如何将证书(.cer)从客户端发送到服务器?
客户端证书(.cer,.crt,.pem)及其对应的私钥(.key)应首先包装到PKCS#12(.p12,.pfx)或JKS(.jks)容器中(密钥库)。您还应该将服务器的CA证书打包为JKS(信任库)。
使用HttpClient 3.x的示例:
HttpClient client = new HttpClient();// truststoreKeyStore trustStore = KeyStore.getInstance("JKS", "SUN");trustStore.load(TestSupertype.class.getResourceAsStream("/client-truststore.jks"), "amber%".toCharArray());String alg = KeyManagerFactory.getDefaultAlgorithm();TrustManagerFactory fac = TrustManagerFactory.getInstance(alg);fac.init(trustStore);// keystoreKeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE");keystore.load(X509Test.class.getResourceAsStream("/etomcat_client.p12"), "etomcat".toCharArray());String keyAlg = KeyManagerFactory.getDefaultAlgorithm();KeyManagerFactory keyFac = KeyManagerFactory.getInstance(keyAlg);keyFac.init(keystore, "etomcat".toCharArray());// contextSSLContext ctx = SSLContext.getInstance("TLS", "SunJSSE");ctx.init(keyFac.getKeyManagers(), fac.getTrustManagers(), new SecureRandom());SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(ctx);Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) secureProtocolSocketFactory, 8443));// test getHttpMethod get = new GetMethod("https://127.0.0.1:8443/etomcat_x509");client.executeMethod(get);// get response body and do what you need with itbyte[] responseBody = get.getResponseBody();您可以在该项目中找到工作示例,请参见
X509Test类。
使用HttpClient 4.x时,配置和语法会稍有不同:
HttpClient httpclient = new DefaultHttpClient();// truststoreKeyStore ts = KeyStore.getInstance("JKS", "SUN");ts.load(PostService.class.getResourceAsStream("/truststore.jks"), "amber%".toCharArray());// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing truststoreif(0 == ts.size()) throw new IOException("Error loading truststore");// tmfTrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());tmf.init(ts);// keystoreKeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");ks.load(PostService.class.getResourceAsStream("/" + certName), certPwd.toCharArray());// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing keystoreif(0 == ks.size()) throw new IOException("Error loading keystore");// kmfKeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());kmf.init(ks, certPwd.toCharArray());// SSLSSLContext ctx = SSLContext.getInstance("TLS");ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);// socketSSLSocketFactory socketFactory = new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);Scheme sch = new Scheme("https", 8443, socketFactory);httpclient.getConnectionManager().getSchemeRegistry().register(sch);// requestHttpMethod get = new GetMethod("https://localhost:8443/foo");client.executeMethod(get);IOUtils.copy(get.getResponseBodyAsStream(), System.out);如何在服务器中接收证书并提取其公钥?
您的服务器必须配置为要求X.509客户端证书身份验证。然后,在SSL握手期间,servlet容器将接收证书,对照trustore进行检查,并将其作为请求属性提供给应用程序。通常,对于单个证书,您可以在servlet环境中使用此方法来提取证书:
protected X509Certificate extractCertificate(HttpServletRequest req) { X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate"); if (null != certs && certs.length > 0) { return certs[0]; } throw new RuntimeException("No X.509 client certificate found in request");}
