Every sample configuration I could find online, the CXF official site included, configures the CA certificate as a jks or p12 file. Both formats are keyStores that hold the public key and the private key together, so configuring it this way amounts to handing the CA's private key to the client... which instantly defeats the purpose of https and adds a round of encryption/decryption overhead for nothing...
The fix is so simple it hurts (never mind the night I spent trying to strip the private key out of the keyStore): when you configure the trustManagers node (that is, the CA node), don't use keyStore, use certStore instead. A certStore holds only the public key (the certificate), so the CA's private material stays safe.
Here is the complete cxf client configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:sec="http://cxf.apache.org/configuration/security"
       xmlns:http="http://cxf.apache.org/transports/http/configuration"
       xmlns:jaxws="http://java.sun.com/xml/ns/jaxws"
       xsi:schemaLocation="
           http://cxf.apache.org/configuration/security
           http://cxf.apache.org/schemas/configuration/security.xsd
           http://cxf.apache.org/transports/http/configuration
           http://cxf.apache.org/schemas/configuration/http-conf.xsd
           http://www.springframework.org/schema/beans
           http://www.springframework.org/schema/beans/spring-beans-2.0.xsd">
    <http:conduit name="*.http-conduit">
        <http:tlsClientParameters>
            <!-- client identity for mutual TLS: this store legitimately holds the client's own private key -->
            <sec:keyManagers>
                <sec:keyStore type="PKCS12" password="" file="/my/certs/path/client.p12" />
            </sec:keyManagers>
            <!-- trust anchors: a certStore carries only the CA certificate, never a private key -->
            <sec:trustManagers>
                <!--
                <sec:keyStore type="PKCS12" password="" file="/my/certs/path/ca.p12" />
                -->
                <sec:certStore file="/my/certs/path/ca.cer" />
            </sec:trustManagers>
            <sec:cipherSuitesFilter>
                <!-- these filters ensure that a ciphersuite with export-suitable
                     or null encryption is used, but exclude anonymous Diffie-Hellman key exchange
                     as this is vulnerable to man-in-the-middle attacks -->
                <!-- note: the EXPORT, DES and NULL patterns below are copied from the CXF sample;
                     they admit weak or unencrypted suites, so a production client should keep
                     only the _WITH_AES_ pattern -->
                <sec:include>.*_EXPORT_.*</sec:include>
                <sec:include>.*_EXPORT1024_.*</sec:include>
                <sec:include>.*_WITH_DES_.*</sec:include>
                <sec:include>.*_WITH_AES_.*</sec:include>
                <sec:include>.*_WITH_NULL_.*</sec:include>
                <sec:exclude>.*_DH_anon_.*</sec:exclude>
            </sec:cipherSuitesFilter>
        </http:tlsClientParameters>
        <!--
        <http:authorization>
            <sec:UserName>Betty</sec:UserName>
            <sec:Password>password</sec:Password>
        </http:authorization>
        -->
        <!--
        <http:client AutoRedirect="true" Connection="Keep-Alive" />
        -->
    </http:conduit>
</beans>
Addendum:
Recently, while setting up https mutual authentication on tomcat, I found that the jks format allows a keystore that contains nothing but the CA certificate (a pkcs12 keystore holding only the CA certificate is not supported), so the trustManagers above can also be configured with a keyStore in jks format that contains only the CA certificate, for example:
<sec:trustManagers>
    <sec:keyStore type="JKS" password="defaultpwd" file="/my/certs/path/ca_only.jks" />
</sec:trustManagers>
How to convert ca.crt to jks:
keytool -import -v -trustcacerts -storepass defaultpwd -keypass defaultpwd -file ca.crt -keystore ca_only.jks
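The two points above (a trust store must not carry a private key, and a trust manager only needs certificates) can be checked directly with the JDK. The following Java utility is an added example, not part of the original post and not CXF project code: it audits a keystore file such as ca.p12 or ca_only.jks for private-key entries before the file is shipped to clients, and it builds a certificate-only trust store from a file like ca.cer, which is all a TrustManagerFactory needs. The class name TrustStoreAudit, the command-line arguments and the file paths are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not CXF code): audit a keystore before it is handed out as a
 * client trust store, and show that a trust manager is built from bare
 * certificates, so no private key is needed on the trust side.
 */
public class TrustStoreAudit {

    /** Load a JKS or PKCS12 keystore from disk; password may be null. */
    static KeyStore load(Path file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Aliases that carry a key; a trust store should yield an empty list. */
    static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> found = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) {   // PrivateKeyEntry or SecretKeyEntry
                found.add(alias);
            }
        }
        return found;
    }

    /**
     * Build an in-memory trust store from a PEM or DER certificate file, the
     * same idea as CXF's <sec:certStore>: only TrustedCertificateEntry
     * entries, so nothing secret can leak when the file is distributed.
     */
    static KeyStore trustStoreFromCertFile(Path certFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);   // start from an empty store
        try (InputStream in = Files.newInputStream(certFile)) {
            Collection<? extends Certificate> certs = cf.generateCertificates(in);
            int i = 0;
            for (Certificate c : certs) {
                trust.setCertificateEntry("ca-" + (i++), c);
            }
        }
        return trust;
    }

    /** A TrustManagerFactory initialised from certificates only. */
    static TrustManagerFactory trustManagers(KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        return tmf;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: TrustStoreAudit <keystore-file> <JKS|PKCS12> [password]");
            System.err.println("   or: TrustStoreAudit --cert <ca.cer>");
            System.exit(2);
        }
        if ("--cert".equals(args[0])) {
            KeyStore trust = trustStoreFromCertFile(Paths.get(args[1]));
            trustManagers(trust);   // succeeds with certificate entries alone
            System.out.println(args[1] + ": trust store with " + trust.size()
                + " certificate entries and no private keys");
            return;
        }
        char[] pw = args.length > 2 ? args[2].toCharArray() : null;
        KeyStore ks = load(Paths.get(args[0]), args[1], pw);
        List<String> leaks = privateKeyAliases(ks);
        if (leaks.isEmpty()) {
            System.out.println(args[0] + ": " + ks.size()
                + " entries, no private keys; safe to distribute as a trust store");
        } else {
            System.out.println(args[0] + ": key entries " + leaks
                + "; do NOT use this file as a client trust store");
            System.exit(1);
        }
    }
}
```

Run it as `java TrustStoreAudit /my/certs/path/ca_only.jks JKS defaultpwd` to confirm the addendum's JKS trust store holds only a certificate, or as `java TrustStoreAudit --cert /my/certs/path/ca.cer` to show that the certStore approach initialises a trust manager without any keystore at all. The client's own client.p12 is expected to report a key entry, since that is the client's identity for mutual TLS; it is only the file placed under trustManagers that must come back clean.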