SSLSocket 客户端、服务端通信

1.SSL安全套接层

SSL:(Secure Socket Layer) 安全套接层,于 1994 年由网景公司设计,并于 1995 年发布了 3.0 版本
TLS:(Transport Layer Security)传输层安全性协议,是 IETF 在 SSL3.0 的基础上设计的协议

这两种协议总体差别不大,实现的功能类似,以下都以SSL统称。

ssl处于网络层次中的会话层,位于传输层TCP之上,相比于TCP层上的Socke的连接,SSL上是SSLSocket,基于socket但比socket安全,安全在于认证通信两端身份、加密传输应用数据

之前https://blog.csdn.net/sarafina527/article/details/89449006 TCP的通信,SSL是比TCP多了一层握手和加密传输

1.1 服务端实现

package communication.sslSocket;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.*;
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStreamReader;
import java.io.PrintWriter;
import java.security.KeyStore;
import java.util.Arrays;

public class SSlServer {
    private static final Logger logger = LoggerFactory.getLogger(SSlServer.class);
    private static final char[] ksPass = "123456".toCharArray();
    private static final char[] keyPass = "123456".toCharArray();
    private static final int port = 8443;


    public static void main(String[] args) throws Exception{
        // 类似于serverSocket
        SSLServerSocket sslServerSocket = createSSLServerSocket();
        // 等待客户端连接 阻塞
        SSLSocket socket = (SSLSocket) sslServerSocket.accept();
        logger.info("客户端连接 " + socket.getInetAddress()+ " " +socket.getPort());
        // 读取
        InputStreamReader reader = new InputStreamReader(socket.getInputStream());
        BufferedReader br = new BufferedReader(reader);
        // 写入
        PrintWriter writer = new PrintWriter(socket.getOutputStream());
        String msg = br.readLine();
        try{
            while (true) {
                while (msg != null) {
                    if("bye".equals(msg)) {
                        break;
                    }
                    System.out.println(msg);
                    writer.println(msg);
                    writer.flush();
                    msg = br.readLine();
                }
            }
        }finally {
            if(socket != null) {
                socket.close();
            }
        }


    }
    // 创建服务端socket
    public static SSLServerSocket createSSLServerSocket() throws Exception{
        SSLContext sslContext = createContext();
        SSLServerSocketFactory sslssf = sslContext.getServerSocketFactory();
        // 绑定服务端口
        SSLServerSocket serverSocket = (SSLServerSocket) sslssf.createServerSocket(port);
        // 设置加密算法套件
        String[] supported = sslssf.getSupportedCipherSuites();
        serverSocket.setEnabledCipherSuites(supported);
        logger.info("服务端可支持的加密算法套件有:" + Arrays.toString(supported));
        return serverSocket;
    }

    // 创建上下文环境,主要用于保存安全通信的基本信息,如协议版本、证书管理方式
    public static SSLContext createContext() throws Exception{
        logger.info("开始服务端创建sslContext上下文......" );
        SSLContext sslContext = SSLContext.getInstance("TLS");

        logger.info(sslContext.getProtocol());
        // 管理本端 的密钥(发送本端的证书用于对方认证我的身份)
        logger.info(KeyManagerFactory.getDefaultAlgorithm());
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // 管理对端证书的信任证书,用于认证对方的身份
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X.509");
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream("/Users/wangying49/certs/sslTestServer.jks"),ksPass);
        kmf.init(ks,keyPass);
        tmf.init(ks); // 信任证书和服务端私钥 放在同一个库里
        // 上下文 初始化、两端证书的加载
        sslContext.init(kmf.getKeyManagers(),tmf.getTrustManagers(),null);
        logger.info("上下文信息:" + sslContext.getProtocol() + sslContext.getSocketFactory());

        return sslContext;
    }
}

1.2 客户端

package communication.sslSocket;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;

/**
 * 〈一句话功能简述〉
* 〈避免需要证书用于进行Https请求的HttpClient 〉 */ public class SSLClient { private static final Logger logger = LoggerFactory.getLogger(SSLClient.class); private static final char[] ksPass = "123456".toCharArray(); private static final char[] keyPass = "123456".toCharArray(); private static final String protocol = "TLS"; public static void main(String[] args) throws Exception{ String host = "localhost"; String charset = "utf-8"; int port = 8443; String msg = "hello ssl"; BufferedReader reader = null; BufferedWriter writer = null; SSLSocketFactory ssf = createSocketFactory(); SSLSocket socket = (SSLSocket) ssf.createSocket(host, port); socket.setSoTimeout(10000); msg = socket.getNeedClientAuth() + " " ; // 写入请求 writer = new BufferedWriter(new OutputStreamWriter(socket.getOutputStream(), charset)); logger.info("send data to {}:{}", new Object[] { host, port }); logger.info("发送 REQUEST:{}", msg); writer.write(msg + "\n"); writer.flush();// 在真正发送的时候才会握手 // 读取响应 reader = new BufferedReader(new InputStreamReader(socket.getInputStream(), charset)); String result = reader.readLine(); logger.info("接收响应 :" + result); } @SuppressWarnings("unchecked") public static SSLSocketFactory createSocketFactory() throws Exception { KeyStore ks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream("/Users/wangying49/certs/sslTestClient.jks"), ksPass); // sun.security.validator.ValidatorException: PKIX path building failed: 选择不匹配的信任证书 // ks.load(new FileInputStream("/Users/wangying49/certs/ceb0305.jks"), ksPass); if (ks == null) { throw new Exception("没有证书库配置"); } TrustManagerFactory tmf = TrustManagerFactory.getInstance("X.509"); tmf.init(ks); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(ks, keyPass); // 这里是私钥的密码 // SSLContext ctx = SSLContext.getInstance(protocol); ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); SSLSocketFactory ssf = ctx.getSocketFactory(); return ssf; } }

1.3 执行结果

上文代码中的证书库里的证书是两对匹配的密钥,如sslTestServer.jks存放的是服务端的私钥,和客户端的信任证书,由于此处是用的自签名的证书,所以信任证书就是客户端证书  

SSLSocket 客户端、服务端通信_第1张图片

客户端的证书库存放的是客户端的私钥和服务端的信任证书

SSLSocket 客户端、服务端通信_第2张图片匹配时效果与普通的TCP通信差不多,但是当证书不匹配时,如我将客户端的证书库更换了,(见代码注释内容),就会报如下错误:

SSLSocket 客户端、服务端通信_第3张图片 

可见多了一个握手的过程,默认使用X509TrustManagerImpl来校验服务端证书

你可能感兴趣的:(通信)