我正在使用Apache HttpClient 3.5和Spring Web Services 2.1.0開發Java 6項目。如何在Java 6中使用TLS 1.2和Apache HttpClient?
我的Spring WebServicesTemplate使用apache HttpClient發送WebServices請求。但是,我正在聯繫的服務已經逐步淘汰了TLS 1.0,轉而採用TLS 1.2。 Java 6不支持TLS 1.2。我被帶到了bouncycastle,這應該給我TLS 1.2的支持。
如何集成BouncyCastle的使用Spring或我HttpClient的,這樣我就可以發送支持TLS 1.2請求?我找到了一個提供擴展SSLSocketFactory的解決方案。但是,HttpClient只接受SSLConnectionSocketFactory。
升級到Java 8是不是在短期內可行,但我可以把它的長期優先,如果有人可以證實,這將解決我的問題。
我想出了,不需要升級到Java 8.免責聲明的解決方案,我不是很瞭解HTTPS的安全,我敢肯定有一些問題,一個更懂行的人可能會注意到。此方法需要使用內置的HttpsURLConnection,如果您習慣使用Unirest或甚至apache HttpClient,則這是非常原始的。
首先,您需要將BouncyCastle添加到您的pom。
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.54</version>
</dependency>
然後您將創建SSLSocketFactory的擴展。警告!此套接字工廠將接受所有證書,因此使用時風險自負。
import java.io.*;
import java.net.UnknownHostException;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import javax.security.cert.X509Certificate;
import org.bouncycastle.crypto.tls.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
public class TLSSocketConnectionFactory extends SSLSocketFactory {
static {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
Security.addProvider(new BouncyCastleProvider());
}
}
@Override
public Socket createSocket(Socket socket, final String host, int port,
boolean arg3) throws IOException {
if (socket == null) {
socket = new Socket();
}
if (!socket.isConnected()) {
socket.connect(new InetSocketAddress(host, port));
}
final TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), new SecureRandom());
return _createSSLSocket(host, tlsClientProtocol);
}
@Override public String[] getDefaultCipherSuites() { return null; }
@Override public String[] getSupportedCipherSuites() { return null; }
@Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { throw new UnsupportedOperationException(); }
@Override public Socket createSocket(InetAddress host, int port) throws IOException { throw new UnsupportedOperationException(); }
@Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { return null; }
@Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { throw new UnsupportedOperationException(); }
private SSLSocket _createSSLSocket(final String host, final TlsClientProtocol tlsClientProtocol) {
return new SSLSocket() {
private java.security.cert.Certificate[] peertCerts;
@Override public InputStream getInputStream() throws IOException { return tlsClientProtocol.getInputStream(); }
@Override public OutputStream getOutputStream() throws IOException { return tlsClientProtocol.getOutputStream(); }
@Override public synchronized void close() throws IOException { tlsClientProtocol.close(); }
@Override public void addHandshakeCompletedListener(HandshakeCompletedListener arg0) { }
@Override public boolean getEnableSessionCreation() { return false; }
@Override public String[] getEnabledCipherSuites() { return null; }
@Override public String[] getEnabledProtocols() { return null; }
@Override public boolean getNeedClientAuth() { return false; }
@Override
public SSLSession getSession() {
return new SSLSession() {
@Override
public int getApplicationBufferSize() {
return 0;
}
@Override public String getCipherSuite() { throw new UnsupportedOperationException(); }
@Override public long getCreationTime() { throw new UnsupportedOperationException(); }
@Override public byte[] getId() { throw new UnsupportedOperationException(); }
@Override public long getLastAccessedTime() { throw new UnsupportedOperationException(); }
@Override public java.security.cert.Certificate[] getLocalCertificates() { throw new UnsupportedOperationException(); }
@Override public Principal getLocalPrincipal() { throw new UnsupportedOperationException(); }
@Override public int getPacketBufferSize() { throw new UnsupportedOperationException(); }
@Override public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException { return null; }
@Override public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException { return peertCerts; }
@Override public String getPeerHost() { throw new UnsupportedOperationException(); }
@Override public int getPeerPort() { return 0; }
@Override public Principal getPeerPrincipal() throws SSLPeerUnverifiedException { return null; }
@Override public String getProtocol() { throw new UnsupportedOperationException(); }
@Override public SSLSessionContext getSessionContext() { throw new UnsupportedOperationException(); }
@Override public Object getValue(String arg0) { throw new UnsupportedOperationException(); }
@Override public String[] getValueNames() { throw new UnsupportedOperationException(); }
@Override public void invalidate() { throw new UnsupportedOperationException(); }
@Override public boolean isValid() { throw new UnsupportedOperationException(); }
@Override public void putValue(String arg0, Object arg1) { throw new UnsupportedOperationException(); }
@Override public void removeValue(String arg0) { throw new UnsupportedOperationException(); }
};
}
@Override public String[] getSupportedProtocols() { return null; }
@Override public boolean getUseClientMode() { return false; }
@Override public boolean getWantClientAuth() { return false; }
@Override public void removeHandshakeCompletedListener(HandshakeCompletedListener arg0) { }
@Override public void setEnableSessionCreation(boolean arg0) { }
@Override public void setEnabledCipherSuites(String[] arg0) { }
@Override public void setEnabledProtocols(String[] arg0) { }
@Override public void setNeedClientAuth(boolean arg0) { }
@Override public void setUseClientMode(boolean arg0) { }
@Override public void setWantClientAuth(boolean arg0) { }
@Override public String[] getSupportedCipherSuites() { return null; }
@Override
public void startHandshake() throws IOException {
tlsClientProtocol.connect(new DefaultTlsClient() {
@SuppressWarnings("unchecked")
@Override
public Hashtable<Integer, byte[]> getClientExtensions() throws IOException {
Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions();
if (clientExtensions == null) {
clientExtensions = new Hashtable<Integer, byte[]>();
}
//Add host_name
byte[] host_name = host.getBytes();
final ByteArrayOutputStream baos = new ByteArrayOutputStream();
final DataOutputStream dos = new DataOutputStream(baos);
dos.writeShort(host_name.length + 3);
dos.writeByte(0);
dos.writeShort(host_name.length);
dos.write(host_name);
dos.close();
clientExtensions.put(ExtensionType.server_name, baos.toByteArray());
return clientExtensions;
}
@Override
public TlsAuthentication getAuthentication() throws IOException {
return new TlsAuthentication() {
@Override
public void notifyServerCertificate(Certificate serverCertificate) throws IOException {
try {
KeyStore ks = _loadKeyStore();
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<java.security.cert.Certificate> certs = new LinkedList<java.security.cert.Certificate>();
boolean trustedCertificate = false;
for (org.bouncycastle.asn1.x509.Certificate c : serverCertificate.getCertificateList()) {
java.security.cert.Certificate cert = cf.generateCertificate(new ByteArrayInputStream(c.getEncoded()));
certs.add(cert);
String alias = ks.getCertificateAlias(cert);
if(alias != null) {
if (cert instanceof java.security.cert.X509Certificate) {
try {
((java.security.cert.X509Certificate) cert).checkValidity();
trustedCertificate = true;
} catch(CertificateExpiredException cee) {
// Accept all the certs!
}
}
} else {
// Accept all the certs!
}
}
if (!trustedCertificate) {
// Accept all the certs!
}
peertCerts = certs.toArray(new java.security.cert.Certificate[0]);
} catch (Exception ex) {
ex.printStackTrace();
throw new IOException(ex);
}
}
@Override
public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException {
return null;
}
private KeyStore _loadKeyStore() throws Exception {
FileInputStream trustStoreFis = null;
try {
KeyStore localKeyStore = null;
String trustStoreType = System.getProperty("javax.net.ssl.trustStoreType")!=null?System.getProperty("javax.net.ssl.trustStoreType"):KeyStore.getDefaultType();
String trustStoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider")!=null?System.getProperty("javax.net.ssl.trustStoreProvider"):"";
if (trustStoreType.length() != 0) {
if (trustStoreProvider.length() == 0) {
localKeyStore = KeyStore.getInstance(trustStoreType);
} else {
localKeyStore = KeyStore.getInstance(trustStoreType, trustStoreProvider);
}
char[] keyStorePass = null;
String str5 = System.getProperty("javax.net.ssl.trustStorePassword")!=null?System.getProperty("javax.net.ssl.trustStorePassword"):"";
if (str5.length() != 0) {
keyStorePass = str5.toCharArray();
}
localKeyStore.load(trustStoreFis, keyStorePass);
if (keyStorePass != null) {
for (int i = 0; i < keyStorePass.length; i++) {
keyStorePass[i] = 0;
}
}
}
return localKeyStore;
} finally {
if (trustStoreFis != null) {
trustStoreFis.close();
}
}
}
};
}
});
} // startHandshake
};
}
}
接下來,您需要使用您的新套接字工廠。如果您使用Spring處理Web服務調用,則可以擴展現有的HttpUrlConnectionMessageSender以便爲您發送呼叫。只要確保在你的spring配置文件中更新你的消息sender bean就可以使用這個類。
import java.io.IOException;
import java.net.*;
import javax.net.ssl.HttpsURLConnection;
import org.springframework.ws.transport.WebServiceConnection;
import org.springframework.ws.transport.http.*;
public class HttpsUrlConnectionMessageSender extends HttpUrlConnectionMessageSender {
@Override
public WebServiceConnection createConnection(URI uri) throws IOException {
URL url = uri.toURL();
URLConnection connection = url.openConnection();
if (!(connection instanceof HttpsURLConnection)) {
throw new HttpTransportException("URI [" + uri + "] is not an HTTPS URL");
} else {
HttpsURLConnection httpsURLConnection = (HttpsURLConnection) connection;
httpsURLConnection.setSSLSocketFactory(new TLSSocketConnectionFactory());
prepareConnection(httpsURLConnection);
return new HttpsUrlConnection(httpsURLConnection);
}
}
private static class HttpsUrlConnection extends HttpUrlConnection {
private HttpsUrlConnection(HttpsURLConnection connection) {
super(connection);
}
}
}
另外,如果你不使用Spring,或者使用REST,您可以手動創建一個HttpsURLConnection的是在類以上完成,並且使用的OutputStream發送郵件。
請注意,如果您與之通信的服務使用了Cookie,則需要設置系統範圍的Cookie管理器。但是,Java 6的Cookie管理器卻充滿了bug。您可能需要複製Java 8 CookieManager中的源代碼才能使Cookie正常工作。
if (CookieHandler.getDefault() == null) {
CookieHandler.setDefault(new CookieManager());
}
Bouncy Castle將面臨的主要問題是其TLS實現不實現JSSE API。實際上,這意味着您不會得到SSLSocket,SSLSocketFactory(或HttpsURLConnection,但在使用Apache HTTP客戶端時無關緊要)的任何支持。
此外,TLS並不是Bouncy Castle的最佳文檔記錄功能,這會使您的工作更加困難。在this other question的答案中有一些例子。
你可能以某種方式能夠爲您編寫自定義Socket實現換到充氣城堡的TLS API的調用所需。然後,您可以從您的自定義org.apache.http.conn.ssl.SSLConnectionSocketFactory實現中返回這樣的套接字(如果您的子類對於其方法返回Socket的方法完全不同,則可以在構造函數中使用虛擬值)。
這可能是可行的,但它可能需要大量的努力。升級到Java 8(支持TLS 1.2與傳統的JSSE類)通常會更容易(取決於您的約束)。
升級jdk 8可能會更容易(更不用說太急需了)。我知道我的項目會有一些兼容性問題,但我會開始調查。感謝您的反饋。 – zalpha314
您確定您的意思是Apache HttpClient 3.5嗎? – Bruno
@布魯諾,對不起,我的項目有commons-httpclient和httpcomponents ApacheClient。我把他們弄混了。 Spring使用的HttpClient是httpcomponents ApacheClient 4.3.5。 – zalpha314
標記爲接受的答案並不真正回答這個問題,它通過「僅」升級到Java 8來避免此問題。我們中的一些人不能「僅」這樣做。您是否有機會在不升級到Java 8的情況下解決此問題? – ThatAintWorking