您的位置 首页 java

Java,SSL/TLS协议,单向和双向认证,命令制作及代码生成证书

概念

SSL/ TLS协议

SSL (Secure Sockets Layer),安全套接字协议,是为 网络通信 提供安全及数据完整性的一种安全协议。SSL主要是使用公开密钥体制和X.509 数字证书 技术保护信息传输的机密性和完整性,它不能保证信息的不可抵赖性,主要适用于点对点之间的信息传输。

TLS (Transport Layer Security),传输层安全,是IETF在SSL3.0的基础上设计的协议,它是SSL协议的升级版。两者差别极小,可以理解为TLS是 SSL3.1。

TLS与SSL都是在传输层与应用层之间对网络连接进行加密。

单向认证VS双向认证

单向认证,服务端部署 SSL证书 就行,任何用户都可以去访问(IP被限制除外等),只是服务端提供了身份认证。

双向认证,服务端部署SSL证书,也需要客户端提供身份认证,只有服务端允许的客户端才能访问,安全性相对于要高一些。

SSL单向认证过程、SSL双向认证过程

制作证书

命令制作用于SSL/TSL的证书

 #1、服务器端===>生成自签名证书
keytool -genkey -dname "CN=localhost" -keysize 2048 -alias server -keyalg RSA -keystore d:/server.jks -keypass 123456 -storepass 123456 -validity 36500

#2、服务器端===>从服务器端证书秘钥库中导出 Cer 证书
keytool -export -alias server -keystore d:/server.jks -storepass 123456 - file  d:/server.cer

#3、客户端==>生成自签名证书
keytool -genkey -dname "CN=localhost.client1" -keysize 2048 -alias client1 -keyalg RSA -keystore d:/client1.jks -keypass 123456 -storepass 123456 -validity 36500

#4、客户端==>从服务器端证书秘钥库中导出Cer证书
keytool -export -alias client1 -keystore d:/client1.jks -storepass 123456 -file d:/client1.cer

#5、客户端==>将客户端证书导入到服务器端证书秘钥库
keytool -import -trustcacerts -alias server - File  d:/server.cer -keystore d:/client1.jks -storepass 123456
# 6、服务器端==>将服务器端证书导入到客户端证书秘钥库
keytool -import -trustcacerts -alias client1 -file d:/client1.cer -keystore d:/server.jks -storepass 123456

# ****查看颁发证书
keytool -list -keystore D://server.jks
keytool -list -rfc -keystore d:/server.jks -storepass 123456
keytool -list -keystore D://client1.jks
keytool -list -rfc -keystore d:/client1.jks -storepass 123456  

代码制作用于SSL/TSL的证书

说明:与命令制作一致,内容必须参考: 、 ,注意没有给出 maven 相应的坐标,这次补上。

Maven(pom.xml)

 <dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcprov-jdk15to18</artifactId>
    <version>1.70</version>
</dependency>
<dependency>
    <groupId>org.bouncycastle</groupId>
    <artifactId>bcpkix-jdk15to18</artifactId>
    <version>1.70</version>
</dependency>  

制作证书代码:

 package com.what21.netty01.demo01.cert2;

import com.what21.netty01.demo01.cert.CreateData Certificate Store;
import com.what21.netty01.demo01.cert.IssueCertificate;

import java.io.FileOutputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;

public class KeyStoreTest {

    public  static   void  main(String[] args) {
        // ===============================================================================//
        // 1、服务器端===>生成自签名证书
        // ===============================================================================//
        int keyLen = 2048;
        String alias = "server";
        String storePasswd = "123456";
        String trustPasswd = "123456";
        // 注意顺序
        String fullDN = "CN=localhost";
        String storePath = "D://localhost_server.jks";
        try {
             OutputStream  storeOutput = new FileOutputStream(storePath);
            CreateDataCertificateStore.generateKeyStore(keyLen, alias, storePasswd, trustPasswd, fullDN, 10, storeOutput);
        } catch ( Exception  e) {
            e.printStackTrace();
        }
        // ===============================================================================//
        // 2、服务器端===>从服务器端证书秘钥库中导出Cer证书
        // ===============================================================================//
        KeyStoreUtils.KeyStoreParam keyStoreParam = new KeyStoreUtils.KeyStoreParam();
        keyStoreParam.setStorePath(storePath);
        keyStoreParam.setStorePasswd(storePasswd);
        keyStoreParam.setAlias(alias);
        keyStoreParam.setTrustPasswd(trustPasswd);
        KeyStoreUtils.KeyStoreEntry keyStoreEntry = KeyStoreUtils.readToKeyStoreEntry(keyStoreParam);
        CertUtils.generateCert(keyStoreEntry, "D://localhost_server.cer");
        // ===============================================================================//
        // 3、客户端==>使用服务器端签名证书生成客户端证书
        // ===============================================================================//
        KeyStore. Private KeyEntry  root PrivateKeyEntry = null;
        try {
            rootPrivateKeyEntry = Issue certificate .getRootPrivateKey(storePath, storePasswd, alias, trustPasswd);
        } catch (Exception e) {
            e.printStackTrace();
        }
        String clientAlias = "client1";
        String subjects = "CN=localhost.client1";
        String signTrustPasswd = "123456";
        int validityYears = 10;
        String trustPath = "d:/localhost_client1.jks";
        try {
            IssueCertificate.issueCertificate(rootPrivateKeyEntry, clientAlias, subjects, signTrustPasswd, validityYears, trustPath);
        } catch (Exception e) {
            e.printStackTrace();
        }
        // ===============================================================================//
        // 4、客户端==>从服务器端证书秘钥库中导出Cer证书
        // ===============================================================================//
        KeyStoreUtils.KeyStoreParam clientKeyStoreParam = new KeyStoreUtils.KeyStoreParam();
        clientKeyStoreParam.setStorePath(trustPath);
        clientKeyStoreParam.setStorePasswd(signTrustPasswd);
        clientKeyStoreParam.setAlias(clientAlias);
        clientKeyStoreParam.setTrustPasswd(signTrustPasswd);
        KeyStoreUtils.KeyStoreEntry clientKeyStoreEntry = KeyStoreUtils.readToKeyStoreEntry(clientKeyStoreParam);
        CertUtils.generateCert(clientKeyStoreEntry, "D://localhost_client1.cer");
        // ===============================================================================//
        // 5、客户端==>将客户端证书导入到服务器端证书秘钥库
        // ===============================================================================//
        Certificate clientCertificate = CertUtils.readCert("D://localhost_client1.cer");
        try {
            KeyStoreUtils.importToKeyStore(storePath, storePasswd, " client 1", clientCertificate);
        } catch (Exception e) {
            e.printStackTrace();
        }
        // keytool -list -keystore D://localhost_server.jks
        // keytool -list -rfc -keystore D://localhost_server.jks -storepass 123456
        // ===============================================================================//
        // 6、服务器端==>将服务器端证书导入到客户端证书秘钥库
        // ===============================================================================//
        Certificate serverCertificate = CertUtils.readCert("D://localhost_server.cer");
        try {
            KeyStoreUtils.importToKeyStore(storePath, signTrustPasswd, "server",  server Certificate);
        } catch (Exception e) {
            e.printStackTrace();
        }
        // keytool -list -keystore D://localhost_client1.jks
        // keytool -list -rfc -keystore D://localhost_client1.jks -storepass 123456
        // ===============================================================================//
        // The end
        // ===============================================================================//
    }

}  

依赖如下的工具类,没有找到,请到关联的文章中找~

其他工具类:

 package com.what21.netty01.demo01.cert2;

import lombok.Data;
import sun.misc.BASE64Encoder;

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.Certificate;

public class KeyStoreUtils {

    /**
     * @param storePath   秘钥库文件路径
     * @param store Passwd  秘钥库密码
     * @param alias       证书别名
     * @param trustPasswd 证书密码
     * @return
     * @throws Exception
     */    public static KeyStoreEntry readToKeyStoreEntry(String storePath, String storePasswd, String alias, String trustPasswd)
            throws Exception {
        KeyStore keyStore = KeyStore. getInstance ("JKS");
        keyStore.load(new FileInputStream(storePath), storePasswd.toCharArray());
        PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, trustPasswd.toCharArray());
        PublicKey publicKey = keyStore.getCertificate(alias).getPublicKey();
        Certificate certificate = keyStore.getCertificate(alias);
        BASE64Encoder encoder = new BASE64Encoder();
        String privateKeyEncoded = encoder.encode(privateKey.getEncoded());
        String publicKeyEncoded = encoder.encode(publicKey.getEncoded());
        KeyStoreEntry keyStoreEntry = new KeyStoreEntry();
        keyStoreEntry.setKeyStore(keyStore);
        keyStoreEntry.setPrivateKey(privateKey);
        keyStoreEntry.setPublicKey(publicKey);
        keyStoreEntry.setCertificate(certificate);
        keyStoreEntry.setPrivateKeyEncoded(privateKeyEncoded);
        keyStoreEntry.setPublicKeyEncoded(publicKeyEncoded);
        return keyStoreEntry;
    }

    /**
     * @param storePath
     * @param storePasswd
     * @param certAlias
     * @param certificate
     * @throws Exception
     */    public static void importToKeyStore(String storePath, String storePasswd, String certAlias, Certificate certificate)
            throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
         FileInputStream  keyStoreInput = new FileInputStream(storePath);
        keyStore.load(keyStoreInput, storePasswd.toCharArray());
        keyStoreInput.close();
        if (!keyStore.containsAlias(certAlias)) {
            keyStore.setCertificateEntry(certAlias, certificate);
             FileOutputStream  keyStoreOutput = new FileOutputStream(storePath);
            keyStore.store(keyStoreOutput, storePasswd.toCharArray());
            keyStoreOutput.close();
        }
    }

    @Data
    public static class KeyStoreEntry {
        private KeyStore keyStore;
        private PrivateKey privateKey;
        private PublicKey publicKey;
        private Certificate certificate;
        private String privateKeyEncoded;
        private String publicKeyEncoded;
    }

    @Data
    public static class KeyStoreParam {
        public String storePath = "d:/server.jks";
        public String storePasswd = "123456";
        public String alias = "server";
        public String trustPasswd = "123456";
    }

    /**
     * @param keyStoreParam
     * @return
     */    public static KeyStoreEntry readToKeyStoreEntry(KeyStoreParam keyStoreParam) {
        try {
            return readToKeyStoreEntry(keyStoreParam.getStorePath(), keyStoreParam.getStorePasswd(),
                    keyStoreParam.getAlias(), keyStoreParam.getTrustPasswd());
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

    /**
     * @return
     */    public static KeyStoreEntry readToKeyStoreEntry() {
        String storePath = "d:/server.jks";
        String storePasswd = "123456";
        String alias = "server";
        String trustPasswd = "123456";
        try {
            return readToKeyStoreEntry(storePath, storePasswd, alias, trustPasswd);
        } catch (Exception e) {
            e.printStackTrace();
        }
        return null;
    }

}  
 package com.what21.netty01.demo01.cert2;

import java.io.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

/**
 * CER = CRT证书的微软型式
 */public class CertUtils {

    /**
     * 打印证书内容
     *
     * @param x509Certificate
     * @return
     */    public static Certificate printInfo(X509Certificate x509Certificate) {
        System.out.println("读取Cer证书信息...");
        System.out.println("x509Certificate_SerialNumber_序列号___:" + x509Certificate.getSerialNumber());
        System.out.println("版本号:" + x509Certificate.getVersion());
        System.out.println("序列号:" + x509Certificate.getSerialNumber().toString(16));
        System.out.println("主体名:" + x509Certificate.getSubjectDN());
        System.out.println("签发者:" + x509Certificate.getIssuerDN());
        System.out.println("有效期:" + x509Certificate.getNotBefore());
        System.out.println("截止日期:" + x509Certificate.getNotAfter());
        System.out.println("签名算法:" + x509Certificate.getSigAlgName());
        System.out.println("x509Certificate_getIssuerDN_发布方标识名___:" + x509Certificate.getIssuerDN());
        System.out.println("x509Certificate_getSubjectDN_主体标识___:" + x509Certificate.getSubjectDN());
        System.out.println("x509Certificate_getSigAlgOID_证书算法OID字符串___:" + x509Certificate.getSigAlgOID());
        System.out.println("x509Certificate_getNotBefore_证书有效期___:" + x509Certificate.getNotAfter());
        System.out.println("x509Certificate_getSigAlgName_签名算法___:" + x509Certificate.getSigAlgName());
        System.out.println("x509Certificate_getVersion_版本号___:" + x509Certificate.getVersion());
        System.out.println("x509Certificate_getPublicKey_公钥___:" + x509Certificate.getPublicKey());
        return x509Certificate;
    }

    /**
     * @param keyStoreEntry
     * @param cerFile
     */    public static void generateCert(KeyStoreUtils.KeyStoreEntry keyStoreEntry, String cerFile) {
        try {
            FileOutputStream outputStream = new FileOutputStream(cerFile);
            outputStream.write(keyStoreEntry.getCertificate().getEncoded());
            outputStream.flush();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * @param certPath
     * @return
     */    public static Certificate readCert(String certPath) {
        Certificate certificate = null;
        try {
            CertificateFactory factory = CertificateFactory.getInstance("X.509");
            FileInputStream inputStream = new FileInputStream(certPath);
            certificate = factory.generateCertificate(inputStream);
            inputStream.close();
        } catch (Exception e) {
            e.printStackTrace();
        }
        return certificate;
    }

    /**
     * @param args
     */    public static void main(String[] args) {
        KeyStoreUtils.KeyStoreEntry keyStoreEntry = KeyStoreUtils.readToKeyStoreEntry();
        // 生成cer证书
        generateCert(keyStoreEntry, "d://server.g.cer");
        // 读取cer证书
        Certificate certificate = readCert("d://server.g.cer");
        printInfo((X509Certificate) certificate);
    }

}  

文章来源:智云一二三科技

文章标题:Java,SSL/TLS协议,单向和双向认证,命令制作及代码生成证书

文章地址:https://www.zhihuclub.com/199897.shtml

关于作者: 智云科技

热门文章

发表回复

您的电子邮箱地址不会被公开。

网站地图