- 浏览: 177108 次
- 性别:
- 来自: 深圳
文章分类
- 全部博客 (56)
- 算法 (9)
- linux (15)
- oracle (4)
- Project Euler Problem (3)
- 编程珠玑 (2)
- 数学 (1)
- http (1)
- java (19)
- plsql (1)
- apusic (1)
- https (1)
- 备忘 (22)
- 概率 (1)
- EIP (0)
- eclipse (1)
- 安全 (1)
- 公钥体系 (6)
- PKI (2)
- 网络 (2)
- linux,克隆 (0)
- virt-manager (1)
- VMWare (1)
- 克隆 (1)
- logback (1)
- TimeBasedRollingPolicy (0)
- SizeBasedTriggeringPolicy (0)
- properties (1)
- class (1)
- classloader (1)
- netty (1)
- thread dump (1)
- jstack (1)
- jconsole (1)
- java,编码,文件名 (0)
- google (1)
- goagent (1)
- 线程池 (1)
- 博客 (1)
- hexo (1)
- github (1)
- gitcafe (1)
最新评论
-
panhl:
我也实现了一个https://github.com/panho ...
具有相同属性任务串行有序执行的线程池设计 -
fengwei5129:
感谢,最近在看netty源码一直搞不清楚是如何实现的死锁检测, ...
Future机制用于并发编程时的死锁检测 -
OpenMind:
发现IBM JDK的System.nanoTime()没有实现 ...
Java系统时钟几个值得思考的问题 -
lvhongfen:
好了,感谢LZ分享
windows下plsql 设置 里面timestamp显示的格式 -
OpenMind:
今天发现,在linux下还有个很简介的方法查看线程的转储信息, ...
不依赖jstack的java 线程dump和死锁检查工具
在不安全的网络环境下进行密钥交互(1/3,前面那一节),容易遭受中间人攻击,什么是中间人攻击,请google it。
通信的双方必须是相互信任的,在这个基础上再进行密钥协商才是可靠的。那么,如何建立信任关系呢?
我以前的几篇博文介绍了用如何 用 Java编程方式生成CA证书 以及用CA证书签发客户证书。
现在假设,Alice和Bob的证书都是被同一个CA atlas签发的(见我前面的博文),那么他们之间如何安全的交互密钥呢?
Alice:
- 发送自己的证书Certa;
- 发送DH 密钥对的公钥PDa;
- 发送用自己的私钥 对DH公钥的签名Sa。
Bob与Alice执行相同的步骤,下面是Bob处理Alice发送的东西的步骤:
- 接收Alice的公钥Certa、DH公钥PDa、和签名Sa
- 使用CA的证书验证Certa,如果通过,就证明了Alice的证书Certa是合法的。
- 使用证书Certa验证签名Sa,如果通过,就证明了Certa确实是Alice发送过来的,因为只有Alice用自己的私钥才可以对PDa进行签名。
Alice和Bob是对等的。
经过上面的过程,可以看出Alice和Bob在相互信任的基础上交互了DH算法的公钥,即通过这种方式避免了中间人攻击。
下面该上代码了:
/** * 安全的密钥交互类。 * 这个交互工具可以校验双方的身份,并对发送的DH公钥进行签名,防止中间者攻击。 * @author atlas * @date 2012-9-6 */ public class SecureKeyExchanger extends DHKeyExchanger { /** * 签名算法 */ private static String signAlgorithm = "SHA1withRSA"; /** * 此方的私钥 */ private PrivateKey privateKey; /** * 此方的证书 */ private Certificate certificate; /** * 用于校验彼方公钥的CA证书,此证书来自此方的CA或者此方可信任的CA */ private Certificate caCertificate; /** * 彼方的证书,在DH公钥交换之前进行交互获取的 */ private Certificate peerCert; /** * * @param out * @param in * @param privateKey 此方的私钥 * @param certificate 此方的证书 * @param caCertificate 用于校验彼方公钥的CA证书,此证书来自此方的CA或者此方可信任的CA */ public SecureKeyExchanger(Pipe pipe, PrivateKey privateKey, Certificate certificate, Certificate caCertificate) { super(pipe); this.privateKey = privateKey; this.certificate = certificate; this.caCertificate = caCertificate; } // Send the public key. public void sendPublicKey() throws IOException, CertificateEncodingException { byte[] keyBytes = certificate.getEncoded(); write(keyBytes); } public void receivePublicKey() throws IOException, SkipException { byte[] keyBytes =read(); try { CertificateFactory cf = CertificateFactory.getInstance("X.509"); peerCert = cf .generateCertificate(new ByteArrayInputStream(keyBytes)); peerCert.verify(caCertificate.getPublicKey()); } catch (CertificateException e) { throw new SkipException("Unsupported certificate type X.509", e); } catch (InvalidKeyException e) { throw new SkipException( "Peer's certificate was not invlaid or not signed by current CA.", e); } catch (NoSuchAlgorithmException e) { throw new SkipException("Signature algorithm not supported.", e); } catch (NoSuchProviderException e) { throw new SkipException("No signature Provider.", e); } catch (SignatureException e) { throw new SkipException( "Peer's certificate was not invlaid or not signed by current CA.", e); } } @Override public void receiveDHPublicKey() throws IOException, SkipException { // receiver public key receivePublicKey(); // receive dh public key byte[] publicKeyBytes = read(); // receive signature of dh public key byte[] sign = read(); KeyFactory kf; try { // verify signature using peer certificate Signature sig = Signature.getInstance(signAlgorithm); sig.initVerify(peerCert); sig.verify(sign); kf = KeyFactory.getInstance("DH"); X509EncodedKeySpec x509Spec = new X509EncodedKeySpec(publicKeyBytes); peerDHPublicKey = kf.generatePublic(x509Spec); } catch (NoSuchAlgorithmException e) { throw new SkipException("Signature algorithm " + signAlgorithm + " not supported.", e); } catch (InvalidKeySpecException e) { throw new SkipException("Peer's public key invalid.", e); } catch (InvalidKeyException e) { throw new SkipException("Peer's public key invalid.", e); } catch (SignatureException e) { throw new SkipException("Invalid signature.", e); } } @Override public void sendDHPublicKey() throws IOException, SkipException { try { // send public key sendPublicKey(); // send dh public key byte[] keyBytes = dhKeyPair.getPublic().getEncoded(); write(keyBytes); // sign dh public key using my private key and send the signature Signature sig; sig = Signature.getInstance(signAlgorithm); sig.initSign(privateKey); sig.update(keyBytes); byte[] sign = sig.sign(); write(sign); } catch (NoSuchAlgorithmException e) { throw new SkipException("Signature algorithm " + signAlgorithm + " not supported.", e); } catch (InvalidKeyException e) { throw new SkipException("My private key invalid.", e); } catch (SignatureException e) { throw new SkipException( "Signature exception when sending dh public key.", e); } catch (CertificateEncodingException e) { throw new SkipException("error when sending dh public key.", e); } } }
测试代码:
public class KeyInfo { PrivateKey privateKey; Certificate certificate; Certificate caCertificate; public KeyInfo(PrivateKey privateKey, Certificate certificate, Certificate caCertificate) { super(); this.privateKey = privateKey; this.certificate = certificate; this.caCertificate = caCertificate; } public Certificate getCaCertificate() { return caCertificate; } public Certificate getCertificate() { return certificate; } public PrivateKey getPrivateKey() { return privateKey; } }
public class Server4Alice { public static void main(String[] args) throws Exception { int port = Integer.parseInt("1111"); System.out.println(Base64.encode(exchangeFrom(port))); } public static byte[] exchangeFrom(int port) throws SkipException, IOException { InputStream file = SkipServer4Alice.class .getResourceAsStream("atlas-alice.jks"); KeyInfo key = Reader.read(file, "alice", "alice"); ServerSocket ss = new ServerSocket(port); // Wait for a connection. Socket s = ss.accept(); DataOutputStream out = new DataOutputStream(s.getOutputStream()); DataInputStream in = new DataInputStream(s.getInputStream()); Pipe pipe = new DataPipe(in, out); KeyExchanger exchanger = new SecureKeyExchanger(pipe, key.getPrivateKey(), key.getCertificate(), key.getCaCertificate()); exchanger.exchange(); s.close(); ss.close(); return exchanger.getKey(); } }
public class Client4Bob { public static void main(String[] args) throws Exception { String host = "localhost"; int port = Integer.parseInt("1111"); // Open the network connection. byte[] key = exchangeFrom(host, port); System.out.println(Base64.encode(key)); } public static byte[] exchangeFrom(String host, int port) throws SkipException, IOException { InputStream file = SkipServer4Alice.class .getResourceAsStream("atlas-bob.jks"); KeyInfo key = Reader.read(file, "bob", "bob"); Socket s = new Socket(host, port); DataOutputStream out = new DataOutputStream(s.getOutputStream()); DataInputStream in = new DataInputStream(s.getInputStream()); Pipe pipe = new DataPipe(in, out); KeyExchanger exchanger = new SecureKeyExchanger(pipe, key.getPrivateKey(), key.getCertificate(), key.getCaCertificate()); exchanger.exchange(); s.close(); return exchanger.getKey(); } }
几个JKS文件:
atlas-alice.jks:包含一个alice的私钥和证书,证书是用atlas的CA签发的
atlas-bob.jks:包含一个bob的私钥和证书,证书是用atlas的CA签发的
CA atlas的证书分别在alice和bob的信任证书列表里面有一个copy
Reader.read()是个工具方法,负责把jks文件里面的证书信息读取出来:
public class Reader { public static KeyInfo read(InputStream file, String alias, String password) { try { KeyStore store = KeyStore.getInstance("JKS"); store.load(file, password.toCharArray()); PrivateKeyEntry ke = (PrivateKeyEntry) store.getEntry(alias, new PasswordProtection(password.toCharArray())); KeyInfo info = new KeyInfo(ke.getPrivateKey(), ke.getCertificate(), ke.getCertificateChain()[1]); return info; } catch (Exception e) { e.printStackTrace(); } return null; } }
发表评论
-
具有相同属性任务串行有序执行的线程池设计
2014-09-04 15:30 1390我有一个这样的线程池的场景,相信很多人都遇到过: 1,每个用 ... -
不依赖jstack的java 线程dump和死锁检查工具
2013-10-08 14:41 2383java线程dump可以使用jdk的命令“jstack ... -
回忆去年用Java破解unity.exe的过程
2013-05-26 00:48 2585去年我一同学要我破解unity.exe,然后挂在网上卖点钱花 ... -
netty做Pipe一端快一端慢时防止内存溢出进行的操作
2013-05-23 17:12 5892前段时间用netty3.x做了 ... -
为什么InputStream.read()读取一个byte确返回一个int呢?
2013-05-09 16:26 5180问题1:为什么InputStream.read()读取一个 ... -
Java系统时钟几个值得思考的问题
2013-04-10 16:48 4558System.currentTimeMillis()是依赖 ... -
logback的SizeBasedTriggeringPolicy和TimeBasedRollingPolicy联合使用问题
2013-04-01 13:37 15176<appender name="FILE& ... -
netty应用分析
2013-03-07 15:54 0用netty 3.5.7做了一个网络程序,c与s之间有一个心 ... -
Java包装类Integer比较
2012-10-18 16:41 10771,用符号==比较两个对象,意味着比较他们是否是统一个对象。 ... -
Future机制用于并发编程时的死锁检测
2012-10-18 14:51 5947Netty源码里面有个类:De ... -
java-在非安全网络上建立可信任安全的通道(1/3)
2012-10-05 18:46 1864看到标题,几乎所有人都会想到SSL,但SSL比较重 ... -
java编程方式用CA给证书进行签名/签发证书
2012-10-05 18:02 11927这些代码首先加载CA证书,然后分别用CA给Alice和Bob签 ... -
java编程方式生成CA证书
2012-10-05 17:28 15277下面是java编程方式生成CA证书的代码,使用的是BC的pro ... -
安全领域的一些概念
2012-10-05 16:41 1381对称密钥/非对称密钥/key/cipher symmetri ... -
Class.getResourceAsStream
2013-04-06 14:09 977Class.getResourceAsStream(" ... -
findbugs
2012-03-02 16:41 0findbugsfindbugsfindbugsfindbug ... -
并发编程
2012-03-02 16:41 0C:\Users\Sunny\Desktop\docC:\Us ... -
泛型类里面获取到泛型的类型
2012-03-01 10:15 3411下面的代码可以让你在抽象的泛型类里面获取到泛型的类型 ab ... -
java 学习网站大全
2012-02-27 12:02 0http://scjp.home.sohu.com/ 模拟试题 ... -
车羊问题的一种简洁证明
2012-02-23 11:11 943在csdn上看到一篇关于车羊问题的文章(http://blog ...
相关推荐
mysql-connector-java-5.1.27.jar mysql-connector-java-5.1.27.jar
mysql-connector-java-5.1.40-bin.jar连接器,用于在hive和mysql的数据库连接
5.6.20 最新JDBC mysql-connector-java-5.1.32-bin.jar
mysql驱动包 mysql-connector-java-5.1.13-bin.jar 方便快捷获取。。。
mysql-connector-java-5.1.42-bin.jar 官网下载的驱动
这是MySQL最新的jar,mysql-connector-java-8.0.18.jar
<artifactId>aliyun-java-sdk-core</artifactId> <version>3.2.2</version> </dependency> 如此引用即可,更多关于阿里云短信发送相关请参考http://blog.csdn.net/niaoer2010/article/details/78036664
mysql-connector-java-5.1.30-bin.jar 最新的mysql jdbc
eclipse-java-indigo-SR2-win32 ,3.7,集成findbugs pmd checkstyle
mysql 的jdbc 驱动。mysql-connector-java-5.1.38-bin.jar
JAVA连MySQL驱动mysql-connector-java-5.1.25.jar
mysql-connector-java-8.0.11.jar连接器,用于在hive和mysql的数据库连接
使用C3P0额外依赖的一个jar包 :mchange-commons-java-0.2.3.4.jar
用于连接mysql数据库. mysql-connector-java-5.0.4-bin.jar
jdbc链接mysql数据库的jar包(mysql-connector-java-5.0.8-bin.jar)
MySQL官方提供的驱动包 mysql-connector-java-5.1.30.zip
从最简单的开始 ,-uri 指定wsdl文件> WSDL2Java -uri currencyConvert.wsdl-d 使用不同的data binding方法> WSDL2Java -uri currencyConvert.wsdl -d xmlbeans-a 生成异步的方法> WSDL2Java -uri currencyConvert....
jdbc的驱动jar包,有需要的童鞋自取。
java-1.7.0-openjdk devel rpm
mysql-connector-java-5.1.31-bin