客户端证书认证请求实操

 问题1:什么叫做客户端证书认证?

答案:通过客户端证书(服务端分发的私人证书或者是通过第三方认证的证书)+账号密码进行身份认证的行为。

 

问题2:为什么有客户端证书这么个东西?

答案:如何加强服务器的用户身份验证系统?一个方法是通过服务端证书认证,就是通过https进行访问。另一个方法是客户端证书认证。通过暴力破解的方式任然可以获取到用户密码,尽管有强密码策略,仅仅只是依靠密码还是不太保险,这个时候就需要客户端证书认证。用户通过服务端颁发的证书+密码,可以极大的加强安全性。

 

问题3:怎么使用客户端证书认证?

答案:如下文

 

 

 

客户端证书认证

 

1.首先准备一个证书(本例以私人证书为例,证书生成方式具体请度娘),记录下证书最后的加密密码。

2.服务器配置相应的客户端证书认证设置(本例不涉及服务端配置)

3.配置java类库信任个人证书

  1 package sz.shuwen.utils;
  2 /*
  3  * Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
  4  *
  5  * Redistribution and use in source and binary forms, with or without
  6  * modification, are permitted provided that the following conditions
  7  * are met:
  8  *
  9  *   - Redistributions of source code must retain the above copyright
 10  *     notice, this list of conditions and the following disclaimer.
 11  *
 12  *   - Redistributions in binary form must reproduce the above copyright
 13  *     notice, this list of conditions and the following disclaimer in the
 14  *     documentation and/or other materials provided with the distribution.
 15  *
 16  *   - Neither the name of Sun Microsystems nor the names of its
 17  *     contributors may be used to endorse or promote products derived
 18  *     from this software without specific prior written permission.
 19  *
 20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
 21  * IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
 22  * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 23  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
 24  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
 25  * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
 26  * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
 27  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
 28  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
 29  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
 30  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 31  */
 32 /**
 33  * Originally from:
 34  * http://blogs.sun.com/andreas/resource/InstallCert.java
 35  * Use:
 36  * java InstallCert hostname
 37  * Example:
 38  *% java InstallCert ecc.fedora.redhat.com
 39  */
 40 
 41 import javax.net.ssl.*;
 42 import java.io.*;
 43 import java.security.KeyStore;
 44 import java.security.MessageDigest;
 45 import java.security.cert.CertificateException;
 46 import java.security.cert.X509Certificate;
 47 
 48 /**
 49  * Class used to add the server's certificate to the KeyStore
 50  * with your trusted certificates.
 51  */
 52 public class InstallCert {
 53 
 54     /*public static void main(String[] args) throws Exception {
 55         handle("XXX.com",443,"changeit");
 56     }*/
 57 
 58     public static void handle(String host,int port,String passphraseStr) throws Exception{
 59         char[] passphrase=passphraseStr.toCharArray();
 60         /*if ((args.length == 1) || (args.length == 2)) {
 61             String[] c = args[0].split(":");
 62             host = c[0];
 63             port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
 64             String p = (args.length == 1) ? "changeit" : args[1];
 65             passphrase = p.toCharArray();
 66         } else {
 67             System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
 68             return;
 69         }*/
 70 
 71         File file = new File("cacerts");
 72         if (file.isFile() == false) {
 73             char SEP = File.separatorChar;
 74             File dir = new File(System.getProperty("java.home") + SEP
 75                     + "lib" + SEP + "security");
 76             file = new File(dir, "jssecacerts");
 77             if (file.isFile() == false) {
 78                 file = new File(dir, "cacerts");
 79             }
 80         }
 81         System.out.println("Loading KeyStore " + file + "...");
 82         InputStream in = new FileInputStream(file);
 83         KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
 84         ks.load(in, passphrase);
 85         in.close();
 86 
 87         SSLContext context = SSLContext.getInstance("TLS");
 88         TrustManagerFactory tmf =
 89                 TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
 90         tmf.init(ks);
 91         X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
 92         SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
 93         context.init(null, new TrustManager[]{tm}, null);
 94         SSLSocketFactory factory = context.getSocketFactory();
 95 
 96         System.out.println("Opening connection to " + host + ":" + port + "...");
 97         SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
 98         socket.setSoTimeout(10000);
 99         try {
100             System.out.println("Starting SSL handshake...");
101             socket.startHandshake();
102             socket.close();
103             System.out.println();
104             System.out.println("No errors, certificate is already trusted");
105         } catch (SSLException e) {
106             System.out.println();
107             e.printStackTrace(System.out);
108         }
109 
110         X509Certificate[] chain = tm.chain;
111         if (chain == null) {
112             System.out.println("Could not obtain server certificate chain");
113             return;
114         }
115 
116         BufferedReader reader =
117                 new BufferedReader(new InputStreamReader(System.in));
118 
119         System.out.println();
120         System.out.println("Server sent " + chain.length + " certificate(s):");
121         System.out.println();
122         MessageDigest sha1 = MessageDigest.getInstance("SHA1");
123         MessageDigest md5 = MessageDigest.getInstance("MD5");
124         for (int i = 0; i < chain.length; i++) {
125             X509Certificate cert = chain[i];
126             System.out.println
127                     (" " + (i + 1) + " Subject " + cert.getSubjectDN());
128             System.out.println("   Issuer  " + cert.getIssuerDN());
129             sha1.update(cert.getEncoded());
130             System.out.println("   sha1    " + toHexString(sha1.digest()));
131             md5.update(cert.getEncoded());
132             System.out.println("   md5     " + toHexString(md5.digest()));
133             System.out.println();
134         }
135         //注释
136         /*System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
137         String line = reader.readLine().trim();*/
138         String line="1";
139         int k;
140         try {
141             k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
142         } catch (NumberFormatException e) {
143             System.out.println("KeyStore not changed");
144             return;
145         }
146 
147         X509Certificate cert = chain[k];
148         String alias = host + "-" + (k + 1);
149         ks.setCertificateEntry(alias, cert);
150 
151         OutputStream out = new FileOutputStream("jssecacerts");
152         ks.store(out, passphrase);
153         out.close();
154 
155         System.out.println();
156         System.out.println(cert);
157         System.out.println();
158         System.out.println
159                 ("Added certificate to keystore 'jssecacerts' using alias '"
160                         + alias + "'");
161     }
162 
163 
164     private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
165 
166     private static String toHexString(byte[] bytes) {
167         StringBuilder sb = new StringBuilder(bytes.length * 3);
168         for (int b : bytes) {
169             b &= 0xff;
170             sb.append(HEXDIGITS[b >> 4]);
171             sb.append(HEXDIGITS[b & 15]);
172             sb.append(' ');
173         }
174         return sb.toString();
175     }
176 
177     private static class SavingTrustManager implements X509TrustManager {
178 
179         private final X509TrustManager tm;
180         private X509Certificate[] chain;
181 
182         SavingTrustManager(X509TrustManager tm) {
183             this.tm = tm;
184         }
185 
186         public X509Certificate[] getAcceptedIssuers() {
187        
188         /** 
189          * This change has been done due to the following resolution advised for Java 1.7+
190         http://infposs.blogspot.kr/2013/06/installcert-and-java-7.html
191                 **/ 
192         
193         return new X509Certificate[0];    
194             //throw new UnsupportedOperationException();
195         }
196 
197         public void checkClientTrusted(X509Certificate[] chain, String authType)
198                 throws CertificateException {
199             throw new UnsupportedOperationException();
200         }
201 
202         public void checkServerTrusted(X509Certificate[] chain, String authType)
203                 throws CertificateException {
204             this.chain = chain;
205             tm.checkServerTrusted(chain, authType);
206         }
207     }
208 }

该类是在github上找的(感谢大佬),我注释的两处便是修改的地方,可也以取上面的链接看看大佬的代码,我把原方法通过main启动改为通过接口调用传参了。

4.调用

本例介绍两种调用方式:

a.通过postman调用

  关闭公有证书校验,因为本例是个人证书,若是公有证书可以开启。

 

  添加域名证书配置,作用是访问该域名才会携带配置的相应证书

   

  CRT FILE:证书文件(含公钥)

       KEY FILE:私钥文件

        PFX FILE: 后缀为p12的加密证书文件

       Passphrase:加密证书的密码,就是生成加密证书的那个密码

 

    这四个参数如何填写,依据生成的证书实际情况来即可,下图是我的配置:

 

打开postman控制台查看调用结果

 

b.通过java代码调用

 

 1 /**
 2      * 发送 SSL POST 请求(HTTPS),JSON形式
 3      * @param apiUrl API接口URL
 4      * @param json JSON对象
 5      * @return
 6      */
 7     public static String doPostSSL(String apiUrl, Object json) {
 8         CloseableHttpResponse response = null;
 9         String httpStr = "";
10         try {
11             response=doPostSSLRequest(apiUrl,json);
12             if (response.getStatusLine().getStatusCode() == HttpStatus.SC_OK) {
13                 httpStr = EntityUtils.toString(response.getEntity(), "UTF-8");
14             }
15         } catch (Exception e) {
16             e.printStackTrace();
17         } finally {
18             if (response != null) {
19                 try {
20                     EntityUtils.consume(response.getEntity());
21                 } catch (IOException e) {
22                     e.printStackTrace();
23                 }
24             }
25         }
26         return httpStr;
27     }
28 
29     /**
30     *@Author: pengshihao
31     *@Description:带证书
32     *@Date: 2019/7/4
33     */
34     public static CloseableHttpResponse  doPostSSLRequest(String apiUrl, Object json) throws Exception{
35         //注意PKCS12证书
36         KeyStore keyStore = KeyStore.getInstance("PKCS12");
37         //指向你的证书的绝对路径,带着证书去访问
38         FileInputStream instream = new FileInputStream(new File(Constant.SSL_CERT_PATH));
39         //证书的密码,创建证书时的密码
40         keyStore.load(instream, Constant.SSL_CERT_PASSWORD.toCharArray());
41         SSLContext sslContext = new SSLContextBuilder().loadKeyMaterial(keyStore,Constant.SSL_CERT_PASSWORD.toCharArray()).build();
42         SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslContext,
43                 new String[] { "TLSv1" },null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());
44 
45         CloseableHttpClient httpClient = HttpClients.custom().setSSLSocketFactory(sslsf).build();
46 
47         HttpPost httpPost = new HttpPost(apiUrl);
48         httpPost.addHeader("Accept", "*/*");
49         httpPost.setHeader("Connection","Keep-Alive");
50         httpPost.setHeader("Content-Type","application/json;charset=utf-8");
51         httpPost.setHeader("Host",Constant.DATA_BASE_HOST);
52         httpPost.addHeader("Cache-Control", "max-age=0");
53         httpPost.setEntity(new StringEntity(json.toString(),"UTF-8"));//解决中文乱码问题
54 
55         return httpClient.execute(httpPost);
56     }

 

以上就是具体的实操。

猜你喜欢

转载自www.cnblogs.com/potatoChicken/p/11147307.html
0条评论
添加一条新回复