java https tomcat 单双认证(含证书生成和代码实现)

https://www.cnblogs.com/sprinng/p/5757795.html

 

自己研究的步骤

 

keytool -genkey -alias tbb -keyalg RSA -validity 3650 -keystore D:\ssl\cert\tbb.keystore    --服务端证书，放入tomcat中

keytool -export -alias tbb -keystore D:\ssl\cert\tbb.keystore -storepass 123456 -rfc -file D:\ssl\cert\tbb.cer

 

keytool -import -alias mycert -file D:\ssl\cert\tbb.cer -keystore D:\ssl\cert\tbb.jks   --交给客户使用

keytool -validity 36500 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore D:\ssl\cert\client.p12    --交给客户使用

keytool -export -v -alias client -keystore D:\ssl\cert\client.p12 -storetype PKCS12 -storepass 123456 -rfc -file D:\ssl\cert\client.cer   --服务端认证客户端证书

keytool -import -v -alias client -file D:\ssl\cert\client.cer -keystore D:\ssl\cert\tbb.keystore -storepass 123456   --服务端认证客户端证书

 

 

以下是转载

 

server: apache-tomcat-6.0.44 jdk1.7.0_79
client: jdk1.7.0_79

jks是JAVA的keytools证书工具支持的证书私钥格式。 pfx是微软支持的私钥格式。 cer是证书的公钥。

生成：
    keytool -genkey -alias tbb -keyalg RSA -keystore D:\cert\tbb.keystore
    模板：
     keytool -genkey -alias yushan -keypass yushan -keyalg RSA -keysize 1024 -validity 365((默认为90天)) -keystore D:\cert\tbb.keystore -storepass 123456 -dname "CN=(名字与姓氏), OU=(组织单位名称), O=(组织名称), L=(城市或区域名称), ST=(州或省份名称), C=(单位的两字母国家代码)";(中英文即可)
验证：
    keytool -selfcert -alias tbb -keystore D:\cert\tbb.keystore
导出：    
    keytool -export -alias tbb -keystore D:\cert\tbb.keystore -storepass 12345678 -rfc -file D:\cert\tbb.cer
转换    cer -> jks
    keytool -import -alias mycert -file D:\cert\tbb.cer -keystore D:\cert\tbb.jks  

keystore信息的查看：
     打印证书的 MD5 指纹
    keytool -list  -v -keystore D:\cert\tbb.keystore -storepass 12345678
    可打印的编码格式输出证书
    keytool -list  -rfc -keystore D:\cert\tbb.keystore -storepass 12345678

 

生成客户端证书库
keytool -validity 36500 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore D:\cert\client.p12 -dname "CN=spring,OU=jiajianfa,O=jiajianfa,L=Wuhan,ST=HuBei,c=cn" -storepass 12345678 -keypass 12345678
从客户端证书库中导出客户端证书
keytool -export -v -alias client -keystore D:\cert\client.p12 -storetype PKCS12 -storepass 12345678 -rfc -file D:\cert\client.cer

将客户端证书导入到服务器证书库(使得服务器信任客户端证书,服务器端用此验证客户端的合法性)
keytool -import -v -alias client -file D:\cert\client.cer -keystore D:\cert\tbb.keystore -storepass 12345678

查看服务端证书中信任的客户端证书
keytool -list -keystore D:\cert\tbb.keystore  -storepass 12345678

 

tomcat server.xml 配置：

<!-- clientAuth  true:双向认证   false:单向认证-->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"  keystorePass="12345678" keystoreFile="D:\cert\tbb.keystore"
               truststoreFile="D:\cert\tbb.keystore" truststorePass="12345678"  />

<!--  配置服务端项目web.xml  在<welcome-file-list>之后增加：-->

<!-- 强制SSL配置，即普通的请求也会重定向为SSL请求 --> 
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SSL</web-resource-name>
            <url-pattern>/*</url-pattern><!-- 全站使用SSL <url-pattern>/*</url-pattern>-->
        </web-resource-collection>
        <user-data-constraint>
            <description>SSL required</description>
            <!-- CONFIDENTIAL: 要保证服务器和客户端之间传输的数据不能够被修改，且不能被第三方查看到 -->
            <!-- INTEGRAL: 要保证服务器和client之间传输的数据不能够被修改 -->
            <!-- NONE: 指示容器必须能够在任一的连接上提供数据。（即用HTTP或HTTPS，由客户端来决定）-->
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

 

 

 

单向认证：

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.Authenticator;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.URL;
import java.util.Date;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

/**
 * @Description https单向认证
 * @author sprinng
 *
 */
public class ClientSendDataSingle {
    /**
     * 
     * @param sendurl 请求地址
     * @param res  返回结果
     * @param sendData 参数
     * @param timeOut  超时时间(min)
     * @param useProxy  是否使用代理
     * @param trustStorePath 证书路径
     * @param trustStorePwd 证书密码
     * @return
     * @throws Exception
     */
    public static String send(String sendurl, String res, String sendData, String timeOut, boolean useProxy, String trustStorePath, String trustStorePwd)throws Exception {
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePwd);
        URL url = new URL(sendurl);
        HttpsURLConnection connection = null;
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String urlHostName, SSLSession session) {
                return true;
            }
        };
        System.setProperty("java.protocol.handler.pkgs","sun.net.www.protocol");
        HttpsURLConnection.setDefaultHostnameVerifier(hv);
        Date current = new Date(System.currentTimeMillis());
        System.out.println("begint to open connection at " + current);
        //使用代理
        if(useProxy){
            InetSocketAddress isa = new InetSocketAddress(PropertiesUtil.properties.getProperty("proxy_host"), Integer.parseInt(PropertiesUtil.properties.getProperty("proxy_port")));
            Proxy proxy = new Proxy(Proxy.Type.HTTP, isa);
            Authenticator.setDefault(new MyAuthenticator(PropertiesUtil.properties.getProperty("proxy_user"), PropertiesUtil.properties.getProperty("proxy_password")));
            connection = (HttpsURLConnection) url.openConnection(proxy);
        }else{
            connection = (HttpsURLConnection) url.openConnection();
        }
        Date end = new Date(System.currentTimeMillis());
        System.out.println("open connection ok at " + end + ",cost:"+ (end.getTime() - current.getTime()));
        connection.setRequestProperty("Content-Type", "text/xml");
        connection.setDoOutput(true);
        connection.setDoInput(true);
        connection.setRequestMethod("POST");
        connection.setUseCaches(false);
        connection.setReadTimeout(60 * 1000 * Integer.parseInt(timeOut));
        byte data[] = sendData.getBytes();
        current = new Date(System.currentTimeMillis());
        System.out.println("[SSLIX]notifyEai,begint to write data at " + current);
        OutputStream out = connection.getOutputStream();
        out.write(data);
        end = new Date(System.currentTimeMillis());
        System.out.println("write data ok at " + end + ",cost:"  + (end.getTime() - current.getTime()));
        StringBuffer receivedData = new StringBuffer();
        current = new Date(System.currentTimeMillis());
        System.out.println("begint to read data at " + current);
        InputStreamReader inReader = new InputStreamReader(connection.getInputStream(), "UTF-8");
        BufferedReader aReader = new BufferedReader(inReader);
        String aLine;
        while ((aLine = aReader.readLine()) != null) {
            receivedData.append(aLine);
        }
        end = new Date(System.currentTimeMillis());
        System.out.println("read data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));
        System.out.println("开始返回状态码");
        Integer statusCode = connection.getResponseCode();
        System.out.println("返回状态码:" + statusCode);
        aReader.close();
        connection.disconnect();
        res = receivedData.toString();
        return res;
    }

    public static class MyAuthenticator extends Authenticator {
        private String user = "";
        private String password = "";

        public MyAuthenticator(String user, String password) {
            this.user = user;
            this.password = password;
        }

        protected PasswordAuthentication getPasswordAuthentication() {
            return new PasswordAuthentication(user, password.toCharArray());
        }
    }
    
    public static void main(String[] args) throws Exception {
        System.out.println(ClientSendDataSingle.send("https://localhost:8443/spdbSjptServer", "", "", "5", false, "D:/cert/tbb.jks", "12345678"));
    }
}

 

双向认证：

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.Authenticator;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.util.Date;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;

import com.pf.util.ClientSendDataSingle.MyAuthenticator;

/**
 * 
 * @Description https双向认证
 * @author sprinng
 *
 */
public class ClientSendDataDouble {
    /**
     * 
     * @param sendurl 请求地址
     * @param res  返回结果
     * @param sendData 参数
     * @param timeOut  超时时间(min)
     * @param useProxy  是否使用代理
     * @param trustStorePath 服务器证书路径
     * @param trustStorePwd 服务器证书密码
     * @param keyStore 客户端证书路径
     * @param keyStorePwd 客户端证书密码
     * @param keyStoreType 客户端证书类型      如:JKS PKCS12等
     * @return
     * @throws Exception
     */
    public static String send(String sendurl, String res, String sendData, String timeOut, boolean useProxy, String trustStorePath, String trustStorePwd, String keyStore, String keyStorePwd, String keyStoreType) throws Exception {
        //设置客户端证书
        System.setProperty("javax.net.ssl.keyStore", keyStore);
        System.setProperty("javax.net.ssl.keyStorePassword",keyStorePwd);
        System.setProperty("javax.net.ssl.keyStoreType", keyStoreType);
         
        //设置服务器证书
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword",  trustStorePwd);
        URL url = new URL(sendurl);
        HttpsURLConnection connection = null;
        HostnameVerifier hv = new HostnameVerifier() {
            public boolean verify(String urlHostName, SSLSession session) {
                return true;
            }
        };
        System.setProperty("java.protocol.handler.pkgs","sun.net.www.protocol");
        HttpsURLConnection.setDefaultHostnameVerifier(hv);
        Date current = new Date(System.currentTimeMillis());
        System.out.println("begint to open connection at " + current);
        if(useProxy){//使用代理
            InetSocketAddress isa = new InetSocketAddress(PropertiesUtil.properties.getProperty("proxy_host"), Integer.parseInt(PropertiesUtil.properties.getProperty("proxy_port")));
            Proxy proxy = new Proxy(Proxy.Type.HTTP, isa);
            Authenticator.setDefault(new MyAuthenticator(PropertiesUtil.properties.getProperty("proxy_user"), PropertiesUtil.properties.getProperty("proxy_password")));
            connection = (HttpsURLConnection) url.openConnection(proxy);
        }else{
            connection = (HttpsURLConnection) url.openConnection();
        }
        Date end = new Date(System.currentTimeMillis());
        System.out.println("open connection ok at " + end + ",cost:"+ (end.getTime() - current.getTime()));
        connection.setRequestProperty("Content-Type", "text/xml");
        connection.setDoOutput(true);
        connection.setDoInput(true);
        connection.setRequestMethod("POST");
        connection.setUseCaches(false);
        connection.setReadTimeout(30000);
        byte data[] = sendData.getBytes();
        current = new Date(System.currentTimeMillis());
        System.out.println("[SSLIX]notifyEai,begint to write data at " + current);
        OutputStream out = connection.getOutputStream();
        out.write(data);
        end = new Date(System.currentTimeMillis());
        System.out.println("write data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));
        StringBuffer receivedData = new StringBuffer();
        current = new Date(System.currentTimeMillis());
        System.out.println("begint to read data at " + current);
        InputStreamReader inReader = new InputStreamReader(connection.getInputStream(), "UTF-8");
        BufferedReader aReader = new BufferedReader(inReader);
        String aLine;
        while ((aLine = aReader.readLine()) != null) {
            receivedData.append(aLine);
        }
        end = new Date(System.currentTimeMillis());
        System.out.println("read data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));
        System.out.println("开始返回状态码");
        Integer statusCode = connection.getResponseCode();
        System.out.println("返回状态码:" + statusCode);
        aReader.close();
        connection.disconnect();
        return receivedData.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(ClientSendDataDouble.send("https://localhost:8443/spdbSjptServer/", "", "", "5", false, "D:/cert/tbb.jks", "12345678", "D:/cert/client.p12", "12345678", "PKCS12"));
    }
}

 

附：

import java.io.IOException;
import java.util.Properties;


public class PropertiesUtil {
    public static final Properties properties = new Properties();
    static {
         try {
          properties.load(PropertiesUtil.class.getClassLoader().getResourceAsStream("config.properties"));
         } catch (IOException e) { 
             ECommonUtil.getLog().error("初始config配置文件失败");
        }
    }
}