美文网首页
java + tomcat + openssl,https单向认

java + tomcat + openssl,https单向认

作者: 十八砖 | 来源:发表于2019-10-17 20:39 被阅读0次

    1.生成根证书、服务端证书、客户端证书

    1.1 生成CA根证书

    1. 生成跟证书私钥root_private.key
      openssl genrsa -out root_private.key 1024
      (私钥中包含附加信息,可推到出公钥。使用私钥生成的证书包含对应公钥)

    2. 生成根证书签发请求文件root.csr
      openssl req -new -key root_private.key -out root.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=Test company/OU=Test company/CN=Test company"

    3. 生成X.509格式的CA根证书root.crt
      openssl x509 -req -days 365 -in root.csr -out root.crt -signkey root_private.key

    4. 根据root.crt证书生成truststore JKS文件root.truststore,输入秘钥库密码123456。
      这一步只针对双向认证,单向不需要。
      keytool -keystore root.truststore -import -trustcacerts -file root.crt
      输入yes,信任此证书。

    1.2 使用根证书签发服务端证书

    (正常是先签发二级证书,由二级证书对服务端签发)

    1. 生成服务端私钥文件server_private.key
      openssl genrsa -out server_private.key 1024

    2. 签名请求文件server.csr
      openssl req -new -key server_private.key -out server.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=test-server/OU=test-server/CN=test-server"

    3. 使用根证书签发服务端证书server.crt
      openssl x509 -req -days 365 -sha1 -CA root.crt -CAkey root_private.key -CAserial ca.srl -CAcreateserial -in server.csr -out server.crt

    4. 查看证书信息
      openssl x509 -in server.crt -text -noout

    5. 将服务端证书转换为pkcs12格式,密码123456
      openssl pkcs12 -export -in server.crt -inkey server_private.key -out server.p12

    6. 生成服务端秘钥库server.keystore,秘钥库密码也为123456
      keytool -importkeystore -srckeystore server.p12 -destkeystore server.keystore -srcstoretype pkcs12

    7. 查看keystore
      keytool -list -v -keystore server.keystore

    1.3 使用根证书签发客户端证书

    • 生成客户端私钥文件client_private.key
      openssl genrsa -out client_private.key 1024

    • 签名请求文件client.csr
      openssl req -new -key client_private.key -out client.csr -subj "/C=CN/ST=GuangDong/L=ShenZhen/O=test-client/OU=test-client/CN=test-client"

    • 使用根证书签发客户端证书client.crt
      openssl x509 -req -days 365 -sha1 -CA root.crt -CAkey root_private.key -CAserial ca.srl -CAcreateserial -in client.csr -out client.crt

    • 证书转换为pkcs12格式,密码123456
      以上生成的公私钥和证书都是PEM格式的,服务端、浏览器一般使用PKCS12格式。
      openssl pkcs12 -export -in client.crt -inkey client_private.key -out client.p12

    • 查看证书信息
      openssl x509 -in client.crt -text -noout
      openssl pkcs12 -in client.p12 -info

    2.校验自签发证书:单向和双向

    2.1 访问CA中心颁发证书的网站

    知名CA中心的证书都会预制到系统或浏览器中,无需特别处理,会自行查询验证。例如百度使用的证书,就是CA中心颁发的,如下三行代码即可实现访问。

    URL url = new URL("https://www.baidu.com");
    HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection();
    InputStream in = urlConnection.getInputStream();
    

    2.2 本机搭建tomcat服务,用于https服务端验证

    1. http://tomcat.apache.org下载压缩包解压,执行bin目录下的startup.bat
      (使用tomcat7,最新tomcat9的配置有改变,资料较少)
    2. 启动成功后,在浏览器输入http://localhost:8080出现tomcat界面表示成功

    2.3 自签证书的校验:单向验证

    单向验证一般指客户端校验服务端证书,服务端并不检查客户端证书。

    自签证书没有在系统中预制,需要自行实现校验。

    2.3.1 首先服务端搭建https服务,并配置秘钥库server.keystore

    • 将根证书颁发的server.keystore复制到tomcat的的conf目录
    • 修改conf目录下的server.xml,添加clientAuth="false"、keystoreFile、keystorePass
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                keystoreFile="conf/server.keystore"
                keystorePass="123456"
                clientAuth="false" sslProtocol="TLS" />
    

    2.3.2 信任域名,否则域名必须跟ca证书域名内容一致
    追求更要高安全性可严格校验域名,但对以后域名更换有麻烦。

    HostnameVerifier hnv = new HostnameVerifier() {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            // Always return true,接受任意域名服务器
            return true;
        }
    };
    HttpsURLConnection.setDefaultHostnameVerifier(hnv);
    

    2.3.3 加载预制的root.crt根证书
    root.crt用于验证服务端发送的证书是否有效,有没有被中间人篡改。

    Certificate g_ca;
    
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    InputStream caInput = new BufferedInputStream(
            new FileInputStream("C:\\xxx\\root-ca\\root.crt"));
    g_ca = cf.generateCertificate(caInput);
    

    2.3.4 自实现X509TrustManager的checkServerTrusted()
    自签证书验证,需要自行实现X509TrustManager中的checkServerTrusted()回调函数,即下文的myTrustManager

    URL url = new URL("https://localhost:8443");
    HttpsURLConnection urlConnection = (HttpsURLConnection)url.openConnection();
    
    //添加自定义证书校验myTrustManager
    SSLContext sslcontext = SSLContext.getInstance("TLS");
    TrustManager[] tm = { new myTrustManager() };
    
    sslcontext.init(null, tm, null);
    urlConnection.setSSLSocketFactory(sslcontext.getSocketFactory());
    
    InputStream in = urlConnection.getInputStream();
    
    • 检查证书是否过期
    • 使用root.crt校验服务器发送的证书
    class myTrustManager implements X509TrustManager {
    
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        }
    
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            Exception error = null;
    
            if (null == chain || 0 == chain.length)
            {
                error = new CertificateException("Certificate chain is invalid.");
            }
            else if (null == authType || 0 == authType.length())
            {
                error = new CertificateException("Authentication type is invalid.");
            }
            else
            {
                try
                {
                    /* 自签名,服务端只发一个证书,可以不用检查证书链 */
    
                    // 检查证书是否过期
                    chain[0].checkValidity();
    
                    // 验证是否使用了指定公钥相对应的私钥签署了此证书
                    chain[0].verify(g_ca.getPublicKey());
    
                } catch (NoSuchAlgorithmException e) {
                    error = e;
                } catch (NoSuchProviderException e) {
                    error = e;
                } catch (SignatureException e) {
                    error = e;
                } catch (InvalidKeyException e) {
                    e.printStackTrace();
                }
            }
            if (null != error)
            {
                throw new CertificateException(error);
            }
        }
    
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }
    

    2.4 自签证书的校验:双向验证

    在单向的基础上,服务器端新增配置root.truststore,客户端新增client.p12证书。

    2.4.1 服务端:添加客户端ca的根证书

    • 将root.truststore复制到tomcat的的conf目录
    • 修改conf目录下的server.xml,添加https服务,配置clientAuth="true"、root.truststore和密码
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
                keystoreFile="conf/server.keystore"
                keystorePass="123456"
                truststoreFile="conf/root.truststore"
                truststorePass="123456"
                clientAuth="true" sslProtocol="TLS" />
    
    • 访问https://localhost:8443/进行验证
      这时直接用浏览器就无法访问了,没有客户端证书返回给服务器,只能自己用代码实现访问。

    2.4.2 客户端:添加PKCS12格式秘钥库
    在单向验证的基础上添加PKCS12秘钥库,SSLContext初始化时将KeyManagerFactory设置进去。

    URL url = new URL("https://localhost:8443");
    HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
    
    //添加PKCS12格式秘钥库,用于客户端发送证书给服务端
    KeyStore keyStore = KeyStore.getInstance("PKCS12");
    keyStore.load(
            new FileInputStream("C:\\xxx\\client-ca\\client.p12"),
            "123456".toCharArray());// 密钥库的密码
    String tmfAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
    KeyManagerFactory kmf = KeyManagerFactory.getInstance(tmfAlgorithm);
    kmf.init(keyStore, "123456".toCharArray());// 密钥库的密码
    
    //添加自定义证书校验myTrustManager
    SSLContext sslcontext = SSLContext.getInstance("TLS");
    TrustManager[] tm = { new myTrustManager() };
    
    
    sslcontext.init(kmf.getKeyManagers(), tm, null);
    urlConnection.setSSLSocketFactory(sslcontext.getSocketFactory());
    
    InputStream in = urlConnection.getInputStream();
    

    2.5 证书校验异常汇总

    2.5.1 单向认证:证书验证fail
    假如被中间人攻击,服务端传过来的证书不是root ca签发的,那么会引发Signature does not match异常:

    javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: java.security.SignatureException: Signature does not match.
            at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
            at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1937)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)
            at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1478)
            at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:212)
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
            at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
            at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
            at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
            at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
            at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
            at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
            at app.testHttps$3.run(testHttps.java:129)
            at java.lang.Thread.run(Thread.java:745)
    Caused by: java.security.cert.CertificateException: java.security.SignatureException: Signature does not match.
            at app.testHttps$myTrustManager.checkServerTrusted(testHttps.java:186)
            at sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:922)
            at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1460)
            ... 14 more
    Caused by: java.security.SignatureException: Signature does not match.
            at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:449)
            at sun.security.x509.X509CertImpl.verify(X509CertImpl.java:392)
            at app.testHttps$myTrustManager.checkServerTrusted(testHttps.java:172)
            ... 16 more
    

    2.5.2 双向认证:客户端没有发送自己的证书
    假如服务端开启了双向验证,避免非信任客户端连接,那么没有证书的客户端进行访问,会报recv failed异常:

    java.net.SocketException: Software caused connection abort: recv failed
            at java.net.SocketInputStream.socketRead0(Native Method)
            at java.net.SocketInputStream.socketRead(SocketInputStream.java:116)
            at java.net.SocketInputStream.read(SocketInputStream.java:170)
            at java.net.SocketInputStream.read(SocketInputStream.java:141)
            at sun.security.ssl.InputRecord.readFully(InputRecord.java:465)
            at sun.security.ssl.InputRecord.read(InputRecord.java:503)
            at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:961)
            at sun.security.ssl.SSLSocketImpl.waitForClose(SSLSocketImpl.java:1757)
            at sun.security.ssl.HandshakeOutStream.flush(HandshakeOutStream.java:124)
            at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1083)
            at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1191)
            at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1103)
            at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:344)
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
            at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
            at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
            at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
            at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
            at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
            at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
            at app.testHttps$1.run(testHttps.java:82)
            at java.lang.Thread.run(Thread.java:745)
    

    2.5.3 双向认证:客户端发送的证书与服务端不匹配
    加入客户端发送的证书不是服务端预制root证书签发的话,会报socket write error异常:

    java.net.SocketException: Software caused connection abort: socket write error
            at java.net.SocketOutputStream.socketWrite0(Native Method)
            at java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:109)
            at java.net.SocketOutputStream.write(SocketOutputStream.java:153)
            at sun.security.ssl.OutputRecord.writeBuffer(OutputRecord.java:431)
            at sun.security.ssl.OutputRecord.write(OutputRecord.java:417)
            at sun.security.ssl.SSLSocketImpl.writeRecordInternal(SSLSocketImpl.java:864)
            at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:835)
            at sun.security.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:705)
            at sun.security.ssl.Handshaker.sendChangeCipherSpec(Handshaker.java:1077)
            at sun.security.ssl.ClientHandshaker.sendChangeCipherAndFinish(ClientHandshaker.java:1191)
            at sun.security.ssl.ClientHandshaker.serverHelloDone(ClientHandshaker.java:1103)
            at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:344)
            at sun.security.ssl.Handshaker.processLoop(Handshaker.java:979)
            at sun.security.ssl.Handshaker.process_record(Handshaker.java:914)
            at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1050)
            at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
            at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
            at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
            at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
            at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
            at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
            at app.testHttps$3.run(testHttps.java:132)
            at java.lang.Thread.run(Thread.java:745)
    

    2.5.4 双向认证:服务端未开启双向,而客户端发送证书
    这种情况不会报错,正常获取。

    相关文章

      网友评论

          本文标题:java + tomcat + openssl,https单向认

          本文链接:https://www.haomeiwen.com/subject/bwavmctx.html