在 Servlet 中读取客户端证书
Posted
技术标签:
【中文标题】在 Servlet 中读取客户端证书【英文标题】:Reading Client Certificate in Servlet 【发布时间】:2012-04-11 16:12:53 【问题描述】:我在 JBOSS 和浏览器中有一个客户端服务器通信场景作为客户端(JAVA PROGRAM)。最初,当建立连接时,客户端将其证书发送到服务器。服务器从证书中提取客户端的公钥,因此通信将继续。 现在我的问题是如何将证书(.cer)从客户端发送到服务器?如何在服务器中接收证书并提取其公钥?
【问题讨论】:
【参考方案1】:如何将证书(.cer)从客户端发送到服务器?
客户端证书(.cer、.crt、.pem)及其对应的私钥(.key)应首先打包到 PKCS#12(.p12、.pfx)或 JKS(.jks)容器中(密钥库)。您还应该将服务器的 CA 证书打包为 JKS(信任库)。
使用HttpClient 3.x的示例:
HttpClient client = new HttpClient();
// truststore
KeyStore trustStore = KeyStore.getInstance("JKS", "SUN");
trustStore.load(TestSupertype.class.getResourceAsStream("/client-truststore.jks"), "amber%".toCharArray());
String alg = KeyManagerFactory.getDefaultAlgorithm();
TrustManagerFactory fac = TrustManagerFactory.getInstance(alg);
fac.init(trustStore);
// keystore
KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE");
keystore.load(X509Test.class.getResourceAsStream("/etomcat_client.p12"), "etomcat".toCharArray());
String keyAlg = KeyManagerFactory.getDefaultAlgorithm();
KeyManagerFactory keyFac = KeyManagerFactory.getInstance(keyAlg);
keyFac.init(keystore, "etomcat".toCharArray());
// context
SSLContext ctx = SSLContext.getInstance("TLS", "SunJSSE");
ctx.init(keyFac.getKeyManagers(), fac.getTrustManagers(), new SecureRandom());
SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(ctx);
Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) secureProtocolSocketFactory, 8443));
// test get
HttpMethod get = new GetMethod("https://127.0.0.1:8443/etomcat_x509");
client.executeMethod(get);
// get response body and do what you need with it
byte[] responseBody = get.getResponseBody();
您可以在this project 中找到工作示例,请参阅X509Test 类。
使用HttpClient 4.x 配置和语法会略有不同:
HttpClient httpclient = new DefaultHttpClient();
// truststore
KeyStore ts = KeyStore.getInstance("JKS", "SUN");
ts.load(PostService.class.getResourceAsStream("/truststore.jks"), "amber%".toCharArray());
// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing truststore
if(0 == ts.size()) throw new IOException("Error loading truststore");
// tmf
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ts);
// keystore
KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE");
ks.load(PostService.class.getResourceAsStream("/" + certName), certPwd.toCharArray());
// if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing keystore
if(0 == ks.size()) throw new IOException("Error loading keystore");
// kmf
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, certPwd.toCharArray());
// SSL
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
// socket
SSLSocketFactory socketFactory = new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
Scheme sch = new Scheme("https", 8443, socketFactory);
httpclient.getConnectionManager().getSchemeRegistry().register(sch);
// request
HttpMethod get = new GetMethod("https://localhost:8443/foo");
client.executeMethod(get);
IOUtils.copy(get.getResponseBodyAsStream(), System.out);
如何在服务器中接收证书并提取其公钥?
您的服务器必须配置为需要 X.509 客户端证书身份验证。然后在 SSL 握手期间,servlet 容器将接收证书,将其与 trustore 进行检查,并将其作为请求属性提供给应用程序。 在通常情况下使用单个证书,您可以在 servlet 环境中使用此方法来提取证书:
protected X509Certificate extractCertificate(HttpServletRequest req)
X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
if (null != certs && certs.length > 0)
return certs[0];
throw new RuntimeException("No X.509 client certificate found in request");
【讨论】:
我来自 .Net 的角度,正在寻找与 ASP.NetPage.Request.ClientCertificate.Certificate 等效的 Java,HttpServletRequest 中的 javax.servlet.request.X509Certificate 属性是否与此等效? -- 如果有人知道...?以上是关于在 Servlet 中读取客户端证书的主要内容,如果未能解决你的问题,请参考以下文章