java如何发送认证请求_Java客户端发送双向TLS认证HTTPS请求

给出一个java客户端代码例子，这个客户端程序向REST服务器发送HTTPS请求，客户端和服务器端实现TLS双向认证。

import java.util.Map;

import java.util.HashMap;

import java.util.Map.Entry;

import java.util.Set;

import java.net.HttpURLConnection;

import java.net.URL;

import java.security.KeyStore;

import java.security.cert.CertificateException;

import java.security.cert.X509Certificate;

import java.io.BufferedReader;

import java.io.FileInputStream;

import java.io.IOException;

import java.io.OutputStreamWriter;

import java.io.StringReader;

import java.io.InputStreamReader;

import java.io.InputStream;

import javax.net.ssl.HttpsURLConnection;

import javax.net.ssl.KeyManagerFactory;

import javax.net.ssl.SSLContext;

import javax.net.ssl.SSLSocketFactory;

import javax.net.ssl.TrustManager;

import javax.net.ssl.TrustManagerFactory;

import javax.net.ssl.X509TrustManager;

public class Test {

private String serverUrl = "https://10.20.xxx.xxx:8080/api/v1.1/service/test";

private SSLSocketFactory sslFactory = null;

public void run() {

try {

String requestBody ="{\"instance\":\"instance\",\"list\":[{\"id\":\"id\",\"status\":\"OK\",\"action\":\"UPDATE\"}]}";

HttpURLConnection connection = doHttpRequest(serverUrl, "PUT", requestBody, null);

int responseCode = getResponseCode(connection);

String responseBody = getResponseBodyAsString(connection);

connection.disconnect();

System.out.println("response code=" + responseCode + ", body=[" + responseBody + "]");

} catch (Exception e) {

e.printStackTrace();

}

}

public static void main(String[] args) {

Test test = new Test();

test.run();

}

private synchronized SSLSocketFactory getSSLFactory() throws Exception {

if (sslFactory == null) {

SSLContext sslContext = SSLContext.getInstance("SSL");

TrustManager[] tm = { new MyX509TrustManager() };

KeyStore truststore = KeyStore.getInstance("JKS");

truststore.load(new FileInputStream("cert.jks"), "123456".toCharArray());

KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");

kmf.init(truststore, "123456".toCharArray());

sslContext.init(kmf.getKeyManagers(), tm, new java.security.SecureRandom());

sslFactory = sslContext.getSocketFactory();

}

return sslFactory;

}

private HttpURLConnection doHttpRequest(String requestUrl, String method, String body, Map header) throws Exception {

HttpURLConnection conn;

if (method == null || method.length() == 0 ) {

method = "GET";

}

if ("GET".equals(method) && body != null && ! body.isEmpty()) {

requestUrl = requestUrl + "?" + body;

}

URL url = new URL(requestUrl);

conn = (HttpURLConnection) url.openConnection();

conn.setDoOutput(true);

conn.setDoInput(true);

conn.setUseCaches(false);

conn.setInstanceFollowRedirects(true);

conn.setRequestMethod(method);

if (requestUrl.matches("^(https?)://.*$")){

((HttpsURLConnection) conn).setSSLSocketFactory(this.getSSLFactory());

}

if (header != null) {

for (String key : header.keySet()) {

conn.setRequestProperty(key, header.get(key));

}

}

if (body != null && ! body.isEmpty()) {

if (!method.equals("GET") ) {

OutputStreamWriter wr = new OutputStreamWriter(conn.getOutputStream());

wr.write(body);

wr.close();

}

}

conn.connect();

return conn;

}

public int getResponseCode(HttpURLConnection connection) throws IOException {

return connection.getResponseCode();

}

public String getResponseBodyAsString(HttpURLConnection connection) throws Exception {

BufferedReader reader = null;

if (connection.getResponseCode() == 200) {

reader = new BufferedReader(new InputStreamReader(connection.getInputStream()));

} else {

reader = new BufferedReader(new InputStreamReader(connection.getErrorStream()));

}

StringBuffer buffer = new StringBuffer();

String line=null;

while ((line = reader.readLine()) != null) {

buffer.append(line);

}

return buffer.toString();

}

class MyX509TrustManager implements X509TrustManager {

private X509TrustManager sunJSSEX509TrustManager;

MyX509TrustManager() throws Exception {

// create a "default" JSSE X509TrustManager.

KeyStore ks = KeyStore.getInstance("JKS");

ks.load(new FileInputStream("ca.jks"), "123456".toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE");

tmf.init(ks);

TrustManager tms[] = tmf.getTrustManagers();

/*

* Iterate over the returned trustmanagers, look for an instance of

* X509TrustManager. If found, use that as our "default" trust manager.

*/

for (int i = 0; i < tms.length; i++) {

if (tms[i] instanceof X509TrustManager) {

sunJSSEX509TrustManager = (X509TrustManager) tms[i];

return;

}

}

throw new Exception("Couldn't initialize");

}

@Override

public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {

try {

sunJSSEX509TrustManager.checkClientTrusted(chain, authType);

} catch (CertificateException excep) {

}

}

@Override

public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {

try {

sunJSSEX509TrustManager.checkServerTrusted(chain, authType);

} catch (CertificateException excep) {

}

}

@Override

public X509Certificate[] getAcceptedIssuers() {

return sunJSSEX509TrustManager.getAcceptedIssuers();

}

}

}

准备客户端证书

使用openssl生成PEM格式证书

包含三个文件：

ca.pem // CA证书

cert.pem // 客户端证书

key.pem // 客户端私钥

使用keytool生成JKS格式证书

使用JDK自带的keytool工具从PEM格式证书生成JKS格式证书

$ keytool -import -noprompt -file ca.pem -keystore ca.jks -storepass 123456

$ openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12 -passout pass:123456

$ keytool -importkeystore -srckeystore cert.p12 -srcstoretype PKCS12 -srcstorepass 123456 -deststorepass 123456} -destkeystore cert.jks

工具keytool 一般在${JDK_HOME}/bin目录下面；"123456"是随便取的密码。

最终生成两个需要的JKS格式证书。

ca.jks # CA证书

cert.jks # 客户端证书

其实是我一直没有找到java如何直接加载PEM格式证书；如果能加载PEM格式证书，就不需要转换成JKS格式。

编译运行

javac Test.java && java Test