一些知识点
1.服务端生成证书文件,其实只需要利用keyTool工具生成jks后,再利用KeyTool工具根据这个jks去签发出来一个证书就可以了。具体步骤为
1. 通过keytool命令生成 jks 秘钥文件
keytool -genkey -alias zhy_server
-keyalg RSA -keystore zhy_server.jks
-validity 3600 -storepass 123456
2. 通过keytool命令对 jks 进行签发证书
keytool -export -alias zhy_server
-file zhy_server.cer
-keystore zhy_server.jks
-storepass 123456
2.在加载证书的代码中,Java平台默认识别jks
格式的证书文件,但是android平台只识别bks
格式的证书文件。所以你需要将'jks'转换成bks
文件,放入项目中。
3.加载证书有两种实现方式(访问自签名的网站,单向验证):
1.你可以通过将证书文件.cer
放入到项目可读取的位置,如'assest'文件夹。
private static SSLSocketFactory getSSLSocketFactory_Certificate(Context context, String keyStoreType, int keystoreResId)
throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException, KeyManagementException {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = context.getResources().openRawResource(keystoreResId);
Certificate ca = cf.generateCertificate(caInput);
caInput.close();
if (keyStoreType == null || keyStoreType.length() == 0) {
keyStoreType = KeyStore.getDefaultType();
}
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
TrustManager[] wrappedTrustManagers = getWrappedTrustManagers(tmf.getTrustManagers());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, wrappedTrustManagers, null);
return sslContext.getSocketFactory();
}
2.你可以通过keytool命令,将.cer
文件以.rfc
格式输出(其实也就是文本格式),然后加载这段文本就行。
keytool -printcert -rfc -file srca.cer
4.Android中 自带的SSLContext的TrustManager无法进行工作,具体原因目前不清楚,可能是自带的TrustManager的内部实现不符合场景需求。
TrustManager的主要责任是去决定提出的认证证书应该是可信任的。如果证书是不可信任的,那么连接将会被终止
完整加载证书代码:
private static TrustManager[] getWrappedTrustManagers(TrustManager[] trustManagers) {
final X509TrustManager originalTrustManager = (X509TrustManager) trustManagers[0];
return new TrustManager[]{
new X509TrustManager() {
public X509Certificate[] getAcceptedIssuers() {
return originalTrustManager.getAcceptedIssuers();
}
public void checkClientTrusted(X509Certificate[] certs, String authType) {
try {
originalTrustManager.checkClientTrusted(certs, authType);
} catch (CertificateException e) {
e.printStackTrace();
}
}
public void checkServerTrusted(X509Certificate[] certs, String authType) {
try {
originalTrustManager.checkServerTrusted(certs, authType);
} catch (CertificateException e) {
e.printStackTrace();
}
}
}
};
}
/**
*
* @param context
* @param keyStoreType Keystore类型,一般都是jks 或者 bks,but,Android平台只识别bks,所以如果你要做这种
* 加密通信的话,你需要将你的秘钥转成bks格式
* @param keystoreResId
* @return
* @throws CertificateException
* @throws KeyStoreException
* @throws IOException
* @throws NoSuchAlgorithmException
* @throws KeyManagementException
*/
private static SSLSocketFactory getSSLSocketFactory_Certificate(Context context, String keyStoreType, int keystoreResId)
throws CertificateException, KeyStoreException, IOException, NoSuchAlgorithmException, KeyManagementException {
CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = context.getResources().openRawResource(keystoreResId);
Certificate ca = cf.generateCertificate(caInput);
caInput.close();
if (keyStoreType == null || keyStoreType.length() == 0) {
keyStoreType = KeyStore.getDefaultType();
}
KeyStore keyStore = KeyStore.getInstance(keyStoreType);
keyStore.load(null, null);
keyStore.setCertificateEntry("ca", ca);
String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
tmf.init(keyStore);
TrustManager[] wrappedTrustManagers = getWrappedTrustManagers(tmf.getTrustManagers());
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, wrappedTrustManagers, null);
return sslContext.getSocketFactory();
}
5. 默认信任所有证书
上面的代码都是在有证书的条件下,而如果没有证书呢?如果跳过这个环节还保证不出错?那么只能信任所有的证书
client.sslSocketFactory(createSSLSocketFactory());
client.hostnameVerifier(new TrustAllHostnameVerifier());
private static class TrustAllManager implements X509TrustManager {
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
}
private static class TrustAllHostnameVerifier implements HostnameVerifier {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
}