本文介紹Https單、雙向認證實現過程及自簽名證書生成方式,下附實現代碼
[HTTPS單雙向認證過程理解參見:](http://blog.csdn.net/u011084603/article/details/78540994)
一、HTTPS 單向認證
1. 給服務器生成密鑰
- keytool -genkeypair -alias skxy -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore skxy.keystore
keytool -genkeypair -alias skxy -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore skxy.keystore
2. 給Tomcat服務器配置Https
tomcat/config/server.xml修改connector配置- <Connector port=“8443” protocol=“org.apache.coyote.http11.Http11Protocol”
- maxThreads=“150” SSLEnabled=“true” scheme=“https” secure=“true”
- clientAuth=“false” sslProtocol=“TLS”
- keystoreFile=“conf/skxy.keystore”
- keystorePass=“123456”/>
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="conf/skxy.keystore"
keystorePass="123456"/>
3.導出證書
keytool -export -alias skxy -file skxy.cer -keystore skxy.keystore -storepass 123456
4.將證書放在android客戶端,能夠讀取的地方比如assert目錄
5.代碼中執行網絡請求,獲取證書,讀取https網站的數據
- String path = “https://10.0.3.2:8443/Test/Hlloer”;
- try {
- //獲取證書
- InputStream stream = getAssets().open(“skxy.cer”);
- SSLContext tls = SSLContext.getInstance(“TLS”);
- //使用默認證書
- KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
- //去掉系統默認證書
- keystore.load(null);
- Certificate certificate =
- CertificateFactory.getInstance(“X.509”).generateCertificate(stream);
- //設置自己的證書
- keystore.setCertificateEntry(“skxy”, certificate);
- //通過信任管理器獲取一個默認的算法
- String algorithm = TrustManagerFactory.getDefaultAlgorithm();
- //算法工廠創建
- TrustManagerFactory instance = TrustManagerFactory.getInstance(algorithm);
- instance.init(keystore);
- tls.init(null, instance.getTrustManagers(), null);
- SSLSocketFactory socketFactory = tls.getSocketFactory();
- HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
- URL url = new URL(path);
- HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
- //設置ip授權認證:如果已經安裝該證書,可以不設置,否則需要設置
- conn.setHostnameVerifier(new HostnameVerifier() {
- @Override
- public boolean verify(String hostname, SSLSession session) {
- return true;
- }
- });
- InputStream inputStream = conn.getInputStream();
- String result = getString(inputStream);
- stream.close();
String path = "https://10.0.3.2:8443/Test/Hlloer";
try {
//獲取證書
InputStream stream = getAssets().open("skxy.cer");
SSLContext tls = SSLContext.getInstance("TLS");
//使用默認證書
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
//去掉系統默認證書
keystore.load(null);
Certificate certificate =
CertificateFactory.getInstance("X.509").generateCertificate(stream);
//設置自己的證書
keystore.setCertificateEntry("skxy", certificate);
//通過信任管理器獲取一個默認的算法
String algorithm = TrustManagerFactory.getDefaultAlgorithm();
//算法工廠創建
TrustManagerFactory instance = TrustManagerFactory.getInstance(algorithm);
instance.init(keystore);
tls.init(null, instance.getTrustManagers(), null);
SSLSocketFactory socketFactory = tls.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
URL url = new URL(path);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
//設置ip授權認證:如果已經安裝該證書,可以不設置,否則需要設置
conn.setHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
InputStream inputStream = conn.getInputStream();
String result = getString(inputStream);
stream.close();
雙向認證
- 雙向證書驗證
首先對於雙向證書驗證,也就是說,客戶端有自己的密匙,並持有服務端的證書,服務端給客戶端發送數據時,需要將服務端的證書發給客戶端驗證,驗證通過才運行發送數據,同樣,客戶端請求服務器數據時,也需要將自己的證書發給服務端驗證,通過才允許執行請求。
按照以下步驟,我們設置雙向認證
1.生成客戶端keystore,因爲客戶端andoird不能用keystore格式的密鑰庫,所以先生成jks格式,再用Portecle工具轉成bks格式
- keytool -genkeypair -alias client -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore client.jks
keytool -genkeypair -alias client -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore client.jks
2.生成服務端keystore
- keytool -genkeypair -alias server -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore server.keystore
keytool -genkeypair -alias server -keyalg RSA -validity 3650 -keypass 123456 -storepass 123456 -keystore server.keystore
3.導出客戶端證書
- keytool -export -alias client -file client.cer -keystore client.jks -storepass 123456
keytool -export -alias client -file client.cer -keystore client.jks -storepass 123456
4.導出服務端證書
keytool -export -alias server -file server.cer -keystore server.keystore -storepass 123456
5.重點:證書交換,
將客戶端證書導入服務端keystore中,再將服務端證書導入客戶端keystore中, 一個keystore可以導入多個證書,生成證書列表
-
生成客戶端信任證書庫(由服務端證書生成的證書庫)
keytool -import -v -alias server -file E:\ssl\server.cer -keystore E:\ssl\truststore.jks -storepass 123456
-
將客戶端證書導入到服務器證書庫(使得服務器信任客戶端證書)
keytool -import -v -alias client -file E:\ssl\client.cer -keystore E:\ssl\server.keystore -storepass 123456
6.查看證書庫中的全部證書
- keytool -list -keystore E:\ssl\server.keystore -storepass 123456
7.配置服務器
-
修改server.xml文件
備註: - keystoreFile:指定服務器密鑰庫,可以配置成絕對路徑,如“D:/key/server.keystore”,本例中是在Tomcat目錄中創建了一個名- 稱爲key的文件夾,僅供參考。 - keystorePass:密鑰庫生成時的密碼 - truststoreFile:受信任密鑰庫,和密鑰庫相同即可 - truststorePass:受信任密鑰庫密碼
8.用Portecle工具,運行protecle.jar將client.jks和truststore.jks分別轉換成client.bks和truststore.bks,然後放到android客戶端的assert目錄下
- 運行protecle.jar–》打開文件選中client.jks,選擇tools–>change keystore type–>選擇BKS,最後關閉保存爲client.bks
9.讀取client.bks,進行網絡請求
- 通過上面的步驟生成的證書,客戶端需要用到的是client.bks(客戶端密鑰,用於請求的時候給服務器來驗證身份之用)和truststore.bks(客戶端證書庫,用於驗證服務器端身份,防止釣魚)這兩個文件.其中安卓端的證書類型必須要求是BKS類型
10.下面給出SSLContext方式進行SSL認證的客戶端代碼
- try {
- // 服務器端需要驗證的客戶端證書,其實就是客戶端的keystore
- KeyStore keyStore = KeyStore.getInstance(“BKS”);
- // 客戶端信任的服務器端證書
- KeyStore trustStore = KeyStore.getInstance(“BKS”);
- //讀取證書
- InputStream ksIn = getResources().getAssets().open(“client.bks”);
- InputStream tsIn = getResources().getAssets().open(“truststore.bks”);
- //加載證書
- keyStore.load(ksIn,”123456”.toCharArray());
- trustStore.load(tsIn,”123456”.toCharArray());
- IOUtils.close(ksIn);
- IOUtils.close(tsIn);
- //初始化SSLContext
- SSLContext sslContext = SSLContext.getInstance(“TLS”);
- TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(“X509”);
- KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(“X509”);
- trustManagerFactory.init(trustStore);
- keyManagerFactory.init(keyStore, “123456”.toCharArray());
- sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
- //通過HttpsURLConnection設置鏈接
- SSLSocketFactory socketFactory = sslContext.getSocketFactory();
- HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
- URL connectUrl = new URL(url);
- HttpsURLConnection conn = (HttpsURLConnection) connectUrl.openConnection();
- //設置ip授權認證:如果已經安裝該證書,可以不設置,否則需要設置
- conn.setHostnameVerifier(new HostnameVerifier() {
- @Override
- public boolean verify(String hostname, SSLSession session) {
- return true;
- }
- });
- InputStream inputStream = conn.getInputStream();
- String content = getString(inputStream);
- IOUtils.close(inputStream);
- showLog(content);
- } catch (Exception e) {
- e.printStackTrace();
- }
try {
// 服務器端需要驗證的客戶端證書,其實就是客戶端的keystore
KeyStore keyStore = KeyStore.getInstance("BKS");
// 客戶端信任的服務器端證書
KeyStore trustStore = KeyStore.getInstance("BKS");
//讀取證書
InputStream ksIn = getResources().getAssets().open("client.bks");
InputStream tsIn = getResources().getAssets().open("truststore.bks");
//加載證書
keyStore.load(ksIn,"123456".toCharArray());
trustStore.load(tsIn,"123456".toCharArray());
IOUtils.close(ksIn);
IOUtils.close(tsIn);
//初始化SSLContext
SSLContext sslContext = SSLContext.getInstance("TLS");
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");
trustManagerFactory.init(trustStore);
keyManagerFactory.init(keyStore, "123456".toCharArray());
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
//通過HttpsURLConnection設置鏈接
SSLSocketFactory socketFactory = sslContext.getSocketFactory();
HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
URL connectUrl = new URL(url);
HttpsURLConnection conn = (HttpsURLConnection) connectUrl.openConnection();
//設置ip授權認證:如果已經安裝該證書,可以不設置,否則需要設置
conn.setHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String hostname, SSLSession session) {
return true;
}
});
InputStream inputStream = conn.getInputStream();
String content = getString(inputStream);
IOUtils.close(inputStream);
showLog(content);
} catch (Exception e) {
e.printStackTrace();
}
另外一種方法
- 在上面的基礎上,修改第五步,將服務端的證書導入客戶端的keystore中,然後在客戶端只用一個keystore就額可以
-
同樣需要加載信任管理器和KeyManagerFactory,加載同一個keystore即可,這個已經驗證通過,如有不妥之處,請提出探討。
//讀取證書,這裏可以只講服務端的證書導入到客戶端的keystore中,然後只要讀取一個就可以 //請求服務器時,將客戶端的證書發給服務器驗證,服務器中的keystore已經導入了客戶端的證書,所以可以驗證 //服務器驗證通過,然後服務器將客戶端的證書發給客戶端驗證,同樣驗證成功才發送其他數據。 //這裏clientkeystore包含客戶端的keystore和服務端的證書,客戶端的keystore中包含自己的證書。 InputStream ksIn = getResources().getAssets().open("clientkeystore.bks"); InputStream tsIn = getResources().getAssets().open("clientkeystore.bks");