ssl協議安全基礎（安卓下安全通信）

2023-05-05 20:59:30

手機默認內置了主流的根證書，一般在使用OkHttp時，使用本地根證書進行校驗，項目不需要內置CA根證書。

手機可以在設置停用某個根證書，這時與一些伺服器通信，就會報ssl異常。用瀏覽器打開網頁時，會提示 未授信的網站。

當使用自己製作的證書的時候，可以把證書放到項目裡打包到APK中。

安卓通用使用的是BKS格式的證書。但JDK默認情況下不支持BKS證書格式，如果要使用BKS需要進行以下操作：

jdk.TLS.disabledAlgorithms=security.provider.1=sun.security.provider.Sunsecurity.provider.2=sun.security.rsa.SunRsaSignsecurity.provider.3=sun.security.ec.SunECsecurity.provider.4=com.sun.net.ssl.internal.ssl.Providersecurity.provider.5=com.sun.crypto.provider.SunJCEsecurity.provider.6=sun.security.jgss.SunProvidersecurity.provider.7=com.sun.security.sasl.Providersecurity.provider.8=org.jcp.xml.dsig.internal.dom.XMLDSigRIsecurity.provider.9=sun.security.smartcardio.SunPCSCsecurity.provider.10=org.bouncycastle.jce.provider.BouncyCastleProvider

keytool -importcert -trustcacerts -keystore cNetty.bks -file cNetty.cer -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider# 按提示輸入密鑰庫指令keytool -importcert -trustcacerts -keystore sNetty.bks -file sNetty.cer -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider# 按提示輸入密鑰庫指令

這時要把證書導入對方信任證書的倉庫中，使用命令：

keytool -import -alias securenettyclient_bks -file cNetty.cer -storepass 你的storepass密碼 -keystore sNetty.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProviderkeytool -import -alias securenettyservice_bks -file sNetty.cer -storepass 你的storepass密碼 -keystore cNetty.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider

# 查看證書鏈keytool -list -rfc -keystore cNetty.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider -storepass 你的storepass證書# 驗證BKSkeytool -list -v -storetype BKS -keystore sNetty.bks

以下代碼客戶端支持使用jks和bks兩種格式、支持windows和android端使用，可以用在Netty框架：

import lombok.extern.slf4j.Slf4j;import org.bouncycastle.jce.provider.BouncyCastleProvider;import javax.net.ssl.KeyManagerFactory;import javax.net.ssl.SSLContext;import javax.net.ssl.TrustManagerFactory;import java.io.IOException;import java.io.InputStream;import java.nio.file.Files;import java.nio.file.Paths;import java.security.*;import java.security.cert.CertificateException;/** * 加密通訊，獲取SSLContext的方法 * @author Cade */@Slf4jpublic final class SecureNettySslContextfactory { private static final String PROTOCOL = "TLS"; private static final String FILE_JKS ="jks"; private static final String KEYSTORE_BKS ="BKS"; private static final String KEYSTORE_JKS ="JKS"; /** * 伺服器安全上下文 */ private static SSLContext SERVER_CONTEXT; /** * 客戶端安全上下文 */ private static SSLContext CLIENT_CONTEXT; /** * * @param pkPath pkPath * @param caPath caPath * @param jksPass jksPass * @param storePass storePass * @return SSL上下文 */ public static SSLContext getClientContext(String pkPath,String caPath,String jksPass,String storePass){ if(CLIENT_CONTEXT!=null) { return CLIENT_CONTEXT; } final String; KeyManagerFactory kmf; TrustManagerFactory tf; KeyStore ks; KeyStore tks ; try { if(caPath.contains(FILE_JKS)) { ks = KeyStore.getInstance(KEYSTORE_JKS); tks = KeyStore.getInstance(KEYSTORE_JKS); }else{ Security.addProvider(new BouncyCastleProvider); ks = KeyStore.getInstance(KEYSTORE_BKS); tks = KeyStore.getInstance(KEYSTORE_BKS); } // 如果是安卓系統，讀取資源的方式有所不同 if (osAndroid.equals(Constants.OS)) { try (InputStream in = Constants.class.getResourceAsStream(pkPath)) { ks.load(in, jksPass.toCharArray); } try(InputStream in = Constants.class.getResourceAsStream(caPath)){ tks.load(in, jksPass.toCharArray); } } else { try (InputStream stream = Files.newInputStream(Paths.get(pkPath))) { ks.load(stream, jksPass.toCharArray); } try (InputStream stream = Files.newInputStream(Paths.get(caPath))) { tks.load(stream, jksPass.toCharArray); } } if(log.isInfoEnabled) { log.info(TrustManagerFactory.getDefaultAlgorithm); } kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks, storePass.toCharArray); tf = TrustManagerFactory.getInstance("SunX509"); tf.init(tks); CLIENT_CONTEXT = SSLContext.getInstance(PROTOCOL); //初始化此上下文 //參數一：認證的密鑰 參數二：對等信任認證 參數三：偽隨機數生成器 。 由於單向認證，服務端不用驗證客戶端，所以第二個參數為null CLIENT_CONTEXT.init(kmf.getKeyManagers, tf.getTrustManagers, null); }catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException | KeyManagementException e){ if(log.isErrorEnabled){ log.error(e.toString); } } return CLIENT_CONTEXT; }}

代碼裡Constants類是自定義的常量類。

bks一般可以放在assets下。

public class MyOkhttpClient { private static MyOkhttpClient singleton; public static OkHttpClient getInstance { if (singleton == null) { synchronized (CBOkhttpClient.class) { if (singleton == null) { OkHttpClient.Builder builder = new OkHttpClient.newBuilder; builder.connectTimeout(50000, TimeUnit.MILLISECONDS); builder.writeTimeout(50000, TimeUnit.MILLISECONDS); builder.readTimeout(50000, TimeUnit.MILLISECONDS); try { SSLContext sslContext = SSLContext.getInstance("TLS"); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm); KeyStore trustStore = KeyStore.getInstance("BKS"); InputStream ksinstream = CBFramework.getApplication.getResources.openRawResource(R.raw.cbframework_trustcerts); trustStore.load(ksinstream, "".toCharArray); ksinstream.close; trustManagerFactory.init(trustStore); sslContext.init(null, trustManagerFactory.getTrustManagers, new SecureRandom); builder.sslSocketFactory(sslContext.getSocketFactory, new X509TrustManager { @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { } @Override public X509Certificate[] getAcceptedIssuers { return new X509Certificate[0]; } }); } catch (Exception e) { Log.e(e); } singleton = builder.build; } } } return singleton; }}