如何使用com.sun.net.httpserver.HttpsServer要求客户端证书
申屠项明
问题内容:
问题答案:
我想要求基于Java
1.7内置HttpsServer的服务器进行客户端证书认证。
我似乎找不到任何使服务器无法通过身份验证的方法。无论客户端证书是受信任的,未知的还是完全不存在的,它都会愉快地为所有旧客户端提供数据。
我对文档的阅读建议,如果不信任客户端,则设置HttpsParameters.setNeedClientAuth(true)应该会导致身份验证失败。我发现有类似问题的人的笔记,不同地建议在SSLEngine和SSLParameters中使用相同的标志,但是都没有改变我的行为。
这是我能够创建的最简单的示例。查看事务的实质(使用Wireshark或-Djavax.net.debug =
all),我看不到任何明显类似于服务器的证书请求的内容……当然,这很明显,因为它在响应时会响应不应该。
我对Java和SSL都比较陌生。我是否误解了身份验证过程?我在适当的库中使用吗?我是否忽略解决此问题的好方法?谢谢!
编辑1:更新了示例代码以正确分离客户端密钥库和信任库。还改写了问题,以使身份验证问题更清晰。
package authserv;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsExchange;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;
public class AuthServer {
final static String SERVER_PWD = "aaaaaa";
final static String KST_SERVER = "keys/server.jks";
final static String TST_SERVER = "keys/servertrust.jks";
public static HttpsServer server;
public static void main(String[] args) throws Exception {
server = makeServer();
server.start();
//System.out.println("Server running, hit enter to stop.\n"); System.in.read();
AuthClient cl = new AuthClient();
cl.testIt();
server.stop(0);
}
public static HttpsServer makeServer() throws Exception {
server = HttpsServer.create(new InetSocketAddress(8888), 0);
//server.setHttpsConfigurator(new HttpsConfigurator(SSLContext.getInstance("TLS"))); // Default config with no auth requirement.
SSLContext sslCon = createSSLContext();
MyConfigger authconf = new MyConfigger(sslCon);
server.setHttpsConfigurator(authconf);
server.createContext("/auth", new HelloHandler());
return server;
}
private static SSLContext createSSLContext() {
SSLContext sslContext = null;
KeyStore ks;
KeyStore ts;
try{
sslContext = SSLContext.getInstance("TLS");
ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(KST_SERVER), SERVER_PWD.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, SERVER_PWD.toCharArray());
ts = KeyStore.getInstance("JKS");
ts.load(new FileInputStream(TST_SERVER), SERVER_PWD.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ts);
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
} catch (Exception e) {
e.printStackTrace();
}
return sslContext;
}
}
class MyConfigger extends HttpsConfigurator {
public MyConfigger(SSLContext sslContext) {
super(sslContext); }
@Override
public void configure(HttpsParameters params) {
SSLContext sslContext = getSSLContext();
SSLParameters sslParams = sslContext.getDefaultSSLParameters();
sslParams.setNeedClientAuth(true);
params.setNeedClientAuth(true);
params.setSSLParameters(sslParams);
super.configure(params);
/* Other configure options that don't seem to help:
SSLEngine engine = sslContext.createSSLEngine ();
engine.setNeedClientAuth(true);
params.setCipherSuites ( engine.getEnabledCipherSuites () );
params.setProtocols ( engine.getEnabledProtocols () );
*/
}
}
class HelloHandler implements HttpHandler {
public void handle(HttpExchange t) throws IOException {
HttpsExchange ts = (HttpsExchange) t;
SSLSession sess = ts.getSSLSession();
//if( sess.getPeerPrincipal() != null) System.out.println(sess.getPeerPrincipal().toString()); // Principal never populated.
t.getResponseHeaders().set("Content-Type", "text/plain");
t.sendResponseHeaders(200,0);
String response = "Hello! You seem trustworthy!\n";
OutputStream os = t.getResponseBody();
os.write(response.getBytes());
os.close();
}
}
class AuthClient{
static String KEYSTORE = "";
static String TRUSTSTORE = "keys/clienttrust.jks";
static String CLIENT_PWD = "aaaaaa";
public static void main(String[] args) throws Exception {
KEYSTORE = "keys/unauthclient.jks"; // Doesn't exist in server trust store, should fail authentication.
//KEYSTORE = "keys/authclient.jks"; // Exists in server trust store, should pass authentication.
AuthClient cl = new AuthClient();
cl.testIt();
}
public void testIt(){
try {
String https_url = "https://localhost:8888/auth/";
URL url;
url = new URL(https_url);
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(getSSLFactory());
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.setUseCaches(false);
// Print response
BufferedReader bir = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String line = null;
while((line = bir.readLine()) != null) {
System.out.println(line);
}
bir.close();
conn.disconnect();
} catch (Exception e) {
e.printStackTrace();
}
}
private static SSLSocketFactory getSSLFactory() throws Exception {
// Create key store
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
KeyManager[] kmfs = null;
if( KEYSTORE.length() > 0 ) {
keyStore.load(new FileInputStream(KEYSTORE), CLIENT_PWD.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, CLIENT_PWD.toCharArray());
kmfs = kmf.getKeyManagers();
}
// create trust store (validates the self-signed server!)
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(new FileInputStream(TRUSTSTORE), CLIENT_PWD.toCharArray());
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmfs, trustFactory.getTrustManagers(), null);
return sslContext.getSocketFactory();
}
}
这是一个bash脚本,用于创建必要的证书和密钥库。
#!/bin/bash
LOCALNAME=localhost
PASS=aaaaaa
function main
{
gen
list
}
function gen
{
mkdir -p keys
rm -f authclient.cert authclient.jks server.cert server.jks servertrust.jks clienttrust.jks unauthclient.jks
# create the keypairs for authclient, unauthclient and for server.
keytool -genkey -alias server -keyalg RSA -keystore server.jks -validity 365 -dname "cn=$LOCALNAME, ou=Auth, o=Auth, c=CA" -storepass $PASS -keypass $PASS
keytool -genkey -alias authclient -keyalg RSA -keystore authclient.jks -validity 365 -dname "cn=$LOCALNAME, ou=Auth, o=Auth, c=CA" -storepass $PASS -keypass $PASS
keytool -genkey -alias unauthclient -keyalg RSA -keystore unauthclient.jks -validity 365 -dname "cn=$LOCALNAME, ou=Auth, o=Auth, c=CA" -storepass $PASS -keypass $PASS
keytool -export -file server.cert -keystore server.jks -storepass $PASS -alias server
keytool -export -file authclient.cert -keystore authclient.jks -storepass $PASS -alias authclient
# Create a bare client truststore with no keypair
echo yes | keytool -import -file server.cert -alias server -keystore clienttrust.jks -storepass $PASS
# Create a truststore for the server containing ONLY authclient
echo yes | keytool -import -file authclient.cert -alias authclient -keystore servertrust.jks -storepass $PASS
# Add the server's cert to the client's keystores
#echo yes | keytool -import -file server.cert -alias server -keystore authclient.jks -storepass $PASS
#echo yes | keytool -import -file server.cert -alias server -keystore unauthclient.jks -storepass $PASS
}
function list {
for x in *.jks; do
SER=$(keytool -list -v -keystore $x -storepass aaaaaa | grep Serial)
echo $x $SER
done
}
main
问题答案:
最后,有几个问题。-由Gradle设置了奇怪的合格JDK导致的API权限问题-相同的JDK问题导致了SSLparams的问题-我最初的示例未设置信任库。
有趣的是,我最终更改为wantClientAuth(true),并在处理程序中进行了身份验证。
package authserv;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpHandler;
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsExchange;
import com.sun.net.httpserver.HttpsParameters;
import com.sun.net.httpserver.HttpsServer;
public class AuthServer {
final static String SERVER_PWD = "aaaaaa";
final static String KST_SERVER = "keys/server.jks";
final static String TST_SERVER = "keys/servertrust.jks";
public static HttpsServer server;
public static void main(String[] args) throws Exception {
server = makeServer();
server.start();
System.out.println("Server running, hit enter to stop.\n"); System.in.read();
//AuthClient cl = new AuthClient(); cl.testIt();
server.stop(0);
}
public static HttpsServer makeServer() throws Exception {
server = HttpsServer.create(new InetSocketAddress(8888), 0);
//server.setHttpsConfigurator(new HttpsConfigurator(SSLContext.getInstance("TLS"))); // Default config with no auth requirement.
SSLContext sslCon = createSSLContext();
MyConfigger authconf = new MyConfigger(sslCon);
server.setHttpsConfigurator(authconf);
server.createContext("/auth", new HelloHandler());
return server;
}
private static SSLContext createSSLContext() {
SSLContext sslContext = null;
KeyStore ks;
KeyStore ts;
try{
sslContext = SSLContext.getInstance("TLS");
ks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream(KST_SERVER), SERVER_PWD.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, SERVER_PWD.toCharArray());
ts = KeyStore.getInstance("JKS");
ts.load(new FileInputStream(TST_SERVER), SERVER_PWD.toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ts);
sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
} catch (Exception e) {
e.printStackTrace();
}
return sslContext;
}
}
class MyConfigger extends HttpsConfigurator {
public MyConfigger(SSLContext sslContext) {
super(sslContext); }
@Override
public void configure(HttpsParameters params) {
SSLContext sslContext = getSSLContext();
SSLParameters sslParams = sslContext.getDefaultSSLParameters();
sslParams.setNeedClientAuth(true);
params.setNeedClientAuth(true);
params.setSSLParameters(sslParams);
}
}
class HelloHandler implements HttpHandler {
public void handle(HttpExchange t) throws IOException {
HttpsExchange ts = (HttpsExchange) t;
SSLSession sess = ts.getSSLSession();
//if( sess.getPeerPrincipal() != null) System.out.println(sess.getPeerPrincipal().toString()); // Principal never populated.
System.out.printf("Responding to host: %s\n",sess.getPeerHost());
t.getResponseHeaders().set("Content-Type", "text/plain");
t.sendResponseHeaders(200,0);
String response = "Hello! You seem trustworthy!\n";
OutputStream os = t.getResponseBody();
os.write(response.getBytes());
os.close();
}
}
这是一个向客户展示失败和成功的客户:
package authserv;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.net.SocketException;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
public class AuthClient{
static String NO_KEYSTORE = "";
static String UNAUTH_KEYSTORE = "keys/unauthclient.jks"; // Doesn't exist in server trust store, should fail authentication.
static String AUTH_KEYSTORE = "keys/authclient.jks"; // Exists in server trust store, should pass authentication.
static String TRUSTSTORE = "keys/clienttrust.jks";
static String CLIENT_PWD = "aaaaaa";
public static void main(String[] args) throws Exception {
AuthClient cl = new AuthClient();
System.out.println("No keystore:");
cl.testIt(NO_KEYSTORE);
System.out.println("Unauth keystore:");
cl.testIt(UNAUTH_KEYSTORE);
System.out.println("Auth keystore:");
cl.testIt(AUTH_KEYSTORE);
}
public void testIt(String jksFile){
try {
String https_url = "https://localhost:8888/auth/";
URL url;
url = new URL(https_url);
HttpsURLConnection conn = (HttpsURLConnection)url.openConnection();
conn.setSSLSocketFactory(getSSLFactory(jksFile));
conn.setRequestMethod("POST");
conn.setDoOutput(true);
conn.setUseCaches(false);
// Print response
BufferedReader bir = new BufferedReader(new InputStreamReader(conn.getInputStream()));
String line = null;
while((line = bir.readLine()) != null) {
System.out.println(line);
}
bir.close();
conn.disconnect();
} catch (SSLHandshakeException|SocketException e) {
System.out.println(e.getMessage());
System.out.println("");
} catch (Exception e) {
e.printStackTrace();
}
}
private static SSLSocketFactory getSSLFactory(String jksFile) throws Exception {
// Create key store
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
KeyManager[] kmfs = null;
if( jksFile.length() > 0 ) {
keyStore.load(new FileInputStream(jksFile), CLIENT_PWD.toCharArray());
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, CLIENT_PWD.toCharArray());
kmfs = kmf.getKeyManagers();
}
// create trust store (validates the self-signed server!)
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(new FileInputStream(TRUSTSTORE), CLIENT_PWD.toCharArray());
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmfs, trustFactory.getTrustManagers(), null);
return sslContext.getSocketFactory();
}
}
类似资料:
-
问题内容: 我需要从使用客户端证书进行身份验证的服务器请求URL,但是找不到为我的应用程序执行此操作的方法。 我的问题是我正在使用的Java客户端具有本地可用的证书文件,但是由于PC的限制,它将在其上运行,因此无法在密钥库中安装证书。 简而言之,我只是希望能够明确指定要用于我要检索的URL的证书。 有什么建议? 问题答案: 目前尚不清楚您所讨论的限制是什么。更具体地说,我不确定您认为本地证书文件和
-
我有一个Java服务器应用程序,它通过TLS从GRPC客户端获取数据并在服务器上处理。现在我想使用多个客户端。要向客户端分配接收到的事件,我想读取客户端证书并使用证书的DN分配事件。如何获取客户端证书? 我发现这个构建服务器:https://github.com/grpc/grpc-java/blob/master/SECURITY.md#mutual-tls 然后你应该实现一个服务器拦截器 }
-
问题内容: 在Python中,我使用了这样的请求: 非常简单。 现在,我需要使用Apache HttpClient在Java中实现相同的功能。使用HttpClient进行请求时如何通过客户端证书? 问题答案: 我认为主要区别在于,在Java中,通常将密钥和证书放在密钥存储区中,然后从那里使用它。就像您提到的那样,人们经常希望为此使用单独的库,例如提到的httpcomponents客户端(就像您在p
-
问题内容: 我有一个node.js Connect服务器,用于检查请求的Cookie。为了在节点中测试它,我需要一种写客户端请求并将cookie附加到它的方法。我知道HTTP请求对此具有’cookie’标头,但是我不确定如何设置和发送它- 我还需要在同一请求中发送POST数据,因此我目前正在使用danwrong的restler模块,但似乎没有让我添加该标头。 关于如何使用硬编码的cookie和PO
-
问题内容: 使用Websphere MQ 8.x,我们是较大环境中的一个应用程序,并且是某些数据接口的客户端。我们的应用程序是在WildFly 9上运行的Java EE应用程序,该应用程序使用资源适配器()与EAR文件一起部署在同一AS中。我们在两个方向上与MQ服务器进行交互。因此,一方面,我们有一些MDB(由于历史渊源仍是EJB 2.x格式而没有注释)列出了一些队列,并由包含激活配置属性的部署描