我在JBOSS和瀏覽器客戶端中有一個客戶端服務器通信方案(JAVA程序)。最初在建立連接時,客戶端將其證書發送到服務器。服務器從證書中提取客戶端的公鑰,因此通信將繼續。
現在我的問題是
如何將證書(.cer)從客戶端發送到服務器?
如何接收證書並在服務器中提取其公鑰?在Servlet中讀取客戶端證書
14
A
回答
23
如何將證書(.cer)從客戶端發送到服務器?
首先應將客戶端證書(.cer,.crt,.pem)及其相應的私鑰(.key)打包到PKCS#12(.p12,.pfx)或JKS(.jks)容器中(keystore )。您還應該將服務器的CA證書打包爲JKS(信任庫)。
示例使用HttpClient 3.x:
HttpClient client = new HttpClient();
// truststore
KeyStore trustStore = KeyStore.getInstance("JKS", "SUN");
trustStore.load(TestSupertype.class.getResourceAsStream("/client-truststore.jks"), "amber%".toCharArray());
String alg = KeyManagerFactory.getDefaultAlgorithm();
TrustManagerFactory fac = TrustManagerFactory.getInstance(alg);
fac.init(trustStore);
// keystore
KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
keystore.load(X509Test.class.getResourceAsStream("/etomcat_client.p12"), "etomcat".toCharArray());
String keyAlg = KeyManagerFactory.getDefaultAlgorithm();
KeyManagerFactory keyFac = KeyManagerFactory.getInstance(keyAlg);
keyFac.init(keystore, "etomcat".toCharArray());
// context
SSLContext ctx = SSLContext.getInstance("TLS", "SunJSSE");
ctx.init(keyFac.getKeyManagers(), fac.getTrustManagers(), new SecureRandom());
SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(ctx);
Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) secureProtocolSocketFactory, 8443));
// test get
HttpMethod get = new GetMethod("https://127.0.0.1:8443/etomcat_x509");
client.executeMethod(get);
// get response body and do what you need with it
byte[] responseBody = get.getResponseBody();
您可能會發現工作示例的this project看到X509Test
類。
隨着HttpClient 4.x配置和語法會稍有不同:
HttpClient httpclient = new DefaultHttpClient();
// truststore
KeyStore ts = KeyStore.getInstance("JKS", "SUN");
ts.load(PostService.class.getResourceAsStream("/truststore.jks"), "amber%".toCharArray());
// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing truststore
if(0 == ts.size()) throw new IOException("Error loading truststore");
// tmf
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ts);
// keystore
KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
ks.load(PostService.class.getResourceAsStream("/" + certName), certPwd.toCharArray());
// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing keystore
if(0 == ks.size()) throw new IOException("Error loading keystore");
// kmf
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, certPwd.toCharArray());
// SSL
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
// socket
SSLSocketFactory socketFactory = new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
Scheme sch = new Scheme("https", 8443, socketFactory);
httpclient.getConnectionManager().getSchemeRegistry().register(sch);
// request
HttpMethod get = new GetMethod("https://localhost:8443/foo");
client.executeMethod(get);
IOUtils.copy(get.getResponseBodyAsStream(), System.out);
如何接收證書並提取服務器的公鑰呢?
您的服務器必須配置爲需要X.509客戶端證書身份驗證。然後,在SSL握手過程中,servlet容器將接收證書,並根據trustore進行檢查,並將其作爲請求屬性提供給應用程序。 在通常情況下與單一證書,你可以使用servlet的環境中,該方法提取證書:
protected X509Certificate extractCertificate(HttpServletRequest req) {
X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
if (null != certs && certs.length > 0) {
return certs[0];
}
throw new RuntimeException("No X.509 client certificate found in request");
}
相關問題
- 1. socket.io如何讀取客戶端證書
- 2. 客戶端證書
- 3. 客戶端證書
- 4. 驗證客戶端證書
- 5. 客戶端證書認證
- 6. 使用activeX獲取客戶端證書
- 7. 在HttpWebRequest中發送客戶端證書
- 8. Java中的客戶端證書認證
- 9. 驗證PyOpenSSL中的客戶端證書
- 10. SignalR和客戶端證書
- 11. Android客戶端證書403
- 12. 客戶端的SSL證書
- 13. 鏈式客戶端證書
- 14. tls客戶端證書
- 15. Android和客戶端證書
- 16. iPhone客戶端證書
- 17. 客戶端證書和FireFox
- 18. SecTrustSetAnchorCertificates與客戶端證書
- 19. 請求客戶端證書
- 20. 證書java客戶端https
- 21. 客戶端證書iOS
- 22. 客戶端證書和NSURLSession
- 23. Apache Camel,客戶端證書
- 24. JxBrowser的客戶端證書
- 25. 客戶端證書和HttpWebRequest
- 26. 如何配置jboss服務器來讀取客戶端證書
- 27. 客戶端身份驗證 - 處理客戶端證書
- 28. 如何在Android中使用p12證書(客戶端證書)
- 29. 在證書存儲區中使用客戶端證書
- 30. 在C#客戶端從流中讀取Java servlet字節
我從.NET的角度來和尋找相當於Java的ASP.Net'Page.Request的。 ClientCertificate.Certificate'是'HttpServletRequest'中的'javax.servlet.request.X509Certificate'屬性等同於那個? - 如果有人知道......? – 2016-06-14 11:41:00