ssl協議安全基礎(安卓下安全通信)
2023-05-05 20:59:30
安卓系統BKS證書的使用一、 概述手機默認內置了主流的根證書,一般在使用OkHttp時,使用本地根證書進行校驗,項目不需要內置CA根證書。
手機可以在設置停用某個根證書,這時與一些伺服器通信,就會報ssl異常。用瀏覽器打開網頁時,會提示 未授信的網站。
當使用自己製作的證書的時候,可以把證書放到項目裡打包到APK中。
二、keytool支持BKS的設置安卓通用使用的是BKS格式的證書。但JDK默認情況下不支持BKS證書格式,如果要使用BKS需要進行以下操作:
下載 org.bouncycastle.jce.provider.BouncyCastleProvider 包,網址:https://www.bouncycastle.org把下載的 bcprov-ext-jdk15to18-166.jar , bcprov-jdk15to18-166.jar 放到 %JAVA_HOME%/jre/lib/ext 下。(我也不知道為啥我下載有兩個包)修改%JAVA_HOME%/jre/lib/security/java.security文件我的配置是這樣的:jdk.TLS.disabledAlgorithms=security.provider.1=sun.security.provider.Sunsecurity.provider.2=sun.security.rsa.SunRsaSignsecurity.provider.3=sun.security.ec.SunECsecurity.provider.4=com.sun.net.ssl.internal.ssl.Providersecurity.provider.5=com.sun.crypto.provider.SunJCEsecurity.provider.6=sun.security.jgss.SunProvidersecurity.provider.7=com.sun.security.sasl.Providersecurity.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRIsecurity.provider.9=sun.security.smartcardio.SunPCSCsecurity.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider
三、cer轉換為bks格式1. 格式轉換命令keytool -importcert -trustcacerts -keystore cNetty.bks -file cNetty.cer -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider# 按提示輸入密鑰庫指令keytool -importcert -trustcacerts -keystore sNetty.bks -file sNetty.cer -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider# 按提示輸入密鑰庫指令
2. 導入信任證書庫這時要把證書導入對方信任證書的倉庫中,使用命令:
keytool -import -alias securenettyclient_bks -file cNetty.cer -storepass 你的storepass密碼 -keystore sNetty.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProviderkeytool -import -alias securenettyservice_bks -file sNetty.cer -storepass 你的storepass密碼 -keystore cNetty.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider
3. 查看bks證書# 查看證書鏈keytool -list -rfc -keystore cNetty.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass 你的storepass證書# 驗證BKSkeytool -list -v -storetype BKS -keystore sNetty.bks
四、java socket使用bks證書的核心客戶端代碼以下代碼客戶端支持使用jks和bks兩種格式、支持windows和android端使用,可以用在Netty框架:
import lombok.extern.slf4j.Slf4j;import org.bouncycastle.jce.provider.BouncyCastleProvider;import javax.net.ssl.KeyManagerFactory;import javax.net.ssl.SSLContext;import javax.net.ssl.TrustManagerFactory;import java.io.IOException;import java.io.InputStream;import java.nio.file.Files;import java.nio.file.Paths;import java.security.*;import java.security.cert.CertificateException;/** * 加密通訊,獲取SSLContext的方法 * @author Cade */@Slf4jpublic final class SecureNettySslContextfactory { private static final String PROTOCOL = "TLS"; private static final String FILE_JKS ="jks"; private static final String KEYSTORE_BKS ="BKS"; private static final String KEYSTORE_JKS ="JKS"; /** * 伺服器安全上下文 */ private static SSLContext SERVER_CONTEXT; /** * 客戶端安全上下文 */ private static SSLContext CLIENT_CONTEXT; /** * * @param pkPath pkPath * @param caPath caPath * @param jksPass jksPass * @param storePass storePass * @return SSL上下文 */ public static SSLContext getClientContext(String pkPath,String caPath,String jksPass,String storePass){ if(CLIENT_CONTEXT!=null) { return CLIENT_CONTEXT; } final String; KeyManagerFactory kmf; TrustManagerFactory tf; KeyStore ks; KeyStore tks ; try { if(caPath.contains(FILE_JKS)) { ks = KeyStore.getInstance(KEYSTORE_JKS); tks = KeyStore.getInstance(KEYSTORE_JKS); }else{ Security.addProvider(new BouncyCastleProvider); ks = KeyStore.getInstance(KEYSTORE_BKS); tks = KeyStore.getInstance(KEYSTORE_BKS); } // 如果是安卓系統,讀取資源的方式有所不同 if (osAndroid.equals(Constants.OS)) { try (InputStream in = Constants.class.getResourceAsStream(pkPath)) { ks.load(in, jksPass.toCharArray); } try(InputStream in = Constants.class.getResourceAsStream(caPath)){ tks.load(in, jksPass.toCharArray); } } else { try (InputStream stream = Files.newInputStream(Paths.get(pkPath))) { ks.load(stream, jksPass.toCharArray); } try (InputStream stream = Files.newInputStream(Paths.get(caPath))) { tks.load(stream, jksPass.toCharArray); } } if(log.isInfoEnabled) { log.info(TrustManagerFactory.getDefaultAlgorithm); } kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks, storePass.toCharArray); tf = TrustManagerFactory.getInstance("SunX509"); tf.init(tks); CLIENT_CONTEXT = SSLContext.getInstance(PROTOCOL); //初始化此上下文 //參數一:認證的密鑰 參數二:對等信任認證 參數三:偽隨機數生成器 。 由於單向認證,服務端不用驗證客戶端,所以第二個參數為null CLIENT_CONTEXT.init(kmf.getKeyManagers, tf.getTrustManagers, null); }catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | KeyManagementException e){ if(log.isErrorEnabled){ log.error(e.toString); } } return CLIENT_CONTEXT; }}
代碼裡Constants類是自定義的常量類。
五、OKHttp使用證書bks一般可以放在assets下。
public class MyOkhttpClient { private static MyOkhttpClient singleton; public static OkHttpClient getInstance { if (singleton == null) { synchronized (CBOkhttpClient.class) { if (singleton == null) { OkHttpClient.Builder builder = new OkHttpClient.newBuilder; builder.connectTimeout(50000, TimeUnit.MILLISECONDS); builder.writeTimeout(50000, TimeUnit.MILLISECONDS); builder.readTimeout(50000, TimeUnit.MILLISECONDS); try { SSLContext sslContext = SSLContext.getInstance("TLS"); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm); KeyStore trustStore = KeyStore.getInstance("BKS"); InputStream ksinstream = CBFramework.getApplication.getResources.openRawResource(R.raw.cbframework_trustcerts); trustStore.load(ksinstream, "".toCharArray); ksinstream.close; trustManagerFactory.init(trustStore); sslContext.init(null, trustManagerFactory.getTrustManagers, new SecureRandom); builder.sslSocketFactory(sslContext.getSocketFactory, new X509TrustManager { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public X509Certificate[] getAcceptedIssuers { return new X509Certificate[0]; } }); } catch (Exception e) { Log.e(e); } singleton = builder.build; } } } return singleton; }}
,