Java JSSE SSL/TLS Programming Example: Mutual Authentication

Background reading on SSL/TLS and JSSE:
1) How the SSL/TLS protocol works
2) The SSL/TLS protocol, illustrated
3) Observing the SSL/TLS handshake with Wireshark
4) The Java implementation of SSL/TLS: JSSE

(I) Creating the keystores with keytool

With mutually authenticated SSL/TLS, both the client and the server must be configured with a certificate that proves their own identity, and each must also be configured with the set of peer certificates it trusts.
In theory this requires four files in total: two keystore files and two truststore files.
Each party holds one keystore and one truststore: the keystore contains its own private key and public key (its certificate), and the truststore contains the public keys (certificates) of every party it needs to trust.

First, generate the keystores and truststores with the keytool utility that ships with the JDK. The Java version used here is 1.7.
1) Create the server keystore, generating the server's public/private key pair. You must specify both the keystore password (storepass) and the key-pair password (keypass).
The storepass is required to open the keystore; the keypass is required to access the key pair stored inside it.

C:\Program Files\Java\jre7\bin>keytool -genkey -alias catserver -keyalg rsa -keysize 1024 -sigalg sha256withrsa -keypass catserver -keystore c:\_tmp\catserver.keystore -storepass catserverks
What is your first and last name?
[Unknown]: cat
What is the name of your organizational unit?
[Unknown]: cat
What is the name of your organization?
[Unknown]: cat
What is the name of your City or Locality?
[Unknown]: cat
What is the name of your State or Province?
[Unknown]: cat
What is the two-letter country code for this unit?
[Unknown]: ct
Is CN=cat, OU=cat, O=cat, L=cat, ST=cat, C=ct correct?
[no]: y


2) Create the client keystore. Again, both a keystore password and a key-pair password must be specified.

C:\Program Files\Java\jre7\bin>keytool -genkey -alias foxclient -keyalg dsa -keysize 512 -sigalg sha1withdsa -keypass foxclient -keystore c:\_tmp\foxclient.keystore -storepass foxclientks
What is your first and last name?
[Unknown]: fox
What is the name of your organizational unit?
[Unknown]: fox
What is the name of your organization?
[Unknown]: fox
What is the name of your City or Locality?
[Unknown]: fox
What is the name of your State or Province?
[Unknown]: fox
What is the two-letter country code for this unit?
[Unknown]: fx
Is CN=fox, OU=fox, O=fox, L=fox, ST=fox, C=fx correct?
[no]: y


3) Export the server certificate (which contains the server's public key) from the server keystore.

C:\Program Files\Java\jre7\bin>keytool -export -alias catserver -keystore c:\_tmp\catserver.keystore -storepass catserverks -file c:\_tmp\catserver.cer
Certificate stored in file <c:\_tmp\catserver.cer>

4) Export the client certificate (which contains the client's public key) from the client keystore.

C:\Program Files\Java\jre7\bin>keytool -export -alias foxclient -keystore c:\_tmp\foxclient.keystore -storepass foxclientks -file c:\_tmp\foxclient.cer
Certificate stored in file <c:\_tmp\foxclient.cer>


5) Create the server truststore and import the client certificate (which contains the client's public key) into it.

C:\Program Files\Java\jre7\bin>keytool -import -alias foxclient -keystore c:\_tmp\catservertrust.keystore -storepass catservertrustks -file c:\_tmp\foxclient.cer
Owner: CN=fox, OU=fox, O=fox, L=fox, ST=fox, C=fx
Issuer: CN=fox, OU=fox, O=fox, L=fox, ST=fox, C=fx
Serial number: 6eaf996f
Valid from: Wed Nov 05 16:15:41 CST 2014 until: Tue Feb 03 16:15:41 CST 2015
Certificate fingerprints:
MD5: B5:B6:92:66:84:92:A0:C2:F5:40:39:25:F8:66:2A:17
SHA1: 07:42:A3:1A:49:7B:C9:34:4B:6B:FA:37:6C:20:98:D4:20:13:7C:91
SHA256: 37:A5:00:A3:13:00:DE:99:3B:08:47:F6:1E:8A:05:F1:4A:B2:C6:22:20:E1:AF:0E:05:B2:CE:E0:2F:94:B6:94
Signature algorithm name: SHA1withDSA
Version: 3

Extensions:

#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 69 3E 6A D0 B5 B1 1F BD 48 46 E1 A4 6C 1F 71 90 i>j.....HF..l.q.
0010: 29 06 3B 32 ).;2
]
]

Trust this certificate? [no]: y
Certificate was added to keystore


6) Create the client truststore and import the server certificate (which contains the server's public key) into it.
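How JSSE consumes these four files, as an added example that is not the original post's code: each side loads its keystore into a KeyManagerFactory (storepass opens the file, keypass unlocks the private key) and its truststore into a TrustManagerFactory, builds an SSLContext from both, and the server calls setNeedClientAuth(true) so the handshake fails unless the client presents a certificate that is in the server truststore. It assumes the step-6 client truststore is c:\_tmp\foxclienttrust.keystore with store password foxclienttrustks (values not shown on this page), and that the step-2 client key pair has been regenerated with a stronger algorithm (for example 2048-bit RSA), because current JDKs disable 512-bit DSA keys by default.

```java
import java.io.FileInputStream;
import java.net.InetAddress;
import java.security.KeyStore;
import javax.net.ssl.*;
public class MutualTlsDemo {
    // keystore = our own key pair (storePass opens the file, keyPass unlocks the private key);
    // truststore = the peer certificates we accept. Both feed one SSLContext.
    static SSLContext buildContext(String ksPath, String storePass, String keyPass,
                                   String tsPath, String tsPass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(ksPath)) { ks.load(in, storePass.toCharArray()); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass.toCharArray());
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(tsPath)) { ts.load(in, tsPass.toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    public static void main(String[] args) throws Exception {
        String dir = "c:\\_tmp\\";
        // server: keystore from step 1, truststore from step 5 (names and passwords as on this page)
        SSLContext serverCtx = buildContext(dir + "catserver.keystore", "catserverks", "catserver",
                dir + "catservertrust.keystore", "catservertrustks");
        // client: keystore from step 2; the step-6 truststore name and password are ASSUMED here
        SSLContext clientCtx = buildContext(dir + "foxclient.keystore", "foxclientks", "foxclient",
                dir + "foxclienttrust.keystore", "foxclienttrustks");
        final SSLServerSocket server = (SSLServerSocket) serverCtx.getServerSocketFactory()
                .createServerSocket(0, 1, InetAddress.getLoopbackAddress());
        server.setNeedClientAuth(true); // mutual auth: a client with no trusted certificate is rejected
        Thread t = new Thread(new Runnable() { // anonymous class keeps this Java 7 compatible
            public void run() {
                try (SSLSocket s = (SSLSocket) server.accept()) {
                    s.startHandshake();
                    System.out.println("server authenticated client: " + s.getSession().getPeerPrincipal());
                } catch (Exception e) { e.printStackTrace(); }
            }
        });
        t.start();
        try (SSLSocket c = (SSLSocket) clientCtx.getSocketFactory()
                .createSocket(InetAddress.getLoopbackAddress(), server.getLocalPort())) {
            // a raw SSLSocket validates the chain but not the hostname; production clients also enable endpoint identification
            c.startHandshake();
            System.out.println("client authenticated server: " + c.getSession().getPeerPrincipal());
        }
        t.join(); server.close();
    }
}
```

If either side's certificate is absent from the other side's truststore, startHandshake() throws an SSLHandshakeException, which is the check mutual authentication is meant to enforce.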