服务器如何获取客户端证书,在Servlet中读取客户端证书

小编典典

如何将证书(.cer)从客户端发送到服务器？

客户端证书(.cer，.crt，.pem)及其对应的私钥(.key)应首先包装到PKCS＃12(.p12，.pfx)或JKS(.jks)容器中(密钥库)。您还应该将服务器的CA证书打包为JKS(信任库)。

HttpClient client = new HttpClient();

// truststore

KeyStore trustStore = KeyStore.getInstance("JKS", "SUN");

trustStore.load(TestSupertype.class.getResourceAsStream("/client-truststore.jks"), "amber%".toCharArray());

String alg = KeyManagerFactory.getDefaultAlgorithm();

TrustManagerFactory fac = TrustManagerFactory.getInstance(alg);

fac.init(trustStore);

// keystore

KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE");

keystore.load(X509Test.class.getResourceAsStream("/etomcat_client.p12"), "etomcat".toCharArray());

String keyAlg = KeyManagerFactory.getDefaultAlgorithm();

KeyManagerFactory keyFac = KeyManagerFactory.getInstance(keyAlg);

keyFac.init(keystore, "etomcat".toCharArray());

// context

SSLContext ctx = SSLContext.getInstance("TLS", "SunJSSE");

ctx.init(keyFac.getKeyManagers(), fac.getTrustManagers(), new SecureRandom());

SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(ctx);

Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) secureProtocolSocketFactory, 8443));

// test get

HttpMethod get = new GetMethod("https://127.0.0.1:8443/etomcat_x509");

client.executeMethod(get);

// get response body and do what you need with it

byte[] responseBody = get.getResponseBody();

您可以在该项目中找到工作示例，请参见X509Test类。

HttpClient httpclient = new DefaultHttpClient();

// truststore

KeyStore ts = KeyStore.getInstance("JKS", "SUN");

ts.load(PostService.class.getResourceAsStream("/truststore.jks"), "amber%".toCharArray());

// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing truststore

if(0 == ts.size()) throw new IOException("Error loading truststore");

// tmf

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

tmf.init(ts);

// keystore

KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");

ks.load(PostService.class.getResourceAsStream("/" + certName), certPwd.toCharArray());

// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing keystore

if(0 == ks.size()) throw new IOException("Error loading keystore");

// kmf

KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

kmf.init(ks, certPwd.toCharArray());

// SSL

SSLContext ctx = SSLContext.getInstance("TLS");

ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

// socket

SSLSocketFactory socketFactory = new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);

Scheme sch = new Scheme("https", 8443, socketFactory);

httpclient.getConnectionManager().getSchemeRegistry().register(sch);

// request

HttpMethod get = new GetMethod("https://localhost:8443/foo");

client.executeMethod(get);

IOUtils.copy(get.getResponseBodyAsStream(), System.out);

如何在服务器中接收证书并提取其公钥？

您的服务器必须配置为要求X.509客户端证书身份验证。然后，在SSL握手期间，servlet容器将接收证书，对照trustore进行检查，并将其作为请求属性提供给应用程序。通常，对于单个证书，您可以在servlet环境中使用此方法来提取证书：

protected X509Certificate extractCertificate(HttpServletRequest req) {

X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");

if (null != certs && certs.length > 0) {

return certs[0];

}

throw new RuntimeException("No X.509 client certificate found in request");

}

2020-10-18