最后,基于此示例,我仅提出以下解决方案。我将
<Connector>实例添加到Tomcat配置中,并带有
sslImplementationName指向自定义
JSSEImplementation类名称的属性,并
JSSEImplementation通过自定义
JSSESocketFactory和
X509KeyManager类进行扩展。
Tomcat配置如下所示:
<Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" clientAuth="true" sslProtocol="TLS" SSLEnabled="true" sslImplementationName="x.y.z.CustomJSSEImplementation" keyAlias="alias_of_key_in_HSM_and_cert_in_JKS"/>
CustomJSSEImplementation类是:
public class CustomJSSEImplementation extends JSSEImplementation { @Override public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint) { return new CustomSslContextSocketFactory(endpoint); } @Override public SSLUtil getSSLUtil(AbstractEndpoint endpoint) { return new CustomSslContextSocketFactory(endpoint); }}CustomSslContextSocketFactory类是:
public class CustomSslContextSocketFactory extends JSSESocketFactory { public static final AtomicReference<CustomSslContext> customSslContext = new AtomicReference<CustomSslContext>(); public CustomSslContextSocketFactory(AbstractEndpoint endpoint) { super(endpoint); } @Override public KeyManager[] getKeyManagers() throws Exception { return (customSslContext.get() == null ? super.getKeyManagers() : customSslContext.get().getKeyManagers(this)); }}CustomSslContext界面是:
interface CustomSslContext { KeyManager[] getKeyManagers(JSSESocketFactory factory) throws Exception;}HsmKeyManagerImpl通过
keyAlias属性在HSM中引用私钥的形式如下:
public class HsmKeyManagerImpl implements X509KeyManager { ... @Override public PrivateKey getPrivateKey(String alias) { // HSM Vendor specific API calls }}我没有显示代码如何获取与私有证书相对应的证书,但是使用的
keyAlias属性定义的相同别名
<Connector>用于从JKS 获取证书。
