Https双向认证啊  做了两遍,第一遍懵懂状态处于 好不容易做好了,换服务器,一下子懵了,使出浑身解数又找了一遍,这下终于好了  快哭啦,必须滴要记录一下,以免以后遇到继续懵,这里用retrofit2+okhttp3为例子来简单说明下

先来说说证书:

服务端提供的证书有四个(我这里四个就够用了,有的上面介绍说有一个p12证书,原来提供过,表示没用到,可能是我用的验证方法不一样吧)

转化步骤:

1)生成客户端证书

keytool -genkeypair -alias client -keyalg RSA -validity 3650 -keypass123456 -storepass 123456 -keystore client.jks

这里要说一下,client.jks后端的同事已经提供给我,这一步我就省啦,如果没提供的话 走一步就行啦

2)生成服务端keystore

keytool -genkeypair -alias server -keyalg RSA -validity 3650 -keypass 123456 -storepass123456 -keystore server.keystore

这个也提供啦,我也省了哈

3)导出客户端证书
keytool -export -alias client -file client.cer -keystore client.jks -storepass 123456

这里根据本人理解是将客户端的jks证书导入到服务端cer证书中

4)导出服务端证书
keytool -export -alias server -file server.cer -keystore server.keystore -storepass 123456

这里本人理解是将cer证书导入到keystore中(这里感觉理解的不是很透彻,勿喷)

5)证书交换
将客户端证书导入服务端keystore中,再将服务端证书导入客户端keystore中, 一个keystore可以导入多个证书,生成证书列表。
生成客户端信任证书库(由服务端证书生成的证书库):
    keytool -import -v -alias server -file  server.cer -keystore truststore.jks -storepass 123456

将客户端证书导入到服务器证书库(使得服务器信任客户端证书):
keytool -import -v -alias client -file client.cer -keystore server.keystore -storepass 123456

6)转换jks证书为Android能够识别的BKS证书

将client.jks和truststore.jks通过portecle-1.9软件转换为.bks文件

步骤:打开portecle.jar文件(window系统的,直接打开是压缩包哦,要选择打开方式 用java方式打开,或者直接切换到mac系统转换好了再粘贴回来即可)

注意:我这里转换client.jks的时候回报错的哦

java.security.KeyStoreException: java.io.IOException: Error initialising store of key store: java.security.InvalidKeyException: Illegal key size
这个尚未明白什么意思,就换了一个方法生成client.bks文件了
7)生成客户端bks文件
keytool -importcert -trustcacerts -keystore E:\newkey\client.bks -file E:\keyhttps\server.cer -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider
这个要在JDK目录下:C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext中添加bcprov-ext-jdk15on-146.jar包文件(这个根据不同的jdk版本找对应的,这个搜一下就行啦)
8)将client.bks,truststore.bks,以及server.cercopy到工程的Assets下完成验证
9)项目中的配置
Application文件 
import android.app.Application;
import android.os.Environment;
import android.os.Process;
import android.util.Log;import com.baidu.mapapi.SDKInitializer;
import com.franmontiel.persistentcookiejar.ClearableCookieJar;
import com.franmontiel.persistentcookiejar.PersistentCookieJar;
import com.franmontiel.persistentcookiejar.cache.SetCookieCache;
import com.franmontiel.persistentcookiejar.persistence.SharedPrefsCookiePersistor;
import com.zhy.http.okhttp.OkHttpUtils;
import com.zhy.http.okhttp.https.HttpsUtils;
import com.zhy.http.okhttp.log.LoggerInterceptor;import org.wlf.filedownloader.FileDownloadConfiguration;
import org.wlf.filedownloader.FileDownloader;import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.util.concurrent.TimeUnit;import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLSession;import okhttp3.OkHttpClient;import static android.content.ContentValues.TAG;
/*** Created by Jane on 2017/6/23.*/
public class HNAPPlication extends Application {private final static String CLIENT_PRI_KEY = "client.bks";private final static String TRUSTSTORE_PUB_KEY = "truststore.bks";private final static String SERVER_KEY = "server.cer";@Overridepublic void onCreate() {super.onCreate();initOkhttp();// 在使用 SDK 各组间之前初始化 context 信息,传入 ApplicationContextcheckAppReplacingState();}private void checkAppReplacingState() {if (getResources() == null) {Log.w(TAG, "app is replacing...kill");Process.killProcess(Process.myPid());}}private void initOkhttp() {//InputStream [] inputStreams=null;ClearableCookieJar cookieJar1 = new PersistentCookieJar(new SetCookieCache(), new SharedPrefsCookiePersistor(getApplicationContext()));
//        inputStreams = new InputStream[4];
//        try {inputStreams[0] = getClass().getResourceAsStream("/assets/newkey.cer");
//            inputStreams[0] = getAssets().open("newkey.cer");
//        } catch (IOException e) {
//            e.printStackTrace();
//        }//读取证书try {InputStream clientkey = getAssets().open(CLIENT_PRI_KEY);InputStream serverkey = getAssets().open(TRUSTSTORE_PUB_KEY);InputStream[] inputStreams = new InputStream[4];
//            inputStreams[0] = getClass().getResourceAsStream("/assets/" + SERVER_KEY);inputStreams[0] = getAssets().open(SERVER_KEY);HttpsUtils.SSLParams sslParams = HttpsUtils.getSslSocketFactory(inputStreams, clientkey, "Eastcom_1");
//        CookieJarImpl cookieJar1 = new CookieJarImpl(new MemoryCookieStore());OkHttpClient okHttpClient = new OkHttpClient.Builder().connectTimeout(10000L, TimeUnit.MILLISECONDS).readTimeout(10000L, TimeUnit.MILLISECONDS).addInterceptor(new LoggerInterceptor("TAG")).cookieJar(cookieJar1).hostnameVerifier(new HostnameVerifier() {@Overridepublic boolean verify(String hostname, SSLSession session) {return true;}}).sslSocketFactory(sslParams.sSLSocketFactory, sslParams.trustManager).build();OkHttpUtils.initClient(okHttpClient);} catch (IOException e) {e.printStackTrace();}}}

HttpsUtil类

public class HttpsUtils
{public static class SSLParams{public SSLSocketFactory sSLSocketFactory;public X509TrustManager trustManager;}public static SSLParams getSslSocketFactory(InputStream[] certificates, InputStream bksFile, String password){SSLParams sslParams = new SSLParams();try{TrustManager[] trustManagers = prepareTrustManager(certificates);KeyManager[] keyManagers = prepareKeyManager(bksFile, password);SSLContext sslContext = SSLContext.getInstance("TLS");X509TrustManager trustManager = null;if (trustManagers != null){trustManager = new MyTrustManager(chooseTrustManager(trustManagers));} else{trustManager = new UnSafeTrustManager();}sslContext.init(keyManagers, new TrustManager[]{trustManager},null);sslParams.sSLSocketFactory = sslContext.getSocketFactory();sslParams.trustManager = trustManager;return sslParams;} catch (NoSuchAlgorithmException e){throw new AssertionError(e);} catch (KeyManagementException e){throw new AssertionError(e);} catch (KeyStoreException e){throw new AssertionError(e);}}private class UnSafeHostnameVerifier implements HostnameVerifier{@Overridepublic boolean verify(String hostname, SSLSession session){return true;}}private static class UnSafeTrustManager implements X509TrustManager{@Overridepublic void checkClientTrusted(X509Certificate[] chain, String authType)throws CertificateException{}@Overridepublic void checkServerTrusted(X509Certificate[] chain, String authType)throws CertificateException{}@Overridepublic X509Certificate[] getAcceptedIssuers(){return new java.security.cert.X509Certificate[]{};}}private static TrustManager[] prepareTrustManager(InputStream... certificates){if (certificates == null || certificates.length <= 0) return null;try{CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());keyStore.load(null);int index = 0;for (InputStream certificate : certificates){String certificateAlias = Integer.toString(index++);keyStore.setCertificateEntry(certificateAlias, certificateFactory.generateCertificate(certificate));try{if (certificate != null)certificate.close();} catch (IOException e){}}TrustManagerFactory trustManagerFactory = null;trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());trustManagerFactory.init(keyStore);TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();return trustManagers;} catch (NoSuchAlgorithmException e){e.printStackTrace();} catch (CertificateException e){e.printStackTrace();} catch (KeyStoreException e){e.printStackTrace();} catch (Exception e){e.printStackTrace();}return null;}private static KeyManager[] prepareKeyManager(InputStream bksFile, String password){try{if (bksFile == null || password == null) return null;KeyStore clientKeyStore = KeyStore.getInstance("BKS");clientKeyStore.load(bksFile, password.toCharArray());KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());keyManagerFactory.init(clientKeyStore, password.toCharArray());return keyManagerFactory.getKeyManagers();} catch (KeyStoreException e){e.printStackTrace();} catch (NoSuchAlgorithmException e){e.printStackTrace();} catch (UnrecoverableKeyException e){e.printStackTrace();} catch (CertificateException e){e.printStackTrace();} catch (IOException e){e.printStackTrace();} catch (Exception e){e.printStackTrace();}return null;}private static X509TrustManager chooseTrustManager(TrustManager[] trustManagers){for (TrustManager trustManager : trustManagers){if (trustManager instanceof X509TrustManager){return (X509TrustManager) trustManager;}}return null;}private static class MyTrustManager implements X509TrustManager{private X509TrustManager defaultTrustManager;private X509TrustManager localTrustManager;public MyTrustManager(X509TrustManager localTrustManager) throws NoSuchAlgorithmException, KeyStoreException{TrustManagerFactory var4 = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());var4.init((KeyStore) null);defaultTrustManager = chooseTrustManager(var4.getTrustManagers());this.localTrustManager = localTrustManager;}@Overridepublic void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException{}@Overridepublic void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException{try{defaultTrustManager.checkServerTrusted(chain, authType);} catch (CertificateException ce){localTrustManager.checkServerTrusted(chain, authType);}}@Overridepublic X509Certificate[] getAcceptedIssuers(){return new X509Certificate[0];}}
}

Net请求配置

/*** Created by Jane on 2017/6/16.* 网络请求Api*/
public class NetHttpApi {private Retrofit retrofit;//请求超时时间private static final int REQUEST_TIME = 10;private static NetHttpApi instance;private Context context;private OkHttpClient okHttpClient;private   InputStream[] inputStreams;private SSLSocketFactory sslSocketFactory;/*** @param urlType url访问地址类型**/private NetHttpApi(int urlType, Context context) {this.context = context;
//        //日志显示级别Gson gson = new GsonBuilder().setLenient().create();OkHttpClient client = aa();if (urlType == Contants.OLD_URL_TYPE) {retrofit = new Retrofit.Builder().client(client).addConverterFactory(GsonConverterFactory.create(gson)).addCallAdapterFactory(RxJavaCallAdapterFactory.create()).baseUrl(Contants.APP_OLD_URL).build();} else if (urlType == Contants.NEW_URL_TYPE) {retrofit = new Retrofit.Builder().client(client).addConverterFactory(GsonConverterFactory.create(gson)).addCallAdapterFactory(RxJavaCallAdapterFactory.create()).baseUrl(Contants.APP_URL).build();}}private OkHttpClient aa() {//日志显示级别HttpLoggingInterceptor.Level level = HttpLoggingInterceptor.Level.BODY;//新建log拦截器HttpLoggingInterceptor loggingInterceptor = new HttpLoggingInterceptor(new HttpLoggingInterceptor.Logger() {@Overridepublic void log(String message) {Log.d("vvvvvvvvv", "OkHttp====Message==:" + message);}});loggingInterceptor.setLevel(level);OkHttpClient okHttpClient = new OkHttpClient.Builder().sslSocketFactory(SSLHelper.getSSLCertifcation(context)).hostnameVerifier(new UnSafeHostnameVerifier()).addInterceptor(loggingInterceptor).build();return okHttpClient;}/*** 创建单例模式,避免重复创建对象**/public static NetHttpApi getInstance(final int urlType, Context context) {
//        if (instance == null) {
//            synchronized (NetHttpApi.class) {
//                if (instance == null) {
//                    instance = new NetHttpApi(urlType,context);
//                }
//            }
//        }NetHttpApi netHttpApi = new NetHttpApi(urlType, context);return netHttpApi;}/*** 获取一个service对象*/public <T> T getService(Class<T> service) {return retrofit.create(service);}
}

SSLHelper

public class SSLHelper {private final static String CLIENT_PRI_KEY = "client.bks";private final static String TRUSTSTORE_PUB_KEY = "truststore.bks";private final static String CLIENT_BKS_PASSWORD = "Eastcom_1";private final static String TRUSTSTORE_BKS_PASSWORD = "Eastcom_1";private final static String KEYSTORE_TYPE = "BKS";private final static String PROTOCOL_TYPE = "TLS";private final static String CERTIFICATE_STANDARD = "X509";public static SSLSocketFactory getSSLCertifcation(Context context) {SSLSocketFactory sslSocketFactory = null;try {// 服务器端需要验证的客户端证书,其实就是客户端的keystoreKeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);// 客户端信任的服务器端证书KeyStore trustStore = KeyStore.getInstance(KEYSTORE_TYPE);//读取证书InputStream ksIn = context.getAssets().open(CLIENT_PRI_KEY);InputStream tsIn = context.getAssets().open(TRUSTSTORE_PUB_KEY);//加载证书keyStore.load(ksIn, CLIENT_BKS_PASSWORD.toCharArray());trustStore.load(tsIn, TRUSTSTORE_BKS_PASSWORD.toCharArray());ksIn.close();tsIn.close();//初始化SSLContextSSLContext sslContext = SSLContext.getInstance(PROTOCOL_TYPE);TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(CERTIFICATE_STANDARD);KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(CERTIFICATE_STANDARD);trustManagerFactory.init(trustStore);keyManagerFactory.init(keyStore, CLIENT_BKS_PASSWORD.toCharArray());sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);sslSocketFactory = sslContext.getSocketFactory();} catch (KeyStoreException e) {e.printStackTrace();} catch (IOException e) {e.printStackTrace();} catch (CertificateException e) {e.printStackTrace();} catch (NoSuchAlgorithmException e) {e.printStackTrace();} catch (UnrecoverableKeyException e) {e.printStackTrace();} catch (KeyManagementException e) {e.printStackTrace();}return sslSocketFactory;}
}

这是配置文件,其他项目类 需要的话  私我

Https双向认证Android客户端配置相关推荐

  1. RN https 双向认证

    一  概述 Rreact Native  https双向认证  Android端修改,有两种方案: 一是修改 facebook桥接Android的网络请求 二是自己新建桥接 android和rn,修改 ...

  2. 解决ios的https双向认证不能抓包问题

    一般来说,我们抓https包使用fiddler或charles,然后手机安装证书就可以抓包了,但是有时候我们抓某些app时候,一连上代理,却提示不能上网,明明可以上网,为啥app提示无网络,原因可能就 ...

  3. android 客户端bks,Keytools Https双向认证(Android通用)

    Https认证: 单向认证:保证服务器是可信任的,可以安全的访问的! 客户端拿到服务器的证书,通过CA认证信任,然后取出公钥,加密对称密钥传给服务器,服务器用自己的私钥解密得到对称密钥,后续使用该对称 ...

  4. HTTPS双向认证配置

    最近看了下HTTPS相关的,概念性的东西各位就去查查资料吧.主要找到两篇比较靠谱的文章,收藏下. xiooa面复制自https://my.oschina.net/jjface/blog/339144 ...

  5. android https 双向认证

    一 .首先是  单向认证的原理,首先说下,下面的文章我没看出来是双向认证的原理(我觉得是单向认证的),你们自己理解 https://www.jianshu.com/p/733dc1f06acf 二.实 ...

  6. (转载)Android 让WebView完美支持https双向认证(SSL)

    (转载)https://blog.csdn.net/kpioneer123/article/details/51491739 这是@happyzhang0502   关于webview https的建 ...

  7. tomcat实现https双向认证配置

    Tomcat实现https双向认证配置 1.生成证书库 2.jks转p12 3.证书库导出cer文件 4.证书库生成证书请求 5.对证书请求进行签名 6.例子 6.1创建证书库 6.2导出根证书 6. ...

  8. nginx 配置 https双向认证

    参考文章: https://blog.csdn.net/xiangguiwang/article/details/76400805 https://blog.csdn.net/qq_37049781/ ...

  9. android webview单向认证,android 让webview支持自签名证书https 双向认证(SSL)

    最近完成一个项目,安全级别比较高.所以涉及到https双向认证,在网上找了很多资料都没有完美的解决方案.最后参考了org.sandrob.sslexample的实现方式,结合实际情况才完成该技术难题, ...

最新文章

  1. STL (13) 非变动型算法
  2. 深入解读EOS源代码之——区块链内核
  3. 17-chmod命令
  4. c++ pat 乙级 --1001 害死人不偿命的(3n+1)猜想
  5. 畅销书《深入浅出Vue.js》作者,在阿里淘系1年的收获成长
  6. Swagger在header中添加token
  7. mysql多表查询方式_MySQL多表查询方式问题
  8. Samsung x210 Android makefile 的一些配置实例问题
  9. STL常用函数总结-set
  10. TeaTalk·Online 演讲实录 | 圆满完结 大数据+云原生,再度风云起
  11. unity 企鹅砸小猪 笔记1
  12. 集美大学计算机工程学院 曾勇进,电子政务评估方法AHP 的研究及实现.pdf
  13. 北京市平谷区谷歌卫星地图下载
  14. Linux如何安装iperf软件,【iperf】iperfforLinux-最笨下载
  15. matlab 求特征值的命令,matlab怎么求特征值
  16. python按顺序执行函数_Python3的unittest用例按编写顺序执行
  17. 工作薄与工作表的区别:
  18. 苹果手机热点连上不能上网_iPhone手机开了热点,为什么电脑连不上?靠这三招即可轻松解决!...
  19. 阿里云IOT设备数据接入 (从阿里云IOT云平台获取设备数据)
  20. Keras之TCN:基于keras框架利用时间卷积网络TCN算法对上海最高气温实现回归预测(把时间序列数据集转化为有监督学习数据集)案例

热门文章

  1. 深入理解C++的new
  2. 云计算解决方案架构师=售前?[新职业的浅析]
  3. 南开大学计算机考研大纲,南开大学2019年考研812计算机综合基础考试大纲
  4. ITGZ的JMS583硬盘盒通电次数飙升
  5. (译)java NIO 示例代码
  6. 用计算机获取机读卡是通过什么实现的,一种基于图像识别技术的答题卡及考试系统的制作方法...
  7. singalrhub
  8. 4 评价类算法:变异系数法笔记(附Python代码)
  9. 乙酰六肽-49/Delisens/Acetyl Hexapeptide-49
  10. 计算机数字编码表示有,计算机中数字、文字、图像、声音和视频的表示与编码...