How to port OpenSSL to Android and its related experience

1. Install the OpenSSL library in Linux

See section 2.3.2 "Advanced PKI Network Security Authentication Technology and programming implementation" to build an OpenSSL development environment in Linux

Linuxdecompress tar.bz2 file: Tar jxvf android-ndk-r5c-linux-x86.tar.bz2

 

2. Configure ndk Environment Variables

In ~ /Add at the end of the bashrc file:
Ndk = ~ Android-ndk-r4b
Export ndk

 

Execute source ~ /. Bashrc

If a terminal is running, you must restart the terminal to use the ndk variable.

3. Introduction to JNI

The main function of JNI is to call the C library. here we need to use C or C ++ to call the OpenSSL library to implement encryption and signature functions, and then compile it into the so library of the arm system, use Java to call the provided interfaces.

For details, see thejava Native Interface: programmer's guide and specification.

4. Download OpenSSL for Android and compile

Now I have seen three versions of Android-OpenSSL, fries, eighthave, and guardianproject on the Internet. The previous two versions have been tested but failed, the method cannot be found if the guardianproject version is compiled into a static library and called by the JNI dynamic library program of Android. It is not clear why, but the JNI program can be compiled directly with the OpenSSL Project.

The following blog describes how to compile the OpenSSL static library for Android, but I don't know what version of OpenSSL he uses. I tried it by his method.

Http://blog.csdn.net/someonea/article/details/6312213

 

Guardianproject version:

Https://github.com/guardianproject/openssl-android

My modified version:

Http://download.csdn.net/source/3408214

In my modified version, you can directly compile the JNI program in the MyApp folder, and package and compile it into a dynamic library together with OpenSSL.

Some undefined references may occur during compilation, most of which may be that no link library is added, and some may be due to ndk version issues. It is best to use the latest ndk version (My r5c ), note that the following two static libraries are not added:

Local_ldlibs: =-LZ-LDL

Note: If the OpenSSL source code is modified by myself, use the Android-8 version. in the OpenSSL source code uploaded by myself, default. properties can be used to change the version.

5. Place the compiled so library in the libs/armeabi directory of the android project directory.

6. Java calls the dynamic library

The following is a two-digit sum written during my test:

Native method: Public native int add (int A, int B); Load Library: static {system. loadlibrary ("add"); // all compiled files start with Lib. Do not add the load here}

7. Call the android log in the C program to record the running information.

It means that it will not use GDB to debug this item, so we have to use log to record it step by step .....

# Include <Android/log. h> # define log_tag "show infomation" // This is the log tag and the content is set by yourself # define logw (a) _ android_log_write (android_log_warn, log_tag,) // In addition to this method, the _ android_log_print method is similar to printf. For details, see Android/log. in the makefile, local_ldlibs: =-L $ (sysroot)/usr/lib-llog

 

8. bouncycastle uses OpenSSL for key management

Refer to the introduction of this blog

Http://blog.csdn.net/zhenyongyuan123/article/details/5558562

I have tried to use bouncycastle to generate a keystore and a key pair on Android,

It should be noted that there is a bouncycastle package in the Android system. If the package is imported directly, errors such as class cannot be found during running.

We need to download the bouncycastle source code, modify the package name, such as org. bouncycastle2, and compile and package it into jar.

Build path-> Add External Archives to add a package. Otherwise, a class error cannot be found during running. This may be because the jar package is not added to the APK.

9. Compatibility Between OpenSSL and CryptoAPI symmetric encryption

CryptoAPI itself does not support passing in plain text keys. You must use genkey or derivekey to obtain the key handle,

In addition, the hash algorithm is not only used to calculate the imported key. For details, see the msdn

Http://msdn.microsoft.com/en-us/library/aa379916%28v=VS.85%29.aspx

In remarks

If the hash is not a member of the SHA-2 family and therequired key is for either 3DES or AEs, the key is derived as follows: the next six steps.

We can use public key encryption and Private Key decryption to view the symmetric encryption session key of CryptoAPI. The complete code is available here:

Http://www.codeproject.com/KB/security/plaintextsessionkey.aspx

It seems a problem when using the EVP encapsulated by OpenSSL for symmetric encryption. It may be that I am using an error. The following method can be used to match the encryption of CryptoAPI.

Http://blog.csdn.net/lyjinger/article/details/1722570

10. In some cases, you may only need to compile the static library with ndk, but if you do not add a dynamic library, nothing will be compiled.

Here, we only need to create an application. mk under JNI to compile the static library. We need to add the following sentence to the file:

App_modules: = libexample (Module name)

 

11. In addition, there is a certificate installation function on Android.There is no real machine and I don't know what the purpose is,

In the setting field of the android simulator, you can find the location & Security column, where you can install the encrypted certificate from SD card, in p12 format, with a private key. After the installation, you can find the corresponding certificate, key, and other files in data/MISC/keystore. The Code operation has no permission.

---------------------------------------- The following content has been modified --------------------------------------------------

The cacerts. BKS and bouncycastle keystore exist under system/etc/security. when reading the keystore, the system prompts that the integrity check fails. This file should also be inaccessible.

Bytes ---------------------------------------------------------------------------------------------------------------

Cacerts. BKS has the permission to read data. The default password is changeit. If the password is incorrect, the integrity check fails.

If you need to modify cacerts. BKS, you can try to use remount or chmod to modify the read/write permissions before accessing

The method of the certificate installed by certinstaller has not been found. After reading the source code of certinstaller, it is still invalid after simulation.

Some friends said that this is only available for WiFi or VPN use. It seems that there is still a way to obtain it, but it is useless.

(If you are interested, you can try the method in Android. Security. keystore to simulate false returned by empty, which means you can get the correct value.

However, some methods require the parameter key. If you try many methods, they still fail)

(To be continued .....)

Reprinted please indicate the source:Http://blog.csdn.net/zhouyuqwert/article/details/6603004