通过HTTPS / SSL的Java客户端证书

我正在使用Java 6,并尝试HttpsURLConnection使用客户端证书针对远程服务器创建一个。

服务器正在使用自签名的根证书,并且要求提供受密码保护的客户端证书。我已将服务器根证书和客户端证书添加到在/System/Library/Frameworks/JavaVM.framework/Versions/1.6.0/Home/lib/security/cacerts(OSX 10.5)中找到的默认Java密钥库中。密钥库文件的名称似乎表明不应将客户端证书放入其中?

无论如何,将根证书添加到此存储解决了臭名昭著的问题 javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed' problem.

但是,我现在停留在如何使用客户端证书上。我尝试了两种方法,但都无济于事。

首先,最好尝试:

SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();

URL url = new URL("https://somehost.dk:3049");

HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();

conn.setSSLSocketFactory(sslsocketfactory);

InputStream inputstream = conn.getInputStream();

// The last line fails, and gives:

// javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

我尝试跳过HttpsURLConnection类(因为我想与服务器进行HTTP通信,因此不理想),而是这样做:

SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();

SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("somehost.dk", 3049);

InputStream inputstream = sslsocket.getInputStream();

// do anything with the inputstream results in:

// java.net.SocketTimeoutException: Read timed out

我什至不确定客户端证书是否是这里的问题。

回答:

对我来说,这是使用Apache HttpComponents〜HttpClient 4.x的方法:

    KeyStore keyStore  = KeyStore.getInstance("PKCS12");

FileInputStream instream = new FileInputStream(new File("client-p12-keystore.p12"));

try {

keyStore.load(instream, "helloworld".toCharArray());

} finally {

instream.close();

}

// Trust own CA and all self-signed certs

SSLContext sslcontext = SSLContexts.custom()

.loadKeyMaterial(keyStore, "helloworld".toCharArray())

//.loadTrustMaterial(trustStore, new TrustSelfSignedStrategy()) //custom trust store

.build();

// Allow TLSv1 protocol only

SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(

sslcontext,

new String[] { "TLSv1" },

null,

SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); //TODO

CloseableHttpClient httpclient = HttpClients.custom()

.setHostnameVerifier(SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER) //TODO

.setSSLSocketFactory(sslsf)

.build();

try {

HttpGet httpget = new HttpGet("https://localhost:8443/secure/index");

System.out.println("executing request" + httpget.getRequestLine());

CloseableHttpResponse response = httpclient.execute(httpget);

try {

HttpEntity entity = response.getEntity();

System.out.println("----------------------------------------");

System.out.println(response.getStatusLine());

if (entity != null) {

System.out.println("Response content length: " + entity.getContentLength());

}

EntityUtils.consume(entity);

} finally {

response.close();

}

} finally {

httpclient.close();

}

P12文件包含使用BouncyCastle创建的客户端证书和客户端私钥:

public static byte[] convertPEMToPKCS12(final String keyFile, final String cerFile,

final String password)

throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException,

NoSuchProviderException

{

// Get the private key

FileReader reader = new FileReader(keyFile);

PEMParser pem = new PEMParser(reader);

PEMKeyPair pemKeyPair = ((PEMKeyPair)pem.readObject());

JcaPEMKeyConverter jcaPEMKeyConverter = new JcaPEMKeyConverter().setProvider("BC");

KeyPair keyPair = jcaPEMKeyConverter.getKeyPair(pemKeyPair);

PrivateKey key = keyPair.getPrivate();

pem.close();

reader.close();

// Get the certificate

reader = new FileReader(cerFile);

pem = new PEMParser(reader);

X509CertificateHolder certHolder = (X509CertificateHolder) pem.readObject();

java.security.cert.Certificate x509Certificate =

new JcaX509CertificateConverter().setProvider("BC")

.getCertificate(certHolder);

pem.close();

reader.close();

// Put them into a PKCS12 keystore and write it to a byte[]

ByteArrayOutputStream bos = new ByteArrayOutputStream();

KeyStore ks = KeyStore.getInstance("PKCS12", "BC");

ks.load(null);

ks.setKeyEntry("key-alias", (Key) key, password.toCharArray(),

new java.security.cert.Certificate[]{x509Certificate});

ks.store(bos, password.toCharArray());

bos.close();

return bos.toByteArray();

}

以上是 通过HTTPS / SSL的Java客户端证书 的全部内容, 来源链接: utcz.com/qa/425921.html

回到顶部