HTTPS proxy server (6): dynamic certificate signing in Java, second attempt [success]
1
X500Name canamem = new X500Name(caCertificate.getSubjectX500Principal().getName());
change to
X500Name issuerName = new JcaX509CertificateHolder(caCertificate).getSubject();
Otherwise writing the entry to the keystore fails with KeyStoreException: Certificate chain is not valid. getSubjectX500Principal().getName() returns an RFC 2253 string, and re-parsing that string into a BouncyCastle X500Name can change the RDN order and string encodings, so the issuer written into the leaf no longer equals the CA's subject, and the KeyStore's chain check (issuer of chain[i] must equal subject of chain[i+1]) rejects it. JcaX509CertificateHolder takes the subject straight from the CA certificate's DER encoding, so the two names are identical.
2
GeneralNames generalNames = new GeneralNames(
new GeneralName[]{new GeneralName(GeneralName.dNSName, subject), // subject = the host being intercepted
new GeneralName(GeneralName.dNSName, "hhh.com")}
);
certificateBuilder.addExtension(
org.bouncycastle.asn1.x509.Extension.subjectAlternativeName,
false, // SAN is a non-critical extension
generalNames
);
Required; verified on an iPhone. Modern TLS clients match the requested host against the subjectAltName entries and ignore the CN (Apple has required a SAN since iOS 13 / macOS 10.15), so a leaf without one is rejected even when the CN is correct. The entry must be the exact host the client connects to, and an IP literal has to go in as GeneralName.iPAddress, not dNSName.
3
System.setProperty("javax.net.ssl.trustStore", "rootCA.pem");
This line must not be added. javax.net.ssl.trustStore names a keystore file (JKS or PKCS12) from which JSSE builds its default TrustManager; a PEM file cannot be loaded as a keystore. Because getSslContextSuper below passes null trust managers to sslContext.init, JSSE does build that default TrustManager, so the bad property breaks context initialisation even though this server-side context never verifies a client certificate. The property is read in the JDK's TrustStoreManager:
/Library/Java/JavaVirtualMachines/jdk-11.jdk/Contents/Home!/java.base/sun/security/ssl/TrustStoreManager.class
static {
fileSep = File.separator;
defaultStorePath = GetPropertyAction.privilegedGetProperty("java.home") + fileSep + "lib" + fileSep + "security";
defaultStore = defaultStorePath + fileSep + "cacerts";
jsseDefaultStore = defaultStorePath + fileSep + "jssecacerts";
}
sun.security.ssl.TrustStoreManager.TrustStoreDescriptor#createInstance
String storePropName = System.getProperty("javax.net.ssl.trustStore", TrustStoreManager.TrustStoreDescriptor.jsseDefaultStore);
Otherwise it seemed to fail around here, though I don't remember the exact error.
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Server-side context for one intercepted host. Only a key manager is supplied; the null
// trust-manager argument makes JSSE build the default TrustManager from the default trust store.
public static SSLContext getSslContextSuper(String host) throws Exception {
// "TLS" rather than the deprecated "TLSv1" context name: TLS 1.0 itself is disabled by default
// on current JDK updates, and "TLS" lets JSSE negotiate whatever versions it currently enables.
SSLContext sslContext = SSLContext.getInstance("TLS");
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
KeyStore ks = CertificateGenerator.genkeyStore(host); // leaf key plus chain [leaf, CA] for this host
char[] passArray = "changeit".toCharArray();
kmf.init(ks, passArray);
sslContext.init(kmf.getKeyManagers(), null, null);
return sslContext;
}
4
new Date(System.currentTimeMillis() - 60000),
Backdate the server certificate's notBefore. Otherwise, when the iPhone's clock is behind the Mac's, or the certificate is issued and delivered within the same second, the iPhone sees a notBefore that lies in its future and rejects the certificate as not yet valid. One minute was enough in this setup; intercepting proxies commonly backdate by hours or a day to absorb larger clock skew.
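The four fixes above, assembled into one working issuer, as an added example that is not the post's own CertificateGenerator (the class and method names ProxyCertExample, genKeyStore and sslContextFor, and the in-memory CA built in main, are assumptions). It needs bcprov and bcpkix on the classpath, generates a throwaway CA so it runs offline, and goes slightly beyond the post by putting IP-literal hosts into the SAN as iPAddress and by checking the issuer/subject match and the CA signature before the KeyStore does.

```java
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Added example: per-host leaf signing for an intercepting HTTPS proxy (hypothetical names). */
public class ProxyCertExample {
    private static final long MINUTE_MS = 60_000L;
    private static final long DAY_MS = 24 * 60 * MINUTE_MS;
    private static final char[] PASS = "changeit".toCharArray(); // keystore password, as on the page

    /** Builds a leaf for host signed by the CA and returns a PKCS12 KeyStore with chain [leaf, ca]. */
    public static KeyStore genKeyStore(String host, X509Certificate caCert, PrivateKey caKey) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair leafKey = kpg.generateKeyPair();

        // Item 1: issuer name taken from the CA certificate's DER encoding, not a re-parsed
        // getName() string, so the leaf's issuer is byte-identical to the CA's subject.
        X500Name issuer = new JcaX509CertificateHolder(caCert).getSubject();
        X500Name subject = new X500Name("CN=" + host);

        // Item 4: backdate notBefore so a client whose clock is slightly behind does not reject the
        // certificate as "not yet valid"; validity kept well under Apple's 825-day limit.
        Date notBefore = new Date(System.currentTimeMillis() - MINUTE_MS);
        Date notAfter = new Date(System.currentTimeMillis() + 365 * DAY_MS);
        BigInteger serial = new BigInteger(64, new SecureRandom()); // distinct per issued leaf

        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                issuer, serial, notBefore, notAfter, subject, leafKey.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        b.addExtension(Extension.extendedKeyUsage, false,
                new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
        // Item 2: clients match the host against SAN, not CN. An IP literal must be an iPAddress
        // entry; a dNSName holding an IP string does not match.
        int tag = host.matches("\\d{1,3}(\\.\\d{1,3}){3}") || host.contains(":")
                ? GeneralName.iPAddress : GeneralName.dNSName;
        b.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(tag, host)));

        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(caKey);
        X509Certificate leaf = new JcaX509CertificateConverter().getCertificate(b.build(signer));

        // The same check the KeyStore makes ("Certificate chain is not valid"), done up front so
        // the failure is reported with context, plus a signature check against the CA key.
        if (!leaf.getIssuerX500Principal().equals(caCert.getSubjectX500Principal())) {
            throw new IllegalStateException("leaf issuer does not match CA subject for " + host);
        }
        leaf.verify(caCert.getPublicKey());

        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ks.setKeyEntry(host, leafKey.getPrivate(), PASS, new X509Certificate[] { leaf, caCert });
        return ks;
    }

    /** Item 3: key manager only. The null trust-manager argument makes JSSE load the default
     *  trust store, so javax.net.ssl.trustStore must stay unset (or name a real JKS/PKCS12 file). */
    public static SSLContext sslContextFor(String host, X509Certificate caCert, PrivateKey caKey) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(genKeyStore(host, caCert, caKey), PASS);
        SSLContext ctx = SSLContext.getInstance("TLS"); // "TLS", not the deprecated "TLSv1" name
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    /** Hypothetical in-memory self-signed CA so the example runs offline; a real proxy loads its CA from disk. */
    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair caKey = kpg.generateKeyPair();
        X500Name caName = new X500Name("CN=Example Proxy CA,O=Example");
        JcaX509v3CertificateBuilder cb = new JcaX509v3CertificateBuilder(caName, BigInteger.ONE,
                new Date(System.currentTimeMillis() - DAY_MS),
                new Date(System.currentTimeMillis() + 365 * DAY_MS), caName, caKey.getPublic());
        cb.addExtension(Extension.basicConstraints, true, new BasicConstraints(true));
        cb.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        X509Certificate caCert = new JcaX509CertificateConverter().getCertificate(
                cb.build(new JcaContentSignerBuilder("SHA256withRSA").build(caKey.getPrivate())));

        SSLContext ctx = sslContextFor("example.com", caCert, caKey.getPrivate());
        System.out.println("context ready: " + ctx.getProtocol());
    }
}
```

The proxy calls sslContextFor once per intercepted host (and should cache the result, since key generation dominates the cost). The early issuer/subject comparison is the same X500Principal equality the JDK keystore applies, so a regression of item 1 surfaces as a clear message naming the host instead of a bare KeyStoreException.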