《网络（三）：简单易懂的Android平台Okhttp/Retrofit下的https双向认证环境配置》

网络（一）：简单易懂的Https工作原理

网络（二）：简单易懂的https双向认证自制安全证书和tomcat配置

网络（三）：简单易懂的Android平台Okhttp/Retrofit下的https双向认证环境配置

前面的两篇文章（网络（一）和网络（二））已经简单总结了https的工作原理、证书的生成过程和tomcat的配置以及PC端的证书导入过程，具体每一个不走都有相应的代码和截图。安卓平台下现在主流使用网络框架且官方推荐使用的网络框架为okhttp，或基于okhttp的retrofit框架，其实retrofit的配置还是通过okhttp配置。

证书准备

网络（二）中已经生成了客户端密钥client.jks 和包含服务端公钥证书publickeys.jks，但是安卓平台不支持jsk,需要将jsk转成bks,依然使用工具portecle进行转换。

证书导入工程

放入assets工程下就好了

image.png

读取密钥代码


import android.content.Context;

import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Created by Zhouds
 * Created time  2018/03/26.
 * Description:
 * Version: V 1.0
 */
public class SSLHelper {

    /**
     * 存储客户端自己的密钥
     */
    private final static String CLIENT_PRI_KEY = "client.bks";

    /**
     * 存储服务器的公钥
     */
    private final static String TRUSTSTORE_PUB_KEY = "publickey.bks";

    /**
     * 读取密码
     */
    private final static String CLIENT_BKS_PASSWORD = "123321";

    /**
     * 读取密码
     */
    private final static String PUCBLICKEY_BKS_PASSWORD = "123321";

    private final static String KEYSTORE_TYPE = "BKS";

    private final static String PROTOCOL_TYPE = "TLS";

    private final static String CERTIFICATE_STANDARD = "X509";



    public static SSLSocketFactory getSSLCertifcation(Context context) {

        SSLSocketFactory sslSocketFactory = null;

        try {
            // 服务器端需要验证的客户端证书，其实就是客户端的keystore
            KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
            // 客户端信任的服务器端证书
            KeyStore trustStore = KeyStore.getInstance(KEYSTORE_TYPE);

            //读取证书
            InputStream ksIn = context.getAssets().open(CLIENT_PRI_KEY);
            InputStream tsIn = context.getAssets().open(TRUSTSTORE_PUB_KEY);

            //加载证书
            keyStore.load(ksIn, CLIENT_BKS_PASSWORD.toCharArray());
            trustStore.load(tsIn, PUCBLICKEY_BKS_PASSWORD.toCharArray());

            //关闭流
            ksIn.close();
            tsIn.close();

            //初始化SSLContext
            SSLContext sslContext = SSLContext.getInstance(PROTOCOL_TYPE);
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(CERTIFICATE_STANDARD);
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(CERTIFICATE_STANDARD);

            trustManagerFactory.init(trustStore);
            keyManagerFactory.init(keyStore, CLIENT_BKS_PASSWORD.toCharArray());

            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
            sslSocketFactory = sslContext.getSocketFactory();
        } catch (KeyStoreException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (CertificateException e) {
            e.printStackTrace();
        } catch (NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (UnrecoverableKeyException e) {
            e.printStackTrace();
        } catch (KeyManagementException e) {
            e.printStackTrace();
        }
        return sslSocketFactory;
    }
}

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;

import itsen.com.bduidemo.lib.tool.LogTool;

/**
 * Created by zhoud
 * Created time  2018/03/27.
 * Description:
 * Version: V 1.0
 */
public class UnSafeHostnameVerifier implements HostnameVerifier {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        LogTool.e("hostname:"+hostname);
        return true;
    }
}

OKHTTP添加SSL

       //参数配置
        client = new OkHttpClient.Builder()
                .sslSocketFactory(SSLHelper.getSSLCertifcation(this))
                .hostnameVerifier(new UnSafeHostnameVerifier())
                .addInterceptor(loggingInterceptor)
                .connectTimeout(mTimeOut, TimeUnit.SECONDS)
                .readTimeout(mTimeOut, TimeUnit.SECONDS)
                .writeTimeout(mTimeOut, TimeUnit.SECONDS)
                .build();

        //retrofit 对象初始化
        retrofit = new Retrofit.Builder()
                .baseUrl(baseUrl + FORADN)
                .addConverterFactory(GsonConverterFactory.create())
                .client(client)
                .build();

验证

1）tomcat日志，433端口接受了请求并返回请求

image.png

2）retrofit请求日志

image.png

3）手机页面

image.png

至此整个https双向认证环境搭建完毕！！！

如果解决你的问题，请给个喜欢，谢谢！！！

《网络（三）：简单易懂的Android平台Okhttp/Retrofit下的https双向认证环境配置》

证书准备

证书导入工程

读取密钥代码

OKHTTP添加SSL

验证

你可能感兴趣的:(《网络（三）：简单易懂的Android平台Okhttp/Retrofit下的https双向认证环境配置》)