HTTPS=HTTP+SSL/TLS,位于应用层。SSL/TLS协议本身是带加密信息的传输层协议,数字证书正是为这种协议提供相关加密/解密信息。
SSL/TLS协议涉及多种加密算法,包括:
消息摘要算法:MD5和SHA1
对称加密算法:RC2、RC4、IDEA、DES、Triple DES和AES
非对称加密算法:RSA和DH
数字签名算法:RSA和DSA
模型分析
1、协商算法
服务端和客户端进行握手协议的第一阶段主要是协商算法,此时,产生随机数RNC、RNS
对等协商加密算法
2、验证证书
客户证书认证不一定必要,服务端身份得以认证,可以进行服务端单向认证为基础的交互。
客户端验证服务器证书
如果客户证书也得以确认,那么可以进行双向认证为基础的加密交互(eg:电子商务)。
服务器端验证客户端证书
3、产生密钥
根据随机数PMS、RNC、RNS,构建主密钥MS
构建主密钥MS
根据主密钥构建会话密钥,完成握手协议
构建会话密钥
4、加密交互
进入正式会话阶段,服务端和客户端使用会话密钥进行加密交互
加密交互
单向认证服务
1、证书导入
导入证书
导入证书
2、服务器配置
修改tomcat的conf/server.xml文件,并打开SSL/TLS的注释,并配置密钥库文件keystoreFile,和密钥库密码keysotrePass,密钥库类型参数keystoreType(默认JKS)
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="D:\MyData\majx2\crazyxing.keystore.old"
keysotrePass="123456" />
备注:如果构建双向认证,clientAuth需设置为true
使用https访问
3、代码验证
通过一个自己实现的客户端访问上述服务。
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
public abstract class HTTPSCoder {
/**
* 协议
*/
public static final String PROTOCOL = "TLS";
/**
* 获得KeyStore
*
* @param keyStorePath
* 密钥库路径
* @param password
* 密码
* @return KeyStore 密钥库
* @throws Exception
*/
private static KeyStore getKeyStore(String keyStorePath, String password)
throws Exception {
// 实例化密钥库
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
// 获得密钥库文件流
FileInputStream is = new FileInputStream(keyStorePath);
// 加载密钥库
ks.load(is, password.toCharArray());
// 关闭密钥库文件流
is.close();
return ks;
}
/**
* 获得SSLSocektFactory
*
* @param password
* 密码
* @param keyStorePath
* 密钥库路径
* @param trustStorePath
* 信任库路径
* @return SSLSocketFactory
* @throws Exception
*/
private static SSLSocketFactory getSSLSocketFactory(String password,
String keyStorePath, String trustStorePath) throws Exception {
// 实例化密钥库
KeyManagerFactory keyManagerFactory = KeyManagerFactory
.getInstance(KeyManagerFactory.getDefaultAlgorithm());
// 获得密钥库
KeyStore keyStore = getKeyStore(keyStorePath, password);
// 初始化密钥工厂
keyManagerFactory.init(keyStore, password.toCharArray());
// 实例化信任库
TrustManagerFactory trustManagerFactory = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// 获得信任库
KeyStore trustStore = getKeyStore(trustStorePath, password);
// 初始化信任库
trustManagerFactory.init(trustStore);
// 实例化SSL上下文
SSLContext ctx = SSLContext.getInstance(PROTOCOL);
// 初始化SSL上下文
ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory
.getTrustManagers(), new SecureRandom());
// 获得SSLSocketFactory
return ctx.getSocketFactory();
}
/**
* 为HttpsURLConnection配置SSLSocketFactory
*
* @param conn
* HttpsURLConnection
* @param password
* 密码
* @param keyStorePath
* 密钥库路径
* @param trustKeyStorePath
* 信任库路径
* @throws Exception
*/
public static void configSSLSocketFactory(HttpsURLConnection conn,
String password, String keyStorePath, String trustKeyStorePath)
throws Exception {
// 获得SSLSocketFactory
SSLSocketFactory sslSocketFactory = getSSLSocketFactory(password,
keyStorePath, trustKeyStorePath);
// 设置SSLSocketFactory
conn.setSSLSocketFactory(sslSocketFactory);
}
}
相应的单元测试
import org.junit.Test;
import javax.net.ssl.HttpsURLConnection;
import java.io.DataInputStream;
import java.net.URL;
import static org.junit.Assert.assertNotNull;
public class HTTPSCoderTest {
/**
* 密钥库/信任库密码
*/
private String password = "123456";
/**
* 密钥库文件路径
*/
private String keyStorePath = "D:/MyData/majx2/crazyxing.keystore.old";
/**
* 信任库文件路径
*/
private String trustStorePath = "D:/MyData/majx2/crazyxing.keystore.old";
/**
* 访问地址
*/
private String httpsUrl = "https://www.crazyxing.com:8443/ssl/";
/**
* HTTPS验证
*
* @throws Exception
*/
@Test
public void test() throws Exception {
// 建立HTTPS链接
URL url = new URL(httpsUrl);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
conn.setRequestMethod("GET");
// 打开输入输出流
conn.setDoInput(true);
// conn.setDoOutput(true);
// 为HttpsURLConnection配置SSLSocketFactory
HTTPSCoder.configSSLSocketFactory(conn, password, keyStorePath,
trustStorePath);
// 鉴别内容长度
int length = conn.getContentLength();
byte[] data = null;
// 如果内容长度为-1,则放弃解析
if (length != -1) {
DataInputStream dis = new DataInputStream(conn.getInputStream());
data = new byte[length];
dis.readFully(data);
dis.close();
System.err.println(new String(data));
}
conn.disconnect();
// 验证
assertNotNull(data);
}
}
双向认证服务
1、导入证书
导入客户端证书到个人TAB
导入客户端证书
导入CA证书到财新人的根证书颁发机构
导入CA证书
2、服务器配置
修改tomcat的conf/server.xml文件,并打开SSL/TLS的注释,并配置密钥库文件keystoreFile、truststoreFile,和密钥库密码keysotrePass、truststorePass,密钥库类型参数keystoreType、truststoreType,clientAuth设置为true
<Connector
port="8443"
protocol="org.apache.coyote.http11.Http11Protocol"
maxThreads="150"
SSLEnabled="true"
scheme="https"
secure="true"
clientAuth="true"
sslProtocol="TLS"
keystoreFile="D:\MyData\majx2\demoCA\certs\server.p12"
keystorePass="123456"
keystoreType="PKCS12"
truststoreFile="D:\MyData\majx2\demoCA\certs\ca.p12"
truststorePass="123456"
truststoreType="PKCS12" />
3、代码验证
通过一个自己实现的客户端访问上述服务。
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
public abstract class HTTPSCoder {
/**
* 协议
*/
public static final String PROTOCOL = "TLS";
/**
* 获得KeyStore
*
* @param keyStorePath
* 密钥库路径
* @param password
* 密码
* @return KeyStore 密钥库
* @throws Exception
*/
private static KeyStore getKeyStore(String keyStorePath, String password)
throws Exception {
// 实例化密钥库
KeyStore ks = KeyStore.getInstance("PKCS12");
// KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
// 获得密钥库文件流
FileInputStream is = new FileInputStream(keyStorePath);
// 加载密钥库
ks.load(is, password.toCharArray());
// 关闭密钥库文件流
is.close();
return ks;
}
/**
* 获得SSLSocektFactory
*
* @param password
* 密码
* @param keyStorePath
* 密钥库路径
* @param trustStorePath
* 信任库路径
* @return SSLSocketFactory
* @throws Exception
*/
private static SSLSocketFactory getSSLSocketFactory(String password,
String keyStorePath, String trustStorePath) throws Exception {
// 实例化密钥库
KeyManagerFactory keyManagerFactory = KeyManagerFactory
.getInstance(KeyManagerFactory.getDefaultAlgorithm());
// 获得密钥库
KeyStore keyStore = getKeyStore(keyStorePath, password);
// 初始化密钥工厂
keyManagerFactory.init(keyStore, password.toCharArray());
// 实例化信任库
TrustManagerFactory trustManagerFactory = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// 获得信任库
KeyStore trustStore = getKeyStore(trustStorePath, password);
// 初始化信任库
trustManagerFactory.init(trustStore);
// 实例化SSL上下文
SSLContext ctx = SSLContext.getInstance(PROTOCOL);
// 初始化SSL上下文
ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory
.getTrustManagers(), new SecureRandom());
// 获得SSLSocketFactory
return ctx.getSocketFactory();
}
/**
* 为HttpsURLConnection配置SSLSocketFactory
*
* @param conn
* HttpsURLConnection
* @param password
* 密码
* @param keyStorePath
* 密钥库路径
* @param trustKeyStorePath
* 信任库路径
* @throws Exception
*/
public static void configSSLSocketFactory(HttpsURLConnection conn,
String password, String keyStorePath, String trustKeyStorePath)
throws Exception {
// 获得SSLSocketFactory
SSLSocketFactory sslSocketFactory = getSSLSocketFactory(password,
keyStorePath, trustKeyStorePath);
// 设置SSLSocketFactory
conn.setSSLSocketFactory(sslSocketFactory);
}
}
相应的单元测试
import org.junit.Test;
import javax.net.ssl.HttpsURLConnection;
import java.io.DataInputStream;
import java.net.URL;
import static org.junit.Assert.assertNotNull;
public class HTTPSCoderTest {
/**
* 密钥库/信任库密码
*/
private String password = "123456";
/**
* 密钥库文件路径
*/
private String keyStorePath = "D:\\MyData\\majx2\\demoCA\\certs\\server.p12";
/**
* 信任库文件路径
*/
private String trustStorePath = "D:\\MyData\\majx2\\demoCA\\certs\\ca.p12";
/**
* 访问地址
*/
private String httpsUrl = "https://www.crazyxing.com:8443/ssl/";
/**
* HTTPS验证
*
* @throws Exception
*/
@Test
public void test() throws Exception {
// 建立HTTPS链接
URL url = new URL(httpsUrl);
HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
// conn.setRequestMethod(method);
// 打开输入输出流
conn.setDoInput(true);
// conn.setDoOutput(true);
// 为HttpsURLConnection配置SSLSocketFactory
HTTPSCoder.configSSLSocketFactory(conn, password, keyStorePath,
trustStorePath);
// 鉴别内容长度
int length = conn.getContentLength();
byte[] data = null;
// 如果内容长度为-1,则放弃解析
if (length != -1) {
DataInputStream dis = new DataInputStream(conn.getInputStream());
data = new byte[length];
dis.readFully(data);
dis.close();
System.err.println(new String(data));
}
conn.disconnect();
// 验证
assertNotNull(data);
}
}
