); try { if (certificate != null) certificate.close(); } catch (IOException e) { } } String defaultAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); SSLContext sslContext = SSLContext.getInstance("TLS"); TrustManagerFactory trustManagerFactory = TrustManagerFactory. getInstance(defaultAlgorithm); trustManagerFactory.init(keyStore); //初始化keystore KeyStore clientKeyStore = KeyStore.getInstance(KeyStore.getDefaultType()); String path = "D:\\openresty-1.13.6.2-win64\\conf\\ca-demo5\\client.jks"; InputStream in = new FileInputStream(path); // 123456 是 jks 密码 clientKeyStore.load(in, "123456".toCharArray()); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); //demo 是原密码 keyManagerFactory.init(clientKeyStore, "demo".toCharArray()); // sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom()); sslContext.init(keyManagerFactory.getKeyManagers(), new TrustManager[] { new DefaultTrustManager() }, new SecureRandom()); //sslContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom()); SSLSocketFactory socketFactory = sslContext.getSocketFactory(); return socketFactory; } catch (Exception e) { e.printStackTrace(); } return null; }private static HttpsURLConnection getHttpsURLConnection(String uri, String method) throws IOException { /* //单向认证 SSLContext ctx = null; try { ctx = SSLContext.getInstance("TLS"); ctx.init(new KeyManager[0], new TrustManager[] { new DefaultTrustManager() }, new SecureRandom()); } catch (KeyManagementException e) { e.printStackTrace(); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } SSLSocketFactory ssf = ctx.getSocketFactory(); */ //这里使用双向认证 SSLSocketFactory ssf = getSSLSocketFactory(); URL url = new URL(uri); HttpsURLConnection httpsConn = (HttpsURLConnection) url.openConnection(); httpsConn.setSSLSocketFactory(ssf); httpsConn.setHostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String arg0, SSLSession arg1) { return true; } }); httpsConn.setRequestMethod(method); httpsConn.setDoInput(true); httpsConn.setDoOutput(true); return httpsConn; }
golang 中实现双向认证
func main() {basePath := "D:\\openresty-1.13.6.2-win64\\conf\\ca-demo5"rootCa:=basePath+"\\ca.crt"client_crt:=basePath + "\\client.crt"client_key:=basePath + "\\client.key"pool := x509.NewCertPool()addTrust(pool, rootCa) //添加信任的证书,最好是服务端对应的根证书 cliCrt, err := tls.LoadX509KeyPair(client_crt, client_key) if err != nil { fmt.Println("Loadx509keypair err:", err) return } tr := &http.Transport{ TLSClientConfig: &tls.Config{ RootCAs: pool, Certificates: []tls.Certificate{cliCrt}, InsecureSkipVerify: true, //跳过验证服务端证书 }, } client := &http.Client{Transport: tr} //resp, err := client.Get("https://SZ:8008/") //此处必须使用域名或者host内的别名resp, err := client.Get("https://localhost:8899/") //此处必须使用域名或者host内的别名 if err != nil { fmt.Println("Get error:", err) return } defer resp.Body.Close() body, err := ioutil.ReadAll(resp.Body) fmt.Println(string(body))}func addTrust(pool *x509.CertPool, path string) { aCrt, err := ioutil.ReadFile(path) if err != nil { fmt.Println("ReadFile err:", err) return } pool.AppendCertsFromPEM(aCrt)}
android 配置https 双向认证
https 证书配置 bks
工具下载
Download portecle-1.9.zip (3.4 MB)
使用okhttp 来访问
public void http()throws Exception{ // p12 转过来的 bks InputStream in = getAssets().open("client.bks"); //信任的证书 最后不加入 InputStream in2 = getAssets().open("ca.cer"); InputStream[] certificates = {in2}; // SslSocketFactory 工具 HttpsUtils.SSLParams demo = HttpsUtils.getSslSocketFactory(null, in, "demo"); OkHttpClient client = new OkHttpClient.Builder() // 添加 主机名 验证 或者会报错 .hostnameVerifier(new HostnameVerifier() { @Override public boolean verify(String hostname, SSLSession session){ return true; } }) //重点 .sslSocketFactory(demo.sSLSocketFactory,demo.trustManager).build(); String url = "https://192.168.1.103:8899/"; Request request = new Request.Builder().url(url).build(); client.newCall(request).enqueue(new Callback() { @Override public void onFailure(Call call, IOException e) { Log.e(TAG2, "onFailure: " +e.toString()); runOnUiThread(new Runnable() { @Override public void run() { Toast.makeText(MainActivity.this, "onFailure", Toast.LENGTH_SHORT).show(); } }); } @Override public void onResponse(Call call, Response response) throws IOException { runOnUiThread(new Runnable() { @Override public void run() { Toast.makeText(MainActivity.this, "成功", Toast.LENGTH_SHORT).show(); } }); } }); }
HttpsUtils 工具类
package demo.zgt.com.myapplication.demo;import java.io.IOException;import java.io.InputStream;import java.security.KeyManagementException;import java.security.KeyStore;import java.security.KeyStoreException;import java.security.NoSuchAlgorithmException;import java.security.UnrecoverableKeyException;import java.security.cert.CertificateException;import java.security.cert.CertificateFactory;import java.security.cert.X509Certificate;import javax.net.ssl.HostnameVerifier;import javax.net.ssl.KeyManager;import javax.net.ssl.KeyManagerFactory;import javax.net.ssl.SSLContext;import javax.net.ssl.SSLSession;import javax.net.ssl.SSLSocketFactory;import javax.net.ssl.TrustManager;import javax.net.ssl.TrustManagerFactory;import javax.net.ssl.X509TrustManager;/** * Created by zhy on 15/12/14. */public class HttpsUtils{ public static class SSLParams { public SSLSocketFactory sSLSocketFactory; public X509TrustManager trustManager; } public static SSLParams getSslSocketFactory(InputStream[] certificates, InputStream bksFile, String password) { SSLParams sslParams = new SSLParams(); try { TrustManager[] trustManagers = prepareTrustManager(certificates); KeyManager[] keyManagers = prepareKeyManager(bksFile, password); SSLContext sslContext = SSLContext.getInstance("TLS"); X509TrustManager trustManager = null; if (trustManagers != null) { trustManager = new MyTrustManager(chooseTrustManager(trustManagers)); } else { trustManager = new UnSafeTrustManager(); } sslContext.init(keyManagers, new TrustManager[]{trustManager},null); sslParams.sSLSocketFactory = sslContext.getSocketFactory(); sslParams.trustManager = trustManager; return sslParams; } catch (NoSuchAlgorithmException e) { throw new AssertionError(e); } catch (KeyManagementException e) { throw new AssertionError(e); } catch (KeyStoreException e) { throw new AssertionError(e); } } private class UnSafeHostnameVerifier implements HostnameVerifier { @Override public boolean verify(String hostname, SSLSession session) { return true; } } private static class UnSafeTrustManager implements X509TrustManager { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public X509Certificate[] getAcceptedIssuers() { return new java.security.cert.X509Certificate[]{}; //return null; } } private static TrustManager[] prepareTrustManager(InputStream... certificates) { if (certificates == null || certificates.length <= 0) return null; try { CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.load(null); int index = 0; for (InputStream certificate : certificates) { String certificateAlias = Integer.toString(index++); keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate)); try { if (certificate != null) certificate.close(); } catch (IOException e) { } } TrustManagerFactory trustManagerFactory = null; trustManagerFactory = TrustManagerFactory. getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(keyStore); TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); return trustManagers; } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (CertificateException e) { e.printStackTrace(); } catch (KeyStoreException e) { e.printStackTrace(); } catch (Exception e) { e.printStackTrace(); } return null; } private static KeyManager[] prepareKeyManager(InputStream bksFile, String password) { try { if (bksFile == null || password == null) return null; KeyStore clientKeyStore = KeyStore.getInstance("BKS"); clientKeyStore.load(bksFile, password.toCharArray()); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(clientKeyStore, password.toCharArray()); return keyManagerFactory.getKeyManagers(); } catch (KeyStoreException e) { e.printStackTrace(); } catch (NoSuchAlgorithmException e) { e.printStackTrace(); } catch (UnrecoverableKeyException e) { e.printStackTrace(); } catch (CertificateException e) { e.printStackTrace(); } catch (IOException e) { e.printStackTrace(); } catch (Exception e) { e.printStackTrace(); } return null; } private static X509TrustManager chooseTrustManager(TrustManager[] trustManagers) { for (TrustManager trustManager : trustManagers) { if (trustManager instanceof X509TrustManager) { return (X509TrustManager) trustManager; } } return null; } private static class MyTrustManager implements X509TrustManager { private X509TrustManager defaultTrustManager; private X509TrustManager localTrustManager; public MyTrustManager(X509TrustManager localTrustManager) throws NoSuchAlgorithmException, KeyStoreException { TrustManagerFactory var4 = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); var4.init((KeyStore) null); defaultTrustManager = chooseTrustManager(var4.getTrustManagers()); this.localTrustManager = localTrustManager; } @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { try { defaultTrustManager.checkServerTrusted(chain, authType); } catch (CertificateException ce) { localTrustManager.checkServerTrusted(chain, authType); } } @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; } }}
如何失败了可以试试下面的方法
#生成CA 证书openssl genrsa -des3 -out cakey.pem 2048openssl req -new -x509 -days 3650 -key cakey.pem -out ca.crt#生成service 认证openssl genrsa -out server.keyopenssl req -new -key server.key -out server.csropenssl ca -in server.csr -cert ca.crt -keyfile cakey.pem -out server.crt -days 3650#生成client 认证openssl genrsa -des3 -out client.key 2048openssl req -new -key client.key -out client.csropenssl ca -in client.csr -cert ca.crt -keyfile cakey.pem -out client.crt -config "/etc/ssl/openssl.cnf"openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12#不同ca service 认证openssl genrsa -des3 -out server.key 2048openssl req -days 3650 -x509 -sha256 -nodes -newkey rsa:2048 -keyout server.key -out server.crt
/etc/ssl/openssl.cnf 文件内容
## OpenSSL example configuration file.# This is mostly being used for generation of certificate requests.## This definition stops the following lines choking if HOME isn't# defined.HOME= .RANDFILE= $ENV::HOME/.rnd# Extra OBJECT IDENTIFIER info:#oid_file= $ENV::HOME/.oidoid_section= new_oids# To use this configuration file with the "-extfile" option of the# "openssl x509" utility, name here the section containing the# X.509v3 extensions to use:# extensions= # (Alternatively, use a configuration file that has only# X.509v3 extensions in its main [= default] section.)[ new_oids ]# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.# Add a simple OID like this:# testoid1=1.2.3.4# Or use config file substitution like this:# testoid2=${testoid1}.5.6# Policies used by the TSA examples.tsa_policy1 = 1.2.3.4.1tsa_policy2 = 1.2.3.4.5.6tsa_policy3 = 1.2.3.4.5.7####################################################################[ ca ]default_ca= CA_default# The default ca section####################################################################[ CA_default ]dir= /etc/pki/CA# Where everything is keptcerts= $dir/certs# Where the issued certs are keptcrl_dir= $dir/crl# Where the issued crl are keptdatabase= $dir/index.txt# database index file.#unique_subject= no# Set to 'no' to allow creation of# several ctificates with same subject.new_certs_dir= $dir/newcerts# default place for new certs.certificate= $dir/cacert.pem # The CA certificateserial= $dir/serial # The current serial numbercrlnumber= $dir/crlnumber# the current crl number# must be commented out to leave a V1 CRLcrl= $dir/crl.pem # The current CRLprivate_key= $dir/private/cakey.pem# The private keyRANDFILE= $dir/private/.rand# private random number filex509_extensions= usr_cert# The extentions to add to the cert# Comment out the following two lines for the "traditional"# (and highly broken) format.name_opt = ca_default# Subject Name optionscert_opt = ca_default# Certificate field options# Extension copying option: use with caution.# copy_extensions = copy# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs# so this is commented out by default to leave a V1 CRL.# crlnumber must also be commented out to leave a V1 CRL.# crl_extensions= crl_extdefault_days= 3650# how long to certify fordefault_crl_days= 30# how long before next CRLdefault_md= sha256# use SHA-256 by defaultpreserve= no# keep passed DN ordering# A few difference way of specifying how similar the request should look# For type CA, the listed attributes must be the same, and the optional# and supplied fields are just that :-)policy= policy_match# For the CA policy[ policy_match ]countryName= matchstateOrProvinceName= matchorganizationName= matchorganizationalUnitName= optionalcommonName= suppliedemailAddress= optional# For the 'anything' policy# At this point in time, you must list all acceptable 'object'# types.[ policy_anything ]countryName= optionalstateOrProvinceName= optionallocalityName= optionalorganizationName= optionalorganizationalUnitName= optionalcommonName= suppliedemailAddress= optional####################################################################[ req ]default_bits= 2048default_md= sha256default_keyfile = privkey.pemdistinguished_name= req_distinguished_nameattributes= req_attributesx509_extensions= v3_ca# The extentions to add to the self signed cert# Passwords for private keys if not present they will be prompted for# input_password = secret# output_password = secret# This sets a mask for permitted string types. There are several options. # default: PrintableString, T61String, BMPString.# pkix : PrintableString, BMPString (PKIX recommendation before 2004)# utf8only: only UTF8Strings (PKIX recommendation after 2004).# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).# MASK:XXXX a literal mask value.# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.string_mask = utf8only# req_extensions = v3_req # The extensions to add to a certificate request[ req_distinguished_name ]countryName= Country Name (2 letter code)countryName_default= XXcountryName_min= 2countryName_max= 2stateOrProvinceName= State or Province Name (full name)#stateOrProvinceName_default= Default ProvincelocalityName= Locality Name (eg, city)localityName_default= Default City0.organizationName= Organization Name (eg, company)0.organizationName_default= Default Company Ltd# we can do this but it is not needed normally :-)#1.organizationName= Second Organization Name (eg, company)#1.organizationName_default= World Wide Web Pty LtdorganizationalUnitName= Organizational Unit Name (eg, section)#organizationalUnitName_default=commonName= Common Name (eg, your name or your server\'s hostname)commonName_max= 64emailAddress= Email AddressemailAddress_max= 64# SET-ex3= SET extension number 3[ req_attributes ]challengePassword= A challenge passwordchallengePassword_min= 4challengePassword_max= 20unstructuredName= An optional company name[ usr_cert ]# These extensions are added when 'ca' signs a request.# This goes against PKIX guidelines but some CAs do it and some software# requires this to avoid interpreting an end user certificate as a CA.basicConstraints=CA:FALSE# Here are some examples of the usage of nsCertType. If it is omitted# the certificate can be used for anything *except* object signing.# This is OK for an SSL server.# nsCertType= server# For an object signing certificate this would be used.# nsCertType = objsign# For normal client use this is typical# nsCertType = client, email# and for everything including object signing:# nsCertType = client, email, objsign# This is typical in keyUsage for a client certificate.# keyUsage = nonRepudiation, digitalSignature, keyEncipherment# This will be displayed in Netscape's comment listbox.nsComment= "OpenSSL Generated Certificate"# PKIX recommendations harmless if included in all certificates.subjectKeyIdentifier=hashauthorityKeyIdentifier=keyid,issuer# This stuff is for subjectAltName and issuerAltname.# Import the email address.# subjectAltName=email:copy# An alternative to produce certificates that aren't# deprecated according to PKIX.# subjectAltName=email:move# Copy subject details# issuerAltName=issuer:copy#nsCaRevocationUrl= http://www.domain.dom/ca-crl.pem#nsBaseUrl#nsRevocationUrl#nsRenewalUrl#nsCaPolicyUrl#nsSslServerName# This is required for TSA certificates.# extendedKeyUsage = critical,timeStamping[ v3_req ]# Extensions to add to a certificate requestbasicConstraints = CA:FALSEkeyUsage = nonRepudiation, digitalSignature, keyEncipherment[ v3_ca ]# Extensions for a typical CA# PKIX recommendation.subjectKeyIdentifier=hashauthorityKeyIdentifier=keyid:always,issuer# This is what PKIX recommends but some broken software chokes on critical# extensions.#basicConstraints = critical,CA:true# So we do this instead.basicConstraints = CA:true# Key usage: this is typical for a CA certificate. However since it will# prevent it being used as an test self-signed certificate it is best# left out by default.# keyUsage = cRLSign, keyCertSign# Some might want this also# nsCertType = sslCA, emailCA# Include email address in subject alt name: another PKIX recommendation# subjectAltName=email:copy# Copy issuer details# issuerAltName=issuer:copy# DER hex encoding of an extension: beware experts only!# obj=DER:02:03# Where 'obj' is a standard or added object# You can even override a supported extension:# basicConstraints= critical, DER:30:03:01:01:FF[ crl_ext ]# CRL extensions.# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.# issuerAltName=issuer:copyauthorityKeyIdentifier=keyid:always[ proxy_cert_ext ]# These extensions should be added when creating a proxy certificate# This goes against PKIX guidelines but some CAs do it and some software# requires this to avoid interpreting an end user certificate as a CA.basicConstraints=CA:FALSE# Here are some examples of the usage of nsCertType. If it is omitted# the certificate can be used for anything *except* object signing.# This is OK for an SSL server.# nsCertType= server# For an object signing certificate this would be used.# nsCertType = objsign# For normal client use this is typical# nsCertType = client, email# and for everything including object signing:# nsCertType = client, email, objsign# This is typical in keyUsage for a client certificate.# keyUsage = nonRepudiation, digitalSignature, keyEncipherment# This will be displayed in Netscape's comment listbox.nsComment= "OpenSSL Generated Certificate"# PKIX recommendations harmless if included in all certificates.subjectKeyIdentifier=hashauthorityKeyIdentifier=keyid,issuer# This stuff is for subjectAltName and issuerAltname.# Import the email address.# subjectAltName=email:copy# An alternative to produce certificates that aren't# deprecated according to PKIX.# subjectAltName=email:move# Copy subject details# issuerAltName=issuer:copy#nsCaRevocationUrl= http://www.domain.dom/ca-crl.pem#nsBaseUrl#nsRevocationUrl#nsRenewalUrl#nsCaPolicyUrl#nsSslServerName# This really needs to be in place for it to be a proxy certificate.proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo####################################################################[ tsa ]default_tsa = tsa_config1# the default TSA section[ tsa_config1 ]# These are used by the TSA reply generation only.dir= ./demoCA# TSA root directoryserial= $dir/tsaserial# The current serial number (mandatory)crypto_device= builtin# OpenSSL engine to use for signingsigner_cert= $dir/tsacert.pem # The TSA signing certificate# (optional)certs= $dir/cacert.pem# Certificate chain to include in reply# (optional)signer_key= $dir/private/tsakey.pem # The TSA private key (optional)default_policy= tsa_policy1# Policy if request did not specify it# (optional)other_policies= tsa_policy2, tsa_policy3# acceptable policies (optional)digests= sha1, sha256, sha384, sha512# Acceptable message digests (mandatory)accuracy= secs:1, millisecs:500, microsecs:100# (optional)clock_precision_digits = 0# number of digits after dot. (optional)ordering= yes# Is ordering defined for timestamps?# (optional, default: no)tsa_name= yes# Must the TSA name be included in the reply?# (optional, default: no)ess_cert_id_chain= no# Must the ESS cert id chain be included?# (optional, default: no)
更多相关文章
- 【Android】支持https接口调用的简单证书校验
- Android指纹识别,看这一篇就够了
- Android(安卓)Studio AIDL实现
- java Android(安卓)OKHttp HTTPS 请求证书验证 PEM证书(1)
- Android中socket的实例分析(二)
- 简述Android(安卓)framework之AMS、PMS、WMS
- android 蓝牙搜索、配对连接通信总结
- Android(安卓)7.0及以上版本 使用fillder抓取https请求
- ADB源码分析(一)