
Creating an Android BKS keystore from a public certificate and private key on Linux

2016-02-26 15:37
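BKS keystores are generally used for HTTPS in Android applications. There are two cases:

1. The Android app is the client and talks to an HTTPS server.

2. The Android app is the server and creates an HTTPS server itself.

In both cases HTTPS needs a BKS keystore file.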

Steps:

a. Install the JDK and set JAVA_HOME; make sure keytool is in the PATH environment variable.

jerome1984@cws15]$ which keytool
/opt/jdk/bin/keytool
jerome1984@cws15]$ echo $JAVA_HOME
/opt/jdk


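b. Make sure the public certificate, the private key file and bcprov-jdk16-141.jar are in the same directory.

c. Generate a .p12 (PKCS#12) file from the public certificate and the private key.

jerome1984@cws15]$ openssl pkcs12 -export -in my_public.crt -inkey my_private.key -out my_tmp.p12 -name plum_file <-- alias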
Enter Export Password: chengdu   <-- .p12 password
Verifying - Enter Export Password: chengdu


d. Convert the .p12 file into a BKS keystore.

jerome1984@cws15]$ keytool -importkeystore -srckeystore my_tmp.p12 -srcstoretype pkcs12 -destkeystore my_final.bks -deststoretype bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-jdk16-141.jar

Enter destination keystore password:  mypassword <-- bks password, private key password
Re-enter new password:

Enter source keystore password:  chengdu   <-- above .p12 password, keystore file's password
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled


e. Verify the BKS file.

keytool -list -keystore my_final.bks -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath bcprov-jdk16-141.jar -storetype BKS -storepass chengdu

Keystore type: BKS
Keystore provider: BC

Your keystore contains 1 entry

1, May 14, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): CF:F5:CB:C6:1E:AE:5C:39:34:25:62:25:55:24:6E:76:AF:9A:7F:D2
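
Step e prints an entry type and a fingerprint but leaves the comparison to the reader. The script below is an added example, not part of the original post: it parses the keytool -list output and checks that the keystore holds exactly one entry of the expected type whose fingerprint equals the one openssl computes for my_public.crt. The function names are hypothetical; the file names in the usage comment are the page's.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the file names in the usage comment are the page's.

# Print "ALG HEX" for each fingerprint line of a `keytool -list` listing on
# stdin. Older keytool prints "(SHA1)", newer releases print "(SHA-256)".
listing_fingerprints() {
    sed -n 's/^Certificate fingerprint (\(SHA[-0-9]*\)): *\([0-9A-Fa-f:]*\).*$/\1 \2/p'
}

# Print the type of each entry (PrivateKeyEntry, trustedCertEntry, ...).
listing_entry_types() {
    sed -n 's/^.*, \([A-Za-z]*Entry\),[[:space:]]*$/\1/p'
}

# Fingerprint of a PEM certificate in keytool's colon-separated format.
# $1 = certificate file, $2 = SHA1 or SHA-256 (the label keytool printed)
cert_fingerprint() {
    case "$2" in
        SHA1)    set -- "$1" -sha1 ;;
        SHA-256) set -- "$1" -sha256 ;;
        *)       return 2 ;;
    esac
    openssl x509 -in "$1" -noout -fingerprint "$2" 2>/dev/null | cut -d= -f2
}

# Read a listing on stdin; succeed only if it holds exactly one entry, of the
# expected type, whose fingerprint equals that of the certificate file.
# $1 = certificate file, $2 = expected entry type
listing_matches_cert() (
    listing=$(cat)
    types=$(printf '%s\n' "$listing" | listing_entry_types)
    [ "$types" = "$2" ] || exit 1
    fp=$(printf '%s\n' "$listing" | listing_fingerprints)
    want=$(cert_fingerprint "$1" "${fp%% *}")
    [ -n "$want" ] && [ "$want" = "$(printf '%s' "${fp#* }" | tr 'a-f' 'A-F')" ]
)

# Usage after step e:
#   keytool -list -keystore my_final.bks -storetype BKS \
#     -provider org.bouncycastle.jce.provider.BouncyCastleProvider \
#     -providerpath bcprov-jdk16-141.jar |
#     listing_matches_cert my_public.crt PrivateKeyEntry && echo "keystore OK"
```

For the server case the expected type is PrivateKeyEntry. A keystore packaged into a client app only needs the server's certificate, so there the expected type is trustedCertEntry and a PrivateKeyEntry means the private key is being shipped with the app.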


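The public certificate my_public.crt and the private key my_private.key were issued with the certificate from a certificate authority as the root certificate.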

Using the keystore from Java code

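// Imports used by this method. Config, LogHelper, TAG and NanoHttpServer belong
// to the surrounding project; NanoHTTPD is the embedded HTTP server library.
import java.io.IOException;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLServerSocketFactory;

// Method of the server class (NanoHttpServer, which extends NanoHTTPD)
public void setSSLContext() {
    char[] password = Config.sCertFilePwd.toCharArray(); //chengdu
    char[] privateKeyPwd = Config.sCertPrivateKeyPwd.toCharArray(); //mypassword
    InputStream is = null;
    KeyStore ks = null;
    try {
        // Load the BKS keystore packaged with the application
        ks = KeyStore.getInstance("BKS");
        is = NanoHttpServer.class.getClassLoader().getResourceAsStream(Config.sCertFilePath);
        // FileInputStream fis = new FileInputStream("assets/my_final.bks"); //viacube_server.keystore mykey
        ks.load(is, password);
        // Look up the private key under the alias given in step c
        Key k = ks.getKey("plum_file", privateKeyPwd);
        if (k != null) {
            LogHelper.d(TAG, "k.getAlgorithm() = " + k.getAlgorithm());
        } else {
            LogHelper.d(TAG, "no private key for this android https server");
        }
        // setup the key manager factory
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, privateKeyPwd);
        // Switch the NanoHTTPD server to HTTPS with this key material
        SSLServerSocketFactory sf = NanoHTTPD.makeSSLSocketFactory(ks, kmf);
        makeSecure(sf);
    } catch (KeyStoreException e) {
        e.printStackTrace();
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    } catch (CertificateException e) {
        e.printStackTrace();
    } catch (IOException e) {
        e.printStackTrace();
    } catch (UnrecoverableKeyException e) {
        e.printStackTrace();
    } finally {
        if (is != null) {
            try {
                is.close();
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
}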