tbwshc

SSL介绍与Java实例

有关SSL的原理和介绍在网上已经有不少,对于Java下使用keytool生成证书,配置SSL通信的教程也非常多。但如果我们不能够亲自动手做一个SSL Sever和SSL Client,可能就永远也不能深入地理解Java环境下,SSL的通信是如何实现的。对SSL中的各种概念的认识也可能会仅限于可以使用的程度。本文通过构造一个简单的SSL Server和SSL Client来讲解Java环境下SSL的通信原理。

首先我们先回顾一下常规的Java Socket编程。在Java下写一个Socket服务器和客户端的例子还是比较简单的。以下是服务端的代码:


Java代码 
1.package org.bluedash.tryssl;  
2. 
3.import java.io.BufferedReader;  
4.import java.io.IOException;  
5.import java.io.InputStbreamReader;  
6.import java.io.PrintWriter;  
7.import java.net.ServerSocket;  
8.import java.net.Socket;  
9. 
10.public class Server extends Thread {  
11.    private Socket socket;  
12. 
13.    public Server(Socket socket) {  
14.        this.socket = socket;  
15.    }  
16. 
17.    public void run() {  
18.        try {  
19.            BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream()));  
20.            PrintWriter writer = new PrintWriter(socket.getOutputStream());  
21. 
22.            String data = reader.readLine();  
23.            writer.println(data);  
24.            writer.close();  
25.            socket.close();  
26.        } catch (IOException e) {  
27. 
28.        }  
29.    }  
30.      
31.    public static void main(String[] args) throws Exception {  
32.        while (true) {  
33.            new Server((new ServerSocket(8080)).accept()).start();  
34.        }  
35.    }  
36.} 
package org.bluedash.tryssl;

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.ServerSocket;
import java.net.Socket;

public class Server extends Thread {
 private Socket socket;

 public Server(Socket socket) {
  this.socket = socket;
 }

 public void run() {
  try {
   BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream()));
   PrintWriter writer = new PrintWriter(socket.getOutputStream());

   String data = reader.readLine();
   writer.println(data);
   writer.close();
   socket.close();
  } catch (IOException e) {

  }
 }
 
 public static void main(String[] args) throws Exception {
  while (true) {
   new Server((new ServerSocket(8080)).accept()).start();
  }
 }
}


服务端很简单:侦听8080端口,并把客户端发来的字符串返回去。下面是客户端的代码:


Java代码 
1.package org.bluedash.tryssl;  
2. 
3.import java.io.BufferedReader;  
4.import java.io.InputStreamReader;  
5.import java.io.PrintWriter;  
6.import java.net.Socket;  
7. 
8.public class Client {  
9. 
10.    public static void main(String[] args) throws Exception {  
11. 
12.        Socket s = new Socket("localhost", 8080);  
13. 
14.        PrintWriter writer = new PrintWriter(s.getOutputStream());  
15.        BufferedReader reader = new BufferedReader(new InputStreamReader(s.getInputStream()));  
16.        writer.println("hello");  
17.        writer.flush();  
18.        System.out.println(reader.readLine());  
19.        s.close();  
20.    }  
21. 
22.} 
package org.bluedash.tryssl;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.Socket;

public class Client {

 public static void main(String[] args) throws Exception {

  Socket s = new Socket("localhost", 8080);

  PrintWriter writer = new PrintWriter(s.getOutputStream());
  BufferedReader reader = new BufferedReader(new InputStreamReader(s.getInputStream()));
  writer.println("hello");
  writer.flush();
  System.out.println(reader.readLine());
  s.close();
 }

}


客户端也非常简单:向服务端发起请求,发送一个"hello"字串,然后获得服务端的返回。把服务端运行起来后,执行客户端,我们将得到"hello"的返回。

就是这样一套简单的网络通信的代码,我们来把它改造成使用SSL通信。在SSL通信协议中,我们都知道首先服务端必须有一个数字证书,当客户端连接到服务端时,会得到这个证书,然后客户端会判断这个证书是否是可信的,如果是,则交换信道加密密钥,进行通信。如果不信任这个证书,则连接失败。

因此,我们首先要为服务端生成一个数字证书。Java环境下,数字证书是用keytool生成的,这些证书被存储在store的概念中,就是证书仓库。我们来调用keytool命令为服务端生成数字证书和保存它使用的证书仓库:


Bash代码 
1.keytool -genkey -v -alias bluedash-ssl-demo-server -keyalg RSA -keystore ./server_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass server -keypass 123123 
keytool -genkey -v -alias bluedash-ssl-demo-server -keyalg RSA -keystore ./server_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass server -keypass 123123


这样,我们就将服务端证书bluedash-ssl-demo-server保存在了server_ksy这个store文件当中。有关keytool的用法在本文中就不再多赘述。执行上面的命令得到如下结果:


Bash代码 
1.Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days  
2.        for: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn  
3.[Storing ./server_ks] 
Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days
        for: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
[Storing ./server_ks]


然后,改造我们的服务端代码,让服务端使用这个证书,并提供SSL通信:


Java代码 
1.package org.bluedash.tryssl;  
2. 
3.import java.io.BufferedReader;  
4.import java.io.FileInputStream;  
5.import java.io.IOException;  
6.import java.io.InputStreamReader;  
7.import java.io.PrintWriter;  
8.import java.net.ServerSocket;  
9.import java.net.Socket;  
10.import java.security.KeyStore;  
11. 
12.import javax.net.ServerSocketFactory;  
13.import javax.net.ssl.KeyManagerFactory;  
14.import javax.net.ssl.SSLContext;  
15.import javax.net.ssl.SSLServerSocket;  
16. 
17.public class SSLServer extends Thread {  
18.    private Socket socket;  
19. 
20.    public SSLServer(Socket socket) {  
21.        this.socket = socket;  
22.    }  
23. 
24.    public void run() {  
25.        try {  
26.            BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream()));  
27.            PrintWriter writer = new PrintWriter(socket.getOutputStream());  
28. 
29.            String data = reader.readLine();  
30.            writer.println(data);  
31.            writer.close();  
32.            socket.close();  
33.        } catch (IOException e) {  
34. 
35.        }  
36.    }  
37. 
38.    private static String SERVER_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/server_ks";  
39.    private static String SERVER_KEY_STORE_PASSWORD = "123123";  
40. 
41.    public static void main(String[] args) throws Exception {  
42.        System.setProperty("javax.net.ssl.trustStore", SERVER_KEY_STORE);  
43.        SSLContext context = SSLContext.getInstance("TLS");  
44.          
45.        KeyStore ks = KeyStore.getInstance("jceks");  
46.        ks.load(new FileInputStream(SERVER_KEY_STORE), null);  
47.        KeyManagerFactory kf = KeyManagerFactory.getInstance("SunX509");  
48.        kf.init(ks, SERVER_KEY_STORE_PASSWORD.toCharArray());  
49.          
50.        context.init(kf.getKeyManagers(), null, null);  
51. 
52.        ServerSocketFactory factory = context.getServerSocketFactory();  
53.        ServerSocket _socket = factory.createServerSocket(8443);  
54.        ((SSLServerSocket) _socket).setNeedClientAuth(false);  
55. 
56.        while (true) {  
57.            new SSLServer(_socket.accept()).start();  
58.        }  
59.    }  
60.} 
package org.bluedash.tryssl;

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.KeyStore;

import javax.net.ServerSocketFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;

public class SSLServer extends Thread {
 private Socket socket;

 public SSLServer(Socket socket) {
  this.socket = socket;
 }

 public void run() {
  try {
   BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream()));
   PrintWriter writer = new PrintWriter(socket.getOutputStream());

   String data = reader.readLine();
   writer.println(data);
   writer.close();
   socket.close();
  } catch (IOException e) {

  }
 }

 private static String SERVER_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/server_ks";
 private static String SERVER_KEY_STORE_PASSWORD = "123123";

 public static void main(String[] args) throws Exception {
  System.setProperty("javax.net.ssl.trustStore", SERVER_KEY_STORE);
  SSLContext context = SSLContext.getInstance("TLS");
  
  KeyStore ks = KeyStore.getInstance("jceks");
  ks.load(new FileInputStream(SERVER_KEY_STORE), null);
  KeyManagerFactory kf = KeyManagerFactory.getInstance("SunX509");
  kf.init(ks, SERVER_KEY_STORE_PASSWORD.toCharArray());
  
  context.init(kf.getKeyManagers(), null, null);

  ServerSocketFactory factory = context.getServerSocketFactory();
  ServerSocket _socket = factory.createServerSocket(8443);
  ((SSLServerSocket) _socket).setNeedClientAuth(false);

  while (true) {
   new SSLServer(_socket.accept()).start();
  }
 }
}


可以看到,服务端的Socket准备设置工作大大增加了,增加的代码的作用主要是将证书导入并进行使用。此外,所使用的Socket变成了SSLServerSocket,另外端口改到了8443(这个不是强制的,仅仅是为了遵守习惯)。另外,最重要的一点,服务端证书里面的CN一定和服务端的域名统一,我们的证书服务的域名是localhost,那么我们的客户端在连接服务端时一定也要用localhost来连接,否则根据SSL协议标准,域名与证书的CN不匹配,说明这个证书是不安全的,通信将无法正常运行。

有了服务端,我们原来的客户端就不能使用了,必须要走SSL协议。由于服务端的证书是我们自己生成的,没有任何受信任机构的签名,所以客户端是无法验证服务端证书的有效性的,通信必然会失败。所以我们需要为客户端创建一个保存所有信任证书的仓库,然后把服务端证书导进这个仓库。这样,当客户端连接服务端时,会发现服务端的证书在自己的信任列表中,就可以正常通信了。

因此现在我们要做的是生成一个客户端的证书仓库,因为keytool不能仅生成一个空白仓库,所以和服务端一样,我们还是生成一个证书加一个仓库(客户端证书加仓库):


Bash代码 
1.keytool -genkey -v -alias bluedash-ssl-demo-client -keyalg RSA -keystore ./client_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass client -keypass 456456 
keytool -genkey -v -alias bluedash-ssl-demo-client -keyalg RSA -keystore ./client_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass client -keypass 456456


结果如下:


Bash代码 
1.Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days  
2.        for: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn  
3.[Storing ./client_ks] 
Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days
        for: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
[Storing ./client_ks]

接下来,我们要把服务端的证书导出来,并导入到客户端的仓库。第一步是导出服务端的证书:


Bash代码 
1.keytool -export -alias bluedash-ssl-demo-server -keystore ./server_ks -file server_key.cer 
keytool -export -alias bluedash-ssl-demo-server -keystore ./server_ks -file server_key.cer

执行结果如下:


Bash代码 
1.Enter keystore password:  server  
2.Certificate stored in file <server_key.cer> 
Enter keystore password:  server
Certificate stored in file <server_key.cer>

然后是把导出的证书导入到客户端证书仓库:


Bash代码 
1.keytool -import -trustcacerts -alias bluedash-ssl-demo-server -file ./server_key.cer -keystore ./client_ks 
keytool -import -trustcacerts -alias bluedash-ssl-demo-server -file ./server_key.cer -keystore ./client_ks

结果如下:


Bash代码 
1.Enter keystore password:  client  
2.Owner: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn  
3.Issuer: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn  
4.Serial number: 4c57c7de  
5.Valid from: Tue Aug 03 15:40:14 CST 2010 until: Mon Nov 01 15:40:14 CST 2010 
6.Certificate fingerprints:  
7.         MD5:  FC:D4:8B:36:3F:1B:30:EA:6D:63:55:4F:C7:68:3B:0C  
8.         SHA1: E1:54:2F:7C:1A:50:F5:74:AA:63:1E:F9:CC:B1:1C:73:AA:34:8A:C4  
9.         Signature algorithm name: SHA1withRSA  
10.         Version: 3 
11.Trust this certificate? [no]:  yes  
12.Certificate was added to keystore 
Enter keystore password:  client
Owner: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
Issuer: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
Serial number: 4c57c7de
Valid from: Tue Aug 03 15:40:14 CST 2010 until: Mon Nov 01 15:40:14 CST 2010
Certificate fingerprints:
         MD5:  FC:D4:8B:36:3F:1B:30:EA:6D:63:55:4F:C7:68:3B:0C
         SHA1: E1:54:2F:7C:1A:50:F5:74:AA:63:1E:F9:CC:B1:1C:73:AA:34:8A:C4
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

好,准备工作做完了,我们来撰写客户端的代码:


Java代码 
1.package org.bluedash.tryssl;  
2. 
3.import java.io.BufferedReader;  
4.import java.io.InputStreamReader;  
5.import java.io.PrintWriter;  
6.import java.net.Socket;  
7. 
8.import javax.net.SocketFactory;  
9.import javax.net.ssl.SSLSocketFactory;  
10. 
11.public class SSLClient {  
12. 
13.    private static String CLIENT_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/client_ks";  
14. 
15.    public static void main(String[] args) throws Exception {  
16.        // Set the key store to use for validating the server cert.  
17.        System.setProperty("javax.net.ssl.trustStore", CLIENT_KEY_STORE);  
18.          
19.        System.setProperty("javax.net.debug", "ssl,handshake");  
20. 
21.        SSLClient client = new SSLClient();  
22.        Socket s = client.clientWithoutCert();  
23. 
24.        PrintWriter writer = new PrintWriter(s.getOutputStream());  
25.        BufferedReader reader = new BufferedReader(new InputStreamReader(s  
26.                .getInputStream()));  
27.        writer.println("hello");  
28.        writer.flush();  
29.        System.out.println(reader.readLine());  
30.        s.close();  
31.    }  
32. 
33.    private Socket clientWithoutCert() throws Exception {  
34.        SocketFactory sf = SSLSocketFactory.getDefault();  
35.        Socket s = sf.createSocket("localhost", 8443);  
36.        return s;  
37.    }  
38.} 
package org.bluedash.tryssl;

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.Socket;

import javax.net.SocketFactory;
import javax.net.ssl.SSLSocketFactory;

public class SSLClient {

 private static String CLIENT_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/client_ks";

 public static void main(String[] args) throws Exception {
  // Set the key store to use for validating the server cert.
  System.setProperty("javax.net.ssl.trustStore", CLIENT_KEY_STORE);
  
  System.setProperty("javax.net.debug", "ssl,handshake");

  SSLClient client = new SSLClient();
  Socket s = client.clientWithoutCert();

  PrintWriter writer = new PrintWriter(s.getOutputStream());
  BufferedReader reader = new BufferedReader(new InputStreamReader(s
    .getInputStream()));
  writer.println("hello");
  writer.flush();
  System.out.println(reader.readLine());
  s.close();
 }

 private Socket clientWithoutCert() throws Exception {
  SocketFactory sf = SSLSocketFactory.getDefault();
  Socket s = sf.createSocket("localhost", 8443);
  return s;
 }
}


可以看到,除了把一些类变成SSL通信类以外,客户端也多出了使用信任证书仓库的代码。以上,我们便完成了SSL单向握手通信。即:客户端验证服务端的证书,服务端不认证客户端的证书。

以上便是Java环境下SSL单向握手的全过程。因为我们在客户端设置了日志输出级别为DEBUG:


Java代码 
1.System.setProperty("javax.net.debug", "ssl,handshake"); 
System.setProperty("javax.net.debug", "ssl,handshake");

因此我们可以看到SSL通信的全过程,这些日志可以帮助我们更具体地了解通过SSL协议建立网络连接时的全过程。

结合日志,我们来看一下SSL双向认证的全过程:

 

第一步: 客户端发送ClientHello消息,发起SSL连接请求,告诉服务器自己支持的SSL选项(加密方式等)。


Bash代码 
1.*** ClientHello, TLSv1 
*** ClientHello, TLSv1


第二步: 服务器响应请求,回复ServerHello消息,和客户端确认SSL加密方式:


Bash代码 
1.*** ServerHello, TLSv1 
*** ServerHello, TLSv1


第三步: 服务端向客户端发布自己的公钥。

第四步: 客户端与服务端的协通沟通完毕,服务端发送ServerHelloDone消息:


Bash代码 
1.*** ServerHelloDone 
*** ServerHelloDone


第五步: 客户端使用服务端给予的公钥,创建会话用密钥(SSL证书认证完成后,为了提高性能,所有的信息交互就可能会使用对称加密算法),并通过ClientKeyExchange消息发给服务器:


Bash代码 
1.*** ClientKeyExchange, RSA PreMasterSecret, TLSv1 
*** ClientKeyExchange, RSA PreMasterSecret, TLSv1


第六步: 客户端通知服务器改变加密算法,通过ChangeCipherSpec消息发给服务端:


Bash代码 
1.main, WRITE: TLSv1 Change Cipher Spec, length = 1 
main, WRITE: TLSv1 Change Cipher Spec, length = 1


第七步: 客户端发送Finished消息,告知服务器请检查加密算法的变更请求:


Bash代码 
1.*** Finished 
*** Finished


第八步:服务端确认算法变更,返回ChangeCipherSpec消息


Bash代码 
1.main, READ: TLSv1 Change Cipher Spec, length = 1 
main, READ: TLSv1 Change Cipher Spec, length = 1


第九步:服务端发送Finished消息,加密算法生效:


Bash代码 
1.*** Finished 
*** Finished


那么如何让服务端也认证客户端的身份,即双向握手呢?其实很简单,在服务端代码中,把这一行:


Java代码 
1.((SSLServerSocket) _socket).setNeedClientAuth(false); 
((SSLServerSocket) _socket).setNeedClientAuth(false);

改成:


Java代码 
1.((SSLServerSocket) _socket).setNeedClientAuth(true); 
((SSLServerSocket) _socket).setNeedClientAuth(true);

就可以了。但是,同样的道理,现在服务端并没有信任客户端的证书,因为客户端的证书也是自己生成的。所以,对于服务端,需要做同样的工作:把客户端的证书导出来,并导入到服务端的证书仓库:


Bash代码 
1.keytool -export -alias bluedash-ssl-demo-client -keystore ./client_ks -file client_key.cer  
2.Enter keystore password:  client  
3.Certificate stored in file <client_key.cer> 
keytool -export -alias bluedash-ssl-demo-client -keystore ./client_ks -file client_key.cer
Enter keystore password:  client
Certificate stored in file <client_key.cer>


Bash代码 
1.keytool -import -trustcacerts -alias bluedash-ssl-demo-client -file ./client_key.cer -keystore ./server_ks  
2.Enter keystore password:  server  
3.Owner: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn  
4.Issuer: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn  
5.Serial number: 4c57c80b  
6.Valid from: Tue Aug 03 15:40:59 CST 2010 until: Mon Nov 01 15:40:59 CST 2010 
7.Certificate fingerprints:  
8.         MD5:  DB:91:F4:1E:65:D1:81:F2:1E:A6:A3:55:3F:E8:12:79 
9.         SHA1: BF:77:56:61:04:DD:95:FC:E5:84:48:5C:BE:60:AF:02:96:A2:E1:E2  
10.         Signature algorithm name: SHA1withRSA  
11.         Version: 3 
12.Trust this certificate? [no]:  yes  
13.Certificate was added to keystore 
keytool -import -trustcacerts -alias bluedash-ssl-demo-client -file ./client_key.cer -keystore ./server_ks
Enter keystore password:  server
Owner: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
Issuer: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
Serial number: 4c57c80b
Valid from: Tue Aug 03 15:40:59 CST 2010 until: Mon Nov 01 15:40:59 CST 2010
Certificate fingerprints:
         MD5:  DB:91:F4:1E:65:D1:81:F2:1E:A6:A3:55:3F:E8:12:79
         SHA1: BF:77:56:61:04:DD:95:FC:E5:84:48:5C:BE:60:AF:02:96:A2:E1:E2
         Signature algorithm name: SHA1withRSA
         Version: 3
Trust this certificate? [no]:  yes
Certificate was added to keystore

完成了证书的导入,还要在客户端需要加入一段代码,用于在连接时,客户端向服务端出示自己的证书:


Java代码 
1.package org.bluedash.tryssl;  
2. 
3.import java.io.BufferedReader;  
4.import java.io.FileInputStream;  
5.import java.io.InputStreamReader;  
6.import java.io.PrintWriter;  
7.import java.net.Socket;  
8.import java.security.KeyStore;  
9.import javax.net.SocketFactory;  
10.import javax.net.ssl.KeyManagerFactory;  
11.import javax.net.ssl.SSLContext;  
12.import javax.net.ssl.SSLSocketFactory;  
13. 
14.public class SSLClient {  
15.    private static String CLIENT_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/client_ks";  
16.    private static String CLIENT_KEY_STORE_PASSWORD = "456456";  
17.      
18.    public static void main(String[] args) throws Exception {  
19.        // Set the key store to use for validating the server cert.  
20.        System.setProperty("javax.net.ssl.trustStore", CLIENT_KEY_STORE);  
21.        System.setProperty("javax.net.debug", "ssl,handshake");  
22.        SSLClient client = new SSLClient();  
23.        Socket s = client.clientWithCert();  
24.          
25.        PrintWriter writer = new PrintWriter(s.getOutputStream());  
26.        BufferedReader reader = new BufferedReader(new InputStreamReader(s.getInputStream()));  
27.        writer.println("hello");  
28.        writer.flush();  
29.        System.out.println(reader.readLine());  
30.        s.close();  
31.    }  
32. 
33.    private Socket clientWithoutCert() throws Exception {  
34.        SocketFactory sf = SSLSocketFactory.getDefault();  
35.        Socket s = sf.createSocket("localhost", 8443);  
36.        return s;  
37.    }  
38. 
39.    private Socket clientWithCert() throws Exception {  
40.        SSLContext context = SSLContext.getInstance("TLS");  
41.        KeyStore ks = KeyStore.getInstance("jceks");  
42.          
43.        ks.load(new FileInputStream(CLIENT_KEY_STORE), null);  
44.        KeyManagerFactory kf = KeyManagerFactory.getInstance("SunX509");  
45.        kf.init(ks, CLIENT_KEY_STORE_PASSWORD.toCharArray());  
46.        context.init(kf.getKeyManagers(), null, null);  
47.          
48.        SocketFactory factory = context.getSocketFactory();  
49.        Socket s = factory.createSocket("localhost", 8443);  
50.        return s;  
51.    }  
52.} 
package org.bluedash.tryssl;

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.net.Socket;
import java.security.KeyStore;
import javax.net.SocketFactory;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

public class SSLClient {
 private static String CLIENT_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/client_ks";
 private static String CLIENT_KEY_STORE_PASSWORD = "456456";
 
 public static void main(String[] args) throws Exception {
  // Set the key store to use for validating the server cert.
  System.setProperty("javax.net.ssl.trustStore", CLIENT_KEY_STORE);
  System.setProperty("javax.net.debug", "ssl,handshake");
  SSLClient client = new SSLClient();
  Socket s = client.clientWithCert();
  
  PrintWriter writer = new PrintWriter(s.getOutputStream());
  BufferedReader reader = new BufferedReader(new InputStreamReader(s.getInputStream()));
  writer.println("hello");
  writer.flush();
  System.out.println(reader.readLine());
  s.close();
 }

 private Socket clientWithoutCert() tbhrows Exception {
  SocketFactory sf = SSLSocketFactory.getDefault();
  Socket s = sf.createSocket("localhost", 8443);
  return s;
 }

 private Socket clientWithCert() throws Exception {
  SSLContext context = SSLContext.getInstance("TLS");
  KeyStore ks = KeyStore.getInstance("jceks");
  
  ks.load(new FileInputStream(CLIENT_KEY_STORE), null);
  KeyManagerFactory kf = KeyManagerFactory.getInstance("SunX509");
  kf.init(ks, CLIENT_KEY_STORE_PASSWORD.toCharArray());
  context.init(kf.getKeyManagers(), null, null);
  
  SocketFactory factory = context.getSocketFactory();
  Socket s = factory.createSocket("localhost", 8443);
  return s;
 }
}

通过比对单向认证的日志输出,我们可以发现双向认证时,多出了服务端认证客户端证书的步骤:


Bash代码 
1.*** CertificateRequest  
2.Cert Types: RSA, DSS  
3.Cert Authorities:  
4.<CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn>  
5.<CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn>  
6.*** ServerHelloDone 
*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
<CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn>
<CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn>
*** ServerHelloDone

 

Bash代码 
1.*** CertificateVerify  
2.main, WRITE: TLSv1 Handshake, length = 134 
3.main, WRITE: TLSv1 Change Cipher Spec, length = 1 
*** CertificateVerify
main, WRITE: TLSv1 Handshake, length = 134
main, WRITE: TLSv1 Change Cipher Spec, length = 1


在 @*** ServerHelloDone@ 之前,服务端向客户端发起了需要证书的请求 @*** CertificateRequest@ 。

在客户端向服务端发出 @Change Cipher Spec@ 请求之前,多了一步客户端证书认证的过程 @*** CertificateVerify@ 。

客户端与服务端互相认证证书的情景

posted on 2012-07-13 13:50 chen11-1 阅读(3375) 评论(0)  编辑  收藏


只有注册用户登录后才能发表评论。


网站导航: