1. 生成bks与jks密钥证书
1.1 jks证书生成
1.1.1 生成服务端JKS秘钥与证书指令
keytool -genkeypair -alias myserver -keystore myserver.jks
1.1.2 服务器导出证书server.cer
keytool -exportcert -alias myserver -keystore myserver.jks -file trust.cer
1.1.3从证书导出信任客户端
keytool -importcert -file trust.cer -keystore trust.jks
1.2bks证书生成
1.2.1 安装所需环境以及配置
1.2.1.1 下载依赖包
1.2.1.2 将下载好的jar包放到java环境中去 具体路径如下 %JAVAHOME%/jre/lib/ext
1.2.1.3 添加安全加密环境配置
s e c u r i t y . p r o v i d e r . X = o r g . b o u n c y c a s t l e . j c e . p r o v i d e r . B o u n c y C a s t l e P r o v i d e r / / 数 字 x 为 上 一 个 p r o v i d e r 的 y + 1 security.provider.X=org.bouncycastle.jce.provider.BouncyCastleProvider //数字x为上一个provider的y+1 security.provider.X=org.bouncycastle.jce.provider.BouncyCastleProvider//数字x为上一个provider的y+1
1.2.1.4 重启
1.2.2 生成客户端bks密钥与证书指令
keytool -genkey -keystore client.bks -storepass 密码 -keyalg RSA -keypass 密码 -storetype BKS -provider org.bouncycastle.jce.provider.BouncyCastleProvider
1.2.3 导出客户端证书client.cer
keytool -exportcert -keystore client.bks -storepass 密码 -storetype BKS -file client.cer -provider org.bouncycastle.jce.provider.BouncyCastleProvider
1.2.4 把证书导入信任库
keytool -import -keystore tserver.bks -storetype BKS -storepass 密码 -file client.cer
1.3 总结
我们得到了一下几个文件以及文件密码
myserver.jks : 服务器端的jks密钥(KeyManager) client.bks: 客户端的bks密钥(KeyManager)
trust.cer :服务器端信任证书 client.cer: 客户端信任证书。
trust.jks:服务器端信任的客户端 tserver.bks :客户端信任的服务器端
2. 代码
2.1 服务器端代码
package Service;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import javax.net.ssl.*;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Properties;
public class Service {
private static final int port = 9999;
public static SSLServerSocket createServerSocket() throws Exception {
KeyStore ks = KeyStore.getInstance("jks");
KeyStore bks = KeyStore.getInstance("bks", new BouncyCastleProvider());
ClassLoader cl = Service.class.getClassLoader();
InputStream tis = cl.getResourceAsStream("tserver.bks");
InputStream input = cl.getResourceAsStream("myserver.jks");
Properties properties = new Properties();
properties.load(cl.getResourceAsStream("server.properties"));
String server_jsk = properties.getProperty("server_jsk");
String cer_trust = properties.getProperty("cer_trust");
String client_trust = properties.getProperty("client_trust");
bks.load(tis, client_trust.toCharArray());
ks.load(input, server_jsk.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
TrustManagerFactory tks = TrustManagerFactory.getInstance("SunX509");
tks.init(bks);
kmf.init(ks, cer_trust.toCharArray());
SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(kmf.getKeyManagers(), tks.getTrustManagers(), null);
input.close();
SSLServerSocketFactory ssf = context.getServerSocketFactory();
return (SSLServerSocket) ssf.createServerSocket(port);
}
public static void main(String[] args) throws Exception {
final ServerSocket ss = createServerSocket();
System.out.println("ssl server startup at port " + port);
while (true) {
final Socket s = ss.accept();
new Thread(() -> {
InputStream inputStream = null;
try {
inputStream = s.getInputStream();
byte[] b = new byte[1024];
inputStream.read(b);
System.out.println(new String(b));
} catch (Exception e) {
e.printStackTrace();
} finally {
try {
inputStream.close();
s.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}).start();
}
}
}
2.2 客户端代码
package Service;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.util.Properties;
import org.bouncycastle.jce.provider.*;
public class Client {
private static final int port = 9999;
public static SSLSocket createSocket(String host) throws Exception {
KeyStore ks = KeyStore.getInstance("jks");
KeyStore bks = KeyStore.getInstance("bks", new BouncyCastleProvider());
ClassLoader cl = Client.class.getClassLoader();
Properties pt = new Properties();
InputStream tinput = cl.getResourceAsStream("client.bks");
InputStream input = cl.getResourceAsStream("trust.jks");
KeyManagerFactory instance = KeyManagerFactory.getInstance("SunX509");
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
pt.load(cl.getResourceAsStream("client.properties"));
bks.load(tinput,pt.getProperty("client_bks").toCharArray());
ks.load(input, pt.getProperty("server_trust").toCharArray());
instance.init(bks,pt.getProperty("crt_trust").toCharArray());
tmf.init(ks);
SSLContext context = SSLContext.getInstance("TLSv1.2");
context.init(instance.getKeyManagers(), tmf.getTrustManagers(), null);
input.close();
SocketFactory sf = context.getSocketFactory();
return (SSLSocket) sf.createSocket(host, port);
}
public static void main(String[] args) throws Exception {
Socket s = createSocket("127.0.0.1");
byte[] b = new byte[1024];
System.out.println("创建连接!");
OutputStream outputStream = s.getOutputStream();
outputStream.write("hello world".getBytes());
outputStream.close();
s.close();
}
}
2.3 软件结构
3.实验结果
Client端:
Service端: