SSL从理论到实践(五)——SSL通信的实现(Java、Android、IOS、C)

SSL从理论到实践全解析
最新推荐文章于 2022-07-11 07:35:00 发布
原创 最新推荐文章于 2022-07-11 07:35:00 发布 · 1.7k 阅读 · 3 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#SSL双向认证 #Android #SSL #IOS #C

本文详述了SSL从理论到实践的过程,包括密码学基础、SSL协议、证书文件管理、Keytool工具使用,以及Java、Android、iOS、C语言的SSL编程实践。涵盖了证书生成、密钥库配置、客户端与服务器端的双向认证流程。

没有读过前几篇文章的同学建议先阅读:
SSL从理论到实践(一)——密码学的相关概念
SSL从理论到实践(二)——SSL
SSL从理论到实践(三)——证书文件
SSL从理论到实践(四)——Keytool
  要使用SSL,首先要生成证书。由于JDK自带的keytool工具默认不能生成BKS类型的密钥库,而Android客户端只支持BKS类型的密钥库,所以要先扩展keytool使其能够生成BKS密钥库。

1. BouncyCastle配置
1.1下载bcprov-ext-jdk15on-158.jar(截止2017/11/19日最新)

下载地址:http://www.bouncycastle.org/latest_releases.html

1.2将bcprov-ext-jdk15on-158.jar复制到 jdk_home\jre\lib\ext下
1.3在jdk_home\jre\lib\security\目录中找到 java.security 在其中增加一行(xx表示数字)
security.provider.xx=org.bouncycastle.jce.provider.BouncyCastleProvider

配置后如下图:
在这里插入图片描述

2.使用keytool工具生成密钥库、导出证书、导入信任库
2.1生成服务器端的密钥库kserver.keystore,采用默认的JKS类型
keytool -genkeypair -alias server -keystore kserver.keystore -validity 36500 -keyalg ec
(SSLSocket签名算法默认为DSA,Android6.0(API 23)以后KeyStore发生更改,不再支持DSA,但仍支持ECDSA。所以需要指定签名算法:-keyalg ec)
2.2从服务器端密钥库kserver.keystore中导出服务器证书
keytool -exportcert -alias server -file server.cer -keystore kserver.keystore
2.3将服务器端导出的证书导入到客户端信任密钥库tclient.bks中,客户端信任密钥库(tclient.bks)会自动生成,并且此时要特别指明信任密钥库是BKS类型
keytool -importcert -alias server -file server.cer -keystore tclient.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider
2.4生成客户端密钥库kclient.bks
keytool -genkeypair -alias client -keystore kclient.bks -storetype BKS -validity 36500 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -keyalg ec
2.5导出客户端证书
keytool -exportcert -alias client -file client.cer -keystore kclient.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider
2.6将客户端导出的证书导入到服务器端信任密钥库tserver.keystore中,服务器端信任密钥库(tserver.keystore)会自动生成
keytool -importcert -v -alias client -file client.cer -keystore tserver.keystore
2.7将客户端密钥库kclient.bks转成IOS支持的pkcs12格式,会生成kclient.p12文件
keytool -importkeystore -srckeystore kclient.bks -srcstoretype bks -destkeystore kclient.p12 -deststoretype pkcs12

  至此,我们已经生成了Java、Android端和IOS需要的密钥库和证书文件,接下来我们只需要将使用到的文件复制到项目中就可以了。

3.SSLSocket服务器端代码 (Java实现)
public class SocketServer {
    private static final String SERVER_KEY_PASSWORD = "123456";
    private static final String TRUST_KEY_PASSWORD = "123456";
    private static final String SERVER_KEYSTORE_PATH = "src/kserver.keystore";
    private static final String TRUST_KEYSTORE_PATH = "src/tserver.keystore";
    private static final int PORT = 2345;//端口号

    public static void main(String[] args) {
        startServer();
    }

    private static void startServer() {
        ServerSocket serverSocket = null;
        try {
            serverSocket = createServerSocket();
            serverSocket.bind(new InetSocketAddress(PORT));

            while (true) {
                Socket socket = serverSocket.accept();

                OutputStream outputStream = socket.getOutputStream();
                outputStream.write("Hello, I am Server!".getBytes());
                outputStream.flush();

                InputStream inputStream = socket.getInputStream();
                byte[] buffer = new byte[1024];
                int len = inputStream.read(buffer);
                System.out.println("receive:" + new String(buffer,0,len));
                try {
                    if (outputStream != null) {
                        outputStream.close();
                    }
                    if (inputStream != null) {
                        inputStream.close();
                    }
                    if (socket != null) {
                        socket.close();
                    }
                } catch (IOException e) {
                    e.printStackTrace();
                }
            }

        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            try {
                if (serverSocket != null) {
                    serverSocket.close();
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

    private static ServerSocket createServerSocket() throws Exception {
        SSLContext sslContext = SSLContext.getInstance("TLS");// 使用协议 TLS

        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(new FileInputStream(SERVER_KEYSTORE_PATH),SERVER_KEY_PASSWORD.toCharArray());
        keyManagerFactory.init(keyStore, SERVER_KEY_PASSWORD.toCharArray());

        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("SunX509");
        KeyStore trustkeyStore = KeyStore.getInstance("JKS");
        trustkeyStore.load(new FileInputStream(TRUST_KEYSTORE_PATH),TRUST_KEY_PASSWORD.toCharArray());
        trustManagerFactory.init(trustkeyStore);

        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

        SSLServerSocket sslServerSocket = (SSLServerSocket) sslContext.getServerSocketFactory().createServerSocket();
        if (sslServerSocket != null) {
            sslServerSocket.setNeedClientAuth(true);// 需要双向认证
        }

        return sslServerSocket;
    }

}
4.SSLSocket客户端代码(Android实现,记得添加权限< uses-permission android:name = “android.permission.INTERNET” />)
public class MainActivity extends Activity {
    private static final String CLIENT_KEY_PASSWORD = "123456";
    private static final String TRUST_KEY_PASSWORD = "123456";
    private static final String CLIENT_KEYSTORE_PATH = "kclient.bks";
    private static final String TRUST_KEYSTORE_PATH = "tclient.bks";
    private static final String IP = "192.168.99.52";//ip和端口号根据服务器不同自行修改
    private static final int PORT = 2345;//ip和端口号根据服务器不同自行修改

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        setContentView(R.layout.activity_main);
        new Thread() {
            public void run() {
                startSocket();
            };
        }.start();
    }

    public void startSocket(){
        byte[] buffer = new byte[1024];
        Socket socket = null;
        InputStream reader = null;
        OutputStream writer = null;
        try {
            socket = createSocket();
            socket.setReuseAddress(true);
            socket.setSoLinger(true, 0);            //socket关闭时,立即释放资源 
            socket.setTcpNoDelay(true);                //数据不作缓冲,立即发送 
            socket.setTrafficClass(0x04 | 0x10);    //高可靠性和最小延迟传输 
            socket.setKeepAlive(true);
            socket.setSoTimeout(10000);
            socket.connect(new InetSocketAddress(IP, PORT), 3000);

            reader = socket.getInputStream();
            int len = reader.read(buffer);
            Log.i("read", "receive:" + new String(buffer,0,len));

            writer = socket.getOutputStream();
            writer.write("Hello, I am Client!".getBytes());
            writer.flush();
        } catch (Exception e) {
            e.printStackTrace();
        } finally {
            try {
                if (writer != null) {
                    writer.close();
                }
                if (reader != null) {
                    reader.close();
                }
                if (socket != null) {
                    socket.close();
                }
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }

    private Socket createSocket() throws Exception {
        //取得TLS协议的SSLContext实例
        SSLContext sslContext = SSLContext.getInstance("TLS");

        KeyStore clientKeyStore = KeyStore.getInstance("BKS");
        clientKeyStore.load(getResources().getAssets().open(CLIENT_KEYSTORE_PATH), CLIENT_KEY_PASSWORD.toCharArray());
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("X509");
        keyManagerFactory.init(clientKeyStore, CLIENT_KEY_PASSWORD.toCharArray());

        //取得BKS类型的密钥库实例,这里特别注意:手机只支持BKS密钥库,不支持Java默认的JKS密钥库
        KeyStore trustKeyStore = KeyStore.getInstance("BKS");
        trustKeyStore.load(getResources().getAssets().open(TRUST_KEYSTORE_PATH), TRUST_KEY_PASSWORD.toCharArray());
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
        trustManagerFactory.init(trustKeyStore);

        //初始化SSLContext实例
        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);

        //以下两步获得SSLSocket实例
        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
        return sslSocketFactory.createSocket();
    }
}
5.SSLSocket客户端代码(IOS实现——由热心的IOS同事生浩提供)
#import "GCDAsyncSocket.h"
@interface ViewController ()<GCDAsyncSocketDelegate>
@property (nonatomic,strong)GCDAsyncSocket *socket;
@end

@implementation ViewController

- (void)viewDidLoad {
    [super viewDidLoad];
    _socket = [[GCDAsyncSocket alloc]initWithDelegate:self delegateQueue:dispatch_get_main_queue()];
    [_socket connectToHost:@"192.168.99.52" onPort:2345 error:nil];

}

- (void)socket:(GCDAsyncSocket *)sock didReadData:(NSData *)data withTag:(long)tag
{
    NSString *str = [[NSString alloc]initWithData:data encoding:NSUTF8StringEncoding];
    NSLog(@"接收到数据:%@",str);
}
- (void)socket:(GCDAsyncSocket *)sock didWriteDataWithTag:(long)tag
{
    NSLog(@"发送 hello 成功");
}
- (void)socketDidDisconnect:(GCDAsyncSocket *)sock withError:(NSError *)err
{
    if (err) {
        NSLog(@"%@",err.description);
    }
}
- (void)socket:(GCDAsyncSocket *)sock didConnectToHost:(NSString *)host port:(uint16_t)port
{
    NSLog(@"进入SSL验证");
    [self starSSL:sock];
}
- (void)socket:(GCDAsyncSocket *)sock didReceiveTrust:(SecTrustRef)trust completionHandler:(void (^)(BOOL))completionHandler
{
    //    // SSL 证书
    NSLog(@"进入 didReceiveTrust");
    NSString *certFilePath1 = [[NSBundle mainBundle] pathForResource:@"server" ofType:@"cer"];
    NSData *certData1 = [NSData dataWithContentsOfFile:certFilePath1];

    OSStatus status = -1;
    SecTrustResultType result = kSecTrustResultDeny;

    if(certData1)
    {
        SecCertificateRef   cert1;

        cert1 = SecCertificateCreateWithData(NULL, (__bridge_retained CFDataRef) certData1);

        // 设置证书用于验证
        SecTrustSetAnchorCertificates(trust, (__bridge CFArrayRef)[NSArray arrayWithObjects:(__bridge id)cert1,nil]);

        // 验证服务器证书和本地证书是否匹配
        status = SecTrustEvaluate(trust, &result);
    }
    else
    {
        NSLog(@"local certificates could not be loaded");

        completionHandler(NO);
    }

    if ((status == noErr && (result == kSecTrustResultProceed || result == kSecTrustResultUnspecified)))
    {
        //成功通过验证,证书可信
        completionHandler(YES);
    }
    else
    {
        CFArrayRef arrayRefTrust = SecTrustCopyProperties(trust);
        NSLog(@"error in connection occured\n%@", arrayRefTrust);

        completionHandler(NO);
    }
}
- (void)socketDidSecure:(GCDAsyncSocket *)sock
{
    NSLog(@"握手成功");
    NSString *dataStr = @"hello server";
    NSData *data = [dataStr dataUsingEncoding:NSUTF8StringEncoding];
    [_socket readDataWithTimeout:-1 tag:0];

    [_socket writeData:data withTimeout:-1 tag:0];
}

- (void)starSSL:(GCDAsyncSocket*)sock {


    /**********单向验证***************/
    // 配置 SSL/TLS 设置信息
    //    NSMutableDictionary *settings = [NSMutableDictionary dictionaryWithCapacity:3];
    //    //允许自签名证书手动验证
    //    [settings setObject:@YES forKey:GCDAsyncSocketManuallyEvaluateTrust];

    // 如果不是自签名证书,而是那种权威证书颁发机构注册申请的证书
    // 那么这个settings字典可不传。
    //    [sock startTLS:settings]; // 开始SSL握手


    /**********双向验证***************/

    NSMutableDictionary *sslSettings = [[NSMutableDictionary alloc] init];

    // SSL 证书
    NSData *pkcs12data = [[NSData alloc] initWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"kclient" ofType:@"p12"]];

    CFDataRef inPKCS12Data = (CFDataRef)CFBridgingRetain(pkcs12data);

    // c语言字符串
    CFStringRef password = CFSTR("123456");

    const void *keys[] = { kSecImportExportPassphrase };

    const void *values[] = { password };

    CFDictionaryRef options = CFDictionaryCreate(NULL, keys, values, 1, NULL, NULL);

    CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);

    OSStatus securityError = SecPKCS12Import(inPKCS12Data, options, &items);
    CFRelease(options);
    CFRelease(password);

    if(securityError == errSecSuccess)
        NSLog(@"Success opening p12 certificate.");

    CFDictionaryRef identityDict = CFArrayGetValueAtIndex(items, 0);
    SecIdentityRef myIdent = (SecIdentityRef)CFDictionaryGetValue(identityDict,
                                                                  kSecImportItemIdentity);

    SecIdentityRef  certArray[1] = { myIdent };
    CFArrayRef myCerts = CFArrayCreate(NULL, (void *)certArray, 1, NULL);

    [sslSettings setObject:(id)CFBridgingRelease(myCerts) forKey:(NSString *)kCFStreamSSLCertificates];
    [sslSettings setObject:[[NSArray alloc] initWithObjects:(__bridge id)(myIdent), nil] forKey:GCDAsyncSocketSSLCertificates];
    //    SSLProtocol
    [sslSettings setObject:@YES forKey:GCDAsyncSocketManuallyEvaluateTrust];
    [sslSettings setObject:@0 forKey:GCDAsyncSocketSSLProtocolVersionMax];

    // 此方法是GCDScoket 设置ssl验证的唯一方法,需要穿字典
    [sock startTLS:sslSettings];
}


- (void)didReceiveMemoryWarning {
    [super didReceiveMemoryWarning];
    // Dispose of any resources that can be recreated.
}


@end
6.使用keytool和openssl生成C需要的密钥文件和证书文件

  C语言需要导入的私钥和证书是pem格式的,而我们之前生成的文件都是der格式的,所以我们需要先将der格式转换成pem格式,然后从pem格式的文件中拷出私钥和证书。

6.1将服务器密钥库kserver.keystore转成pkcs12格式,生成kserver.p12文件
keytool -importkeystore -srckeystore kserver.keystore -srcstorepass 123456 -destkeystore kserver.p12 -deststoretype pkcs12 -deststorepass 123456
(123456是密钥库的密码,请对照自己的密码进行修改)
6.2利用openssl将kserver.p12文件的格式由der转成pem,会生成kserver.pem文件
openssl pkcs12 -in kserver.p12 -out kserver.pem -passin pass:123456 -passout pass:123456
6.3新建文件server.key和server.crt,将kserver.pem文件中的私钥信息复制到server.key中,将kserver.pem文件中的证书信息复制到server.crt中。其中私钥和证书信息如下:

在这里插入图片描述

6.4利用openssl将kclient.p12文件(之前生成的IOS密钥库)的格式由der转成pem,会生成kclient.pem文件
openssl pkcs12 -in kclient.p12 -out kclient.pem -passin pass:123456 -passout pass:123456
6.5新建文件client.key和client.crt,将kclient.pem文件中的私钥信息复制到client.key中,将kclient.pem文件中的证书信息复制到client.crt中(过程同6.3)

至此,C语言需要的四个文件(server.key、server.crt、client.key和client.crt)我们也已经生成完成。

7.SSLSocket头文件“ssl_common.h”
#ifndef _SSL_COMMON_H_
#define _SSL_COMMON_H_

#define FAIL            -1
#define MAXBUF            1024
#define PRIKEY_PASSWD    "123456"                        //prikey password
#define ALGO_TYPE        "ALL"                            //algorithm type
#define SERVER_CERT        "certs/server.crt"                    //vbox cert file
#define SERVER_KEYF        "certs/server.key"                    //vbox key file
#define CLIENT_CERT        "certs/client.crt"                    //client cert file
#define CLIENT_KEYF        "certs/client.key"                    //client key file
#endif
8.SSLSocket服务端代码(C实现)
#include <stdio.h>
#include <unistd.h>
#include <malloc.h>
#include <string.h>
#include <sys/socket.h>
#include <resolv.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include "ssl_common.h"

/*---------------------------------------------------------------------*/
/*--- open_listener - create server socket                          ---*/
/*---------------------------------------------------------------------*/
int open_listener(int port)
{
    int sd;
    struct sockaddr_in addr;

    sd = socket(AF_INET, SOCK_STREAM, 0);
    bzero(&addr, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = INADDR_ANY;
    if ( bind(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
    {
        perror("can't bind port");
        abort();
    }
    if ( listen(sd, 10) != 0 )
    {
        perror("Can't configure listening port");
        abort();
    }
    return sd;
}

/*---------------------------------------------------------------------*/
/*--- init_server_ctx - initialize SSL server  and create contexts  ---*/
/*---------------------------------------------------------------------*/
SSL_CTX* init_server_ctx(void)
{   
    SSL_METHOD *method;
    SSL_CTX *ctx;

    SSL_library_init();                 /* init algorithms library */
    OpenSSL_add_all_algorithms();       /* load & register all cryptos, etc. */
    SSL_load_error_strings();           /* load all error messages */
    OpenSSL_add_all_ciphers();
    method = SSLv23_server_method();  /* create new server-method instance */
    //method = TLSv1_server_method();
    ctx = SSL_CTX_new(method);          /* screate new context from method */
    if ( ctx == NULL )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    return ctx;
}

/*---------------------------------------------------------------------*/
/*--- verify_callback - SSL_CTX_set_verify callback function.       ---*/
/*---------------------------------------------------------------------*/
int verify_callback(int ok, X509_STORE_CTX *store)
{
    char data[256];
    if (ok)
    {
        fprintf(stderr, "verify_callback\n{\n");
        X509 *cert = X509_STORE_CTX_get_current_cert(store);
        int  depth = X509_STORE_CTX_get_error_depth(store);
        int  err = X509_STORE_CTX_get_error(store);

        fprintf(stderr, "certificate at depth: %i\n", depth);
        memset(data, 0, sizeof(data));
        X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
        fprintf(stderr, "issuer = %s\n", data);
        X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
        fprintf(stderr, "subject = %s\n", data);
        fprintf(stderr, "error status:  %i:%s\n}\n", err, X509_verify_cert_error_string(err));
    }
    return ok;
}

/*---------------------------------------------------------------------*/
/*--- load_certificates - load from files.                          ---*/
/*---------------------------------------------------------------------*/
void load_certificates(SSL_CTX* ctx, char* CaFile, char* CertFile, char* KeyFile)
{
    #if 1
    /* set maximum depth for the certificate chain */
    //SSL_CTX_set_verify_depth(ctx, 1);
    /* set voluntary certification mode*/
    //SSL_VERIFY_NONE SSL_VERIFY_PEER
    //SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
    /* set mandatory certification mode*/
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback);
    /* load CA certificate file */
    if (SSL_CTX_load_verify_locations(ctx, CaFile, NULL) <=0)
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    #endif
    /* set the local certificate from CertFile */
    if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* set server private key password */ 
    SSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)PRIKEY_PASSWD);
    /* set the private key from KeyFile (may be the same as CertFile) */
    if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* verify private key */
    if ( !SSL_CTX_check_private_key(ctx) )
    {
        fprintf(stderr, "Private key does not match the public certificate\n");
        abort();
    }
    /* set SSL cipher type */
    SSL_CTX_set_cipher_list(ctx, ALGO_TYPE);
}

/*---------------------------------------------------------------------*/
/*--- show_certs_info - print out certificates.                     ---*/
/*---------------------------------------------------------------------*/
void show_certs_info(SSL* ssl)
{
    X509 *cert;
    char *line;

    /* Get connect use algorithm type */
    //printf("SSL connection using %s\n", SSL_get_cipher(ssl));
    /* Get certificates (if available) */
    cert = SSL_get_peer_certificate(ssl);
    if ( cert != NULL )
    {
        printf("Server certificates:\n");
        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
        printf("Subject: %s\n", line);
        free(line);
        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
        printf("Issuer: %s\n", line);
        free(line);
        X509_free(cert);
    }
    else
        printf("No certificates.\n");
}

/*---------------------------------------------------------------------*/
/*--- server_handler - SSL servlet                                  ---*/
/*---------------------------------------------------------------------*/
void server_handler(SSL* ssl)   /* Serve the connection -- threadable */
{
    char buf[1024];
    char reply[1280];
    int sd, bytes;

    if (FAIL == SSL_accept(ssl))                    /* do SSL-protocol accept */
    {
         printf("Accept Fail\n");
        ERR_print_errors_fp(stderr);   
    }
    else
    {
        show_certs_info(ssl);                       /* get any certificates */
        bytes = SSL_read(ssl, buf, sizeof(buf)-1);  /* get request */
        if (FAIL == bytes)
        {
            printf("SSL_read Fail\n");
            ERR_print_errors_fp(stderr);
        }
        buf[bytes] = '\0';
        printf("Client msg: \"%s\"\n", buf);

        printf("Connected with %s encryption\n", SSL_get_cipher(ssl));

        snprintf(reply, sizeof(reply), "Hello,I am server!", buf);
        bytes = SSL_write(ssl, reply, strlen(reply));   /* send reply */
        if (FAIL == bytes)
        {
            printf("SSL_write Fail\n");
            ERR_print_errors_fp(stderr);
        }
    }
    sd = SSL_get_fd(ssl);               /* get socket connection */
    //SSL_shutdown(ssl);                /* shutdown SSL link */
    SSL_free(ssl);                      /* release SSL state */
    close(sd);                          /* close connection */
}

/*---------------------------------------------------------------------*/
/*--- main - create SSL socket server.                              ---*/
/*---------------------------------------------------------------------*/
int main(int count, char *strings[])
{
    SSL_CTX *ctx;
    int server;
    char *portnum;

    if ( count != 2 )
    {
        printf("Usage: %s <portnum>\n", strings[0]);
        exit(0);
    }
    portnum = strings[1];
    ctx = init_server_ctx();                                        /* initialize SSL */
    load_certificates(ctx, CLIENT_CERT, SERVER_CERT, SERVER_KEYF);        /* load certs */
    server = open_listener(atoi(portnum));                          /* create server socket */
    while (1)
    {   struct sockaddr_in addr;
        int len = sizeof(addr);
        SSL *ssl;
        /* accept connection as usual */
        int client = accept(server, (struct sockaddr*)&addr, &len);
        printf("Connection from %d, port %d\n", addr.sin_addr.s_addr, addr.sin_port);



        ssl = SSL_new(ctx);             /* get new SSL state with context */
        SSL_set_fd(ssl, client);        /* set connection socket to SSL state */
        server_handler(ssl);            /* service connection */
    }
    close(server);                      /* close server socket */
    SSL_CTX_free(ctx);                  /* release context */

    return 0;
}
9.SSLSocket客户端代码(C实现)
#include <stdio.h>
#include <unistd.h>
#include <malloc.h>
#include <string.h>
#include <sys/socket.h>
#include <resolv.h>
#include <netdb.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include "ssl_common.h"

/*---------------------------------------------------------------------*/
/*--- open_connection - create socket and connect to server.        ---*/
/*---------------------------------------------------------------------*/
int open_connection(const char *hostname, int port)
{
    int sd;
    struct hostent *host;
    struct sockaddr_in addr;

    if ( (host = gethostbyname(hostname)) == NULL )
    {
        perror(hostname);
        abort();
    }
    sd = socket(AF_INET, SOCK_STREAM, 0);
    bzero(&addr, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(port);
    addr.sin_addr.s_addr = *(long*)(host->h_addr);
    if ( connect(sd, (struct sockaddr*)&addr, sizeof(addr)) != 0 )
    {
        close(sd);
        perror(hostname);
        abort();
    }
    return sd;
}

/*---------------------------------------------------------------------*/
/*--- init_client_ctx - initialize the SSL engine.                  ---*/
/*---------------------------------------------------------------------*/
SSL_CTX* init_client_ctx(void)
{
    SSL_METHOD *method;
    SSL_CTX *ctx;

    SSL_library_init();                 /* init algorithms library */
    OpenSSL_add_all_algorithms();       /* load & register all cryptos, etc. */
    SSL_load_error_strings();           /* load all error messages */
    method = SSLv23_client_method();  /* create new server-method instance */
    //method = TLSv1_client_method();
    ctx = SSL_CTX_new(method);          /* create new context from method */
    if ( ctx == NULL )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    return ctx;
}

/*---------------------------------------------------------------------*/
/*--- verify_callback - SSL_CTX_set_verify callback function.       ---*/
/*---------------------------------------------------------------------*/
int verify_callback(int ok, X509_STORE_CTX *store)
{
    char data[256];
    if (ok)
    {
        fprintf(stderr, "verify_callback\n{\n");
        X509 *cert = X509_STORE_CTX_get_current_cert(store);
        int  depth = X509_STORE_CTX_get_error_depth(store);
        int  err = X509_STORE_CTX_get_error(store);

        fprintf(stderr, "certificate at depth: %i\n", depth);
        memset(data, 0, sizeof(data));
        X509_NAME_oneline(X509_get_issuer_name(cert), data, 256);
        fprintf(stderr, "issuer = %s\n", data);
        X509_NAME_oneline(X509_get_subject_name(cert), data, 256);
        fprintf(stderr, "subject = %s\n", data);
        fprintf(stderr, "error status:  %i:%s\n}\n", err, X509_verify_cert_error_string(err));
    }
    return ok;
}

/*---------------------------------------------------------------------*/
/*--- load_certificates - load from files.                          ---*/
/*---------------------------------------------------------------------*/
void load_certificates(SSL_CTX* ctx, char* CaFile, char* CertFile, char* KeyFile)
{
    #if 1
    /* set maximum depth for the certificate chain */
    //SSL_CTX_set_verify_depth(ctx, 1);
    /* set verify mode*/
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, verify_callback);
    /* load CA certificate file */
    if (SSL_CTX_load_verify_locations(ctx, CaFile, NULL) <=0)
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    #endif
    /* set the local certificate from CertFile */
    if ( SSL_CTX_use_certificate_file(ctx, CertFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* set server private key password */ 
    SSL_CTX_set_default_passwd_cb_userdata(ctx, (void*)PRIKEY_PASSWD);
    /* set the private key from KeyFile (may be the same as CertFile) */
    if ( SSL_CTX_use_PrivateKey_file(ctx, KeyFile, SSL_FILETYPE_PEM) <= 0 )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    /* verify private key */
    if ( !SSL_CTX_check_private_key(ctx) )
    {
        fprintf(stderr, "Private key does not match the public certificate\n");
        abort();
    }
    /* set SSL cipher type */
    SSL_CTX_set_cipher_list(ctx, ALGO_TYPE);
}

/*---------------------------------------------------------------------*/
/*--- show_certs_info - print out the certificates.                 ---*/
/*---------------------------------------------------------------------*/
void show_certs_info(SSL* ssl)
{   X509 *cert;
    char *line;

    cert = SSL_get_peer_certificate(ssl);   /* get the server's certificate */
    if ( cert != NULL )
    {
        printf("Server certificates:\n");
        line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
        printf("Subject: %s\n", line);
        free(line);                         /* free the malloc'ed string */
        line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
        printf("Issuer: %s\n", line);
        free(line);                         /* free the malloc'ed string */
        X509_free(cert);                    /* free the malloc'ed certificate copy */
    }
    else
        printf("No certificates.\n");
}

/*---------------------------------------------------------------------*/
/*--- main - create SSL context and connect                         ---*/
/*---------------------------------------------------------------------*/
int main(int count, char *strings[])
{
    SSL_CTX *ctx;
    int server;
    SSL *ssl;
    char buf[1024];
    int bytes;
    char *hostname, *portnum;

    if ( count != 3 )
    {
        printf("usage: %s <hostname> <portnum>\n", strings[0]);
        exit(0);
    }
    hostname = strings[1];
    portnum = strings[2];

    ctx = init_client_ctx();                                        /* initialize SSL */
    load_certificates(ctx, SERVER_CERT, CLIENT_CERT, CLIENT_KEYF);  /* load certs */
    server = open_connection(hostname, atoi(portnum));
    ssl = SSL_new(ctx);                 /* create new SSL connection state */
    SSL_set_fd(ssl, server);            /* attach the socket descriptor */
    if ( SSL_connect(ssl) == FAIL )     /* perform the connection */
    {
        ERR_print_errors_fp(stderr);
    }
    else
    {
        char *msg = "Hi! I am Client!";

        printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
        show_certs_info(ssl);                       /* get any certs */
        SSL_write(ssl, msg, strlen(msg));           /* encrypt & send message */
        memset(buf, 0, sizeof(buf));
        bytes = SSL_read(ssl, buf, sizeof(buf)-1);  /* get reply & decrypt */
        buf[bytes] = '\0';
        printf("Server msg: \"%s\"\n", buf);
        SSL_shutdown(ssl);                          /* shutdown SSL link */
        SSL_free(ssl);                              /* release connection state */
    }
    close(server);                                  /* close socket */
    SSL_CTX_free(ctx);                              /* release context */

    return 0;
}
参考

1.SSL协议详解
2.让SSL/TLS协议流行起来:深度解读SSL/TLS实现
3.使用wireshark观察SSL/TLS握手过程–双向认证/单向认证
4.Android 6.0 SSL通信
5.SSL/TLS的原理以及互联网究竟是如何工作的(1-5)
6.JDK 中的证书生成和管理工具 keytool
7.那些证书相关的玩意儿(SSL,X.509,PEM,DER,CRT,CER,KEY,CSR,P12等)

iOS 电商网站HTTPS实践之路——性能优化篇
H.A.N的博客
05-17 1696
通过分析TLS握手过程的细节我们会发现HTTPS比HTTP会增加多个RTT网络传输时间,既增加了服务端开销,又拖慢了客户端响应时间。因此,性能优化是必不可少的工作。很多文章都集中在服务端的性能优化上,但对于电商行业而言,大部分的用户流量源于App,因此客户端的性能优化配合服务端才能使收益最大化。 HTTPS带来的负担 1.1 增加的传输延时 1.2 服务端额外开销 服务端性能优化 2.1...
ym——android源码大放送(实战开发必备)
热门推荐
陈宇明
08-10 4万+
文件夹 PATH 列表 卷序列号为 000A-8F50 E:. │  javaapk.com文件列表生成工具.bat │  使用说明.txt │  免费下载更多源码.url │  目录列表.txt │   ├─android web应用 │      jqmDemo_static.zip │      jqmMobileDemo-master.zip │      jqmMo
android 7.0 SSLsocket
12-21
SSLSOCKET demo 解决7.0认证失败 http://blog.youkuaiyun.com/zdy10326621/article/details/53744835
SSL原理和实现
厚积薄发
01-09 647
原理: 要想保证网络通信的安全,我们第一反应就是给传输的数据加密,这也是现行安全传输通用的模式。但在传统加密方式(单密钥,对称加密)下,密钥不可避免的要被传送于网络节点之间,(除非是写死到各个节点中,不过那样就没有任何灵活性和普适性),在一定强度的网络攻击下,这种加密方式是很脆弱的。 SSL 的出现解决了这个难题,理解SSL 的关键是理解非对称加密的含义。 在对称加密的情况下,源数据A,通...
SSL协议的分析及实现
NeverUp_的专栏
04-26 1289
<br />1引言        SSL是一种在客户端和服务器端之间建立安全通道的协议。SSL一经提出,就在Internet上得到广泛的应用。SSL最常用来保护Web的安全。为了保护存有敏感信息Web的服务器的安全,消除用户在Internet上数据传输的安全顾虑。OpenSSL是一个支持SSL认证的服务器.它是一个源码开放的自由软件,支持多种操作系统。OpenSSL软件的目的是实现一个完整的、健壮的、商业级的开放源码工具,通过强大的加密算法来实现建立在传输层之上的安全性。OpenSSL包含一套SSL协议的完
Web应用中使用SSL实现方式
hui_yan2012的专栏
03-25 3501
Web应用中使用SSL的三种实现方式发展背景Internet的迅猛发展,信息的快速通达使得企业拥有了一个商机无限的广阔发展空间,由于互联网是一个完全开放的网络,使得在其上传输的各种数据面临种种被窃听和丢失的危险。目前在互联网上很多Web应用,尤其是那些电子商务应用,如网上银行,网上超市,股票和债券的在线交易以及软件的付费下载等,都需要在Web服务器和客户端浏览器之间传输机密敏感数据,这些数据包括了信
【密码学应用全解】:从理论实践,确保数据安全无忧
[【密码学应用全解】:从理论实践,确保数据安全无忧](https://img-blog.csdnimg.cn/a0d3a746b89946989686ff9e85ce33b7.png) 参考资源链接:[刘树棠《信号与系统》答案]...
AndroidiOS银联支付SDK的下载与应用
标题中的“Android、iphone银联支付sdk”指向了两个主要的移动应用开发平台——AndroidiOS,以及这两个平台上使用的银联支付软件开发工具包(SDK)。描述中提到的“jar包”是指在Android平台上,开发银联支付功能...
安卓逆向_24( 一 ) --- Hook 框架 frida( Hook Java层 和 so层) )
墨鱼菜鸡
07-11 5809
From:Hook 神器家族的 Frida 工具使用详解:https://blog.youkuaiyun.com/FlyPigYe/article/details/90258758 详解 Hook 框架 frida ( 信抢红包 ):https://www.freebuf.com/company-information/180480.html APP逆向神器之F...
SSLSocketAndroid通信
08-16
android ssl socket java 整理了socket 中ssl安全通信
学习Android客户端和服务器端SSLSocket交互的总结
07-24
这个是我通过学习总结的资料,介绍了如何SSLSocket的一些简单的知识,以及介绍了如何利用JDK自带的keytool工具生成密钥库、证书等,还有Demo作为例子,很好的学习资料。
Java Android SSL 双向认证代码
yuxiaohui78的专栏
12-24 8957
源代码下载: https://github.com/yuxiaohui78/androidHttps package com.example.ssl.util; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; import java.net.Sock
android SSLsocket建立连接,不需要非要使用.bks类型的证书秘钥文件
这是我的博客
11-06 2271
Sslsocket连接,主要是秘钥格式等的加载问题。 遇到的问题,服务器端是linux系统生成的秘钥文件除了需要的一串字符串外还有一个头部,要去掉那个头部才行。 例子: -----BEGIN CERTIFICATE----- MIIDwjCCAqqgAwIBAgIBATANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJBVTET MBEGA1UECAwKU29tZ
Android客户端的SSLSocket通信实例源码(PC做服务器、BKS密库)
身披白袍的博客
06-12 3145
安卓客户端与PC服务器的SSL socket通信实例。 坑特别多,需要注意。第一次接触,处处遇坑...折腾了几天终于搞定了...接下来准备做双向验证。 需要注意的是,安卓端的密库必须是BKS,PC端的密库必须是JKS
Android 实现SLL Socket 双向认证(原有格式为PEM(私钥.key和证书.pem))
tnbaiyunf的博客
02-18 3142
为了实现TLS socket 消息认证。Server需要:1)KeyStore: 其中保存服务端的私钥2)Trust KeyStore:其中保存客户端的授权证书同样,Client需要:1)KeyStore:其中保存客户端的私钥2)Trust KeyStore:其中保存服务端的授权证书 但是Android 确实只能识别BKS 格式的证书,如果为其他格式的证书需要转换, 其中用到的转换工具为...
android sslsocket证书,在Android上使用自签名证书创建SSL-Socket - java
weixin_39913628的博客
05-29 428
我正在尝试将Android应用连接到使用自签名证书的启用SSL的服务器。我已经阅读了数十个教程,并且该应用程序现在正在接受证书并连接到服务器,但是我再也收不到任何数据。我用来初始化套接字的原始代码是这样的://passphrase for keystorechar[] keystorePass="password".toCharArray();//load own keystore (MyApp ...
android登陆双加密,AndroidSSL Socket双向认证加密通信
weixin_39917811的博客
06-02 386
密钥制作(命名解释:k -> keymanager ; t -> TrustManager)通过Java 的keytool 工具生成密钥keytool -genkey -v -alias server -keyalg RSA -storetype PKCS12 -keystore kserver.p12NOTICE:指定别名为server指定存储类型为PKCS12指定文件名kserve...
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值