网络(二):简单易懂的https双向认证自制安全证书和tomcat配置
网络(三):简单易懂的Android平台Okhttp/Retrofit下的https双向认证环境配置
前面的两篇文章(网络(一)和网络(二))已经简单总结了https的工作原理、证书的生成过程和tomcat的配置以及PC端的证书导入过程,具体每一个不走都有相应的代码和截图。安卓平台下现在主流使用网络框架且官方推荐使用的网络框架为okhttp,或基于okhttp的retrofit框架,其实retrofit的配置还是通过okhttp配置。
证书准备
网络(二)中已经生成了客户端密钥client.jks 和包含服务端公钥证书publickeys.jks,但是安卓平台不支持jsk,需要将jsk转成bks,依然使用工具portecle进行转换。
证书导入工程
放入assets工程下就好了
image.png
读取密钥代码
import android.content.Context;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
/**
* Created by Zhouds
* Created time 2018/03/26.
* Description:
* Version: V 1.0
*/
public class SSLHelper {
/**
* 存储客户端自己的密钥
*/
private final static String CLIENT_PRI_KEY = "client.bks";
/**
* 存储服务器的公钥
*/
private final static String TRUSTSTORE_PUB_KEY = "publickey.bks";
/**
* 读取密码
*/
private final static String CLIENT_BKS_PASSWORD = "123321";
/**
* 读取密码
*/
private final static String PUCBLICKEY_BKS_PASSWORD = "123321";
private final static String KEYSTORE_TYPE = "BKS";
private final static String PROTOCOL_TYPE = "TLS";
private final static String CERTIFICATE_STANDARD = "X509";
public static SSLSocketFactory getSSLCertifcation(Context context) {
SSLSocketFactory sslSocketFactory = null;
try {
// 服务器端需要验证的客户端证书,其实就是客户端的keystore
KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
// 客户端信任的服务器端证书
KeyStore trustStore = KeyStore.getInstance(KEYSTORE_TYPE);
//读取证书
InputStream ksIn = context.getAssets().open(CLIENT_PRI_KEY);
InputStream tsIn = context.getAssets().open(TRUSTSTORE_PUB_KEY);
//加载证书
keyStore.load(ksIn, CLIENT_BKS_PASSWORD.toCharArray());
trustStore.load(tsIn, PUCBLICKEY_BKS_PASSWORD.toCharArray());
//关闭流
ksIn.close();
tsIn.close();
//初始化SSLContext
SSLContext sslContext = SSLContext.getInstance(PROTOCOL_TYPE);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(CERTIFICATE_STANDARD);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(CERTIFICATE_STANDARD);
trustManagerFactory.init(trustStore);
keyManagerFactory.init(keyStore, CLIENT_BKS_PASSWORD.toCharArray());
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
sslSocketFactory = sslContext.getSocketFactory();
} catch (KeyStoreException e) {
e.printStackTrace();
} catch (IOException e) {
e.printStackTrace();
} catch (CertificateException e) {
e.printStackTrace();
} catch (NoSuchAlgorithmException e) {
e.printStackTrace();
} catch (UnrecoverableKeyException e) {
e.printStackTrace();
} catch (KeyManagementException e) {
e.printStackTrace();
}
return sslSocketFactory;
}
}
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;
import itsen.com.bduidemo.lib.tool.LogTool;
/**
* Created by zhoud
* Created time 2018/03/27.
* Description:
* Version: V 1.0
*/
public class UnSafeHostnameVerifier implements HostnameVerifier {
@Override
public boolean verify(String hostname, SSLSession session) {
LogTool.e("hostname:"+hostname);
return true;
}
}
OKHTTP添加SSL
//参数配置
client = new OkHttpClient.Builder()
.sslSocketFactory(SSLHelper.getSSLCertifcation(this))
.hostnameVerifier(new UnSafeHostnameVerifier())
.addInterceptor(loggingInterceptor)
.connectTimeout(mTimeOut, TimeUnit.SECONDS)
.readTimeout(mTimeOut, TimeUnit.SECONDS)
.writeTimeout(mTimeOut, TimeUnit.SECONDS)
.build();
//retrofit 对象初始化
retrofit = new Retrofit.Builder()
.baseUrl(baseUrl + FORADN)
.addConverterFactory(GsonConverterFactory.create())
.client(client)
.build();
验证
1)tomcat日志,433端口接受了请求并返回请求
image.png
2)retrofit请求日志
image.png
3)手机页面
image.png
至此整个https双向认证环境搭建完毕!!!
如果解决你的问题,请给个喜欢,谢谢!!!
