一、项目背景
Java项目需要作为客户端发起HTTPS请求访问服务端,并且需要携带证书进行SSL双向认证,当前提供的证书相关文件有:ca.crt、ca.key、client.crt、client.key、server.crt、server.key
二、实现步骤
1、对客户端证书和私钥进行打包处理(需要输入密码,之后在代码中需要用到该密码)
openssl pkcs12 -export clcerts -in client.crt -inkey client.key -out client.p12
2、.p12文件转化成JKS格式
keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype JKS
3、CA根证书转成JKS格式(需要输入密码,之后在代码中需要用到该密码)
keytool -import -noprompt -file ca.crt -keystore ca.jks -storepass 123456
4、Java代码实现HTTPS请求(POST)
package com.fuck.study.utils;
import lombok.extern.slf4j.Slf4j;
import org.springframework.stereotype.Service;
import javax.net.ssl.*;
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
@Slf4j
@Service
public class HttpsUtil {
//CA根证书文件路径
private String caPath="D:/https/ca.jks";
//CA根证书生成密码
private String caPassword="123456";
//客户端证书文件名
private String clientCertPath="D:/https/client.jks";
//客户端证书生成密码
private String clientCertPassword="123456";
private SSLSocketFactory sslFactory;
//https POST请求返回结果和结果码
public Map<String,Object> httpsPost(String requestUrl, String xml) throws Exception {
Map<String,Object> map=new HashMap<>();
OutputStreamWriter wr=null;
HttpURLConnection conn=null;
try {
URL url = new URL(requestUrl);
//start 这一段代码必须加在open之前,即支持ip访问的关键代码
HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier() {
@Override
public boolean verify(String s, SSLSession sslSession) {
return true;
}
});
//end
byte[] xmlBytes = xml.getBytes();
conn = (HttpsURLConnection) url.openConnection();
conn.setDoOutput(true);
conn.setDoInput(true);
conn.setUseCaches(false);
conn.setInstanceFollowRedirects(true);
conn.setRequestMethod("POST");
//根据自己项目需求设置Content-Type
conn.setRequestProperty("Content-Type", "application/xml;charset=UTF-8");
conn.setRequestProperty("Content-Length", String.valueOf(xmlBytes.length));
((HttpsURLConnection) conn).setSSLSocketFactory(getSslFactory());
wr = new OutputStreamWriter(conn.getOutputStream());
wr.write(xml);
wr.close();
conn.connect();
String responseBody = getResponseBodyAsString(conn);
int responseCode=getResponseCode(conn);
map.put("responseBody",responseBody);
map.put("responseCode",responseCode);
if (getResponseCode(conn) == 200) {
System.out.println("请求成功");
} else {
System.out.println("请求失败");
}
System.out.println(responseBody);
conn.disconnect();
} catch (Exception e) {
log.error("HTTPS请求出现异常,请求参数为:"+xml);
e.printStackTrace();
throw e;
}finally {
try{
if(wr!=null){
wr.close();
}
if(conn!=null){
conn.disconnect();
}
}catch (Exception e){
}
}
return map;
}
public SSLSocketFactory getSslFactory() throws Exception {
if (sslFactory == null) {
SSLContext sslContext = SSLContext.getInstance("SSL");
TrustManager[] tm = {new MyX509TrustManager()};
KeyStore trustStore = KeyStore.getInstance("JKS");
//加载客户端证书
FileInputStream clientInputStream=new FileInputStream(clientCertPath);
trustStore.load(clientInputStream, clientCertPassword.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(trustStore, clientCertPassword.toCharArray());
sslContext.init(kmf.getKeyManagers(), tm, new SecureRandom());
sslFactory = sslContext.getSocketFactory();
}
return sslFactory;
}
public int getResponseCode(HttpURLConnection connection) throws Exception {
return connection.getResponseCode();
}
public String getResponseBodyAsString(HttpURLConnection connection) throws Exception {
BufferedReader reader = null;
if (connection.getResponseCode() == 200) {
reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));
} else {
reader = new BufferedReader(new InputStreamReader(connection.getErrorStream()));
}
StringBuffer buffer = new StringBuffer();
String line = null;
while ((line = reader.readLine()) != null) {
buffer.append(line);
}
reader.close();
return buffer.toString();
}
class MyX509TrustManager implements X509TrustManager {
private X509TrustManager sunJSSEX509TrustManager;
MyX509TrustManager() throws Exception {
KeyStore ks = KeyStore.getInstance("JKS");
//获取CA证书
FileInputStream caInputStream=new FileInputStream(caPath);
ks.load(caInputStream, caPassword.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
tmf.init(ks);
TrustManager tms[] = tmf.getTrustManagers();
for (int i = 0; i < tms.length; i++) {
if (tms[i] instanceof X509TrustManager) {
sunJSSEX509TrustManager = (X509TrustManager) tms[i];
return;
}
}
throw new Exception("Couldn't not initialize");
}
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
try {
sunJSSEX509TrustManager.checkClientTrusted(x509Certificates, s);
} catch (Exception e) {
}
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
try {
sunJSSEX509TrustManager.checkServerTrusted(x509Certificates, s);
} catch (Exception e) {
}
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return sunJSSEX509TrustManager.getAcceptedIssuers();
}
}
}
本文是直接参照(COPY)以下大佬的文章,感谢大佬的奉献,嘻嘻:
CA双向认证完整实现步骤(附java客户端代码)
CA双向认证补充:java客户端使用优化及证书链和Android证书
Java客户端发送双向TLS认证HTTPS请求