java jni openssl nginx证书私钥有效性校验

 

1、安装openssl

wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz

./config --prefix=/usr/local/openssl  --shared

--shared为添加动态库，生成libssl.so，默认只有libssl.a静态库

make

make install

ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

cp /usr/local/openssl/lib/openssl/libssl.so.1.1 /lib/x86_64-linux-gnu/

cp /usr/local/openssl/lib/openssl/libcrypto.so.1.1 /lib/x86_64-linux-gnu/ 

 

2、新建jni工程（eclipse为例）

新建java工程PemCheck

src下新建class  com.jni.OpenSSLUtils.java

package com.jni;

public class OpenSSLUtils {
	public native static int checkPem(String pem,String key);
}

cd ${workspace}/PemCheck

javah -classpath . -d . com.jni.OpenSSLUtils

javah -jni com.jni.OpenSSLUtils

此时src下生成com_jni_OpenSSLUtils.h头文件

/* DO NOT EDIT THIS FILE - it is machine generated */
#include <jni.h>
/* Header for class com_jni_OpenSSLUtils */

#ifndef _Included_com_jni_OpenSSLUtils
#define _Included_com_jni_OpenSSLUtils
#ifdef __cplusplus
extern "C" {
#endif
/*
 * Class:     com_jni_OpenSSLUtils
 * Method:    checkPem
 * Signature: (Ljava/lang/String;Ljava/lang/String;)I
 */
JNIEXPORT jint JNICALL Java_com_jni_OpenSSLUtils_checkPem
  (JNIEnv *, jclass, jstring, jstring);

#ifdef __cplusplus
}
#endif
#endif

　3、新建C++工程（eclipse为例）

new project   >> C++ Project    >> ShardLibrary

 

 

 设置编译环境

include jdk的头文件path

include jdk的头文件 linux path

include openssl 头文件path

 

 

 

 

 

 

编译参数加上-fPIC

 

 

 

链接库加上ssl,crypto

 

可以配置个命令将编译后的so库cp到测试或使用的工程路径下 

 

4、编写openssl检测代码

新建src文件夹，将com_jni_OpenSSLUtils.h复制到该目录下，

同时新建com_jni_OpenSSLUtils.cpp

 

#include "com_jni_OpenSSLUtils.h"
#include "openssl/pem.h"
#include "openssl/bio.h"
#include "openssl/ssl.h"

#include <iostream>

using namespace std; // @suppress("Symbol is not resolved")
/*
 * Class:     com_jni_OpenSSLUtils
 * Method:    checkPem
 * Signature: (Ljava/lang/String;Ljava/lang/String;)I
 */
JNIEXPORT jint JNICALL Java_com_jni_OpenSSLUtils_checkPem
  (JNIEnv *env, jclass jc, jstring pem, jstring key){
		BIO* keyBIO;
		EVP_PKEY* pkey;
		BIO* pemBIO = BIO_new_mem_buf(env->GetStringUTFChars(pem,0),-1);
		X509* cert = PEM_read_bio_X509(pemBIO,NULL,NULL,NULL);
	    if (cert == NULL) {
	    	cout << "PEM_read_bio_X509_AUX() failed" << endl;
	    	if(NULL != pemBIO)
	    	  BIO_free(pemBIO);
	    	return -1;
	    }
	    keyBIO = BIO_new_mem_buf(env->GetStringUTFChars(key,0),-1);
	    pkey = PEM_read_bio_PrivateKey(keyBIO,NULL,NULL,NULL);
	    if (pkey == NULL) {
	        	cout << "PEM_read_bio_PrivateKey() failed" << endl;
	        	if(NULL != cert)
	        		X509_free(cert);
	        	if(NULL != pemBIO)
	        		BIO_free(pemBIO);
	        	if(NULL != keyBIO)
	        		BIO_free(keyBIO);
	        	return -1;
	    }
	    SSL_library_init();
	    OpenSSL_add_all_algorithms();
	    SSL_load_error_strings();
	    SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
	    if (ctx == NULL) {
	    	cout << "ctx create failed" << endl;
        	goto bad;
	        }
	    if(SSL_CTX_use_certificate(ctx,cert)<=0){
	    	cout << "user certificate fail" << endl;
	    	goto bad;
	    }

	    if(SSL_CTX_use_PrivateKey(ctx,pkey) <=0){
	    	cout << "user key fail" << endl;
	    	goto bad;
	    }

	    if(!SSL_CTX_check_private_key(ctx)){
	    	cout << "key does not match the certificate" << endl;
	    	goto bad;
	    }
		if(NULL != pemBIO)
			BIO_free(pemBIO);
		if(NULL != keyBIO)
			BIO_free(keyBIO);
		if(NULL != pkey)
			EVP_PKEY_free(pkey);
		if(NULL != cert)
			X509_free(cert);
		if(NULL != ctx)
			SSL_CTX_free(ctx);
		return 0;

		bad:
			if(NULL != cert)
				X509_free(cert);
			if(NULL != pemBIO)
				BIO_free(pemBIO);
			if(NULL != keyBIO)
				BIO_free(keyBIO);
			if(NULL != pkey)
				EVP_PKEY_free(pkey);
			if(NULL != ctx)
				SSL_CTX_free(ctx);
			return -1;
	}

　　

 Build All.

5、测试

在java工程下新建Test 类

package com.jni;

public class Test {

	static {
		System.load("${solibpath}/libPemCheck.so");
	}
	
	public static void main(String[] args) {
		System.out.println(
		OpenSSLUtils.checkPem("cert","pem"));
	}
}