https单向认证 java_java + tomcat + openssl，https单向认证、双向认证（亲测）

最新推荐文章于 2021-07-13 19:26:42 发布

一八零天改四次

最新推荐文章于 2021-07-13 19:26:42 发布

阅读量405

点赞数

文章标签： https单向认证 java

本文链接：https://blog.csdn.net/weixin_36465618/article/details/114185829

版权

1.生成根证书、服务端证书、客户端证书

1.1 生成CA根证书

生成跟证书私钥root_private.key

openssl genrsa -out root_private.key 1024

(私钥中包含附加信息，可推到出公钥。使用私钥生成的证书包含对应公钥)

生成根证书签发请求文件root.csr

openssl req -new -key root_private.key -out root.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=Test company/OU=Test company/CN=Test company"

生成X.509格式的CA根证书root.crt

openssl x509 -req -days 365 -in root.csr -out root.crt -signkey root_private.key

根据root.crt证书生成truststore JKS文件root.truststore，输入秘钥库密码123456。

这一步只针对双向认证，单向不需要。

keytool -keystore root.truststore -import -trustcacerts -file root.crt

输入yes,信任此证书。

1.2 使用根证书签发服务端证书

(正常是先签发二级证书，由二级证书对服务端签发)

生成服务端私钥文件server_private.key

openssl genrsa -out server_private.key 1024

签名请求文件server.csr

openssl req -new -key server_private.key -out server.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=test-server/OU=test-server/CN=test-server"

使用根证书签发服务端证书server.crt

openssl x509 -req -days 365 -sha1 -CA root.crt -CAkey root_private.key -CAserial ca.srl -CAcreateserial -in server.csr -out server.crt

查看证书信息

openssl x509 -in server.crt -text -noout

将服务端证书转换为pkcs12格式，密码123456

openssl pkcs12 -export -in server.crt -inkey server_private.key -out server.p12

生成服务端秘钥库server.keystore，秘钥库密码也为123456

keytool -importkeystore -srckeystore server.p12 -destkeystore server.keystore -srcstoretype pkcs12

查看keystore

keytool -list -v -keystore server.keystore

1.3 使用根证书签发客户端证书

生成客户端私钥文件client_private.key

openssl genrsa -out client_private.key 1024

签名请求文件client.csr

openssl req -new -key client_private.key -out client.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=test-client/OU=test-client/CN=test-client"

使用根证书签发客户端证书client.crt

openssl x509 -req -days 365 -sha1 -CA root.crt -CAkey root_private.key -CAserial ca.srl -CAcreateserial -in client.csr -out client.crt

证书转换为pkcs12格式，密码123456

以上生成的公私钥和证书都是PEM格式的，服务端、浏览器一般使用PKCS12格式。

openssl pkcs12 -export -in client.crt -inkey client_private.key -out client.p12

查看证书信息

openssl x509 -in client.crt -text -noout

openssl pkcs12 -in client.p12 -info

2.校验自签发证书：单向和双向

2.1 访问CA中心颁发证书的网站

知名CA中心的证书都会预制到系统或浏览器中，无需特别处理，会自行查询验证。例如百度使用的证书，就是CA中心颁发的，如下三行代码即可实现访问。

URL url = new URL("https://www.baidu.com");

HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection();

InputStream in = urlConnection.getInputStream();

2.2 本机搭建tomcat服务，用于https服务端验证

从http://tomcat.apache.org下载压缩包解压，执行bin目录下的startup.bat

(使用tomcat7，最新tomcat9的配置有改变，资料较少)

启动成功后，在浏览器输入http://localhost:8080出现tomcat界面表示成功

2.3 自签证书的校验：单向验证

单向验证一般指客户端校验服务端证书，服务端并不检查客户端证书。

自签证书没有在系统中预制，需要自行实现校验。

2.3.1 首先服务端搭建https服务，并配置秘钥库server.keystore

将根证书颁发的server.keystore复制到tomcat的的conf目录

修改conf目录下的server.xml，添加clientAuth="false"、keystoreFile、keystorePass

maxThreads="150" SSLEnabled="true" scheme="https" secure="true"

keystoreFile="conf/server.keystore"

keystorePass="123456"

clientAuth="false" sslProtocol="TLS" />

2.3.2 信任域名，否则域名必须跟ca证书域名内容一致

追求更要高安全性可严格校验域名，但对以后域名更换有麻烦。

HostnameVerifier hnv = new HostnameVerifier() {

@Override

public boolean verify(String hostname, SSLSession session) {

// Always return true，接受任意域名服务器

return true;

}

};

HttpsURLConnection.setDefaultHostnameVerifier(hnv);

2.3.3 加载预制的root.crt根证书

root.crt用于验证服务端发送的证书是否有效，有没有被中间人篡改。

Certificate g_ca;

CertificateFactory cf = CertificateFactory.getInstance("X.509");

InputStream caInput = new BufferedInputStream(

new FileInputStream("C:\\xxx\\root-ca\\root.crt"));

g_ca = cf.generateCertificate(caInput);

2.3.4 自实现X509TrustManager的checkServerTrusted()

自签证书验证，需要自行实现X509TrustManager中的checkServerTrusted()回调函数，即下文的myTrustManager。

URL url = new URL("https://localhost:8443");

HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection();

//添加自定义证书校验myTrustManager

SSLContext sslcontext = SSLContext.getInstance("TLS");

TrustManager[] tm = { new myTrustManager() };

sslcontext.init(null, tm, null);

urlConnection.setSSLSocketFactory(sslcontext.getSocketFactory());

InputStream in = urlConnection.getInputStream();

检查证书是否过期

使用root.crt校验服务器发送的证书

class myTrustManager implements X509TrustManager {

@Override

public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {

}

@Override

public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {

Exception error = null;

if (null == chain || 0 == chain.length)

{

error = new CertificateException("Certificate chain is invalid.");

}

else if (null == authType || 0 == authType.length())

{

error = new CertificateException("Authentication type is invalid.");

}

else

{

try

{

/* 自签名，服务端只发一个证书，可以不用检查证书链 */

// 检查证书是否过期

chain[0].checkValidity();

// 验证是否使用了指定公钥相对应的私钥签署了此证书

chain[0].verify(g_ca.getPublicKey());

} catch (NoSuchAlgorithmException e) {

error = e;

} catch (NoSuchProviderException e) {

error = e;

} catch (SignatureException e) {

error = e;

} catch (InvalidKeyException e) {

e.printStackTrace();

}

if (null != error)

{

throw new CertificateException(error);

}

@Override

public X509Certificate[] getAcceptedIssuers() {

return new X509Certificate[0];

}

2.4 自签证书的校验：双向验证

在单向的基础上，服务器端新增配置root.truststore，客户端新增client.p12证书。

2.4.1 服务端：添加客户端ca的根证书

将root.truststore复制到tomcat的的conf目录

修改conf目录下的server.xml，添加https服务，配置clientAuth="true"、root.truststore和密码

maxThreads="150" SSLEnabled="true" scheme="https" secure="true"

keystoreFile="conf/server.keystore"

keystorePass="123456"

truststoreFile="conf/root.truststore"

truststorePass="123456"

clientAuth="true" sslProtocol="TLS" />

访问https://localhost:8443/进行验证

这时直接用浏览器就无法访问了，没有客户端证书返回给服务器，只能自己用代码实现访问。

2.4.2 客户端：添加PKCS12格式秘钥库

在单向验证的基础上添加PKCS12秘钥库，SSLContext初始化时将KeyManagerFactory设置进去。

URL url = new URL("https://localhost:8443");

HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();

//添加PKCS12格式秘钥库，用于客户端发送证书给服务端

KeyStore keyStore = KeyStore.getInstance("PKCS12");

keyStore.load(

new FileInputStream("C:\\xxx\\client-ca\\client.p12"),

"123456".toCharArray());// 密钥库的密码

String tmfAlgorithm = KeyManagerFactory.getDefaultAlgorithm();

KeyManagerFactory kmf = KeyManagerFactory.getInstance(tmfAlgorithm);

kmf.init(keyStore, "123456".toCharArray());// 密钥库的密码

//添加自定义证书校验myTrustManager

SSLContext sslcontext = SSLContext.getInstance("TLS");

TrustManager[] tm = { new myTrustManager() };

sslcontext.init(kmf.getKeyManagers(), tm, null);

urlConnection.setSSLSocketFactory(sslcontext.getSocketFactory());

InputStream in = urlConnection.getInputStream();

2.5 证书校验异常汇总

2.5.1 单向认证：证书验证fail

假如被中间人攻击，服务端传过来的证书不是root ca签发的，那么会引发Signature does not match异常：

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.SignatureException: Signature does not match.

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)

at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)

at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)

at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)

at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)

at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)

at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)

at app.testHttps$3.run(testHttps.java:129)

at java.lang.Thread.run(Thread.java:745)

Caused by: java.security.cert.CertificateException: java.security.SignatureException: Signature does not match.

at app.testHttps$myTrustManager.checkServerTrusted(testHttps.java:186)

at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:922)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)

... 14 more

Caused by: java.security.SignatureException: Signature does not match.

at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)

at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:392)

at app.testHttps$myTrustManager.checkServerTrusted(testHttps.java:172)

... 16 more

2.5.2 双向认证：客户端没有发送自己的证书

假如服务端开启了双向验证，避免非信任客户端连接，那么没有证书的客户端进行访问，会报recv failed异常：

java.net.SocketException: Software caused connection abort: recv failed

at java.net.SocketInputStream.socketRead0(Native Method)

at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)

at java.net.SocketInputStream.read(SocketInputStream.java:170)

at java.net.SocketInputStream.read(SocketInputStream.java:141)

at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)

at sun.security.ssl.InputRecord.read(InputRecord.java:503)

at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961)

at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1757)

at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)

at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1083)

at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1191)

at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1103)

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:344)