Nginx双向认证配置及测试
一、前言
在我的前面两篇博客中我已经介绍了什么是Nginx的双向认证,以及如何使用keytool实现tomcat的双向认证,概念阐述以及废话比较多哈哈,今天主要是将Nginx的双向认证如何配置并且使用Java程序去访问Nginx。看过我前面两篇博客的小伙伴应该都知道,Nginx的双向认证我们使用的是Openssl工具来生成CA证书、Server的证书、Client的证书,而Tomcat双向认证使用的是Jdk自带的Keytool工具来生成Server证书和Client证书。所以在我们使用Java访问Nginx的时候就存在证书格式的问题。(或者说如何将Openssl生成的Ca证书引入信任库中)
二、Nginx双向认证
准备工作
A.生成需要使用的CA证书
创建一个/cert/test 文件夹,在该文件夹生成CA证书
mkdir /cert/test
cd /cert/test
openssl genrsa -out ca.key 2048 //生成CA的私钥
//用刚刚生成的私钥生成CA证书
openssl req -x509 -new -nodes -key ca.key -subj "/CN=achao666.xyz" -days 365 -out ca.crt
openssl x509 -in ca.crt -noout -text //查看证书
说明:命令行中的CN指的是Common Name,小伙伴们如果有自己的域名就可以用域名,没有域名就使用ip地址
截图:
B.生成Server端的证书
创建一个服务器证书,并将该证书交由CA签名
openssl genrsa -out server.key 2048 //生成server的私钥
//生成server证书请求文件
openssl req -new -key server.key -subj "/CN=achao666.xyz" -out server.csr
//生成server证书
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365
截图:
C.生成Client端的证书
创建一个客户端证书,并将该证书交由CA签名
openssl genrsa -out client.key 2048 //生成client的私钥
//生成client的证书请求文件
openssl req -new -key client.key -subj "/CN=achao666.xyz" -out client.csr
//创建一个拓展文件
cat > client.ext << EOF
extendedKeyUsage=clientAuth
EOF
//生成client证书
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile client.ext -out client.crt -days 356
截图:
D.生成浏览器需要的证书格式
生成client证书的pfx格式,需要设置密码
openssl pkcs12 -export -inkey /cert/test/client.key -in /cert/test/client.crt -out client.pfx
sz client.pfx //下载到Windows
截图:
E.配置Nginx
修改nginx.conf配置,并重启nginx
vi /usr/local/nginx/conf/nginx.conf
/usr/local/nginx/sbin/nginx -s reload //重启nginx
截图:
测试
测试浏览器访问
无法访问,我们需要安装之前导出的client.pfx文件
安装完成再次访问浏览器
已经能够成功访问
使用Linux shell脚本访问
curl https://achao666.xyz --cacert /cert/test/ca.crt --cert /cert/test/client.crt --key /cert/test/client.key --resolve achao666.xyz:443:139.224.50.94 -k
截图:
使用Java程序访问
需生成truststore库文件进行访问,使用jdk自带工具keytool生成
keytool -keystore truststore -keypass 123456 -storepass 123456 -alias achaoCa -import -trustcacerts -file ca.cer //这边需要将ca.crt复制一份并改为ca.cer
截图:
Java实现
三、Java代码块
HttpConfig
import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.Optional;
public class HttpConfig {
public static final String PROTOCOL = "TLS";
/**
* 获取keystore
*
* @param keystorePath keystore路径
* @param password 密码
* @return 密钥库
* @throws Exception Exception
*/
private static KeyStore getKeyStore(String keystorePath, String password) throws Exception {
KeyStore keystore = KeyStore.getInstance("JKS"); //JKS PKCS12
// KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
try (FileInputStream in = new FileInputStream(keystorePath);) {
keystore.load(in, password.toCharArray());
return keystore;
}
}
/**
* 获取 SSLSocketFactory
* @param keyManagerFactory 密钥库工厂
* @param trustFactory 信任库工厂
* @return SSLSocketFactory
* @throws Exception Exception
*/
public static SSLSocketFactory getSSLSocketFactory(KeyManagerFactory keyManagerFactory,
TrustManagerFactory trustFactory) throws Exception {
// 实例化SSL上下文
SSLContext context = SSLContext.getInstance(PROTOCOL);
KeyManager[] keyManagers = Optional.ofNullable(keyManagerFactory)
.map(KeyManagerFactory::getKeyManagers).orElse(null);
TrustManager[] trustManagers = Optional.ofNullable(trustFactory)
.map(TrustManagerFactory::getTrustManagers).orElse(null);
context.init(keyManagers, trustManagers, new SecureRandom());
return context.getSocketFactory();
}
public static TrustManagerFactory getTrustManagersFactory(String trustStorePath, String password) throws Exception {
// 实例化信任库
TrustManagerFactory trustFactory = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
KeyStore trustStore = getKeyStore(trustStorePath, password);
// 初始化信任库
trustFactory.init(trustStore);
return trustFactory;
}
public static KeyManagerFactory getKeyManagerFactory(String keystorePath, String password) throws Exception {
KeyManagerFactory factory = KeyManagerFactory
.getInstance(KeyManagerFactory.getDefaultAlgorithm());
// 获取密钥库
KeyStore keyStore = getKeyStore(keystorePath, password);
// 初始化密钥工厂
factory.init(keyStore, password.toCharArray());
return factory;
}
}
测试类
import org.junit.Test;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.DataInputStream;
import java.io.IOException;
import java.net.URL;
public class HttpsRequestTest {
private String password = "123456";
private String trustStorePath = "F:\\ca\\nginx\\test\\truststore";
private String keyStorePath = "F:\\ca\\nginx\\test\\client.pfx";
private String httpUrl = "https://139.224.50.94";
@Test
public void twoWayAuthentication() throws Exception {
URL url = new URL(httpUrl);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
// 打开输入输出流
conn.setDoInput(true);
//域名校验
conn.setHostnameVerifier((k, t) -> true);
// 双向认证
TrustManagerFactory trustManagersFactory =
HttpConfig.getTrustManagersFactory(trustStorePath, password);
KeyManagerFactory keyManagerFactory = HttpConfig
.getKeyManagerFactory(keyStorePath, password);
SSLSocketFactory sslSocketFactory = HttpConfig
.getSSLSocketFactory(keyManagerFactory, trustManagersFactory);
conn.setSSLSocketFactory(sslSocketFactory);
conn.connect();
receiveData(conn);
conn.disconnect();
}
private void receiveData(HttpsURLConnection conn) throws IOException {
int length = conn.getContentLength();
byte[] data = null;
if (length != -1) {
DataInputStream input = new DataInputStream(conn.getInputStream());
data = new byte[length];
input.readFully(data);
input.close();
System.out.println(new String(data));
}
}
}