用SSL进行双向身份验证意思就是在客户机连接
服务器
时,链接双方都要对彼此的数字证书进行验证,保证这是经过授权的才能够连接(我们链接一般的SSL时采用的是单向验证,客户机只验证服务器的证书,服务器不验证客户机的证书。而连接网上银行时使用的U盾就是用来存储进行双向验证所需要的客户端证书的)。
JDK里面内置了一个数字证书生产 工具 :keytool。但是这个工具只能生成自签名的数字证书。所谓自签名就是指证书只能保证自己是完整的,没有经过非法修改的。但是无法保证这个证书是属于谁的。其实用这种自签名的证书也是可以进行双向验证的(用keytool生成的自签名证书进行双向验证请看这里,向这位仁兄致意~: http://www.blogjava.net/stone2083/archive/2007/12/20/169015.html ),但是这种验证有一个缺点:对于每一个要链接的服务器,都要保存一个证书的验证副本。而且一旦服务器更换证书,所有客户端就需要重新部署这些副本。对于比较大型的应用来说,这一点是不可接受的。所以就需要证书链进行双向认证。证书链是指对证书的签名又一个预先部署的,众所周知的签名方签名完成,这样每次需要验证证书时只要用这个公用的签名方的公钥进行验证就可以了。比如我们使用的浏览器就保存了几个常用的CA_ROOT。每次连接到网站时只要这个网站的证书是经过这些CA_ROOT签名过的。就可以通过验证了。
但是这些共用的CA_ROOT的服务不是免费的。而且价格不菲。所以我们有必要自己生成一个CA_ROOT的密钥对,然后部署应用时,只要把这个CA_ROOT的私钥部署在所有节点就可以完成验证了。要进行CA_ROOT的生成,需要OpenSSL( http://www.openssl.org/ )。你也可以在 http://www.slproweb.com/products/Win32OpenSSL.html 找到Windows下的版本
安装好OpenSSL以后就可以生成证书链了,我写了一个BAT 解决 这些东西:
运行这个批处理,期间需要回答一些问题,然后就可以得到一些
文件
其中client.keystore是需要在客户端部署的,server.keystore是在服务器部署的。ca.*是root_ca的密钥文件。
然后可以用下面的代码测试:
JDK里面内置了一个数字证书生产 工具 :keytool。但是这个工具只能生成自签名的数字证书。所谓自签名就是指证书只能保证自己是完整的,没有经过非法修改的。但是无法保证这个证书是属于谁的。其实用这种自签名的证书也是可以进行双向验证的(用keytool生成的自签名证书进行双向验证请看这里,向这位仁兄致意~: http://www.blogjava.net/stone2083/archive/2007/12/20/169015.html ),但是这种验证有一个缺点:对于每一个要链接的服务器,都要保存一个证书的验证副本。而且一旦服务器更换证书,所有客户端就需要重新部署这些副本。对于比较大型的应用来说,这一点是不可接受的。所以就需要证书链进行双向认证。证书链是指对证书的签名又一个预先部署的,众所周知的签名方签名完成,这样每次需要验证证书时只要用这个公用的签名方的公钥进行验证就可以了。比如我们使用的浏览器就保存了几个常用的CA_ROOT。每次连接到网站时只要这个网站的证书是经过这些CA_ROOT签名过的。就可以通过验证了。
但是这些共用的CA_ROOT的服务不是免费的。而且价格不菲。所以我们有必要自己生成一个CA_ROOT的密钥对,然后部署应用时,只要把这个CA_ROOT的私钥部署在所有节点就可以完成验证了。要进行CA_ROOT的生成,需要OpenSSL( http://www.openssl.org/ )。你也可以在 http://www.slproweb.com/products/Win32OpenSSL.html 找到Windows下的版本
安装好OpenSSL以后就可以生成证书链了,我写了一个BAT 解决 这些东西:
@echo off
set C
set PWD_SERVER_KS=serverks
set PWD_SERVER_KEY=serverkey
set PWD_CLIENT_KS=clientks
set PWD_CLIENT_KEY=clientkey
if not exist ca.key (
echo Generating a ca root key file...
openssl req -new -x509 -keyout ca.key -out ca.crt -config %CONFIG%
) else (
echo ca.key already exists...
)
if not exist server.keystore (
echo Generating server's private key...
keytool -genkey -alias logon_server_private_key -validity 365 -keyalg RSA -keysize 1024 -keystore server.keystore -keypass %PWD_SERVER_KEY% -storepass %PWD_SERVER_KS%
) else (
echo server.keystore already exits...
)
if not exist client.keystore (
echo Generating client's private key...
keytool -genkey -alias ipclient_private_key -validity 365 -keyalg RSA -keysize 1024 -keystore client.keystore -keypass %PWD_CLIENT_KEY% -storepass %PWD_CLIENT_KS%
) else (
echo client.keystore already exits...
)
echo ========Finished key generation=========
if not exist logon_server_private_key.csr (
echo Generating server's singature request file...
keytool -certreq -alias logon_server_private_key -sigalg MD5withRSA -file logon_server_private_key.csr -keypass %PWD_SERVER_KEY% -storepass %PWD_SERVER_KS% -keystore server.keystore
) else (
echo logon_server_private_key.csr already exits...
)
if not exist ipclient_private_key.csr (
echo Generating client's singature request file...
keytool -certreq -alias ipclient_private_key -sigalg MD5withRSA -file ipclient_private_key.csr -keypass %PWD_CLIENT_KEY% -storepass %PWD_CLIENT_KS% -keystore client.keystore
) else (
echo ipclient_private_key.csr already exits...
)
if not exist logon_server_private_key.crt (
openssl ca -in logon_server_private_key.csr -out logon_server_private_key.crt -cert ca.crt -keyfile ca.key -notext -config %CONFIG%
) else (
echo logon_server_private_key.crt already exits...
)
if not exist ipclient_private_key.crt (
openssl ca -in ipclient_private_key.csr -out ipclient_private_key.crt -cert ca.crt -keyfile ca.key -notext -config %CONFIG%
) else (
echo ipclient_private_key.crt already exits...
)
echo =========Finished ca root signaturing==========
echo Importing ca root certs into keystore...
keytool -import -v -trustcacerts -alias ca_root -file ca.crt -storepass %PWD_SERVER_KS% -keystore server.keystore
keytool -import -v -trustcacerts -alias ca_root -file ca.crt -storepass %PWD_CLIENT_KS% -keystore client.keystore
echo Importing signatured keys...
keytool -import -v -alias logon_server_private_key -file logon_server_private_key.crt -keypass %PWD_SERVER_KEY% -storepass %PWD_SERVER_KS% -keystore server.keystore
keytool -import -v -alias ipclient_private_key -file ipclient_private_key.crt -keypass %PWD_CLIENT_KEY% -storepass %PWD_CLIENT_KS% -keystore client.keystore
echo All done!
然后可以用下面的代码测试:
/*
* Copyrights (C) 2008 Bearice (Bearice@Gmail.com)
* Release under GNU/GPL Version 2.
*/
package cn.bearice.ipcontroller.ccserver;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
/**
*
* @author Bearice
*/
public class NewClass extends Thread {
@Override
public void run() {
try {
sleep(100);
SSLContext ctx = SSLContext.getInstance("SSL");
KeyManagerFactory kmf =KeyManagerFactory.getInstance("SunX509");
TrustManagerFactory tmf =TrustManagerFactory.getInstance("SunX509");
KeyStore ks = KeyStore.getInstance("JKS");
//KeyStore tks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("e:/certs/client.keystore"),"clientks".toCharArray());
//tks.load(new FileInputStream("e:/certs/tclient.keystore"), "clientks".toCharArray());
kmf.init(ks, "clientkey".toCharArray());
tmf.init(ks);
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(),null);
SSLSocketFactory factory = ctx.getSocketFactory();
SSLSocket socket = (SSLSocket)factory.createSocket("127.0.0.1", 4433);
showCerts(socket.getSession());
PrintWriter pw = newPrintWriter(socket.getOutputStream());
pw.println("GET /index.html HTTP/1.0");
pw.println("Server: mail.google.com");
pw.println("Connection: close");
pw.println();
pw.flush();
BufferedReader in = new BufferedReader(newInputStreamReader(socket.getInputStream()));
String ln;
while ((ln = in.readLine()) != null) {
System.err.println(ln);
}
} catch (Exception ex) {
Logger.getLogger(NewClass.class.getName()).log(Level.SEVERE, null,ex);
}
}
public static void showCerts(SSLSession session) {
X509Certificate cert = null;
try {
cert = (X509Certificate) session.getPeerCertificates()[0];
} catch (SSLPeerUnverifiedException e) {
e.printStackTrace();
System.err.println(session.getPeerHost() + " did not present a valid certificate");
//System.exit(1);
return;
}
System.out.println(session.getPeerHost() + " has presented a certificate belonging to" + "[" + cert.getSubjectDN() + "]\n" + "The certificate was issued by: \t" + "[" + cert.getIssuerDN() + "]");
}
public static void main(String[] args) throws Exception {
SSLContext ctx = SSLContext.getInstance("SSL");
KeyManagerFactory kmf =KeyManagerFactory.getInstance("SunX509");
TrustManagerFactory tmf =TrustManagerFactory.getInstance("SunX509");
KeyStore ks = KeyStore.getInstance("JKS");
//KeyStore tks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("e:/certs/server.keystore"),"serverks".toCharArray());
//tks.load(new FileInputStream("e:/certs/tserver.keystore"), "serverks".toCharArray());
kmf.init(ks, "serverkey".toCharArray());
tmf.init(ks);
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
SSLServerSocketFactory factory = ctx.getServerSocketFactory();
SSLServerSocket serverSocket = (SSLServerSocket)factory.createServerSocket(4433);
serverSocket.setNeedClientAuth(true);
new NewClass().start();
SSLSocket socket = (SSLSocket) serverSocket.accept();
try {
socket.startHandshake();
} catch (Exception ex) {
System.out.println("Handshake failed: " + ex);
}
showCerts(socket.getSession());
socket.startHandshake();
PrintWriter out = new PrintWriter(socket.getOutputStream());
BufferedReader in = new BufferedReader(newInputStreamReader(socket.getInputStream()));
String ln;
while ((ln = in.readLine()) != null) {
System.out.println(ln);
if (ln.equals("")) {
break;
}
}
out.println("HTTP/1.1 200 OK");
out.println("Cache-Control: no-cache");
out.println("Pragma: no-cache");
out.println("Expires: Fri, 01 Jan 1990 00:00:00 GMT");
out.println("Content-Type: text/html; charset=UTF-8");
out.println("Date: Tue, 01 Jul 2008 11:56:42 GMT");
out.println("Server: BWS");
out.println("X-Powered-By: BWS");
out.println();
out.println("<html><h1>hello world</h1></html>");
out.close();
socket.close();
}
}