在Servlet中讀取客戶端證書

Question

我在JBOSS和瀏覽器客戶端中有一個客戶端服務器通信方案（JAVA程序）。最初在建立連接時，客戶端將其證書發送到服務器。服務器從證書中提取客戶端的公鑰，因此通信將繼續。
現在我的問題是
如何將證書（.cer）從客戶端發送到服務器？
如何接收證書並在服務器中提取其公鑰？

Answer 1

如何將證書（.cer）從客戶端發送到服務器？

首先應將客戶端證書（.cer，.crt，.pem）及其相應的私鑰（.key）打包到PKCS＃12（.p12，.pfx）或JKS（.jks）容器中（keystore ）。您還應該將服務器的CA證書打包爲JKS（信任庫）。

示例使用HttpClient 3.x：

HttpClient client = new HttpClient(); 
// truststore 
KeyStore trustStore = KeyStore.getInstance("JKS", "SUN"); 
trustStore.load(TestSupertype.class.getResourceAsStream("/client-truststore.jks"), "amber%".toCharArray()); 
String alg = KeyManagerFactory.getDefaultAlgorithm(); 
TrustManagerFactory fac = TrustManagerFactory.getInstance(alg); 
fac.init(trustStore); 
// keystore 
KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE"); 
keystore.load(X509Test.class.getResourceAsStream("/etomcat_client.p12"), "etomcat".toCharArray()); 
String keyAlg = KeyManagerFactory.getDefaultAlgorithm(); 
KeyManagerFactory keyFac = KeyManagerFactory.getInstance(keyAlg); 
keyFac.init(keystore, "etomcat".toCharArray()); 
// context 
SSLContext ctx = SSLContext.getInstance("TLS", "SunJSSE"); 
ctx.init(keyFac.getKeyManagers(), fac.getTrustManagers(), new SecureRandom()); 
SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(ctx); 
Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) secureProtocolSocketFactory, 8443)); 
// test get 
HttpMethod get = new GetMethod("https://127.0.0.1:8443/etomcat_x509"); 
client.executeMethod(get); 
// get response body and do what you need with it 
byte[] responseBody = get.getResponseBody(); 

您可能會發現工作示例的this project看到X509Test類。

隨着HttpClient 4.x配置和語法會稍有不同：

HttpClient httpclient = new DefaultHttpClient(); 
// truststore 
KeyStore ts = KeyStore.getInstance("JKS", "SUN"); 
ts.load(PostService.class.getResourceAsStream("/truststore.jks"), "amber%".toCharArray()); 
// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing truststore 
if(0 == ts.size()) throw new IOException("Error loading truststore"); 
// tmf 
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); 
tmf.init(ts); 
// keystore 
KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE"); 
ks.load(PostService.class.getResourceAsStream("/" + certName), certPwd.toCharArray()); 
// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing keystore 
if(0 == ks.size()) throw new IOException("Error loading keystore"); 
// kmf 
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); 
kmf.init(ks, certPwd.toCharArray()); 
// SSL 
SSLContext ctx = SSLContext.getInstance("TLS"); 
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); 
// socket 
SSLSocketFactory socketFactory = new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); 
Scheme sch = new Scheme("https", 8443, socketFactory); 
httpclient.getConnectionManager().getSchemeRegistry().register(sch); 
// request 
HttpMethod get = new GetMethod("https://localhost:8443/foo"); 
client.executeMethod(get); 
IOUtils.copy(get.getResponseBodyAsStream(), System.out); 

如何接收證書並提取服務器的公鑰呢？

您的服務器必須配置爲需要X.509客戶端證書身份驗證。然後，在SSL握手過程中，servlet容器將接收證書，並根據trustore進行檢查，並將其作爲請求屬性提供給應用程序。 在通常情況下與單一證書，你可以使用servlet的環境中，該方法提取證書：

protected X509Certificate extractCertificate(HttpServletRequest req) { 
    X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate"); 
    if (null != certs && certs.length > 0) { 
     return certs[0]; 
    } 
    throw new RuntimeException("No X.509 client certificate found in request"); 
}