Question:

Java / REST-assured: how to use SSL certificates in code

甘英光
2023-03-14

I am trying to use REST-assured to perform some API calls that require SSL authentication. I have received:

  • a .p12 file
  • a password
  • a .cert.pem file
  • a .key.pem file

When I put all of this into e.g. Postman, it just works. Now I want to use this in my Java code... and this is where I am stuck. I see people using separate tools to import keys etc., but I want to do everything in code :)

I found someone using:

RestAssured.config = RestAssured.config().sslConfig(SSLConfig.sslConfig()
                .trustStore(TRUST_STORE_PATH, TRUST_STORE_PASS).trustStoreType("JKS")
                .keyStore(KEY_STORE_PATH, KEY_STORE_PASS).keystoreType("PKCS12"));

where KEY_STORE_* is the P12 file + password (?) and the trust store is the cert key (?). However, this results in an error, "Invalid keystore format". I have tried converting the cert.pem file with openssl to (binary/x509), but that does not change anything... What am I missing? What black magic do I need to invoke to get this working in code?

The comments gave me an idea: maybe the .p12 file is not a "proper" keystore. So: I used keytool to convert the cert key into a JKS trust store, and OpenSSL to convert the .p12 + password into a .pkcs12 keystore.

The code is now:

RestAssured.config = RestAssured.config().sslConfig(SSLConfig.sslConfig()
        .trustStore(JKS_PATH, JKS_PASS).trustStoreType("JKS")
        .keyStore(PKCS12_PATH, PKCS12_PASS).keystoreType("PKCS12"));
RestAssured.useRelaxedHTTPSValidation();

I added the useRelaxedHTTPSValidation call to make sure I was not running into odd signing issues; maybe I can do without it, but first I want to get it working. This compiles and runs -- progress! However, now when REST-assured performs the actual POST I get an error: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure. As stated, it works for me in Postman and the certificates are fine; somehow, however, REST-assured/Java is not happy.

As requested in one of the comments, some SSL debugging/logging:

javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.103 CEST|ServerHello.java:891|Consuming ServerHello handshake message (
"ServerHello": {
  "server version"      : "TLSv1.2",
  "random"              : <snip>,
  "session id"          : "",
  "cipher suite"        : "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256(0xC02F)",
  "compression methods" : "00",
  "extensions"          : [
    "renegotiation_info (65,281)": {
      "renegotiated connection": [<no renegotiated connection>]
    },
    "ec_point_formats (11)": {
      "formats": [uncompressed]
    },
    "extended_master_secret (23)": {
      <empty>
    }
  ]
}
)
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.103 CEST|SSLExtensions.java:173|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.103 CEST|ServerHello.java:987|Negotiated protocol version: TLSv1.2
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.103 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.104 CEST|SSLExtensions.java:173|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.104 CEST|SSLExtensions.java:173|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.104 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.104 CEST|SSLExtensions.java:192|Consumed extension: ec_point_formats
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.104 CEST|SSLExtensions.java:173|Ignore unavailable extension: status_request_v2
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.104 CEST|SSLExtensions.java:192|Consumed extension: extended_master_secret
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.104 CEST|SSLExtensions.java:173|Ignore unavailable extension: session_ticket
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.105 CEST|SSLExtensions.java:163|Ignore unsupported extension: supported_versions
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.105 CEST|SSLExtensions.java:163|Ignore unsupported extension: key_share
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.105 CEST|SSLExtensions.java:192|Consumed extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.105 CEST|SSLExtensions.java:163|Ignore unsupported extension: pre_shared_key
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.105 CEST|ServerHello.java:1131|Locally assigned Session Id: <snip>
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.105 CEST|SSLExtensions.java:207|Ignore unavailable extension: server_name
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.105 CEST|SSLExtensions.java:207|Ignore unavailable extension: max_fragment_length
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.105 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.106 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: ec_point_formats
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.106 CEST|SSLExtensions.java:207|Ignore unavailable extension: application_layer_protocol_negotiation
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.106 CEST|SSLExtensions.java:207|Ignore unavailable extension: status_request_v2
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.106 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: extended_master_secret
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.106 CEST|SSLExtensions.java:207|Ignore unavailable extension: session_ticket
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.106 CEST|SSLExtensions.java:207|Ignore unavailable extension: supported_versions
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.106 CEST|SSLExtensions.java:207|Ignore unavailable extension: key_share
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.106 CEST|SSLExtensions.java:215|Ignore impact of unsupported extension: renegotiation_info
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.106 CEST|SSLExtensions.java:207|Ignore unavailable extension: pre_shared_key
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.112 CEST|CertificateMessage.java:357|Consuming server Certificate handshake message (<snip>)
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.177 CEST|CertificateRequest.java:670|Consuming CertificateRequest handshake message (
"CertificateRequest": {
  "certificate types": [rsa_sign, dss_sign, ecdsa_sign]
  "supported signature algorithms": [rsa_pkcs1_sha256, dsa_sha256, ecdsa_secp256r1_sha256, rsa_pkcs1_sha384, dsa_sha384, ecdsa_secp384r1_sha384, rsa_pkcs1_sha512, dsa_sha512, ecdsa_secp521r1_sha512, rsa_pkcs1_sha1, dsa_sha1, ecdsa_sha1]
  "certificate authorities": [<snip>]
}
)
javax.net.ssl|ALL|01|main|2020-09-24 09:27:51.179 CEST|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.179 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha256
javax.net.ssl|ALL|01|main|2020-09-24 09:27:51.180 CEST|X509Authentication.java:246|No X.509 cert selected for DSA
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.180 CEST|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha256
javax.net.ssl|ALL|01|main|2020-09-24 09:27:51.181 CEST|X509Authentication.java:246|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.181 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp256r1_sha256
javax.net.ssl|ALL|01|main|2020-09-24 09:27:51.181 CEST|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.181 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha384
javax.net.ssl|ALL|01|main|2020-09-24 09:27:51.182 CEST|X509Authentication.java:246|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.182 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp384r1_sha384
javax.net.ssl|ALL|01|main|2020-09-24 09:27:51.182 CEST|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.182 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha512
javax.net.ssl|ALL|01|main|2020-09-24 09:27:51.182 CEST|X509Authentication.java:246|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.182 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_secp521r1_sha512
javax.net.ssl|ALL|01|main|2020-09-24 09:27:51.183 CEST|X509Authentication.java:246|No X.509 cert selected for RSA
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.183 CEST|CertificateRequest.java:764|Unavailable authentication scheme: rsa_pkcs1_sha1
javax.net.ssl|ALL|01|main|2020-09-24 09:27:51.183 CEST|X509Authentication.java:246|No X.509 cert selected for DSA
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.183 CEST|CertificateRequest.java:764|Unavailable authentication scheme: dsa_sha1
javax.net.ssl|ALL|01|main|2020-09-24 09:27:51.184 CEST|X509Authentication.java:246|No X.509 cert selected for EC
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.184 CEST|CertificateRequest.java:764|Unavailable authentication scheme: ecdsa_sha1
javax.net.ssl|WARNING|01|main|2020-09-24 09:27:51.184 CEST|CertificateRequest.java:774|No available authentication scheme
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.184 CEST|ServerHelloDone.java:151|Consuming ServerHelloDone handshake message (
<empty>
)
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.184 CEST|CertificateMessage.java:290|No X.509 certificate for client authentication, use empty Certificate message instead
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.185 CEST|CertificateMessage.java:321|Produced client Certificate handshake message (
"Certificates": <empty list>
)
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.189 CEST|ECDHClientKeyExchange.java:400|Produced ECDHE ClientKeyExchange handshake message (
"ECDH ClientKeyExchange": {
  "ecdh public": {
    <snip>
  },
}
)
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.196 CEST|ChangeCipherSpec.java:115|Produced ChangeCipherSpec message
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.197 CEST|Finished.java:398|Produced client Finished handshake message (
"Finished": {
  "verify data": {
    <snip>
  }'}
)
javax.net.ssl|DEBUG|01|main|2020-09-24 09:27:51.248 CEST|Alert.java:238|Received alert message (
"Alert": {
  "level"      : "fatal",
  "description": "handshake_failure"
}
)
javax.net.ssl|ERROR|01|main|2020-09-24 09:27:51.251 CEST|TransportContext.java:361|Fatal (HANDSHAKE_FAILURE): Received fatal alert: handshake_failure

I think this is the culprit: "No X.509 certificate for client authentication, use empty Certificate message instead"... which seems odd.

1 answer

龚承嗣
2023-03-14

What you did with Postman is also possible in Java. REST-assured already supports keystore files, and also different formats such as JKS and PKCS12. In your case, when loading the p12 file as a keystore object you can use the PKCS12 type. However, for the other files it does not support pem files out of the box. You can merge these files into one keystore, as Kevin Boone suggested; see here for all the options for converting files: OpenSSL cheat sheet. You can also use an additional library, SSLContext Kickstart, to load and create the ssl configuration and provide it to REST-assured; see the example below.

import io.restassured.RestAssured;
import io.restassured.config.SSLConfig;
import javax.net.ssl.X509ExtendedKeyManager;
import nl.altindag.ssl.SSLFactory;                 // sslcontext-kickstart (7.x package names)
import nl.altindag.ssl.util.PemUtils;              // sslcontext-kickstart-for-pem
import org.apache.http.conn.ssl.SSLSocketFactory;  // HttpClient 4, the transport REST-assured uses

X509ExtendedKeyManager keyManager = PemUtils.loadIdentityMaterial("cert.pem", "key.pem", "password".toCharArray());

SSLFactory sslFactory = SSLFactory.builder()
        .withIdentityMaterial(keyManager)
        .withTrustMaterial("truststore.p12", "password".toCharArray(), "PKCS12")
        .build();

// sslConfig(...) returns a new config object; assign it back or the setting is silently discarded.
RestAssured.config = RestAssured.config().sslConfig(SSLConfig.sslConfig().sslSocketFactory(new SSLSocketFactory(sslFactory.getSslContext())));

I used the p12 as trust material in the example and the pem files as identity material.
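For readers who want the "everything in code" route from the question without a third-party library, the following is an added example (not code from the question, the answer, or the SSLContext Kickstart project). It parses the PEM certificate and key with the JDK alone, builds in-memory PKCS12 identity and trust stores, and adds the check the debug log above is really reporting: if the identity store holds no private-key entry, the JDK sends an empty Certificate message and the server closes with handshake_failure. Assumptions: the key is an unencrypted PKCS#8 file (BEGIN PRIVATE KEY; PKCS#1 or encrypted keys must be converted first), the file names and password are constructed placeholders, and REST-assured is wired through Apache HttpClient 4's SSLSocketFactory as in the answer's own code. Because the trust store is real, useRelaxedHTTPSValidation is not needed and should be left out; it disables server certificate verification.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collections;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import io.restassured.RestAssured;
import io.restassured.config.SSLConfig;
import org.apache.http.conn.ssl.SSLSocketFactory;

/** Mutual-TLS setup for REST-assured from PEM files, using only the JDK for parsing. */
public final class PemMutualTls {

    /** Reads every CERTIFICATE block of a PEM file (a concatenated bundle is fine); the leaf must come first. */
    static List<X509Certificate> readCertChain(Path pemFile) throws IOException, GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (var in = Files.newInputStream(pemFile)) {
            for (Certificate c : cf.generateCertificates(in)) chain.add((X509Certificate) c);
        }
        if (chain.isEmpty()) throw new GeneralSecurityException("no CERTIFICATE block in " + pemFile);
        return chain;
    }

    /** Reads an unencrypted PKCS#8 key; "BEGIN RSA PRIVATE KEY" (PKCS#1) or encrypted keys are rejected. */
    static PrivateKey readPkcs8Key(Path pemFile, String algorithm) throws IOException, GeneralSecurityException {
        String begin = "-----BEGIN PRIVATE KEY-----", end = "-----END PRIVATE KEY-----";
        String pem = Files.readString(pemFile);
        int s = pem.indexOf(begin), e = pem.indexOf(end);
        if (s < 0 || e < 0) throw new GeneralSecurityException(pemFile + " is not an unencrypted PKCS#8 key");
        // The MIME decoder skips line breaks inside the base64 body.
        byte[] der = Base64.getMimeDecoder().decode(pem.substring(s + begin.length(), e));
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    /** In-memory PKCS12 keystore with the client key and its chain: the "identity" side. */
    static KeyStore identityStore(Path certPem, Path keyPem, char[] password) throws IOException, GeneralSecurityException {
        List<X509Certificate> chain = readCertChain(certPem);
        // Take the key algorithm (RSA or EC) from the certificate instead of guessing it.
        PrivateKey key = readPkcs8Key(keyPem, chain.get(0).getPublicKey().getAlgorithm());
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                                    // empty store, nothing written to disk
        ks.setKeyEntry("client", key, password, chain.toArray(new Certificate[0]));
        return ks;
    }

    /** In-memory truststore with the server's CA certificate(s): the "trust" side. */
    static KeyStore trustStore(Path caPem) throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        int i = 0;
        for (X509Certificate ca : readCertChain(caPem)) ts.setCertificateEntry("ca-" + i++, ca);
        return ts;
    }

    /** The condition behind "No X.509 certificate for client authentication": no private-key entry at all. */
    static int countKeyEntries(KeyStore ks) throws GeneralSecurityException {
        int n = 0;
        for (String alias : Collections.list(ks.aliases())) if (ks.isKeyEntry(alias)) n++;
        return n;
    }

    static SSLContext sslContext(KeyStore identity, char[] password, KeyStore trust) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                                        // real server validation, no relaxed mode
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray();                   // constructed placeholder password
        // Constructed placeholder paths; substitute the files you were given.
        KeyStore identity = identityStore(Path.of("client.cert.pem"), Path.of("client.key.pem"), pw);
        KeyStore trust = trustStore(Path.of("server-ca.pem"));
        if (countKeyEntries(identity) != 1) {
            throw new IllegalStateException("no client key entry: the server would receive an empty Certificate message");
        }
        RestAssured.config = RestAssured.config().sslConfig(
                SSLConfig.sslConfig().sslSocketFactory(new SSLSocketFactory(sslContext(identity, pw, trust))));
    }
}
```

Run the class once before any test to see whether the identity check passes; a `.p12` you were handed can be loaded the same way with `KeyStore.getInstance("PKCS12")` and `load(stream, password)`, and `countKeyEntries` then tells you whether it actually carries a private key or only certificates, which is the distinction that decides between a working client certificate and the empty Certificate message in the log above.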
