SSL双向认证Java实现 Tomcat篇

 

双向验证,在客户机连接服务器时,客户机验证服务器的证书,服务器验证客户机的证书,链接双方都要对彼此的数字证书进行验证,保证这是经过授权的才能够连接。

1. 生成服务器端的keystore和truststore文件:

    1.1. 以jks格式生成服务器端包含Public key和Private Key的keystore文件,keypass与storepass务必要一样,因为在tomcat server.xml中只配置一个password.
    keytool -genkey -alias server -keystore serverKeystore.jks -keypass 123456 -storepass 123456 -keyalg RSA  -keysize 512 -validity 365 -v -dname "CN = W03GCA01A,O = ABC BANK,DC = Server Https,DC = ABC,OU = Firefly Technology And Operation"

    1.2. 从keystore中导出别名为server的服务端证书.
    keytool -export -alias server -keystore serverKeystore.jks -storepass 123456 -file server.cer
 
    1.3. 将server.cer导入客户端的信任证书库clientTruststore.jks。 
     keytool -import -alias trustServer -file server.cer -keystore clientTruststore.jks -storepass 123456
 
2. 生成客户端的keystore和truststore文件:

    1.1. 以jks格式生成服务器端包含Public key和Private Key的keystore文件。
    keytool -genkey -alias client -keystore clientKeystore.jks -keypass 123456 -storepass 123456 -keyalg RSA  -keysize 512 -validity 365 -v -dname "CN = W03GCA01A,O = ABC BANK,DC = Client Https,DC = ABC,OU = Firefly Technology And Operation"

    1.2. 从keystore中导出别名为client的客户端证书.
    keytool -export -alias client -keystore clientKeystore.jks -storepass 123456 -file client.cer
 
    1.3. 将client.cer导入服务端的信任证书库serverTruststore.jks。 
     keytool -import -alias trustClient -file client.cer -keystore serverTruststore.jks -storepass 123456 
 
 
 服务器端: serverKeystore.jks   serverTruststore.jks
 客户端:   clientKeystore.jks   clientTruststore.jks
 
3. 在tomcat 配置server.xml

Xml代码 复制代码 收藏代码
  1. <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"  
  2.                maxThreads="150" scheme="https" secure="true"  
  3.            clientAuth="true" sslProtocol="TLS"    
  4.            keystoreFile="keystore/serverKeystore.jks" keystorePass="123456"    
  5.         truststoreFile="keystore/serverTruststore.jks" truststorePass="123456" />  

 

4. 客户端代码

Java代码 复制代码 收藏代码
  1. package com.ssl.http;   
  2.   
  3. import java.io.File;   
  4. import java.io.FileInputStream;   
  5. import java.security.KeyStore;   
  6. import java.security.KeyStoreException;   
  7.   
  8. import org.apache.http.HttpEntity;   
  9. import org.apache.http.HttpResponse;   
  10. import org.apache.http.client.methods.HttpGet;   
  11. import org.apache.http.conn.scheme.Scheme;   
  12. import org.apache.http.conn.ssl.SSLSocketFactory;   
  13. import org.apache.http.impl.client.DefaultHttpClient;   
  14.   
  15. /**  
  16.  *   
  17.  * @author kevin  
  18.  *   
  19.  */  
  20. public class ClientTwoWaySSL {   
  21.   
  22.     /**  
  23.      * @param args  
  24.      * @throws Exception  
  25.      */  
  26.     public static void main(String[] args) throws Exception {   
  27.         // TODO Auto-generated method stub   
  28.   
  29.         DefaultHttpClient httpclient = new DefaultHttpClient();   
  30.   
  31.         KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());   
  32.         KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());   
  33.   
  34.         FileInputStream keyStoreIn = new FileInputStream(new File(   
  35.                 "com/ssl/http/clientKeystore.jks"));   
  36.         FileInputStream trustStoreIn = new FileInputStream(new File(   
  37.                 "com/ssl/http/clientTruststore.jks"));   
  38.   
  39.         try {   
  40.             keyStore.load(keyStoreIn, "123456".toCharArray());   
  41.             trustStore.load(trustStoreIn, "123456".toCharArray());   
  42.         } finally {   
  43.             keyStoreIn.close();   
  44.             trustStoreIn.close();   
  45.         }   
  46.   
  47.         SSLSocketFactory socketFactory = new SSLSocketFactory(keyStore,   
  48.                 "123456", trustStore);   
  49.         Scheme sch = new Scheme("https", socketFactory, 8443);   
  50.   
  51.         httpclient.getConnectionManager().getSchemeRegistry().register(sch);   
  52.   
  53.         HttpGet httpget = new HttpGet("https://w03gca01a:8443/");   
  54.   
  55.         System.out.println("Request:" + httpget.getRequestLine());   
  56.   
  57.         HttpResponse response = httpclient.execute(httpget);   
  58.         HttpEntity entity = response.getEntity();   
  59.   
  60.         System.out.println("----------------------------------------");   
  61.         System.out.println(response.getStatusLine());   
  62.         if (entity != null) {   
  63.             System.out.println("Response content length: "  
  64.                     + entity.getContentLength());   
  65.         }   
  66.         if (entity != null) {   
  67.             entity.consumeContent();   
  68.         }   
  69.         httpclient.getConnectionManager().shutdown();   
  70.   
  71.     }   
  72.   
  73. }  

 

备注:

A. 如出现如下error,请配置C:\WINDOWS\system32\drivers\etc\hosts, 将“127.0.0.1     w03gca01a” 加在hosts文件中

Exception代码 复制代码 收藏代码
  1. # executing requestGET https://w03gca01a/ HTTP/1.1     
  2. # Exception in thread "main" javax.net.ssl.SSLException: hostname in certificate didn't match: <w03gca01a> != <localhost>     
  3. #     at org.apache.http.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:220)     
  4. #     at org.apache.http.conn.ssl.BrowserCompatHostnameVerifier.verify(BrowserCompatHostnameVerifier.java:54)   

 

B. 本文用到 httpcore-4.0.1.jar httpclient-4.0.1.jar httpmime-4.0.1.jar,下载地址:

http://hc.apache.org/downloads.cgi

posted on 2013-10-26 10:49  sqljiang  阅读(592)  评论(0编辑  收藏  举报