Nginx + Android mutual TLS configuration

Author: liuzy · 1623 views · Category: Tech
# Server

**Edit the CA configuration file**

`vim /etc/pki/tls/openssl.cnf`

**Create the CA private key**

```
cd /etc/pki/CA/private
openssl genrsa -out cakey.pem 2048
```

**Generate the self-signed CA certificate**

```
cd /etc/pki/CA/
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3650
# Common Name entered at the prompt: sqfengchao.link
```

**Create the server certificate**

```
openssl genrsa -out nginx.key 1024
openssl req -new -key nginx.key -out nginx.csr
# Common Name entered at the prompt: api.sqfengchao.link
openssl ca -in nginx.csr -out nginx.crt -days 3650
```

**Create the client certificate**

```
cd /RESOURCE01/ssl
cp /etc/pki/CA/cacert.pem .
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
# Common Name entered at the prompt: android
openssl ca -in client.csr -out client.crt -days 3650
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
```

**Configure client certificate verification in nginx**

`vim /usr/local/nginx/conf/nginx.conf`

```
ssl_certificate /RESOURCE01/ssl/nginx.crt;
ssl_certificate_key /RESOURCE01/ssl/nginx.key;
ssl_client_certificate /RESOURCE01/ssl/cacert.pem;
ssl_verify_client on;
ssl_protocols SSLv2 SSLv3 TLSv1;
```

# Android side

**With JDK 1.6, download bcprov-jdk16-145.jar**

**Open java.security in `jdk_home\jre\lib\security\` and add this line:**

`security.provider.11=org.bouncycastle.jce.provider.BouncyCastleProvider`

**Generate the BKS trust store**

`c:\Java\jdk1.6.0_43\bin\keytool.exe -importcert -keystore trust.bks -storepass 123456 -alias ca -file cacert.pem -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider`

**Inspect the BKS trust store**

`c:\Java\jdk1.6.0_43\bin\keytool.exe -list -v -keystore trust.bks -storepass 123456 -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider`

**Login Activity code**

```
@Override
protected String doInBackground(String... params) {
    return HttpsManager.login(LoginActivity.this, userName, passWord);
}
```

**HTTPS code**

```
HttpsURLConnection conn = null;
try {
    URL url = new URL(SERVICE_ADDRESS + path); // HTTPS login URL
    conn = (HttpsURLConnection) url.openConnection();
    // pContext is the Context of the login screen
    conn.setSSLSocketFactory(MySSLSocketFactory.getSSLSocketFactory(pContext));
    conn.setRequestMethod("POST");
    conn.setConnectTimeout(8000);
    conn.setReadTimeout(8000);
    conn.setUseCaches(false);
    conn.setDoOutput(true);
    OutputStream os = conn.getOutputStream();
    os.write(body.getBytes());
    os.flush();
    os.close();
    conn.connect();
    System.out.println("Code => " + conn.getResponseCode());
    return parseResponse(conn.getInputStream());
} catch (Exception e) {
    e.printStackTrace();
}
return null;
```

**SSLSocketFactory code**

```
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import android.content.Context;

public class MySSLSocketFactory {
    // client identity: the PKCS#12 exported on the server
    private static final String keyStoreType = "PKCS12";
    private static final String keyStoreFileName = "client.p12";
    private static final String keyStorePassword = "android";
    // trust store: the BKS holding our CA certificate
    private static final String trustStoreType = "BKS";
    private static final String trustStoreFileName = "trust.bks";
    private static final String trustStorePassword = "123456";
    private static Context pContext;

    public static SSLSocketFactory getSSLSocketFactory(Context ctx) {
        try {
            pContext = ctx;
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(createKeyManagers(), createTrustManagers(), null);
            return context.getSocketFactory();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    // Loads client.p12 from assets so the app can present its certificate.
    private static KeyManager[] createKeyManagers() throws Exception {
        InputStream inputStream = pContext.getResources().getAssets().open(keyStoreFileName);
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(inputStream, keyStorePassword.toCharArray());
        print(keyStore);
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
        return keyManagerFactory.getKeyManagers();
    }

    // Loads trust.bks from assets so only certificates issued by our CA are accepted.
    private static TrustManager[] createTrustManagers() throws Exception {
        InputStream inputStream = pContext.getResources().getAssets().open(trustStoreFileName);
        KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        trustStore.load(inputStream, trustStorePassword.toCharArray());
        print(trustStore);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        return trustManagerFactory.getTrustManagers();
    }

    private static void print(KeyStore keystore) throws Exception {
        System.out.println("Provider : " + keystore.getProvider().getName());
        System.out.println("Type : " + keystore.getType());
        System.out.println("Size : " + keystore.size());
        Enumeration<String> en = keystore.aliases();
        while (en.hasMoreElements()) {
            System.out.println("Alias: " + en.nextElement());
        }
    }
}
```

### [Click here](https://liuzy.xyz/files/Nginx+Andorid配置双向验证.zip) to download all the code and certificates

### Appendix: script to reset the OpenSSL CA database

```
cd /etc/pki/CA
rm -rf ca*
rm -rf index.*
rm -rf serial*
rm -rf private/*
touch index.txt
echo '01' > serial
echo '' >> serial
```
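The server-side steps above as an added shell example that is not part of the original post: it rebuilds the same PKI (CA, nginx server certificate, Android client certificate plus PKCS#12) using `openssl x509 -req` instead of `openssl ca` so no CA index or serial database is needed, with 2048-bit keys, SHA-256 and SAN/EKU extensions where the post uses 1024-bit keys, and then applies the check that `ssl_verify_client on` performs on a presented client certificate. The hostnames, file names and the PKCS#12 password are constructed placeholders, and it assumes an `openssl` binary with its default config on PATH.

```shell
#!/bin/sh
# Added example, not from the post: rebuilds its CA / nginx server cert /
# Android client cert (+ PKCS#12) with 2048-bit keys, SHA-256 and proper
# extensions, then applies the check nginx does for "ssl_verify_client on":
# the client certificate must chain to a CA in ssl_client_certificate.
# All names, paths and passwords are constructed placeholders.
set -eu

# Sign a CSR with the CA in the current directory, attaching extensions ($3,
# "\n"-separated). Uses "openssl x509 -req" so no CA index/serial DB is needed.
sign_with_ca() { # $1=csr  $2=output cert  $3=extension lines
  printf '%b\n' "$3" > "$2.ext"
  openssl x509 -req -in "$1" -CA cacert.pem -CAkey cakey.pem -CAcreateserial \
    -days 3650 -sha256 -extfile "$2.ext" -out "$2" 2>/dev/null
}

# Populate directory $1 with cacert.pem, nginx.crt/.key, client.crt/.key/.p12
# and rogue.crt, a self-issued client certificate that must be rejected.
mtls_setup() {
  cd "$1"
  # root CA (the post's cakey.pem / cacert.pem)
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=Demo Root CA" -keyout cakey.pem -out cacert.pem 2>/dev/null
  # server certificate: the SAN is what modern clients match the hostname against
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=api.example.test" \
    -keyout nginx.key -out nginx.csr 2>/dev/null
  sign_with_ca nginx.csr nginx.crt \
    'subjectAltName=DNS:api.example.test\nextendedKeyUsage=serverAuth'
  # client certificate, packaged as PKCS#12 for the Android KeyStore
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=android" \
    -keyout client.key -out client.csr 2>/dev/null
  sign_with_ca client.csr client.crt 'extendedKeyUsage=clientAuth'
  openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 \
    -passout pass:android
  # a client certificate from an issuer we never trusted
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=android" -keyout rogue.key -out rogue.crt 2>/dev/null
}

# The server-side decision: exit 0 only if $1 chains to a CA in $2.
client_accepted() {
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

if [ "${1:-}" = "demo" ]; then # stand-alone run: sh mtls_demo.sh demo
  d=$(mktemp -d) && mtls_setup "$d"
  for c in client rogue; do
    client_accepted "$d/$c.crt" "$d/cacert.pem" && v=accepted || v=rejected
    echo "$c.crt: $v"
  done
fi
```

Loading `client.p12` into the app and `cacert.pem` into `trust.bks` as the post describes gives the Android side the two halves of the same trust relationship: the server checks the client against `cacert.pem`, the client checks the server against it.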
1 reply

liuzy
### You can also skip the BKS and simply trust every server certificate.

```
if (tm == null) {
    tm = new TrustManager[] { new X509TrustManager() {
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return null;
        }
        @Override
        public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
        }
        @Override
        public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
        }
    } };
}
```