Android端Https 数据传输双向认证

【1】双向认证：

• 客户端存放自己的密钥和服务期的公钥，服务器端存放自己的密钥和客户端的公钥，这样服务器的公钥是服务端的密钥来进行认证的，而客户端的公钥是客户端的密钥认证的，这样就实现了，客户端校验服务器，服务器校验客户端的操作。

 

• 生成客户端，服务端的公钥和私钥（android的keystore跟java的keystore加密方式是不太一样的，android的bks，而Java的jks的）

        1.参考BKS配置文档，配置JDK

        2.生成客户端私钥

                keytool -genkeypair -alias client -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore client.keystore

        3.生成客户端公钥

                keytool -export -alias client -file client.cer -keystore client.keystore -storepass 123456

        4.生成服务器私钥

                keytool -genkeypair -alias server -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore server.keystore

        5.生成服务器公钥

                keytool -export -alias server -file server.cer -keystore server.keystore -storepass 123456

        6.生成客户端信任证书库(由服务端证书生成的证书库)

                keytool -import -v -alias server -file server.cer -keystore truststore.jks -storepass 123456

        7.将客户端证书导入到服务器证书库(使得服务器信任客户端证书)

                keytool -import -v -alias client -file client.cer -keystore server.keystore -storepass 123456

• Tomcat进行配置打开TomCat根目录下的Conf目录下的Server.xml

 

 

 

Portecle工具使用

• 用Portecle工具，运行protecle.jar将client.keystore和truststore.jks分别转换成client.bks和truststore.bks,然后放到android客户端的assert目录下

• truststore.jks 是客户端密钥生成，信任证书

cd：当前文件夹    java -jar 调用portecle.jar

• 打开对应文件

• 进行转换

• 转换成功后保存

• 把文件添加assets 下

 

• 客户端访问

  try {

            // 服务器端需要验证的客户端证书，其实就是客户端的keystore

            KeyStore keyStore = KeyStore.getInstance("BKS");

            //读取证书

            InputStream ksIn = getResources().getAssets().open("client.bks");

            //加载证书

            keyStore.load(ksIn, "123456".toCharArray());

            ksIn.close();

            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");

            keyManagerFactory.init(keyStore, "123456".toCharArray());



            // 客户端信任的服务器端证书

            KeyStore trustStore = KeyStore.getInstance("BKS");

            InputStream tsIn = getResources().getAssets().open("truststore.bks");

            trustStore.load(tsIn, "123456".toCharArray());

            tsIn.close();

            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

            trustManagerFactory.init(trustStore);

            //初始化SSLContext

            SSLContext sslContext = SSLContext.getInstance("TLS");

            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

            //通过HttpsURLConnection设置链接

            URL connectUrl = new URL("https://10.0.2.2:8443");

            HttpsURLConnection conn = (HttpsURLConnection) connectUrl.openConnection();

            conn.setSSLSocketFactory(sslContext.getSocketFactory());

            //设置信任主机ip

            conn.setHostnameVerifier(new HostnameVerifier() {

                @Override

                public boolean verify(String hostname, SSLSession session) {

                    return true;

                }

            });

            InputStream inputStream = conn.getInputStream();

            //获取数据

            ByteArrayOutputStream out = new ByteArrayOutputStream();

            byte[] b = new byte[1024];

            int len = -1;

            while ((len = inputStream.read(b)) != -1) {

                out.write(b, 0, len);

            }

            String string = out.toString();

            Log.i("hh", string);

        } catch (Exception e) {

            e.printStackTrace();

        }