随着大家安全意识的提高,越来越多的软件采用https代替http进行网络传输信息,与http的明文传输不同,https在网络传输的应用层与传输层增加了一个中间层(SSL或TLS),用来对传输的明文数据进行加密处理,从而保证了网络传输的隐私性和安全性。

前段时间因为项目原因,需要android手机客户端和服务器端进行通信,在学习过程中遇到了一些坑,特记录以供后面备忘。

因为有传输文件的需求,所以我在使用时采用的是appache的HttpClient,而不是HttpURLConnection, 因为appache的包中的MultipartEntity类封装了上传时的multipart/form-data格式,同时还支持多个文件同时上传,减少了重复造轮子的可能性。

先看一下HttpClient给的https连接的demo:

public final static void main(String[] args) throws Exception {
        DefaultHttpClient httpclient = new DefaultHttpClient();
        try {
            KeyStore trustStore  = KeyStore.getInstance(KeyStore.getDefaultType());
            FileInputStream instream = new FileInputStream(new File("my.keystore"));
            try {
                trustStore.load(instream, "nopassword".toCharArray());
            } finally {
                try { instream.close(); } catch (Exception ignore) {}
            }

            SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
            Scheme sch = new Scheme("https", 443, socketFactory);
            httpclient.getConnectionManager().getSchemeRegistry().register(sch);

            HttpGet httpget = new HttpGet("https://localhost/");

            System.out.println("executing request" + httpget.getRequestLine());

            HttpResponse response = httpclient.execute(httpget);
            HttpEntity entity = response.getEntity();

            System.out.println("----------------------------------------");
            System.out.println(response.getStatusLine());
            if (entity != null) {
                System.out.println("Response content length: " + entity.getContentLength());
            }
            EntityUtils.consume(entity);

        } finally {
            // When HttpClient instance is no longer needed,
            // shut down the connection manager to ensure
            // immediate deallocation of all system resources
            httpclient.getConnectionManager().shutdown();
        }
    }

如果你是的证书使用java自带的keygen生成的话,上面的例子基本已经可以开箱即用了。

由于我的服务器是用golang写的,害怕服务器端不认识keygen生成的证书,所以采用了openssl来生成证书。

生成自签名证书:

生成私钥,采用DES3加密,https握手采用RSA 2048

$openssl genrsa ­des3 ­out server.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................................++++++
........++++++
e is 65537 (0x10001)
Enter PEM pass phrase:
Verifying password ­ Enter PEM pass phrase:

生成证书签名请求,注意common name填写你的host ip或者域名:

$openssl req ­new ­key server.key ­out server.csr
Country Name (2 letter code) [GB]: CN
State or Province Name (full name) [Berkshire]: ShangHai
Locality Name (eg, city) [Newbury]: shanghai
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []: baidu.com
Email Address []: martin dot zahn at akadia dot ch
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

如果嫌加密私钥太麻烦,可以去掉:

$cp server.key server.key.org
$openssl rsa ­in server.key.org ­out server.key
$ll
­rw­r­­r­­ 1 root root 745 Jun 29 12:19 server.csr
­rw­r­­r­­ 1 root root 891 Jun 29 13:22 server.key
­rw­r­­r­­ 1 root root 963 Jun 29 13:22 server.key.org

自签名我们的证书,有效期一年:

openssl x509 ­req ­days 365 ­in server.csr ­signkey server.key ­out server.crt

这样生成的证书是采用PKCS12打包的,而java的TrustStore似乎对该格式支持的并不好,直接load,结果发现:

Exception in thread "main" java.lang.AssertionError: java.io.IOException: toDerInputStream rejects tag type 45

Exception in thread "main" java.lang.AssertionError: java.security.KeyStoreException: TrustedCertEntry not supported

然后Google了一下,好像有一个开源的加解密项目支持的还不错http://www.bouncycastle.org/,果断下载试试:http://www.bouncycastle.org/download/bcprov-ext-jdk15on-153.jar,话说这下载速度也是够慢的。
然后添加该套件供应商:

Security.addProvider(new BouncyCastleProvider());
KeyStore trusted = KeyStore.getInstance("PKCS12", "BC");

再次运行,结果又悲催了:

Exception in thread "main" java.lang.AssertionError: java.lang.NullPointerException: No password supplied for PKCS#12 KeyStore.
好吧,既然这样,那我初始话一个空的keystore,然后曲线救国总可以吧:

Security.addProvider(new BouncyCastleProvider());
            KeyStore trusted = KeyStore.getInstance("PKCS12", "BC");
            // Get the raw resource, which contains the keystore with
            // your trusted certificates (root and any intermediate certs)
            InputStream in = getClass().getResourceAsStream("/server.crt");
            // Initialize the keystore with the provided trusted certificates
            // Also provide the password of the keystore
            // trusted.load(in, "mysecret".toCharArray());
            trusted.load(null, null);
            CertificateFactory certificateFactory = CertificateFactory
                    .getInstance("X.509");
            Certificate certificate = certificateFactory
                    .generateCertificate(in);
            trusted.setCertificateEntry("trust", certificate);
            in.close();

ok,问题解决,总算能愉(苦)快(逼)的继续玩耍了~_~, 顺便附上我的HttpsClient:

package com.snail.myapp.http;
import com.snail.myapp.App;
import org.apache.http.conn.ClientConnectionManager;
import org.apache.http.conn.scheme.PlainSocketFactory;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.SingleClientConnManager;

import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

/**
 * Created by daemonw on 15-10-10.
 */
public class HttpsClient extends DefaultHttpClient{
    protected ClientConnectionManager createClientConnectionManager() {
        SchemeRegistry registry = new SchemeRegistry();
        registry.register(new Scheme("http", PlainSocketFactory.getSocketFactory(), 80));
        // Register for port 443 our SSLSocketFactory with our keystore
        // to the ConnectionManager
        registry.register(new Scheme("https", newSslSocketFactory(), 443));
        return new SingleClientConnManager(getParams(), registry);
    }

    private SSLSocketFactory newSslSocketFactory() {
        try {
            // Get an instance of the Bouncy Castle KeyStore format
            KeyStore trusted = KeyStore.getInstance("PKCS12", "BC");
            // Get the raw resource, which contains the keystore with
            // your trusted certificates (root and any intermediate certs)
            InputStream in = App.getInstance().getAssets().open("server.crt");
            // Initialize the keystore with the provided trusted certificates
            // Also provide the password of the keystore
            //trusted.load(in, "mysecret".toCharArray());
            trusted.load(null, null);
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            Certificate certificate = certificateFactory.generateCertificate(in);
            trusted.setCertificateEntry("trust", certificate);
            in.close();
            // Pass the keystore to the SSLSocketFactory. The factory is responsible
            // for the verification of the server certificate.
            SSLSocketFactory sf = new SSLSocketFactory(trusted);
            // Hostname verification from certificate
            // http://hc.apache.org/httpcomponents-client-ga/tutorial/html/connmgmt.html#d4e506
            //sf.setHostnameVerifier(SSLSocketFactory.STRICT_HOSTNAME_VERIFIER);
            return sf;
        } catch (Exception e) {
            throw new AssertionError(e);
        }
    }
}

注意:
1.部分android 的sdk里已自带BouncyCastleProvider提供的套件,如果没有,请下载并添加进去:
ecurity.addProvider(new BouncyCastleProvider());
2.本文代码展示采用的HttpClient版本为httpcomponents-client-4.1.3,最新的api可能已经发生变化,某些api已经被Deprecated,请自行参考官方文档。