折騰了好久,最後發送Android端也是能使用pfx格式的證書的,一直以爲用不了,服務器端是c#或者netty。
證書準備:
服務器端用到的是server.pfx+ca.pfx
客戶端用到的是client.pfx+ca.pfx
服務器端與Android端都是使用netty
獲取sslcontex
public SSLContext getClientSSLContext(){
try {
SSLContext sslContext;
try {
String keyPassword = "***";
String trustPassword = "***";
// key store manager
KeyStore keyStore = KeyStore.getInstance("PKCS12");
InputStream keyInput = new FileInputStream("C:\\Users\\Desktop\\certificates1\\client.pfx");
keyStore.load(keyInput, keyPassword.toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keyPassword.toCharArray());
// trust store manager
KeyStore trustStore = KeyStore.getInstance("PKCS12");
InputStream trustInput = new FileInputStream("C:\\Users\\Desktop\\certificates1\\ca.pfx");
trustStore.load(trustInput, trustPassword.toCharArray());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
return sslContext;
} catch (Exception e) {
e.printStackTrace();
return null;
}
}catch (Exception er){
return null;
}
}
服務器端
ChannelPipeline pipeline = socketChannel.pipeline();
SSLEngine engine = new SSLUtils().getClientSSLContext().createSSLEngine();
engine.setUseClientMode(false);
engine.setNeedClientAuth(true);
pipeline.addFirst(new SslHandler(engine));
android 端
SSLEngine engine = new SSLUtils().getClientSSLContext().createSSLEngine();
engine.setUseClientMode(true);
pipeline.addFirst(new SslHandler(engine));
Android端使用的是mina
注意加setEnabledCipherSuites,這個坑我找了很久。必須設置這個加密方式,否則出現一發數據就會自動斷開連接
SSLContext sslContext = new SSLUtils().getClientSSLContext();
if(sslContext!=null){
SslFilter sslFilter = new SslFilter(sslContext);
sslFilter.setUseClientMode(true);
//太坑了,需要加入這個纔行,不然一握手就會失敗
sslFilter.setEnabledCipherSuites(new String[]{"TLS_RSA_WITH_AES_128_CBC_SHA"});
connector.getFilterChain().addFirst("sslFilter", sslFilter);
}