server: apache-tomcat-6.0.44 jdk1.7.0_79
client: jdk1.7.0_79
jks是JAVA的keytools证书工具支持的证书私钥格式。 pfx是微软支持的私钥格式。 cer是证书的公钥。
生成:
keytool -genkey -alias tbb -keyalg RSA -keystore D:\cert\tbb.keystore
模板:
keytool -genkey -alias yushan -keypass yushan -keyalg RSA -keysize 1024 -validity 365((默认为90天)) -keystore D:\cert\tbb.keystore -storepass 123456 -dname "CN=(名字与姓氏), OU=(组织单位名称), O=(组织名称), L=(城市或区域名称), ST=(州或省份名称), C=(单位的两字母国家代码)";(中英文即可)
验证:
keytool -selfcert -alias tbb -keystore D:\cert\tbb.keystore
导出:
keytool -export -alias tbb -keystore D:\cert\tbb.keystore -storepass 12345678 -rfc -file D:\cert\tbb.cer
转换 cer -> jks
keytool -import -alias mycert -file D:\cert\tbb.cer -keystore D:\cert\tbb.jks keystore信息的查看:
打印证书的 MD5 指纹
keytool -list -v -keystore D:\cert\tbb.keystore -storepass 12345678
可打印的编码格式输出证书
keytool -list -rfc -keystore D:\cert\tbb.keystore -storepass 12345678
生成客户端证书库
keytool -validity 36500 -genkeypair -v -alias client -keyalg RSA -storetype PKCS12 -keystore D:\cert\client.p12 -dname "CN=spring,OU=jiajianfa,O=jiajianfa,L=Wuhan,ST=HuBei,c=cn" -storepass 12345678 -keypass 12345678
从客户端证书库中导出客户端证书
keytool -export -v -alias client -keystore D:\cert\client.p12 -storetype PKCS12 -storepass 12345678 -rfc -file D:\cert\client.cer 将客户端证书导入到服务器证书库(使得服务器信任客户端证书,服务器端用此验证客户端的合法性)
keytool -import -v -alias client -file D:\cert\client.cer -keystore D:\cert\tbb.keystore -storepass 12345678 查看服务端证书中信任的客户端证书
keytool -list -keystore D:\cert\tbb.keystore -storepass 12345678
tomcat server.xml 配置:
<!-- clientAuth true:双向认证 false:单向认证-->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS" keystorePass="12345678" keystoreFile="D:\cert\tbb.keystore"
truststoreFile="D:\cert\tbb.keystore" truststorePass="12345678" />
<!-- 配置服务端项目web.xml 在<welcome-file-list>之后增加:--> <!-- 强制SSL配置,即普通的请求也会重定向为SSL请求 -->
<security-constraint>
<web-resource-collection>
<web-resource-name>SSL</web-resource-name>
<url-pattern>/*</url-pattern><!-- 全站使用SSL <url-pattern>/*</url-pattern>-->
</web-resource-collection>
<user-data-constraint>
<description>SSL required</description>
<!-- CONFIDENTIAL: 要保证服务器和客户端之间传输的数据不能够被修改,且不能被第三方查看到 -->
<!-- INTEGRAL: 要保证服务器和client之间传输的数据不能够被修改 -->
<!-- NONE: 指示容器必须能够在任一的连接上提供数据。(即用HTTP或HTTPS,由客户端来决定)-->
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
单向认证:
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.Authenticator;
import java.net.InetSocketAddress;
import java.net.PasswordAuthentication;
import java.net.Proxy;
import java.net.URL;
import java.util.Date; import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession; /**
* @Description https单向认证
* @author sprinng
*
*/
public class ClientSendDataSingle {
/**
*
* @param sendurl 请求地址
* @param res 返回结果
* @param sendData 参数
* @param timeOut 超时时间(min)
* @param useProxy 是否使用代理
* @param trustStorePath 证书路径
* @param trustStorePwd 证书密码
* @return
* @throws Exception
*/
public static String send(String sendurl, String res, String sendData, String timeOut, boolean useProxy, String trustStorePath, String trustStorePwd)throws Exception {
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePwd);
URL url = new URL(sendurl);
HttpsURLConnection connection = null;
HostnameVerifier hv = new HostnameVerifier() {
public boolean verify(String urlHostName, SSLSession session) {
return true;
}
};
System.setProperty("java.protocol.handler.pkgs","sun.net.www.protocol");
HttpsURLConnection.setDefaultHostnameVerifier(hv);
Date current = new Date(System.currentTimeMillis());
System.out.println("begint to open connection at " + current);
//使用代理
if(useProxy){
InetSocketAddress isa = new InetSocketAddress(PropertiesUtil.properties.getProperty("proxy_host"), Integer.parseInt(PropertiesUtil.properties.getProperty("proxy_port")));
Proxy proxy = new Proxy(Proxy.Type.HTTP, isa);
Authenticator.setDefault(new MyAuthenticator(PropertiesUtil.properties.getProperty("proxy_user"), PropertiesUtil.properties.getProperty("proxy_password")));
connection = (HttpsURLConnection) url.openConnection(proxy);
}else{
connection = (HttpsURLConnection) url.openConnection();
}
Date end = new Date(System.currentTimeMillis());
System.out.println("open connection ok at " + end + ",cost:"+ (end.getTime() - current.getTime()));
connection.setRequestProperty("Content-Type", "text/xml");
connection.setDoOutput(true);
connection.setDoInput(true);
connection.setRequestMethod("POST");
connection.setUseCaches(false);
connection.setReadTimeout(60 * 1000 * Integer.parseInt(timeOut));
byte data[] = sendData.getBytes();
current = new Date(System.currentTimeMillis());
System.out.println("[SSLIX]notifyEai,begint to write data at " + current);
OutputStream out = connection.getOutputStream();
out.write(data);
end = new Date(System.currentTimeMillis());
System.out.println("write data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));
StringBuffer receivedData = new StringBuffer();
current = new Date(System.currentTimeMillis());
System.out.println("begint to read data at " + current);
InputStreamReader inReader = new InputStreamReader(connection.getInputStream(), "UTF-8");
BufferedReader aReader = new BufferedReader(inReader);
String aLine;
while ((aLine = aReader.readLine()) != null) {
receivedData.append(aLine);
}
end = new Date(System.currentTimeMillis());
System.out.println("read data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));
System.out.println("开始返回状态码");
Integer statusCode = connection.getResponseCode();
System.out.println("返回状态码:" + statusCode);
aReader.close();
connection.disconnect();
res = receivedData.toString();
return res;
} public static class MyAuthenticator extends Authenticator {
private String user = "";
private String password = ""; public MyAuthenticator(String user, String password) {
this.user = user;
this.password = password;
} protected PasswordAuthentication getPasswordAuthentication() {
return new PasswordAuthentication(user, password.toCharArray());
}
} public static void main(String[] args) throws Exception {
System.out.println(ClientSendDataSingle.send("https://localhost:8443/spdbSjptServer", "", "", "5", false, "D:/cert/tbb.jks", "12345678"));
}
}
双向认证:
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.Authenticator;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.util.Date; import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession; import com.pf.util.ClientSendDataSingle.MyAuthenticator; /**
*
* @Description https双向认证
* @author sprinng
*
*/
public class ClientSendDataDouble {
/**
*
* @param sendurl 请求地址
* @param res 返回结果
* @param sendData 参数
* @param timeOut 超时时间(min)
* @param useProxy 是否使用代理
* @param trustStorePath 服务器证书路径
* @param trustStorePwd 服务器证书密码
* @param keyStore 客户端证书路径
* @param keyStorePwd 客户端证书密码
* @param keyStoreType 客户端证书类型 如:JKS PKCS12等
* @return
* @throws Exception
*/
public static String send(String sendurl, String res, String sendData, String timeOut, boolean useProxy, String trustStorePath, String trustStorePwd, String keyStore, String keyStorePwd, String keyStoreType) throws Exception {
//设置客户端证书
System.setProperty("javax.net.ssl.keyStore", keyStore);
System.setProperty("javax.net.ssl.keyStorePassword",keyStorePwd);
System.setProperty("javax.net.ssl.keyStoreType", keyStoreType); //设置服务器证书
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePwd);
URL url = new URL(sendurl);
HttpsURLConnection connection = null;
HostnameVerifier hv = new HostnameVerifier() {
public boolean verify(String urlHostName, SSLSession session) {
return true;
}
};
System.setProperty("java.protocol.handler.pkgs","sun.net.www.protocol");
HttpsURLConnection.setDefaultHostnameVerifier(hv);
Date current = new Date(System.currentTimeMillis());
System.out.println("begint to open connection at " + current);
if(useProxy){//使用代理
InetSocketAddress isa = new InetSocketAddress(PropertiesUtil.properties.getProperty("proxy_host"), Integer.parseInt(PropertiesUtil.properties.getProperty("proxy_port")));
Proxy proxy = new Proxy(Proxy.Type.HTTP, isa);
Authenticator.setDefault(new MyAuthenticator(PropertiesUtil.properties.getProperty("proxy_user"), PropertiesUtil.properties.getProperty("proxy_password")));
connection = (HttpsURLConnection) url.openConnection(proxy);
}else{
connection = (HttpsURLConnection) url.openConnection();
}
Date end = new Date(System.currentTimeMillis());
System.out.println("open connection ok at " + end + ",cost:"+ (end.getTime() - current.getTime()));
connection.setRequestProperty("Content-Type", "text/xml");
connection.setDoOutput(true);
connection.setDoInput(true);
connection.setRequestMethod("POST");
connection.setUseCaches(false);
connection.setReadTimeout(30000);
byte data[] = sendData.getBytes();
current = new Date(System.currentTimeMillis());
System.out.println("[SSLIX]notifyEai,begint to write data at " + current);
OutputStream out = connection.getOutputStream();
out.write(data);
end = new Date(System.currentTimeMillis());
System.out.println("write data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));
StringBuffer receivedData = new StringBuffer();
current = new Date(System.currentTimeMillis());
System.out.println("begint to read data at " + current);
InputStreamReader inReader = new InputStreamReader(connection.getInputStream(), "UTF-8");
BufferedReader aReader = new BufferedReader(inReader);
String aLine;
while ((aLine = aReader.readLine()) != null) {
receivedData.append(aLine);
}
end = new Date(System.currentTimeMillis());
System.out.println("read data ok at " + end + ",cost:" + (end.getTime() - current.getTime()));
System.out.println("开始返回状态码");
Integer statusCode = connection.getResponseCode();
System.out.println("返回状态码:" + statusCode);
aReader.close();
connection.disconnect();
return receivedData.toString();
} public static void main(String[] args) throws Exception {
System.out.println(ClientSendDataDouble.send("https://localhost:8443/spdbSjptServer/", "", "", "5", false, "D:/cert/tbb.jks", "12345678", "D:/cert/client.p12", "12345678", "PKCS12"));
}
}
附:
import java.io.IOException;
import java.util.Properties; public class PropertiesUtil {
public static final Properties properties = new Properties();
static {
try {
properties.load(PropertiesUtil.class.getClassLoader().getResourceAsStream("config.properties"));
} catch (IOException e) {
ECommonUtil.getLog().error("初始config配置文件失败");
}
}
}