Java implementation of SSL mutual authentication

Java implementation of SSL mutual authentication

SSL protocol handshake agreement into a two-way one-way authentication and certification, including mutual authentication with a variety of implementations, the following describes how Java implementation of SSL mutual authentication.

Simulation scenarios:
Server-side and Client-side communications, the need for identity verification and authorization, that only accept messages Client Server and Client Server can only accept messages.

Technical realization:
JSSE ( the Java  Security the Socket Extension)
is the Sun in order to solve secure communications on the Internet and the introduction of solutions. It implements the SSL and the TSL (Transport Layer Security) protocol. JSSE includes the data encryption, server authentication, client authentication, and message integrity techniques. By using JSSE, developers can TCP / IP protocol to transfer data between the client and secure server.

In order to achieve message authentication.

Server requires:
1) KeyStore: where to save the server's private key
2) Trust KeyStore: which authority certificates saved the client
the same, Client needs:
1) KeyStore: which hold the client's private key
2) Trust KeyStore: which authority certificates stored server-side

Here I recommend the use of Java comes with keytool command to generate such information file. Of course, the current generation of very popular open source SSL certificate as well as for OpenSSL. OpenSSL using C language written across systems. But we may consider the convenience of java program used to generate the certificate at a later process, or use the built-in JDK keytool.
1) generation server private key, and imported to the server KeyStore file
keytool -genkey -alias serverkey -keystore kserver.keystore
process, they are required to complete, according to the needs of their own settings on the line
keystore password: 123456
Name and Last Name: jin
organizational unit name: none
organization name: none
city or region name: BJ
state or province name: BJ
country Code: CN
serverkey private key password, and do not fill the same keystore password. We should be careful here, directly to Enter on the line, do not change your password. Otherwise, in the back of the program and can not be applied directly to the private key error.

You can generate kserver.keystore file
server.keystore to the server is used, which holds its own private key

2) According to the private key, export the server certificate
the keytool -export -alias -file serverkey -keystore kserver.keystore server.crt
server.crt end of that Certificate Services

3) The server certificate into the client's Trust KeyStore in
the keytool -import -alias -file serverkey server.crt -keystore tclient.keystore
tclient.keystore to the client is used, which holds a trusted certificate

Using the same method, the client generates a private key, the client certificate, and introduced into the service side of the Trust KeyStore
. 1) the keytool -alias -genkey ClientKey -keystore kclient.keystore
2) the keytool -export -alias ClientKey -keystore kclient.keystore - client.crt File
3) the keytool -import -alias -file client.crt -keystore tserver.keystore ClientKey

Thus, the resulting file into two
server save: kserver.keystore tserver.keystore
client save: kclient.keystore tclient.kyestore

The following is by Java Socket communication program to validate our generated certificate is available.

Client:

Client code

1. package examples.ssl;

2. 
   

3. import java.io.BufferedInputStream;

4. import java.io.BufferedOutputStream;

5. import java.io.FileInputStream;

6. import java.io.IOException;

7. import java.io.InputStream;

8. import java.io.OutputStream;

9. import java.security.KeyStore;

10. 
    

11. import javax.net.ssl.KeyManagerFactory;

12. import javax.net.ssl.SSLContext;

13. import javax.net.ssl.SSLSocket;

14. import javax.net.ssl.TrustManagerFactory;

15. 
    

16. /**

17. * SSL Client

18. *

19. */

20. public class SSLClient {

21. 
    

22. private static final String DEFAULT_HOST = “127.0.0.1”;

23. private static final int DEFAULT_PORT = 7777;

24. 
    

25. private static final String CLIENT_KEY_STORE_PASSWORD = “123456”;

26. private static final String CLIENT_TRUST_KEY_STORE_PASSWORD = “123456”;

27. 
    

28. private SSLSocket sslSocket;

29. 
    

30. /**

31. * Start the client program

32. *

33. * @param args

34. */

35. public static void main(String[] args) {

36. SSLClient client = new SSLClient();

37. init();

38. process();

39. }

40. 
    

41. /**

42. * Connected via ssl socket with the server, and sends a message

43. */

44. public void process() {

45. if (sslSocket == null) {

46. out.println(“ERROR”);

47. return;

48. }

49. try {

50. InputStream input = sslSocket.getInputStream();

51. OutputStream output = sslSocket.getOutputStream();

52. 
    

53. BufferedInputStream bis = new BufferedInputStream(input);

54. BufferedOutputStream bos = new BufferedOutputStream(output);

55. 
    

56. write(“Client Message”.getBytes());

57. flush();

58. 
    

59. byte[] buffer = new byte[20];

60. read(buffer);

61. out.println(new String(buffer));

62. 
    

63. close();

64. } catch (IOException e) {

65. out.println(e);

66. }

67. }

68. 
    

69. /**

70. * <ul>

71. * <Li> Key ssl connection: </ li>

72. * <Li> Initialization SSLSocket </ li>

73. * <Li> Import private client KeyStore, import KeyStore (the certificate server) client trusted </ li>

74. * </ul>

75. */

76. public void init() {

77. try {

78. SSLContext ctx = SSLContext.getInstance(“SSL”);

79. 
    

80. KeyManagerFactory kmf = KeyManagerFactory.getInstance(“SunX509”);

81. TrustManagerFactory tmf = TrustManagerFactory.getInstance(“SunX509”);

82. 
    

83. KeyStore ks = KeyStore.getInstance(“JKS”);

84. KeyStore tks = KeyStore.getInstance(“JKS”);

85. 
    

86. load(new FileInputStream(“E://kclient.keystore”), CLIENT_KEY_STORE_PASSWORD.toCharArray());

87. load(new FileInputStream(“E://tclient.keystore”), CLIENT_TRUST_KEY_STORE_PASSWORD.toCharArray());

88. 
    

89. init(ks, CLIENT_KEY_STORE_PASSWORD.toCharArray());

90. init(tks);

91. 
    

92. init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

93. 
    

94. sslSocket = (SSLSocket) ctx.getSocketFactory().createSocket(DEFAULT_HOST, DEFAULT_PORT);

95. } catch (Exception e) {

96. out.println(e);

97. }

98. }

99. 
    

100. }

Service-Terminal:

Java code

1. package examples.ssl;

2. 
   

3. import java.io.BufferedInputStream;

4. import java.io.BufferedOutputStream;

5. import java.io.FileInputStream;

6. import java.io.InputStream;

7. import java.io.OutputStream;

8. import java.net.Socket;

9. import java.security.KeyStore;

10. 
    

11. import javax.net.ssl.KeyManagerFactory;

12. import javax.net.ssl.SSLContext;

13. import javax.net.ssl.SSLServerSocket;

14. import javax.net.ssl.TrustManagerFactory;

15. 
    

16. /***********************************************************************************************************************

17. * <ul>

18. * <Li> 1) to generate private server </ li>

19. * <li>keytool -genkey -alias serverkey -keystore kserver.keystore</li>

20. * <Li> 2) according to the private key, the server certificate around </ li>

21. * <li>keytool -exoport -alias serverkey -keystore kserver.keystore -file server.crt</li>

22. * <Li> 3) the certificate is added to the client trusted in the keystore </ li>

23. * <li>keytool -import -alias serverkey -file server.crt -keystore tclient.keystore</li>

24. * </ul>

25. **********************************************************************************************************************/

26. 
    

27. /**

28. * SSL Server

29. *

30. */

31. public class SSLServer {

32. 
    

33. private static final int DEFAULT_PORT = 7777;

34. 
    

35. private static final String SERVER_KEY_STORE_PASSWORD = “123456”;

36. private static final String SERVER_TRUST_KEY_STORE_PASSWORD = “123456”;

37. 
    

38. private SSLServerSocket serverSocket;

39. 
    

40. /**

41. * starting program

42. *

43. * @param args

44. */

45. public static void main(String[] args) {

46. SSLServer server = new SSLServer();

47. init();

48. start();

49. }

50. 
    

51. /**

52. * <ul>

53. * <li>听SSL Server Socket</li>

54. * <Li> Since the demonstration program is not Socket monitor, a simple form of single-threaded, and only accept messages of the client, the client and returns the specified message </ li>

55. * </ul>

56. */

57. public void start() {

58. if (serverSocket == null) {

59. out.println(“ERROR”);

60. return;

61. }

62. while (true) {

63. try {

64. Socket s = serverSocket.accept();

65. InputStream input = s.getInputStream();

66. OutputStream output = s.getOutputStream();

67. 
    

68. BufferedInputStream bis = new BufferedInputStream(input);

69. BufferedOutputStream bos = new BufferedOutputStream(output);

70. 
    

71. byte[] buffer = new byte[20];

72. read(buffer);

73. out.println(new String(buffer));

74. 
    

75. write(“Server Echo”.getBytes());

76. flush();

77. 
    

78. close();

79. } catch (Exception e) {

80. out.println(e);

81. }

82. }

83. }

84. 
    

85. /**

86. * <ul>

87. * <Li> Key ssl connection: </ li>

88. * <Li> Initialization SSLServerSocket </ li>

89. * <Li> Importing server private key KeyStore, import KeyStore (the client's certificate) </ li> Trusted server

90. * </ul>

91. */

92. public void init() {

93. try {

94. SSLContext ctx = SSLContext.getInstance(“SSL”);

95. 
    

96. KeyManagerFactory kmf = KeyManagerFactory.getInstance(“SunX509”);

97. TrustManagerFactory tmf = TrustManagerFactory.getInstance(“SunX509”);

98. 
    

99. KeyStore ks = KeyStore.getInstance(“JKS”);

100. KeyStore tks = KeyStore.getInstance(“JKS”);

101. 
     

102. load(new FileInputStream(“E://kserver.keystore”), SERVER_KEY_STORE_PASSWORD.toCharArray());

103. load(new FileInputStream(“E://tserver.keystore”), SERVER_TRUST_KEY_STORE_PASSWORD.toCharArray());

104. 
     

105. init(ks, SERVER_KEY_STORE_PASSWORD.toCharArray());

106. init(tks);

107. 
     

108. init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

109. 
     

110. serverSocket = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(DEFAULT_PORT);

111. setNeedClientAuth(true);

112. } catch (Exception e) {

113. printStackTrace ();

114. }

115. }

116. }