我对安卓开发和实现SSLSockets还很新,经过一番探索,我能够建立一个简单的服务器/客户端并使其工作起来。然而,我觉得实现可以有所改进,困惑于如何加载keystore密码而不是以明文存在。以下是客户端代码片段,在这里你可以看到我将密码硬编码到本地变量中。有更好的方法来加载keystore密码吗?以便在代码中没有明文呈现?
char [] KSPASS = "password".toCharArray();
char [] KEYPASS = "password".toCharArray();
try {
final KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(context.getResources().openRawResource(R.raw.serverkeys), KSPASS);
final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManager.init(keyStore, KEYPASS);
final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManager.getKeyManagers(), trustFactory.getTrustManagers(), null);
Arrays.fill(KSPASS, ' ');
Arrays.fill(KEYPASS, ' ');
KSPASS = null;
KEYPASS = null;
更新:
客户端实际上根本不需要知道密钥库密码。我已经修改了代码,将null作为密码传递。到目前为止,与服务器的通信初始测试已经成功。在服务器端,我仍然加载密钥库密码。
final KeyStore keyStore = KeyStore.getInstance("BKS");
keyStore.load(context.getResources().openRawResource(R.raw.serverkeys), null);
final KeyManagerFactory keyManager = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManager.init(keyStore, null);
final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(keyStore);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManager.getKeyManagers(), trustFactory.getTrustManagers(), null);