JSSE(Java Security Socket Extension)是Sun公司为了解决互联网信息安全传输提出的一个解决方案,它实现了SSL和TSL协议,包含了数据加密、服务器验证、消息完整性和客户端验证等技术。通过使用JSSE简洁的API,可以在客户端和服务器端之间通过SSL/TSL协议安全地传输数据。
首先,需要将OpenSSL生成根证书CA及签发子证书一文中生成的客户端及服务端私钥和数字证书进行导出,生成Java环境可用的keystore文件。
客户端私钥与证书的导出:
1
2
|
openssl pkcs12 -
export
-clcerts -name www.mydomain.com \
-inkey private
/client-key
.pem -
in
certs
/client
.cer -out certs
/client
.keystore
|
服务器端私钥与证书的导出:
1
2
|
openssl pkcs12 -
export
-clcerts -name www.mydomain.com \
-inkey private
/server-key
.pem -
in
certs
/server
.cer -out certs
/server
.keystore
|
受信任的CA证书的导出:
1
2
|
keytool -importcert -trustcacerts -
alias
www.mydomain.com -
file
certs
/ca
.cer \
-keystore certs
/ca-trust
.keystore
|
之后,便会在certs文件夹下生成ca-trust.keystore文件。加上上面生成的server.keystore和client.keystore,certs下会生成这三个文件:
Java实现的SSL通信客户端:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
|
package
com.demo.ssl;
import
java.io.FileInputStream;
import
java.io.InputStream;
import
java.io.OutputStream;
import
java.security.KeyStore;
import
javax.net.ssl.KeyManagerFactory;
import
javax.net.ssl.SSLContext;
import
javax.net.ssl.SSLSocket;
import
javax.net.ssl.TrustManagerFactory;
public
class
SSLClient {
private
SSLSocket sslSocket;
public
static
void
main(String[] args)
throws
Exception {
SSLClient client =
new
SSLClient();
client.init();
System.out.println(
"SSLClient initialized."
);
client.process();
}
//客户端将要使用到client.keystore和ca-trust.keystore
public
void
init()
throws
Exception {
String host =
"127.0.0.1"
;
int
port =
1234
;
String keystorePath =
"/home/user/CA/certs/client.keystore"
;
String trustKeystorePath =
"/home/user/CA/certs/ca-trust.keystore"
;
String keystorePassword =
"abc123_"
;
SSLContext context = SSLContext.getInstance(
"SSL"
);
//客户端证书库
KeyStore clientKeystore = KeyStore.getInstance(
"pkcs12"
);
FileInputStream keystoreFis =
new
FileInputStream(keystorePath);
clientKeystore.load(keystoreFis, keystorePassword.toCharArray());
//信任证书库
KeyStore trustKeystore = KeyStore.getInstance(
"jks"
);
FileInputStream trustKeystoreFis =
new
FileInputStream(trustKeystorePath);
trustKeystore.load(trustKeystoreFis, keystorePassword.toCharArray());
//密钥库
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
"sunx509"
);
kmf.init(clientKeystore, keystorePassword.toCharArray());
//信任库
TrustManagerFactory tmf = TrustManagerFactory.getInstance(
"sunx509"
);
tmf.init(trustKeystore);
//初始化SSL上下文
context.init(kmf.getKeyManagers(), tmf.getTrustManagers(),
null
);
sslSocket = (SSLSocket)context.getSocketFactory().createSocket(host, port);
}
public
void
process()
throws
Exception {
//往SSLSocket中写入数据
String hello =
"hello boy!"
;
OutputStream out = sslSocket.getOutputStream();
out.write(hello.getBytes(),
0
, hello.getBytes().length);
out.flush();
//从SSLSocket中读取数据
InputStream in = sslSocket.getInputStream();
byte
[] buffer =
new
byte
[
50
];
in.read(buffer);
System.out.println(
new
String(buffer));
}
}
|
初始化时,首先取得SSLContext、KeyManagerFactory、TrustManagerFactory实例,然后加载客户端的密钥库和信任库到相应的KeyStore,对KeyManagerFactory和TrustManagerFactory进行初始化,最后用KeyManagerFactory和TrustManagerFactory对SSLContext进行初始化,并创建SSLSocket。
Java实现的SSL通信服务器端:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
|
package
com.demo.ssl;
import
java.io.FileInputStream;
import
java.io.InputStream;
import
java.io.OutputStream;
import
java.net.Socket;
import
java.security.KeyStore;
import
javax.net.ssl.KeyManagerFactory;
import
javax.net.ssl.SSLContext;
import
javax.net.ssl.SSLServerSocket;
import
javax.net.ssl.TrustManagerFactory;
public
class
SSLServer {
private
SSLServerSocket sslServerSocket;
public
static
void
main(String[] args)
throws
Exception {
SSLServer server =
new
SSLServer();
server.init();
System.out.println(
"SSLServer initialized."
);
server.process();
}
//服务器端将要使用到server.keystore和ca-trust.keystore
public
void
init()
throws
Exception {
int
port =
1234
;
String keystorePath =
"/home/user/CA/certs/server.keystore"
;
String trustKeystorePath =
"/home/user/CA/certs/ca-trust.keystore"
;
String keystorePassword =
"abc123_"
;
SSLContext context = SSLContext.getInstance(
"SSL"
);
//客户端证书库
KeyStore keystore = KeyStore.getInstance(
"pkcs12"
);
FileInputStream keystoreFis =
new
FileInputStream(keystorePath);
keystore.load(keystoreFis, keystorePassword.toCharArray());
//信任证书库
KeyStore trustKeystore = KeyStore.getInstance(
"jks"
);
FileInputStream trustKeystoreFis =
new
FileInputStream(trustKeystorePath);
trustKeystore.load(trustKeystoreFis, keystorePassword.toCharArray());
//密钥库
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
"sunx509"
);
kmf.init(keystore, keystorePassword.toCharArray());
//信任库
TrustManagerFactory tmf = TrustManagerFactory.getInstance(
"sunx509"
);
tmf.init(trustKeystore);
//初始化SSL上下文
context.init(kmf.getKeyManagers(), tmf.getTrustManagers(),
null
);
//初始化SSLSocket
sslServerSocket = (SSLServerSocket)context.getServerSocketFactory().createServerSocket(port);
//设置这个SSLServerSocket需要授权的客户端访问
sslServerSocket.setNeedClientAuth(
true
);
}
public
void
process()
throws
Exception {
String bye =
"Bye!"
;
byte
[] buffer =
new
byte
[
50
];
while
(
true
) {
Socket socket = sslServerSocket.accept();
InputStream in = socket.getInputStream();
in.read(buffer);
System.out.println(
"Received: "
+
new
String(buffer));
OutputStream out = socket.getOutputStream();
out.write(bye.getBytes());
out.flush();
}
}
}
|
先运行服务器端,再运行客户端。服务器端执行结果:
客户端执行结果: