我已经基于Java sslserversocket编写了一台服务器,该服务器接受连接并通过自定义二进制协议与Android应用程序进行通信:
ServerSocket serverSocket = SSLServerSocketFactory.getDefault().createServerSocket(1234);
while (true) {
Socket socket = serverSocket.accept();
...
}
我使用以下参数运行服务器:
-Djavax.net.ssl.keyStore=keystore.jks
-Djavax.net.ssl.keyStorePassword=<PASSWORD>
使用以下教程生成证书,该教程构建了公共和私有密钥集:http://judebert.com/progress/archives/425-usish-ssl-in-ssl-in-java,part-part-2.html:
keytool -genkeypair -keystore keystore.jks -alias keyname
keytool -export -alias keyname -file keyname.crt -keystore keystore.jks
keytool -importcert -file keyname.crt -keystore truststore.jks
另外,我通过使用Bouncycastle构建信托基地来使其与Android兼容:
keytool -importkeystore -srckeystore truststore.jks -srcstoretype JKS -srcstorepass <PASSWORD> -destkeystore truststore.bks -deststoretype BKS -deststorepass <PASSWORD> -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-ext-jdk15on-1.58.jar
在此处下载Bouncycastle提供商:https://www.bouncycastle.org/latest_releases.html
并将结果truststore.bks移至原始资源文件夹中。
在Android上,我使用以下代码来构建SSLSocketFactory,该代码允许我导入生成的Bouncycastle证书,该证书对服务器进行了身份验证我:
KeyStore trustStore = KeyStore.getInstance("BKS");
InputStream trustStoreStream = context.getResources().openRawResource(R.raw.truststore);
trustStore.load(trustStoreStream, "<PASSWORD>".toCharArray());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
Socket socket = sslContext.getSocketFactory().createSocket("ip", 1234);
... use socket
这适用于6个以下的Android版本,我的问题是在第6版及更高版本中,我尝试使用套接字时会得到例外:
Shutting down connection Socket[address=/ip,port=1234,localPort=321321] due to exception Handshake failed
javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:429)
at com.example.Client.connect(Client.java:97)
at com.example.Client.start(Client.java:60)
at com.example.BackendServiceFactory$2.call(BackendServiceFactory.java:136)
at com.example.BackendServiceFactory$2.call(BackendServiceFactory.java:130)
...
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake terminated: ssl=0xe69ec900: Failure in SSL library, usually a protocol error
error:10000410:SSL routines:OPENSSL_internal:SSLV3_ALERT_HANDSHAKE_FAILURE (external/boringssl/src/ssl/s3_pkt.c:641 0xe2d10880:0x00000001)
error:1000009a:SSL routines:OPENSSL_internal:HANDSHAKE_FAILURE_ON_CLIENT_HELLO (external/boringssl/src/ssl/s3_clnt.c:800 0xe6ea5af3:0x00000000)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.OpenSSLSocketImpl.startHandshake(OpenSSLSocketImpl.java:357)
... 24 more
我不确定这里发生了什么。在处理客户证书的过程中,似乎有一个失误,这可能是密码套件的不匹配吗?
我已经与Java服务器,Java客户端和Android客户端一起汇总了一个最小示例,以帮助诊断此问题:
https://github.com/johncarl81/androidca
我认为这将是一个简单的修复。似乎我需要在第一个键盘命令中指定密钥算法:
keytool -genkeypair -keystore keystore.jks -alias keyname -keyalg RSA
这将生成一个2048位RSA键,该密钥与Android&lt;的版本兼容。6和> = 6。