在Android平臺上使用SSL，第一步就是要生成證書。因為JDK自帶的keytool工具默認生成的密鑰庫是JKS類型的，而Android客戶端只支持BKS類型的密鑰庫，所以必須先擴展keytool工具使其生成BKS密鑰庫。要擴展，則需要下載BouncyCastle庫。

JKS和JCEKS是Java密鑰庫(KeyStore)的兩種比較常見類型，JKS的Provider是SUN，在每個版本的JDK中都有。
BKS來自BouncyCastleProvider，它使用的也是TripleDES來保護密鑰庫中的Key，它能夠防止證書庫被不小心修改（Keystore的keyentry改掉1個bit都會產生錯誤），BKS能夠跟JKS互操作。

BouncyCastle配置

1.下載 bcprov-ext-jdk15on-156.jar (截止2017/1/19最新)
下載地址：http://www.bouncycastle.org

2.將bcprov-ext-jdk15on-156.jar復制到 jdk_home\jre\lib\ext下

3.在jdk_home\jre\lib\security\目錄中找到 java.security 在其中增加一行（xx表示數字）

security.provider.xx=org.bouncycastle.jce.provider.BouncyCastleProvider

配置后如下圖：

Paste_Image.png

使用keytool工具生成密鑰庫、導出證書、導入信任庫

1）生成服務器端的密鑰庫kserver.keystore，采用默認的JKS類型

keytool -genkeypair -v -alias server -keystore kserver.keystore -keyalg ec

※SSLSocket簽名算法默認為DSA，Android6.0（API 23）以后KeyStore發生更改，不再支持DSA，但仍支持ECDSA。所以需要指定簽名算法：-keyalg ec

longer supports DSA. ECDSA is still supported.
    Keys which do not require encryption at rest will no 
longer be deleted when secure lock screen is disabled or 
reset (for example, by the user or a Device Administrator).
 Keys which require encryption at rest will be deleted during these events.```

執行命令后，然后填寫一些必要的信息，就可以生成了，如下圖：

![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-c76e1f50ad92f810.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
 
生成的密鑰庫如下圖：

![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-a6be23e75b779cb9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
 
**2）從服務器端密鑰庫kserver.keystore中導出服務器證書：**

keytool -exportcert -v -alias server -file server.cer -keystore kserver.keystore

執行命令后，填寫密鑰庫密碼即可，如下圖：
 
![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-d25820dd9039cc82.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

生成證書文件如下圖：
 
![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-5248037e0dea287d.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

**3）將導出的服務器端證書導入到客戶端信任密鑰庫tclient.bks中，其中客戶端信任密鑰庫自動生成，并且此時要特別指明信任密鑰庫是BKS類型的，使用命令如下：**

keytool -importcert -v -alias server -file server.cer -keystore tclient.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider

命令執行后過程截圖如下：
 
![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-6b0073c9e865f049.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

生成客戶端密鑰庫tclient.bks如下：

![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-92b6bb394afe18d9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
 
**※接下來采用同樣的方法，生成客戶端的密鑰庫，導出客戶端的證書，并且導入到服務端的信任密鑰庫中 **

**4）現在生成客戶端密鑰庫kclient.bks，使用命令如下：**

keytool -genkeypair -v -alias client -keystore kclient.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider  -keyalg ec 
 
![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-f857814e846bdf9b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-20825b5009a21dce.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

**5）導出客戶端證書：**

keytool -exportcert -v -alias client -file client.cer -keystore kclient.bks -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider

![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-df042652c07129d1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-5c961f34b9f36cad.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

**6）導入生成服務器端信任密鑰庫（JKS類型）：**
keytool -importcert -v -alias client -file client.cer -keystore tserver.keystore

![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-4740c8f3fcfe0e8e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
 
![Paste_Image.png](http://upload-images.jianshu.io/upload_images/1546230-ba3db4a36372eda0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)

至此，我們已經按照自己的要求生成了密鑰庫和證書文件，我們只需要將需要的文件復制到項目中去使用就可以了。

###SSLSocket使用例

**客戶端代碼如下：**

public class MainActivity extends Activity {
private static final String KEYSTOREPASSWORD = "123456"; //密鑰庫密碼
private static final String KEYSTOREPATH_CLIENT = "kclient.bks"; //本地密鑰庫
private static final String KEYSTOREPATH_TRUST = "tclient.bks"; //信任密鑰庫
private static final String HOST = "192.168.1.196"; //服務器IP地址
private static final int PORT = 7891; //開放端口

@Override
protected void onCreate(Bundle savedInstanceState) {

    super.onCreate(savedInstanceState);
    setContentView(R.layout.activity_main);

    msgEt = (EditText) findViewById(R.id.msg_et);
}

public void onClickBtn(View v) {
    if (v.getId() == R.id.send_btn) {
        connectAndSend();
    }
}

private void connectAndSend() {
    new Thread(new Runnable() {
        SSLContext sslContext = null;

        @Override
        public void run() {
            try {
                //取得TLS協議的SSLContext實例
                sslContext = SSLContext.getInstance("TLS");
                //取得BKS類型的本地密鑰庫實例，這里特別注意：手機只支持BKS密鑰庫，不支持Java默認的JKS密鑰庫
                KeyStore clientkeyStore = KeyStore.getInstance("BKS");
                //初始化
                clientkeyStore.load(
                        getResources().getAssets().open(KEYSTOREPATH_CLIENT),
                        KEYSTOREPASSWORD.toCharArray());
                KeyStore trustkeyStore = KeyStore.getInstance("BKS");
                trustkeyStore.load(getResources().getAssets()
                        .open(KEYSTOREPATH_TRUST), KEYSTOREPASSWORD.toCharArray());

                //獲得X509密鑰庫管理實例
                KeyManagerFactory keyManagerFactory = KeyManagerFactory
                        .getInstance("X509");
                keyManagerFactory.init(clientkeyStore, KEYSTOREPASSWORD.toCharArray());
                TrustManagerFactory trustManagerFactory = TrustManagerFactory
                        .getInstance("X509");
                trustManagerFactory.init(trustkeyStore);

                //初始化SSLContext實例
                sslContext.init(keyManagerFactory.getKeyManagers(),
                        trustManagerFactory.getTrustManagers(), null);

                Log.i("System.out", "SSLContext初始化完畢...");
                //以下兩步獲得SSLSocket實例
                SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
                SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket(HOST,
                        PORT);
                Log.i("System.out", "獲得SSLSocket成功...");
                ObjectInputStream objectInputStream = new ObjectInputStream(sslSocket
                        .getInputStream());
                Log.i("System.out", objectInputStream.readObject().toString());

                ObjectOutputStream objectOutputStream = new ObjectOutputStream(
                        sslSocket.getOutputStream());
                objectOutputStream.writeObject(msgEt.getText().toString());
                objectOutputStream.flush();

                objectInputStream.close();
                objectOutputStream.close();
                sslSocket.close();

            } catch (KeyStoreException e) {
                e.printStackTrace();
            } catch (NoSuchAlgorithmException e) {
                e.printStackTrace();
            } catch (CertificateException e) {
                e.printStackTrace();
            } catch (IOException e) {
                e.printStackTrace();
            } catch (KeyManagementException e) {
                e.printStackTrace();
            } catch (UnrecoverableKeyException e) {
                e.printStackTrace();
            } catch (ClassNotFoundException e) {
                e.printStackTrace();
            }
        }
    }).start();
}

}

**服務端代碼如下：**

public class ServerMain {
private static final String KEYSTOREPASSWORD = "123456"; //密鑰庫的密碼
private static final String KEYSTOREPATH_SERVER = "src/kserver.keystore"; //密鑰庫存放路徑
private static final int PORT = 7891; //端口

public static void main(String[] args) {
    SSLContext sslContext = null;

    try {
        //服務端我們采用java默認的密鑰庫JKS類型，通過KeyStore類的靜態方法獲得實例并且指定密鑰庫類型
        KeyStore serverKeyStore = KeyStore.getInstance("JKS");      
        //利用提供的密鑰庫文件輸入流和密碼初始化密鑰庫實例
        serverKeyStore.load(new FileInputStream(KEYSTOREPATH_SERVER),
                KEYSTOREPASSWORD.toCharArray());
        //取得SunX509私鑰管理器
        KeyManagerFactory keyManagerFactory = KeyManagerFactory
                .getInstance("SunX509");
        //用之前初始化后的密鑰庫實例初始化私鑰管理器
        keyManagerFactory.init(serverKeyStore, KEYSTOREPASSWORD.toCharArray());
        //獲得TLS協議的SSLContext實例
        sslContext = SSLContext.getInstance("TLS");
        //初始化SSLContext實例
        sslContext.init(keyManagerFactory.getKeyManagers(), null, null);
        //以下兩步獲得SSLServerSocket實例
        SSLServerSocketFactory sslServerSocketFactory = sslContext
                .getServerSocketFactory();
        SSLServerSocket sslServerSocket = (SSLServerSocket) sslServerSocketFactory
                .createServerSocket(PORT);
        System.out.println("SSLServerSocket準備就緒...");
        while (true) {
            SSLSocket socket = (SSLSocket) sslServerSocket.accept();

            ObjectOutputStream objectOutputStream = new ObjectOutputStream(
                    socket.getOutputStream());
            objectOutputStream.flush();
            objectOutputStream.writeObject("這里是服務器端...");
            objectOutputStream.flush();

            ObjectInputStream objectInputStream = new ObjectInputStream(
                    socket.getInputStream());
            try {
                System.out.println(objectInputStream.readObject().toString());
            } catch (ClassNotFoundException e) {
                e.printStackTrace();
            } catch (Exception e) {
                e.printStackTrace();
            }

            objectOutputStream.close();
            objectInputStream.close();
            socket.close();
        }

    } catch (KeyStoreException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (CertificateException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    } catch (UnrecoverableKeyException e) {
        e.printStackTrace();
    } catch (KeyManagementException e) {
        e.printStackTrace();
    }
    System.out.println("服務器端退出了");
}

}