Java HTTPS客户端证书认证

小开

JKS文件只是一个证书和密钥对的容器。在客户端身份验证场景中，密钥的各个部分位于这里:

客户端的存储将包含客户端的私人和公共密钥对。它被称为密钥存储库。
服务器的存储将包含客户端的公共键。它被称为信任存储库。

信任存储库和密钥存储库的分离不是强制的，但建议使用。它们可以是相同的物理文件。

要设置两个存储的文件系统位置，使用以下系统属性:

-Djavax.net.ssl.keyStore=clientsidestore.jks

在服务器端:

-Djavax.net.ssl.trustStore=serversidestore.jks

若要将客户端证书(公钥)导出到文件，以便将其复制到服务器，请使用

keytool -export -alias MYKEY -file publicclientkey.cer -store clientsidestore.jks

要将客户端的公钥导入到服务器的密钥存储库中，使用(正如海报中提到的，服务器管理员已经完成了这一操作)

keytool -import -file publicclientkey.cer -store serversidestore.jks

小开

最佳答案

最终解决了所有问题，所以我来回答我自己的问题。这些是我用来解决我的特定问题的设置/文件;

客户端的密钥存储库是一个包含

客户端的公共证书(在本例中由自签名CA签名)
客户端的私人键

例如，为了生成它，我使用了OpenSSL的pkcs12命令;

openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name "Whatever"

提示:确保你得到最新的OpenSSL，不版本0.9.8h，因为它似乎有一个错误，不允许你正确生成PKCS#12文件。

当服务器显式地请求客户端进行身份验证时，Java客户端将使用这个PKCS#12文件向服务器提供客户端证书。请参阅关于TLS的维基百科文章，了解客户端证书认证协议的实际工作原理(也解释了为什么这里需要客户端私钥)。

客户的信任库是一个直接的包含根或中间CA证书的JKS格式文件。这些CA证书将决定允许您与哪些端点通信，在这种情况下，它将允许您的客户端连接到提供由信任存储库的CA之一签名的证书的任何服务器。

例如，你可以使用标准的Java keytool来生成它;

keytool -genkey -dname "cn=CLIENT" -alias truststorekey -keyalg RSA -keystore ./client-truststore.jks -keypass whatever -storepass whatever
keytool -import -keystore ./client-truststore.jks -file myca.crt -alias myca

使用此信任库，您的客户端将尝试与所有提供由myca.crt标识的CA签名的证书的服务器进行完整的SSL握手。

上面的文件严格地只针对客户端。当您还想设置服务器时，服务器需要自己的密钥和信任库文件。在这个网站中可以找到一个为Java客户端和服务器(使用Tomcat)设置一个完全工作示例的很好的步骤。

问题/评论/建议

客户端证书认证只能由服务器强制执行。
(重要!)当服务器请求客户端证书(作为TLS握手的一部分)时，它还将提供一个受信任CA的列表作为证书请求的一部分。当你希望提供用于身份验证的客户端证书是由这些CA之一签名的不时，它根本不会被显示(在我看来，这是奇怪的行为，但我相信这是有原因的)。这是我的问题的主要原因，因为另一方没有正确配置他们的服务器以接受我的自签名客户端证书，我们认为问题出在我没有在请求中正确提供客户端证书。
Wireshark。它有很好的SSL/HTTPS数据包分析，将是一个巨大的帮助调试和发现问题。它类似于-Djavax.net.debug=ssl，但更结构化，(可以说)更容易解释，如果你不喜欢Java SSL调试输出。

使用Apache httpclient库是完全可能的。如果你想使用httpclient，只需将目标URL替换为HTTPS等效，并添加以下JVM参数(这对于任何其他客户端都是一样的，不管你想使用什么库通过HTTP/HTTPS发送/接收数据):

-Djavax.net.debug=ssl
-Djavax.net.ssl.keyStoreType=pkcs12
-Djavax.net.ssl.keyStore=client.p12
-Djavax.net.ssl.keyStorePassword=whatever
-Djavax.net.ssl.trustStoreType=jks
-Djavax.net.ssl.trustStore=client-truststore.jks
-Djavax.net.ssl.trustStorePassword=whatever

小开

Maven pom.xml:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>some.examples</groupId>
<artifactId>sslcliauth</artifactId>
<version>1.0-SNAPSHOT</version>
<packaging>jar</packaging>
<name>sslcliauth</name>
<dependencies>
<dependency>
<groupId>org.apache.httpcomponents</groupId>
<artifactId>httpclient</artifactId>
<version>4.4</version>
</dependency>
</dependencies>
</project>

Java代码:

package some.examples;


import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpEntity;
import org.apache.http.HttpHost;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.util.EntityUtils;
import org.apache.http.entity.InputStreamEntity;


public class SSLCliAuthExample {


private static final Logger LOG = Logger.getLogger(SSLCliAuthExample.class.getName());


private static final String CA_KEYSTORE_TYPE = KeyStore.getDefaultType(); //"JKS";
private static final String CA_KEYSTORE_PATH = "./cacert.jks";
private static final String CA_KEYSTORE_PASS = "changeit";


private static final String CLIENT_KEYSTORE_TYPE = "PKCS12";
private static final String CLIENT_KEYSTORE_PATH = "./client.p12";
private static final String CLIENT_KEYSTORE_PASS = "changeit";


public static void main(String[] args) throws Exception {
requestTimestamp();
}


public final static void requestTimestamp() throws Exception {
SSLConnectionSocketFactory csf = new SSLConnectionSocketFactory(
createSslCustomContext(),
new String[]{"TLSv1"}, // Allow TLSv1 protocol only
null,
SSLConnectionSocketFactory.getDefaultHostnameVerifier());
try (CloseableHttpClient httpclient = HttpClients.custom().setSSLSocketFactory(csf).build()) {
HttpPost req = new HttpPost("https://changeit.com/changeit");
req.setConfig(configureRequest());
HttpEntity ent = new InputStreamEntity(new FileInputStream("./bytes.bin"));
req.setEntity(ent);
try (CloseableHttpResponse response = httpclient.execute(req)) {
HttpEntity entity = response.getEntity();
LOG.log(Level.INFO, "*** Reponse status: {0}", response.getStatusLine());
EntityUtils.consume(entity);
LOG.log(Level.INFO, "*** Response entity: {0}", entity.toString());
}
}
}


public static RequestConfig configureRequest() {
HttpHost proxy = new HttpHost("changeit.local", 8080, "http");
RequestConfig config = RequestConfig.custom()
.setProxy(proxy)
.build();
return config;
}


public static SSLContext createSslCustomContext() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, KeyManagementException, UnrecoverableKeyException {
// Trusted CA keystore
KeyStore tks = KeyStore.getInstance(CA_KEYSTORE_TYPE);
tks.load(new FileInputStream(CA_KEYSTORE_PATH), CA_KEYSTORE_PASS.toCharArray());


// Client keystore
KeyStore cks = KeyStore.getInstance(CLIENT_KEYSTORE_TYPE);
cks.load(new FileInputStream(CLIENT_KEYSTORE_PATH), CLIENT_KEYSTORE_PASS.toCharArray());


SSLContext sslcontext = SSLContexts.custom()
//.loadTrustMaterial(tks, new TrustSelfSignedStrategy()) // use it to customize
.loadKeyMaterial(cks, CLIENT_KEYSTORE_PASS.toCharArray()) // load client certificate
.build();
return sslcontext;
}


}

小开

其他回答说明如何全局配置客户端证书。但是，如果希望以编程方式为某个特定连接定义客户机密钥，而不是跨JVM上运行的每个应用程序全局定义它，则可以像这样配置自己的SSLContext:

String keyPassphrase = "";


KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(new FileInputStream("cert-key-pair.pfx"), keyPassphrase.toCharArray());


SSLContext sslContext = SSLContexts.custom()
.loadKeyMaterial(keyStore, null)
.build();


HttpClient httpClient = HttpClients.custom().setSSLContext(sslContext).build();
HttpResponse response = httpClient.execute(new HttpGet("https://example.com"));

小开

我认为这里的修复是密钥库类型，pkcs12(pfx)总是有私钥和JKS类型可以存在没有私钥。除非您在代码中指定或通过浏览器选择证书，否则服务器无法知道它在另一端代表客户端。

小开

对于那些只想建立双向身份验证(服务器和客户端证书)的人来说，这两个链接的组合将使您达到目的:

双向认证设置:

https://linuxconfig.org/apache-web-server-ssl-authentication

你不需要使用他们提到的openssl配置文件;只使用

$ openssl genrsa -des3 -out ca.key 4096

$ openssl req -new -x509 -days 365 -key ca.key out ca.crt . out

生成您自己的CA证书，然后通过以下方式生成并签署服务器和客户端密钥:

$ openssl genrsa -des3 -out服务器。关键的4096

$ openssl req -new -key服务器。输入-out server.csr

$ openssl x509 -req -days 365 -in server。csr -CA ca.crt -CAkey ca.key -set_serial 100 -out server.crt

而且

$ openssl genrsa -des3 -out客户端关键的4096

$ openssl req -new -key客户端。输出client.csr

$ openssl x509 -req -days 365 -in客户端csr -CA ca.crt -CAkey ca.key -set_serial 101 -out client.crt

其余的请按照链接中的步骤进行操作。Chrome的证书管理方法与上面提到的firefox的证书管理方法相同。

接下来，通过以下方式设置服务器:

https://www.digitalocean.com/community/tutorials/how-to-create-a-ssl-certificate-on-apache-for-ubuntu-14-04

请注意，您已经创建了服务器的.crt和.key，因此您不必再执行这一步。

小开

我已经用Spring Boot用双向SSL(客户端和服务器证书)连接到银行。所以在这里描述我所有的步骤，希望它能帮助到别人(我发现了最简单的工作解决方案):

生成证书请求:

生成私钥

     openssl genrsa -des3 -passout pass:MY_PASSWORD -out user.key 2048

生成证书请求:

     openssl req -new -key user.key -out user.csr -passin pass:MY_PASSWORD

保存user.key(和密码)并向银行发送证书请求

Receive 2 certificate:我的客户端根证书user.pem和银行根证书bank.crt
创建Java密钥库(输入密钥密码并设置密钥库密码):
```
openssl pkcs12 -export -in user.pem -inkey user.key -out keystore.p12 -name clientId -CAfile ca.crt -caname root
```
不要注意输出:unable to write 'random state'。Java PKCS12 keystore.p12已创建。

将bank.crt添加到密钥库中(为简单起见，我使用了一个密钥库):

keytool -import -alias bankca -file bank.crt -keystore keystore.p12 -storepass MY_PASS

通过以下方法检查keystore证书:

keytool -list -keystore keystore.p12

准备好Java代码:)我已经使用Spring Boot RestTemplate添加org.apache.httpcomponents.httpcore依赖:

@Bean("sslRestTemplate")
public RestTemplate sslRestTemplate() throws Exception {
char[] storePassword = appProperties.getSslStorePassword().toCharArray();
URL keyStore = new URL(appProperties.getSslStore());


SSLContext sslContext = new SSLContextBuilder()
.loadTrustMaterial(keyStore, storePassword)
// use storePassword twice (with key password do not work)!!
.loadKeyMaterial(keyStore, storePassword, storePassword)
.build();


// Solve "Certificate doesn't match any of the subject alternative names"
SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);


CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(socketFactory).build();
HttpComponentsClientHttpRequestFactory factory = new HttpComponentsClientHttpRequestFactory(client);
RestTemplate restTemplate = new RestTemplate(factory);
// restTemplate.setMessageConverters(List.of(new Jaxb2RootElementHttpMessageConverter()));
return restTemplate;
}

小开

给定一个包含证书和私钥的p12文件(例如，由openssl生成)，下面的代码将对特定的HttpsURLConnection使用该文件:

    KeyStore keyStore = KeyStore.getInstance("pkcs12");
keyStore.load(new FileInputStream(keyStorePath), keystorePassword.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, keystorePassword.toCharArray());
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), null, null);
SSLSocketFactory sslSocketFactory = ctx.getSocketFactory();


HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
connection.setSSLSocketFactory(sslSocketFactory);

SSLContext需要一些时间来初始化，所以你可能想要缓存它。

小开

有一个比手动导航到https://url更好的方法，知道在什么浏览器中点击哪个按钮，知道在哪里以及如何保存“证书”。文件，最后知道的魔法咒语的关键工具安装在本地。

只要这样做:

将下面的代码保存到InstallCert.java
打开命令行并执行:javac InstallCert.java
像这样运行:java InstallCert <host>[:port] [passphrase](端口和密码短语是可选的)

下面是InstallCert的代码，请注意标题中的年份，将需要修改“;later”的一些部分。java版本:

/*
* Copyright 2006 Sun Microsystems, Inc.  All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
*   - Redistributions of source code must retain the above copyright
*     notice, this list of conditions and the following disclaimer.
*
*   - Redistributions in binary form must reproduce the above copyright
*     notice, this list of conditions and the following disclaimer in the
*     documentation and/or other materials provided with the distribution.
*
*   - Neither the name of Sun Microsystems nor the names of its
*     contributors may be used to endorse or promote products derived
*     from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/


import java.io.*;
import java.net.URL;


import java.security.*;
import java.security.cert.*;


import javax.net.ssl.*;


public class InstallCert {


public static void main(String[] args) throws Exception {
String host;
int port;
char[] passphrase;
if ((args.length == 1) || (args.length == 2)) {
String[] c = args[0].split(":");
host = c[0];
port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
String p = (args.length == 1) ? "changeit" : args[1];
passphrase = p.toCharArray();
} else {
System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
return;
}


File file = new File("jssecacerts");
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP
+ "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
System.out.println("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();


SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[] {tm}, null);
SSLSocketFactory factory = context.getSocketFactory();


System.out.println("Opening connection to " + host + ":" + port + "...");
SSLSocket socket = (SSLSocket)factory.createSocket(host, port);
socket.setSoTimeout(10000);
try {
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println();
System.out.println("No errors, certificate is already trusted");
} catch (SSLException e) {
System.out.println();
e.printStackTrace(System.out);
}


X509Certificate[] chain = tm.chain;
if (chain == null) {
System.out.println("Could not obtain server certificate chain");
return;
}


BufferedReader reader =
new BufferedReader(new InputStreamReader(System.in));


System.out.println();
System.out.println("Server sent " + chain.length + " certificate(s):");
System.out.println();
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
MessageDigest md5 = MessageDigest.getInstance("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
System.out.println
(" " + (i + 1) + " Subject " + cert.getSubjectDN());
System.out.println("   Issuer  " + cert.getIssuerDN());
sha1.update(cert.getEncoded());
System.out.println("   sha1    " + toHexString(sha1.digest()));
md5.update(cert.getEncoded());
System.out.println("   md5     " + toHexString(md5.digest()));
System.out.println();
}


System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
String line = reader.readLine().trim();
int k;
try {
k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
} catch (NumberFormatException e) {
System.out.println("KeyStore not changed");
return;
}


X509Certificate cert = chain[k];
String alias = host + "-" + (k + 1);
ks.setCertificateEntry(alias, cert);


OutputStream out = new FileOutputStream("jssecacerts");
ks.store(out, passphrase);
out.close();


System.out.println();
System.out.println(cert);
System.out.println();
System.out.println
("Added certificate to keystore 'jssecacerts' using alias '"
+ alias + "'");
}


private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();


private static String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder(bytes.length * 3);
for (int b : bytes) {
b &= 0xff;
sb.append(HEXDIGITS[b >> 4]);
sb.append(HEXDIGITS[b & 15]);
sb.append(' ');
}
return sb.toString();
}


private static class SavingTrustManager implements X509TrustManager {


private final X509TrustManager tm;
private X509Certificate[] chain;


SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}


public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException();
}


public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
throw new UnsupportedOperationException();
}


public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}


}