android使用https安全连接

最新推荐文章于 2024-07-02 13:38:49 发布

好大一只蜗牛

最新推荐文章于 2024-07-02 13:38:49 发布

阅读量2.1k

点赞数 1

分类专栏： android 文章标签： android ssl 安全网络

本文链接：https://blog.csdn.net/shapsnail/article/details/49035341

版权

android 专栏收录该内容

3 篇文章 0 订阅

订阅专栏

随着大家安全意识的提高，越来越多的软件采用https代替http进行网络传输信息，与http的明文传输不同，https在网络传输的应用层与传输层增加了一个中间层（SSL或TLS），用来对传输的明文数据进行加密处理，从而保证了网络传输的隐私性和安全性。

前段时间因为项目原因，需要android手机客户端和服务器端进行通信，在学习过程中遇到了一些坑，特记录以供后面备忘。

因为有传输文件的需求，所以我在使用时采用的是appache的HttpClient，而不是HttpURLConnection, 因为appache的包中的MultipartEntity类封装了上传时的multipart/form-data格式，同时还支持多个文件同时上传，减少了重复造轮子的可能性。

先看一下HttpClient给的https连接的demo:

    public final static void main(String[] args) throws Exception {
        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            KeyStore trustStore  = KeyStore.getInstance(KeyStore.getDefaultType());
            FileInputStream instream = new FileInputStream(new File("my.keystore"));
            try {
                trustStore.load(instream, "nopassword".toCharArray());
            } finally {
                try { instream.close(); } catch (Exception ignore) {}
            }

            SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
            Scheme sch = new Scheme("https", 443, socketFactory);
            httpclient.getConnectionManager().getSchemeRegistry().register(sch);

            HttpGet httpget = new HttpGet("https://localhost/");

            System.out.println("executing request" + httpget.getRequestLine());

            HttpResponse response = httpclient.execute(httpget);
            HttpEntity entity = response.getEntity();

            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
            if (entity != null) {
                System.out.println("Response content length: " + entity.getContentLength());
            }
            EntityUtils.consume(entity);

        } finally {
            // When HttpClient instance is no longer needed,
            // shut down the connection manager to ensure
            // immediate deallocation of all system resources
            httpclient.getConnectionManager().shutdown();
        }
    }

如果你是的证书使用java自带的keygen生成的话，上面的例子基本已经可以开箱即用了。

由于我的服务器是用golang写的，害怕服务器端不认识keygen生成的证书，所以采用了openssl来生成证书。

生成自签名证书：

生成私钥，采用DES3加密，https握手采用RSA 2048

$openssl genrsa des3 out server.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password  Enter PEM pass phrase:

生成证书签名请求，注意common name填写你的host ip或者域名：

$openssl req new key server.key out server.csr
Country Name (2 letter code) [GB]: CN
State or Province Name (full name) [Berkshire]: ShangHai
Locality Name (eg, city) [Newbury]: shanghai
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: baidu.com
Email Address []: martin dot zahn at akadia dot ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

如果嫌加密私钥太麻烦，可以去掉：

$cp server.key server.key.org
$openssl rsa in server.key.org out server.key
$ll
rwrr 1 root root 745 Jun 29 12:19 server.csr
rwrr 1 root root 891 Jun 29 13:22 server.key
rwrr 1 root root 963 Jun 29 13:22 server.key.org

自签名我们的证书,有效期一年：

openssl x509 req days 365 in server.csr signkey server.key out server.crt

这样生成的证书是采用PKCS12打包的，而java的TrustStore似乎对该格式支持的并不好，直接load，结果发现：

Exception in thread "main" java.lang.AssertionError: java.io.IOException: toDerInputStream rejects tag type 45

Exception in thread "main" java.lang.AssertionError: java.security.KeyStoreException: TrustedCertEntry not supported

然后Google了一下，好像有一个开源的加解密项目支持的还不错http://www.bouncycastle.org/，果断下载试试：http://www.bouncycastle.org/download/bcprov-ext-jdk15on-153.jar，话说这下载速度也是够慢的。
然后添加该套件供应商：

Security.addProvider(new BouncyCastleProvider());
KeyStore trusted = KeyStore.getInstance("PKCS12", "BC");

再次运行，结果又悲催了：

Exception in thread "main" java.lang.AssertionError: java.lang.NullPointerException: No password supplied for PKCS#12 KeyStore.
好吧，既然这样，那我初始话一个空的keystore，然后曲线救国总可以吧：

            Security.addProvider(new BouncyCastleProvider());
            KeyStore trusted = KeyStore.getInstance("PKCS12", "BC");
            // Get the raw resource, which contains the keystore with
            // your trusted certificates (root and any intermediate certs)
            InputStream in = getClass().getResourceAsStream("/server.crt");
            // Initialize the keystore with the provided trusted certificates
            // Also provide the password of the keystore
            // trusted.load(in, "mysecret".toCharArray());
            trusted.load(null, null);
            CertificateFactory certificateFactory = CertificateFactory
                    .getInstance("X.509");
            Certificate certificate = certificateFactory
                    .generateCertificate(in);
            trusted.setCertificateEntry("trust", certificate);
            in.close();

ok,问题解决，总算能愉（苦）快（逼）的继续玩耍了～_～, 顺便附上我的HttpsClient：

package com.snail.myapp.http;
import com.snail.myapp.App;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;

import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

/**
 * Created by daemonw on 15-10-10.
 */
public class HttpsClient extends DefaultHttpClient{
    protected ClientConnectionManager createClientConnectionManager() {
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        // Register for port 443 our SSLSocketFactory with our keystore
        // to the ConnectionManager
        registry.register(new Scheme("https", newSslSocketFactory(), 443));
        return new SingleClientConnManager(getParams(), registry);
    }

    private SSLSocketFactory newSslSocketFactory() {
        try {
            // Get an instance of the Bouncy Castle KeyStore format
            KeyStore trusted = KeyStore.getInstance("PKCS12", "BC");
            // Get the raw resource, which contains the keystore with
            // your trusted certificates (root and any intermediate certs)
            InputStream in = App.getInstance().getAssets().open("server.crt");
            // Initialize the keystore with the provided trusted certificates
            // Also provide the password of the keystore
            //trusted.load(in, "mysecret".toCharArray());
            trusted.load(null, null);
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            Certificate certificate = certificateFactory.generateCertificate(in);
            trusted.setCertificateEntry("trust", certificate);
            in.close();
            // Pass the keystore to the SSLSocketFactory. The factory is responsible
            // for the verification of the server certificate.
            SSLSocketFactory sf = new SSLSocketFactory(trusted);
            // Hostname verification from certificate
            // http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
            //sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
            return sf;
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
}

注意：
1.部分android 的sdk里已自带BouncyCastleProvider提供的套件，如果没有，请下载并添加进去：
ecurity.addProvider(new BouncyCastleProvider());
2.本文代码展示采用的HttpClient版本为httpcomponents-client-4.1.3，最新的api可能已经发生变化，某些api已经被Deprecated，请自行参考官方文档。