基于ssl双向认证的详细例子（注意：下面用 keytool 生成的都是自签名证书——从输出可以看到"发照者"与 Owner 相同——而且默认有效期只有 90 天；生产环境应使用 CA 签发的证书，并显式指定 -validity 等参数）

产生服务端证书库（生成服务端密钥对和自签名证书，私钥保存在 kserver.ks 中）
keytool -genkey -alias serverkey -keystore kserver.ks
导出服务端证书（只包含公钥，私钥不会离开 kserver.ks）
keytool -export -alias serverkey -keystore kserver.ks -file server.crt
把服务端证书导入客户端信任库 tclient.ks（客户端据此验证服务端身份）
keytool -import -alias serverkey -file server.crt -keystore tclient.ks
产生客户端证书库（生成客户端密钥对和自签名证书，私钥保存在 kclient.ks 中）
keytool -genkey -alias clientkey -keystore kclient.ks
导出客户端证书（只包含公钥）
keytool -export -alias clientkey -keystore kclient.ks -file client.crt
把客户端证书导入服务端信任库 tserver.ks（服务端据此验证客户端身份，这一步才构成"双向"认证）
keytool -import -alias clientkey -file client.crt -keystore tserver.ks
删除服务端密钥条目（按别名删除，证书库文件本身仍然存在）
keytool -delete -alias serverkey -keystore kserver.ks -storepass 123456
删除客户端密钥条目
keytool -delete -alias clientkey -keystore kclient.ks -storepass 456789
注意：-storepass 把口令直接写在命令行上，会留在 shell 历史和进程列表中；实际使用时应省略该参数，由 keytool 提示输入。删除后,必须手动删除这些文件(kserver.ks、kclient.ks、tserver.ks、tclient.ks、server.crt、client.crt),以便重复操作

具体过程如下:
D:\>keytool -genkey -alias serverkey -keystore kserver.ks
输入keystore密码:  123456
您的名字与姓氏是什么?
  [Unknown]:  xuguo
您的组织单位名称是什么?
  [Unknown]:  fruitking
您的组织名称是什么?
  [Unknown]:  fruitking
您所在的城市或区域名称是什么?
  [Unknown]:  hangzhou
您所在的州或省份名称是什么?
  [Unknown]:  zhejiang
该单位的两字母国家代码是什么
  [Unknown]:  cn
CN=xuguo, OU=fruitking, O=fruitking, L=hangzhou, ST=zhejiang, C=cn 正确吗?
  [否]:  y

输入<serverkey>的主密码
        (如果和 keystore 密码相同,按回车):  123456

D:\>keytool -export -alias serverkey -keystore kserver.ks -file server.crt
输入keystore密码:  123456
保存在文件中的认证 <server.crt>

D:\>keytool -import -alias serverkey -file server.crt -keystore tclient.ks
输入keystore密码:  123456
Owner: CN=xuguo, OU=fruitking, O=fruitking, L=hangzhou, ST=zhejiang, C=cn
发照者: CN=xuguo, OU=fruitking, O=fruitking, L=hangzhou, ST=zhejiang, C=cn
序号: 4a9641c2
有效期间: Thu Aug 27 16:20:18 CST 2009 至: Wed Nov 25 16:20:18 CST 2009
认证指纹:
         MD5:  50:6D:45:A3:37:BF:51:45:94:F0:8B:4D:42:9F:72:8A
         SHA1: A9:C6:26:7E:A2:3E:B9:68:B8:E4:FE:E0:C2:3C:C9:E0:A3:67:76:B5
信任这个认证? [否]:  y
认证已添加至keystore中

D:\>F:

F:\>cd F:\testc

F:\testc>keytool -genkey -alias clientkey -keystore kclient.ks
输入keystore密码:  456789
您的名字与姓氏是什么?
  [Unknown]:  xuguo
您的组织单位名称是什么?
  [Unknown]:  pubone
您的组织名称是什么?
  [Unknown]:  pubone
您所在的城市或区域名称是什么?
  [Unknown]:  hangzhou
您所在的州或省份名称是什么?
  [Unknown]:  zhejiang
该单位的两字母国家代码是什么
  [Unknown]:  cn
CN=xuguo, OU=pubone, O=pubone, L=hangzhou, ST=zhejiang, C=cn 正确吗?
  [否]:  y

输入<clientkey>的主密码
        (如果和 keystore 密码相同,按回车):  456789

F:\testc>keytool -export -alias clientkey -keystore kclient.ks -file client.crt

输入keystore密码:  456789
保存在文件中的认证 <client.crt>

F:\testc>keytool -import -alias clientkey -file client.crt -keystore tserver.ks

输入keystore密码:  456789
Owner: CN=xuguo, OU=pubone, O=pubone, L=hangzhou, ST=zhejiang, C=cn
发照者: CN=xuguo, OU=pubone, O=pubone, L=hangzhou, ST=zhejiang, C=cn
序号: 4a9643c3
有效期间: Thu Aug 27 16:28:51 CST 2009 至: Wed Nov 25 16:28:51 CST 2009
认证指纹:
         MD5:  FB:CC:9D:5C:E0:7E:A6:70:CB:31:78:BC:06:1F:53:BC
         SHA1: 97:10:7C:B2:70:78:07:5A:2B:2D:51:8E:73:B3:71:FB:4C:51:87:05
信任这个认证? [否]:  y
认证已添加至keystore中

F:\testc>

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManagerFactory;
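public class Server {

    /** Port the demo listens on; Client connects to it on localhost. */
    private static final int PORT = 8443;

    /**
     * Starts a TLS server that demands a client certificate (mutual authentication)
     * and answers every connection with a fixed greeting.
     *
     * <p>The server's identity comes from {@code D:/kserver.ks} (its own key pair); the
     * only clients accepted are those whose certificate was imported into
     * {@code F:/testc/tserver.ks}.
     *
     * @param args unused
     * @throws Exception if either keystore cannot be read or the port cannot be bound
     */
    public static void main(String[] args) throws Exception {
        // NOTE(security): passwords are hard-coded for the demo only. Real code should
        // obtain them from protected configuration or a prompt, never from source.
        char[] keyStorePassword = "123456".toCharArray();
        char[] trustStorePassword = "456789".toCharArray();

        // Server's private key + certificate: what the server presents to clients.
        KeyStore keyStore = loadKeyStore("D:/kserver.ks", keyStorePassword);
        // Client certificate(s) the server accepts: what the server trusts.
        KeyStore trustStore = loadKeyStore("F:/testc/tserver.ks", trustStorePassword);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(keyStore, keyStorePassword);
        // NOTE(review): "SunX509" trust managers do a simpler check than "PKIX" (no
        // revocation, fewer extension checks); PKIX is the usual choice outside demos.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trustStore);

        // "TLS" rather than "SSL": the SSLv2/v3 protocol versions are broken and are
        // disabled in current JDKs; this context still negotiates the best available TLS.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SSLServerSocket serverSocket =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(PORT);
        // Mutual authentication: the handshake is rejected unless the client presents a
        // certificate trusted via tserver.ks (setWantClientAuth would merely ask for one).
        serverSocket.setNeedClientAuth(true);

        while (true) {
            Socket s = null;
            try {
                s = serverSocket.accept();
                serve(s);
            } catch (Exception e) {
                // One bad connection (e.g. a client with no or an untrusted certificate)
                // must not take the server down; report it and keep accepting.
                System.out.println(e);
            } finally {
                // The original only closed on the success path, leaking the socket on error.
                closeQuietly(s);
            }
        }
    }

    /**
     * Services one authenticated connection: reads the client's message, prints it and
     * writes the greeting. The caller closes the socket.
     */
    private static void serve(Socket s) throws Exception {
        BufferedInputStream in = new BufferedInputStream(s.getInputStream());
        BufferedOutputStream out = new BufferedOutputStream(s.getOutputStream());

        // The demo protocol has no framing, so one read() is all that can be done without
        // changing the client as well. The original 20-byte buffer truncated the client's
        // 21-byte message, and an EOF (-1) was passed straight to new String(...).
        byte[] buffer = new byte[1024];
        int length = in.read(buffer);
        if (length < 0) {
            System.out.println("Receive: (client closed the connection without sending data)");
        } else {
            // Explicit charset: new String(byte[]) otherwise uses the platform default.
            System.out.println("Receive: " + new String(buffer, 0, length, "UTF-8"));
        }

        out.write("Hello,Xuguo,welcome to here!".getBytes("UTF-8"));
        out.flush();
    }

    /** Loads a JKS keystore from {@code path}, closing the file even when loading fails. */
    private static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Closes {@code s} if non-null, ignoring close errors (nothing useful is left to do). */
    private static void closeQuietly(Socket s) {
        if (s == null) {
            return;
        }
        try {
            s.close();
        } catch (Exception ignored) {
            // already tearing the connection down; a failed close changes nothing
        }
    }
}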

import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;


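public class Client {

    /** Where the demo server listens (see Server). */
    private static final String HOST = "localhost";
    private static final int PORT = 8443;

    /**
     * Connects to the demo server over mutually-authenticated TLS, sends one message and
     * prints the reply.
     *
     * <p>The client authenticates with the key pair in {@code F:/testc/kclient.ks} and
     * accepts only a server whose certificate is present in {@code D:/tclient.ks}.
     *
     * @param args unused
     * @throws Exception if a keystore cannot be read, the connection or handshake fails,
     *         or socket I/O fails
     */
    public static void main(String[] args) throws Exception {
        // NOTE(security): passwords are hard-coded for the demo only; real code should
        // not keep keystore passwords in source.
        char[] keyStorePassword = "456789".toCharArray();
        char[] trustStorePassword = "123456".toCharArray();

        // Client's private key + certificate: presented when the server demands client auth.
        KeyStore keyStore = loadKeyStore("F:/testc/kclient.ks", keyStorePassword);
        // Server certificate(s) this client trusts.
        KeyStore trustStore = loadKeyStore("D:/tclient.ks", trustStorePassword);

        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(keyStore, keyStorePassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trustStore);

        // "TLS" rather than the broken, now-disabled SSL protocol versions.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SSLSocket sslSocket = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, PORT);
        try {
            // NOTE(security): a raw SSLSocket performs no hostname verification, so the
            // server is authenticated only by "its certificate is in tclient.ks". That is
            // tolerable while the trust store pins the single self-signed server.crt; with
            // a CA-issued certificate, enable endpoint identification
            // (SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")) or check the
            // peer certificate's subject explicitly.
            //
            // Handshake explicitly so an authentication failure surfaces here rather than
            // as an obscure error on the first write.
            sslSocket.startHandshake();

            BufferedOutputStream out = new BufferedOutputStream(sslSocket.getOutputStream());
            BufferedInputStream in = new BufferedInputStream(sslSocket.getInputStream());

            // Explicit charset: getBytes()/new String(byte[]) default to the platform charset.
            out.write("Xuguo is a super man.".getBytes("UTF-8"));
            out.flush();

            // The demo protocol has no framing, so one read() is all that can be done
            // without changing the server. The original 20-byte buffer cut the server's
            // 28-byte greeting short, and an EOF (-1) was passed straight to new String(...).
            byte[] buffer = new byte[1024];
            int length = in.read(buffer);
            if (length < 0) {
                System.out.println("(server closed the connection without replying)");
            } else {
                System.out.println(new String(buffer, 0, length, "UTF-8"));
            }
        } finally {
            // The original left the socket open whenever anything above threw.
            sslSocket.close();
        }
    }

    /** Loads a JKS keystore from {@code path}, closing the file even when loading fails. */
    private static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }
}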
