java + tomcat + openssl,https单向认证、双向认证(亲测)

1.生成根证书、服务端证书、客户端证书

1.1 生成CA根证书

  1. 生成跟证书私钥root_private.key
    openssl genrsa -out root_private.key 1024
    (私钥中包含附加信息,可推到出公钥。使用私钥生成的证书包含对应公钥)

  2. 生成根证书签发请求文件root.csr
    openssl req -new -key root_private.key -out root.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=Test company/OU=Test company/CN=Test company"

  3. 生成X.509格式的CA根证书root.crt
    openssl x509 -req -days 365 -in root.csr -out root.crt -signkey root_private.key

  4. 根据root.crt证书生成truststore JKS文件root.truststore,输入秘钥库密码123456。
    这一步只针对双向认证,单向不需要。
    keytool -keystore root.truststore -import -trustcacerts -file root.crt
    输入yes,信任此证书。

1.2 使用根证书签发服务端证书

(正常是先签发二级证书,由二级证书对服务端签发)

  1. 生成服务端私钥文件server_private.key
    openssl genrsa -out server_private.key 1024

  2. 签名请求文件server.csr
    openssl req -new -key server_private.key -out server.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=test-server/OU=test-server/CN=test-server"

  3. 使用根证书签发服务端证书server.crt
    openssl x509 -req -days 365 -sha1 -CA root.crt -CAkey root_private.key -CAserial ca.srl -CAcreateserial -in server.csr -out server.crt

  4. 查看证书信息
    openssl x509 -in server.crt -text -noout

  5. 将服务端证书转换为pkcs12格式,密码123456
    openssl pkcs12 -export -in server.crt -inkey server_private.key -out server.p12

  6. 生成服务端秘钥库server.keystore,秘钥库密码也为123456
    keytool -importkeystore -srckeystore server.p12 -destkeystore server.keystore -srcstoretype pkcs12

  7. 查看keystore
    keytool -list -v -keystore server.keystore

1.3 使用根证书签发客户端证书

  • 生成客户端私钥文件client_private.key
    openssl genrsa -out client_private.key 1024

  • 签名请求文件client.csr
    openssl req -new -key client_private.key -out client.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=test-client/OU=test-client/CN=test-client"

  • 使用根证书签发客户端证书client.crt
    openssl x509 -req -days 365 -sha1 -CA root.crt -CAkey root_private.key -CAserial ca.srl -CAcreateserial -in client.csr -out client.crt

  • 证书转换为pkcs12格式,密码123456
    以上生成的公私钥和证书都是PEM格式的,服务端、浏览器一般使用PKCS12格式。
    openssl pkcs12 -export -in client.crt -inkey client_private.key -out client.p12

  • 查看证书信息
    openssl x509 -in client.crt -text -noout
    openssl pkcs12 -in client.p12 -info

2.校验自签发证书:单向和双向

2.1 访问CA中心颁发证书的网站

知名CA中心的证书都会预制到系统或浏览器中,无需特别处理,会自行查询验证。例如百度使用的证书,就是CA中心颁发的,如下三行代码即可实现访问。

URL url = new URL("https://www.baidu.com");
HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection();
InputStream in = urlConnection.getInputStream();

2.2 本机搭建tomcat服务,用于https服务端验证

  1. 从http://tomcat.apache.org下载压缩包解压,执行bin目录下的startup.bat
    (使用tomcat7,最新tomcat9的配置有改变,资料较少)
  2. 启动成功后,在浏览器输入http://localhost:8080出现tomcat界面表示成功

2.3 自签证书的校验:单向验证

单向验证一般指客户端校验服务端证书,服务端并不检查客户端证书。

自签证书没有在系统中预制,需要自行实现校验。

2.3.1 首先服务端搭建https服务,并配置秘钥库server.keystore

  • 将根证书颁发的server.keystore复制到tomcat的的conf目录
  • 修改conf目录下的server.xml,添加clientAuth="false"、keystoreFile、keystorePass

  • 访问https://localhost:8443/进行验证

2.3.2 信任域名,否则域名必须跟ca证书域名内容一致
追求更要高安全性可严格校验域名,但对以后域名更换有麻烦。

HostnameVerifier hnv = new HostnameVerifier() {
    @Override
    public boolean verify(String hostname, SSLSession session) {
        // Always return true,接受任意域名服务器
        return true;
    }
};
HttpsURLConnection.setDefaultHostnameVerifier(hnv);

2.3.3 加载预制的root.crt根证书
root.crt用于验证服务端发送的证书是否有效,有没有被中间人篡改。

Certificate g_ca;

CertificateFactory cf = CertificateFactory.getInstance("X.509");
InputStream caInput = new BufferedInputStream(
        new FileInputStream("C:\\xxx\\root-ca\\root.crt"));
g_ca = cf.generateCertificate(caInput);

2.3.4 自实现X509TrustManager的checkServerTrusted()
自签证书验证,需要自行实现X509TrustManager中的checkServerTrusted()回调函数,即下文的myTrustManager

URL url = new URL("https://localhost:8443");
HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection();

//添加自定义证书校验myTrustManager
SSLContext sslcontext = SSLContext.getInstance("TLS");
TrustManager[] tm = { new myTrustManager() };

sslcontext.init(null, tm, null);
urlConnection.setSSLSocketFactory(sslcontext.getSocketFactory());

InputStream in = urlConnection.getInputStream();
  • 检查证书是否过期
  • 使用root.crt校验服务器发送的证书
class myTrustManager implements X509TrustManager {

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        Exception error = null;

        if (null == chain || 0 == chain.length)
        {
            error = new CertificateException("Certificate chain is invalid.");
        }
        else if (null == authType || 0 == authType.length())
        {
            error = new CertificateException("Authentication type is invalid.");
        }
        else
        {
            try
            {
                /* 自签名,服务端只发一个证书,可以不用检查证书链 */

                // 检查证书是否过期
                chain[0].checkValidity();

                // 验证是否使用了指定公钥相对应的私钥签署了此证书
                chain[0].verify(g_ca.getPublicKey());

            } catch (NoSuchAlgorithmException e) {
                error = e;
            } catch (NoSuchProviderException e) {
                error = e;
            } catch (SignatureException e) {
                error = e;
            } catch (InvalidKeyException e) {
                e.printStackTrace();
            }
        }
        if (null != error)
        {
            throw new CertificateException(error);
        }
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}

2.4 自签证书的校验:双向验证

在单向的基础上,服务器端新增配置root.truststore,客户端新增client.p12证书。

2.4.1 服务端:添加客户端ca的根证书

  • 将root.truststore复制到tomcat的的conf目录
  • 修改conf目录下的server.xml,添加https服务,配置clientAuth="true"、root.truststore和密码

  • 访问https://localhost:8443/进行验证
    这时直接用浏览器就无法访问了,没有客户端证书返回给服务器,只能自己用代码实现访问。

2.4.2 客户端:添加PKCS12格式秘钥库
在单向验证的基础上添加PKCS12秘钥库,SSLContext初始化时将KeyManagerFactory设置进去。

URL url = new URL("https://localhost:8443");
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();

//添加PKCS12格式秘钥库,用于客户端发送证书给服务端
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(
        new FileInputStream("C:\\xxx\\client-ca\\client.p12"),
        "123456".toCharArray());// 密钥库的密码
String tmfAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
KeyManagerFactory kmf = KeyManagerFactory.getInstance(tmfAlgorithm);
kmf.init(keyStore, "123456".toCharArray());// 密钥库的密码

//添加自定义证书校验myTrustManager
SSLContext sslcontext = SSLContext.getInstance("TLS");
TrustManager[] tm = { new myTrustManager() };


sslcontext.init(kmf.getKeyManagers(), tm, null);
urlConnection.setSSLSocketFactory(sslcontext.getSocketFactory());

InputStream in = urlConnection.getInputStream();

2.5 证书校验异常汇总

2.5.1 单向认证:证书验证fail
假如被中间人攻击,服务端传过来的证书不是root ca签发的,那么会引发Signature does not match异常:

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.SignatureException: Signature does not match.
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at app.testHttps$3.run(testHttps.java:129)
        at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.cert.CertificateException: java.security.SignatureException: Signature does not match.
        at app.testHttps$myTrustManager.checkServerTrusted(testHttps.java:186)
        at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:922)
        at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
        ... 14 more
Caused by: java.security.SignatureException: Signature does not match.
        at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)
        at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:392)
        at app.testHttps$myTrustManager.checkServerTrusted(testHttps.java:172)
        ... 16 more

2.5.2 双向认证:客户端没有发送自己的证书
假如服务端开启了双向验证,避免非信任客户端连接,那么没有证书的客户端进行访问,会报recv failed异常:

java.net.SocketException: Software caused connection abort: recv failed
        at java.net.SocketInputStream.socketRead0(Native Method)
        at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
        at java.net.SocketInputStream.read(SocketInputStream.java:170)
        at java.net.SocketInputStream.read(SocketInputStream.java:141)
        at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
        at sun.security.ssl.InputRecord.read(InputRecord.java:503)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961)
        at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1757)
        at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)
        at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1083)
        at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1191)
        at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1103)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:344)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at app.testHttps$1.run(testHttps.java:82)
        at java.lang.Thread.run(Thread.java:745)

2.5.3 双向认证:客户端发送的证书与服务端不匹配
加入客户端发送的证书不是服务端预制root证书签发的话,会报socket write error异常:

java.net.SocketException: Software caused connection abort: socket write error
        at java.net.SocketOutputStream.socketWrite0(Native Method)
        at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:109)
        at java.net.SocketOutputStream.write(SocketOutputStream.java:153)
        at sun.security.ssl.OutputRecord.writeBuffer(OutputRecord.java:431)
        at sun.security.ssl.OutputRecord.write(OutputRecord.java:417)
        at sun.security.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:864)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:835)
        at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:705)
        at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1077)
        at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1191)
        at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1103)
        at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:344)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
        at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
        at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
        at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
        at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
        at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
        at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
        at app.testHttps$3.run(testHttps.java:132)
        at java.lang.Thread.run(Thread.java:745)

2.5.4 双向认证:服务端未开启双向,而客户端发送证书
这种情况不会报错,正常获取。

你可能感兴趣的:(java + tomcat + openssl,https单向认证、双向认证(亲测))