
當我嘗試使用自簽名證書連接到URL時,Java不允許我這樣做。在我的情況下,我無法使用不進行證書檢查的自定義SSL套接字工廠,因此我需要使用PKCS12證書並將其添加到可信存儲區中。 我的問題是 - 我需要做什麼才能獲得PKCS12證書?我已經通過瀏覽器工具從URL導出了證書(它是X.509格式),接下來該怎麼辦?

帶自簽名證書的SSL


查看Javadoc的'keytool'。這裏都有描述。 – EJP

回答


你可以嘗試做這樣的事情:

來自

How do I accept a self-signed certificate with a Java HttpsURLConnection?

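// Load the trust store that holds the exported self-signed certificate (a PKCS#12
// file produced with keytool). TRUST_STORE is an InputStream over that file and
// PASSWORD its char[] password; the stream is always closed, even if load() fails.
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
try {
    trustStore.load(TRUST_STORE, PASSWORD);
} finally {
    TRUST_STORE.close();
}

// Derive TrustManagers from that store. Certificate validation stays enabled;
// only the set of trusted anchors changes.
TrustManagerFactory managerFactory =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
managerFactory.init(trustStore);

// The TrustManagers must be handed to the factory. Constructing SSLSocketFactoryEx()
// with no arguments would initialise its SSLContext with the JDK default trust store,
// and the custom store loaded above would never be consulted.
SSLSocketFactoryEx sslFactory =
        new SSLSocketFactoryEx(null, managerFactory.getTrustManagers(), null);

// url is the java.net.URL instance being connected to.
HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
// The factory must be set before connect()/getOutputStream(), otherwise the
// default factory is used for the handshake.
connection.setSSLSocketFactory(sslFactory);
// HttpURLConnection has no setMethod(); the request verb is set with setRequestMethod().
connection.setRequestMethod("POST");
connection.setRequestProperty("charset", "utf-8");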

摘自:

Which Cipher Suites to enable for SSL Socket?

感謝@jww

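/**
 * An {@link SSLSocketFactory} that restricts every socket it creates to a preferred
 * list of TLS protocol versions and cipher suites.
 *
 * <p>The preferred lists are intersected with what the wrapped {@link SSLContext}
 * actually supports (see {@link #GetProtocolList()} and {@link #GetCipherList()});
 * unsupported names are skipped rather than passed on, because
 * {@link SSLSocket#setEnabledProtocols} and {@link SSLSocket#setEnabledCipherSuites}
 * reject unknown names with {@link IllegalArgumentException}.
 *
 * <p>Certificate validation is left entirely to the {@link TrustManager}s of the
 * context. To accept a self-signed certificate, pass trust managers built from a
 * trust store containing that certificate instead of disabling validation.
 *
 * <p>Instances are immutable once constructed. The two {@code protected} list
 * builders are invoked from the constructor, so a subclass that overrides them must
 * not depend on its own fields being initialised yet.
 */
class SSLSocketFactoryEx extends SSLSocketFactory {

    private final SSLContext m_ctx;
    private final String[] m_protocols;
    private final String[] m_ciphers;

    /**
     * Creates a factory over a fresh {@code "TLS"} context using the default key
     * managers, the default trust store and the default entropy source.
     *
     * @throws NoSuchAlgorithmException if no provider supports {@code "TLS"}
     * @throws KeyManagementException   if the context cannot be initialised
     */
    public SSLSocketFactoryEx() throws NoSuchAlgorithmException, KeyManagementException {
        this(null, null, null);
    }

    /**
     * Creates a factory over a fresh {@code "TLS"} context initialised with the
     * given managers.
     *
     * @param km     key managers, or {@code null} for the provider default
     * @param tm     trust managers, or {@code null} for the default trust store
     * @param random entropy source, or {@code null} for the provider default
     * @throws NoSuchAlgorithmException if no provider supports {@code "TLS"}
     * @throws KeyManagementException   if the context cannot be initialised
     */
    public SSLSocketFactoryEx(KeyManager[] km, TrustManager[] tm, SecureRandom random)
            throws NoSuchAlgorithmException, KeyManagementException {
        this(newContext(km, tm, random));
    }

    /**
     * Creates a factory over an already initialised context.
     *
     * @param ctx an initialised {@link SSLContext}; it is used as-is, not copied
     * @throws NoSuchAlgorithmException never thrown; declared for source compatibility
     *                                  with callers that already catch it
     * @throws KeyManagementException   never thrown; declared for source compatibility
     *                                  with callers that already catch it
     * @throws NullPointerException     if {@code ctx} is {@code null}
     * @throws IllegalStateException    if {@code ctx} has not been initialised
     */
    public SSLSocketFactoryEx(SSLContext ctx) throws NoSuchAlgorithmException, KeyManagementException {
        if (ctx == null) {
            throw new NullPointerException("ctx");
        }
        m_ctx = ctx;
        // Computed once. Both builders read m_ctx, which is assigned above.
        m_protocols = GetProtocolList();
        m_ciphers = GetCipherList();
    }

    /** Builds and initialises a {@code "TLS"} context; {@code null} arguments select provider defaults. */
    private static SSLContext newContext(KeyManager[] km, TrustManager[] tm, SecureRandom random)
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(km, tm, random);
        return ctx;
    }

    /** Returns a copy of the cipher suites enabled on every socket this factory creates. */
    @Override
    public String[] getDefaultCipherSuites() {
        // Copy so callers cannot mutate the factory's policy through the returned array.
        return m_ciphers.clone();
    }

    /** Same as {@link #getDefaultCipherSuites()}: this factory enables exactly what it supports. */
    @Override
    public String[] getSupportedCipherSuites() {
        return m_ciphers.clone();
    }

    /** Returns a copy of the protocol versions enabled on every socket this factory creates. */
    public String[] getDefaultProtocols() {
        return m_protocols.clone();
    }

    /** Same as {@link #getDefaultProtocols()}: this factory enables exactly what it supports. */
    public String[] getSupportedProtocols() {
        return m_protocols.clone();
    }

    /**
     * Creates an unconnected socket with this factory's restrictions applied.
     * The inherited implementation refuses unconnected sockets, and
     * {@code HttpsURLConnection} tries this overload first.
     */
    @Override
    public Socket createSocket() throws IOException {
        return configure(m_ctx.getSocketFactory().createSocket());
    }

    @Override
    public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return configure(m_ctx.getSocketFactory().createSocket(s, host, port, autoClose));
    }

    @Override
    public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort)
            throws IOException {
        return configure(m_ctx.getSocketFactory().createSocket(address, port, localAddress, localPort));
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
            throws IOException {
        return configure(m_ctx.getSocketFactory().createSocket(host, port, localHost, localPort));
    }

    @Override
    public Socket createSocket(InetAddress host, int port) throws IOException {
        return configure(m_ctx.getSocketFactory().createSocket(host, port));
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException {
        return configure(m_ctx.getSocketFactory().createSocket(host, port));
    }

    /**
     * Applies the protocol and cipher-suite restrictions to a socket produced by the
     * wrapped context's factory. Every {@code createSocket} overload funnels through
     * here so the policy cannot be forgotten on one path.
     */
    private SSLSocket configure(Socket raw) {
        SSLSocket ss = (SSLSocket) raw;
        ss.setEnabledProtocols(m_protocols);
        ss.setEnabledCipherSuites(m_ciphers);
        return ss;
    }

    /**
     * Returns the preferred protocol versions that the context supports, in
     * preferred order. Subclasses may override this to change the policy; it is
     * called from the constructor.
     *
     * @throws IllegalStateException if the context has not been initialised
     */
    protected String[] GetProtocolList() {
        // TLSv1 and TLSv1.1 are deprecated (RFC 8996) and are disabled by default on
        // recent JDK releases; they remain here only so that very old runtimes still
        // produce a non-empty list. Order does not influence version negotiation,
        // which always picks the highest version both sides enable.
        String[] preferredProtocols = { "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" };

        // Asking the context directly avoids creating, and then having to close, a
        // throw-away socket just to read its supported protocols.
        String[] availableProtocols = m_ctx.getSupportedSSLParameters().getProtocols();

        return intersect(preferredProtocols, availableProtocols);
    }

    /**
     * Returns the preferred cipher suites that the context supports, in preferred
     * order, with the renegotiation-indication pseudo suite last. Subclasses may
     * override this to change the policy; it is called from the constructor.
     *
     * @throws IllegalStateException if the context has not been initialised
     */
    protected String[] GetCipherList() {
        String[] preferredCiphers = {
            // TLS 1.3 suites (RFC 8446). Without at least one of these, enabling
            // "TLSv1.3" in GetProtocolList() has no effect: the client would have no
            // TLS 1.3 suite to offer and the handshake settles on TLS 1.2.
            "TLS_AES_256_GCM_SHA384",
            "TLS_CHACHA20_POLY1305_SHA256",
            "TLS_AES_128_GCM_SHA256",

            // ChaCha20-Poly1305 for TLS 1.2 under the names standardised in RFC 7905;
            // these are the names JSSE reports (JDK 12 and later).
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256",

            // Pre-RFC draft names kept from the original list. They are harmless but are
            // unlikely to match any current provider; the RFC 7905 names above do.
            // http://tools.ietf.org/html/draft-nir-ipsecme-chacha20-poly1305-01
            // http://tools.ietf.org/html/draft-mavrogiannopoulos-chacha-tls-02
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
            "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
            "TLS_ECDHE_ECDSA_WITH_CHACHA20_SHA",
            "TLS_ECDHE_RSA_WITH_CHACHA20_SHA",

            "TLS_DHE_RSA_WITH_CHACHA20_POLY1305",
            "TLS_RSA_WITH_CHACHA20_POLY1305",
            "TLS_DHE_RSA_WITH_CHACHA20_SHA",
            "TLS_RSA_WITH_CHACHA20_SHA",

            // TLS v1.2 and below
            "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",

            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",

            // TLS v1.0 (with some SSLv3 interop)
            "TLS_DHE_RSA_WITH_AES_256_CBC_SHA384",
            "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
            "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
            "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",

            // 3DES uses a 64-bit block (Sweet32); kept only as a last-resort fallback
            // and listed after every AES suite so it is never preferred.
            "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
            "TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA",
            "SSL_DH_RSA_WITH_3DES_EDE_CBC_SHA",
            "SSL_DH_DSS_WITH_3DES_EDE_CBC_SHA",

            // RSA key transport offers no forward secrecy, but some servers still
            // require it as a fallback, so it stays at the bottom of the preference list.
            "TLS_RSA_WITH_AES_256_CBC_SHA256",
            "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_RSA_WITH_AES_128_CBC_SHA",

            // Secure-renegotiation signalling pseudo suite (RFC 5746). Always last; it is
            // a signal to the server, not a cipher.
            "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
        };

        // getSupportedCipherSuites() throws no checked exception; an uninitialised
        // context surfaces as IllegalStateException, which is a programming error and
        // is deliberately not swallowed into a weaker fallback list.
        String[] availableCiphers = m_ctx.getSocketFactory().getSupportedCipherSuites();

        return intersect(preferredCiphers, availableCiphers);
    }

    /**
     * Returns the entries of {@code preferred}, in order, that also occur in
     * {@code available}. Neither input array is modified.
     */
    private static String[] intersect(String[] preferred, String[] available) {
        Set<String> have = new HashSet<String>(Arrays.asList(available));
        List<String> picked = new ArrayList<String>(preferred.length);
        for (String name : preferred) {
            if (have.contains(name)) {
                picked.add(name);
            }
        }
        return picked.toArray(new String[picked.size()]);
    }
}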

請注意:SSLContext.getInstance(「TLS」);'。它返回'SSL'和'TLS'協議;而不僅僅是「TLS」。例如,請參閱[SSLSocketFactoryEx](http://stackoverflow.com/a/23365536)以強制TLS(並刪除SSL)。 – jww


@jww更新!謝謝 – dosdebug


我推薦使用名爲InstallCert的工具。它將下載自簽名證書並將其導入新的信任庫/密鑰庫。