没有中介的 OkHttp 客户端证书

OkHttp client certificate without intermediaries

我正在尝试使用 okhttp 对服务器进行身份验证。

使用 curl 会这样:

curl \
--cert certificate.cer \
--key private-key.pkcs8 \
"https://some-url"

不幸的是,okhttp-tls 似乎总是希望除了持有的证书之外还有一系列证书,而我没有。

heldCertificate 除了 clientCertificate 之外,还需要证书链,这与 reame 中提供的示例相反:

HandshakeCertificates clientCertificates = new HandshakeCertificates.Builder()
    .addTrustedCertificate(rootCertificate.certificate())
    .heldCertificate(clientCertificate) // <--------------------
    .build();

如何将 okhttp 与单个证书和我的私钥一起使用?

heldCertificates 期望在客户端证书(匹配私钥)和直到但不包括服务器已知信任的根 CA 之间可能存在中间链。因此,如果不需要其他证书,则可以将其省略。

https://square.github.io/okhttp/4.x/okhttp-tls/okhttp3.tls/-handshake-certificates/-builder/held-certificate/

Configure the certificate chain to use when being authenticated. The first certificate is the held certificate, further certificates are included in the handshake so the peer can build a trusted path to a trusted root certificate.

The chain should include all intermediate certificates but does not need the root certificate that we expect to be known by the remote peer. The peer already has that certificate so transmitting it is unnecessary.

这里有一些使用自签名证书(如果已知服务器已经信任)的示例,以及根据所连接的主机切换使用的密钥的示例。您需要根据您的具体设置调整这些设置,但它们应该为您提供一个测试起点。

https://github.com/square/okhttp/pull/6470/files