配置apache cxf 客户端支持https

包括CXF官网在内的的网上所有示例配置中，都把CA证书配置为jks或者p12格式的，由于这两种格式都是同时包含了公钥和私钥的keyStore，所以这么配置相当于向客户端暴露了CA的私钥。。。瞬间让https的存在失去了意义，还徒增一层加解密耗时操作。。

解决方案简单到哭（忽略熬夜一晚上尝试keyStore去私钥等操作），就是配置trustManagers节点(也即CA节点)的时候不用keyStore，改用certStore，而certStore仅仅存放公钥，保证了CA信息的安全

下面附上cxf client完整配置：

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:sec="http://cxf.apache.org/configuration/security"
    xmlns:http="http://cxf.apache.org/transports/http/configuration"
    xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
    xsi:schemaLocation="
      http://cxf.apache.org/configuration/security
      http://cxf.apache.org/schemas/configuration/security.xsd
      http://cxf.apache.org/transports/http/configuration
      http://cxf.apache.org/schemas/configuration/http-conf.xsd
      http://www.springframework.org/schema/beans
      http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">

    <http:conduit name="*.http-conduit">

        <http:tlsClientParameters>
            <sec:keyManagers>
                <sec:keyStore type="PKCS12" password="" file="/my/certs/path/client.p12" />
            </sec:keyManagers>
            <sec:trustManagers>
                <!-- 
                <sec:keyStore type="PKCS12" password="" file="/my/certs/path/ca.p12" />
                     -->
                <sec:certStore file="/my/certs/path/ca.cer" />
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <!-- these filters ensure that a ciphersuite with export-suitable 
                    or null encryption is used, but exclude anonymous Diffie-Hellman key change 
                    as this is vulnerable to man-in-the-middle attacks -->
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_AES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
        <!-- 
        <http:authorization>
            <sec:UserName>Betty</sec:UserName>
            <sec:Password>password</sec:Password>
        </http:authorization>
         -->
         <!-- 
        <http:client AutoRedirect="true" Connection="Keep-Alive" />
         -->

    </http:conduit>

</beans>

补充：

最近给tomcat部署https双向验证的时候，发现jks格式支持仅添加ca证书（pkcs12格式仅添加ca证书后keystore不支持），所以上面在配置trustManagers的时候也可以用keystore配置jks格式的证书，里面仅包含ca证书，示例如下：

<sec:trustManagers>
    <sec:keyStore type="JKS" password="defaultpwd" file="/my/certs/path/ca_only.jks" />
</sec:trustManagers>

附上ca.crt转jks方法：

keytool -import -v -trustcacerts -storepass defaultpwd -keypass defaultpwd -file ca.crt -keystore ca_only.jks