亚洲AV无码成人精品区日韩,亚洲av无码专区亚洲av不卡,亚洲电影唐人社一区二区

用OpenSSL與JAVA(JSSE)通信

概念
JAVA使用keystore文件來存儲所有KEY，keystore文件可以存放多個KEY，訪問它需要密碼。
下面我介紹下如何將用OpenSSL做自簽名的證書一文中介紹的OpenSSL產(chǎn)生的KEY與JAVA的KEY轉(zhuǎn)換后使用，從而達(dá)到JAVA與OpenSSL通信的目的。

用OpenSSL生成CA根證書，即(P1,V1)
此步驟參見用OpenSSL做自簽名的證書一文

在JAVA環(huán)境下生成自己的KEY，即(P2,V2)

keytool -genkey -alias clientapp -keystore mycerts

注意：這里會提示輸入訪問keystore的密碼，以及組織、城市、省份，一定要與CA根證書的一致，否則不能被CA簽名。

從keystore中導(dǎo)出public key，即P2

keytool -keystore mycerts -certreq -alias clientapp -file clientapp.crs

用CA根證書為這個public key進(jìn)行簽名，即用V1給P2加密

openssl ca -out clientapp.pem -config ./openssl.cnf -infiles?clientapp.crs
?

轉(zhuǎn)換PEM到DER格式

openssl x509 -in clientapp.pem -out clientapp.der -outform DER

導(dǎo)入CA證書，即P1

keytool -keystore mycerts -alias systemca -import -file cacert.pem

導(dǎo)入用戶證書，即被V1加密過的P2

keytool -keystore mycerts -alias clientapp -import -file clientapp.der

注意：這里一定要先導(dǎo)入CA證書再導(dǎo)入用戶證書，否則會報(bào)錯。

現(xiàn)在我們就生成了JAVA服務(wù)器使用的所有KEY了，在程序中將mycerts這個keystore導(dǎo)入就可以了。
如果客戶端是使用OpenSSL的程序，那么用CA證書cacert.pem就能正常通信了，如果也是JAVA程序，那么我們需要將CA證書也轉(zhuǎn)換成keystore：

keytool -import -keystore clikeystore -import -trustcacerts -file cacert.pem

生成的clikeystore供JAVA客戶端使用，就能通信。

再附上SVR和CLI的JAVA程序，我已經(jīng)用上面的KEY都測試通過：
SVR端：

import ?java.io. * ;

import ?java.net. * ;

import ?com.sun.net.ssl.KeyManagerFactory;

import ?com.sun.net.ssl.KeyManager;

import ?com.sun.net.ssl.TrustManagerFactory;

import ?com.sun.net.ssl.TrustManager;

import ?com.sun.net.ssl.SSLContext;

import ?javax.net.ServerSocketFactory;

import ?java.security.KeyStore;

public ? class ?svr? implements ?Runnable {

?? public ? static ? final ? int ?PORT? = ? 5555 ;

?? public ? static ? final ?String?HOST? = ? " localhost " ;

?? public ? static ? final ?String?QUESTION? = ? " Knock,?knock. " ;

?? public ? static ? final ?String?ANSWER? = ? " Who's?there? " ;

?? // ?The?new?constants?that?are?used?during?setup.

?? public ? static ? final ?String?KEYSTORE_FILE? = ? " mycerts " ; // "server_keystore";

?? public ? static ? final ?String?ALGORITHM? = ? " sunx509 " ;

?? public ? static ? final ?String?PASSWORD? = ? " churchillobjects " ;

?? public ? static ? void ?main(String[]?args) {

???? new ?Thread( new ?svr()).start();

??}

?? public ? void ?run() {

????ServerSocket?ss? = ? null ;

???? try ? {

?????? // ?Local?references?used?for?clarity.?Their?presence

?????? // ?here?is?part?of?the?reason?we?need?to?import

?????? // ?so?many?classes.

??????KeyManagerFactory?kmf;

??????KeyManager[]?km;

??????KeyStore?ks;

??????TrustManagerFactory?tmf;

??????TrustManager[]?tm;

??????SSLContext?sslc;

??????

?????? // ?Create?a?keystore?that?will?read?the?JKS?(Java?KeyStore)

?????? // ?file?format?which?was?created?by?the?keytool?utility.

??????ks? = ?KeyStore.getInstance( " JKS " );

??????

?????? // ?Load?the?keystore?object?with?the?binary?keystore?file?and

?????? // ?a?byte?array?representing?its?password.

??????ks.load( new ?FileInputStream(KEYSTORE_FILE),?PASSWORD.toCharArray());

??????

?????? // ?Gives?us?a?factory?for?key?managers?that?will?let

?????? // ?us?handle?the?asymetric?keys?we?created?earlier.

??????kmf? = ?KeyManagerFactory.getInstance(ALGORITHM);

?????? // ?Initialize?the?key?manager?factory?with?the?keystore?object,

?????? // ?again?using?the?same?password?for?security?since?it?is?going?to

?????? // ?access?the?private?key.

??????kmf.init(ks,?PASSWORD.toCharArray());

??????

?????? // ?Now?we?can?get?the?key?managers?from?the?factory,?since?it?knows

?????? // ?what?type?we?are?using?now.

??????km? = ?kmf.getKeyManagers();

??????

?????? // ?Next,?create?a?trust?manager?factory?using?the?same?algorithm.

?????? // ?This?is?to?avoid?using?the?certificates?in?cacerts?that

?????? // ?represent?an?authentication?security?risk.

??????tmf? = ?TrustManagerFactory.getInstance(ALGORITHM);

??????

?????? // ?

then?initialize?it?with?the?keystore?object.?This?time?we?don't

?????? // ?need?the?keystore?password.?This?is?because?trusted?certificates

?????? // ?are?not?a?sensitive?element?in?the?keystore,?unlike?the

?????? // ?private?keys.

??????tmf.init(ks);

??????

?????? // ?Once?that's?initialized,?get?the?trust?managers?from?the?factory.

??????tm? = ?tmf.getTrustManagers();

??????

?????? // ?Almost?done,?we?need?a?context?object?that?will?get?our

?????? // ?server?socket?factory.?We?specify?TLS?to?indicate?that?we?will

?????? // ?need?a?server?socket?factory?that?supports?SSL.

??????sslc? = ?SSLContext.getInstance( " TLS " );

??????

?????? // ?Initialize?the?context?object?with?the?key?managers?and?trust

?????? // ?managers?we?got?earlier.?The?third?parameter?is?an?optional

?????? // ?SecureRandom?object.?By?passing?in?null,?we?are?letting?the

?????? // ?context?object?create?its?own.

??????sslc.init(km,?tm,? null );

??????

?????? // ?Finally,?we?get?the?ordinary-looking?server?socket?factory

?????? // ?from?the?context?object.

??????ServerSocketFactory?ssf? = ?sslc.getServerSocketFactory();

??????

?????? // ?From?the?factory,?we?simply?ask?for?an?ordinary-looking

?????? // ?server?socket?on?the?port?we?wish.

??????ss? = ?ssf.createServerSocket(PORT);

??????listen(ss);

????}

???? catch (Exception?e) {

??????e.printStackTrace();

????}

???? finally {

?????? if (ss != null ) {

???????? try {

??????????ss.close();

????????}

???????? catch (IOException?e) {

?????????? // ?oh,?well

????????}

??????}

??????System.exit( 0 );

????}

??}

?? static ? void ?listen(ServerSocket?ss)? throws ?Exception {

????System.out.println( " Ready?for?connections. " );

???? while ( true ) {

??????Socket?s? = ?ss.accept();

??????BufferedWriter?bw? = ? new ?BufferedWriter(

???????? new ?OutputStreamWriter(s.getOutputStream()));

??????BufferedReader?br? = ? new ?BufferedReader(

???????? new ?InputStreamReader(s.getInputStream()));

??????String?q? = ?br.readLine();

?????? if ( ! QUESTION.equals(q)) {

???????? throw ? new ?RuntimeException( " Wrong?question:?\ "" ?+?q?+? " \ "" );

??????}

??????System.out.println( " Question:?\ "" ?+?q?+? " \ "" );

??????bw.write(ANSWER + " \n " );

??????bw.flush();

??????s.close();

????}

??}

}

CLI端程序：

import ?java.io. * ;

import ?java.net. * ;

import ?com.sun.net.ssl.KeyManagerFactory;

import ?com.sun.net.ssl.TrustManagerFactory;

import ?com.sun.net.ssl.SSLContext;

import ?java.security.KeyStore;

import ?javax.net.SocketFactory;

public ? class ?cli? implements ?Runnable {

?? public ? static ? final ? int ?PORT? = ? 5555 ;

?? public ? static ? final ?String?HOST? = ? " localhost " ;

?? public ? static ? final ?String?KEYSTORE_FILE? = ? " clikeystore " ; // "client_keystore";

?? public ? static ? final ?String?ALGORITHM? = ? " sunx509 " ;

?? public ? static ? final ?String?PASSWORD? = ? " churchillobjects " ;

?? public ? static ? final ?String?QUESTION? = ? " Knock,?knock. " ;

?? public ? static ? final ?String?ANSWER? = ? " Who's?there? " ;

?? public ? static ? void ?main(String[]?args) {

???? new ?Thread( new ?cli()).start();

??}

?? public ? void ?run() {

????Socket?socket? = ? null ;

???? try {

??????KeyManagerFactory?kmf;

??????KeyStore?ks;

??????TrustManagerFactory?tmf;

??????SSLContext?sslc;

??????kmf? = ?KeyManagerFactory.getInstance(ALGORITHM);

??????ks? = ?KeyStore.getInstance(? " JKS " ?);

??????ks.load( new ?FileInputStream(KEYSTORE_FILE),?PASSWORD.toCharArray());

??????kmf.init(ks,?PASSWORD.toCharArray());

??????tmf? = ?TrustManagerFactory.getInstance(ALGORITHM);

??????tmf.init(ks);

??????sslc? = ?SSLContext.getInstance( " TLS " );

??????sslc.init(kmf.getKeyManagers(),?tmf.getTrustManagers(),? null );

?????? // ?The?process?is?different?from?here?on?the?client.?Instead?of

?????? // ?getting?a?ServerSocketFactory,?we?ask?for?a?SocketFactory?from

?????? // ?the?SSL?context.

??????SocketFactory?sf? = ?sslc.getSocketFactory();

?????? // ?Then?we?get?the?socket?from?the?factory?and?treat?it

?????? // ?as?if?it?were?a?standard?(plain)?socket.

??????socket? = ?sf.createSocket(HOST,?PORT);

????

??????doQuery(socket);

????}

???? catch (Exception?e) {

??????e.printStackTrace();

????}

???? finally {

?????? if (socket != null ) {

???????? try {

??????????socket.close();

????????}

???????? catch (IOException?e) {

?????????? // ?oh,?well

????????}

??????}

??????System.exit( 0 );

????}

??}

?? private ? void ?doQuery(Socket?s)? throws ?Exception {

????BufferedWriter?bw? = ? new ?BufferedWriter( new ?OutputStreamWriter(s.getOutputStream()));

????BufferedReader?br? = ? new ?BufferedReader( new ?InputStreamReader(s.getInputStream()));

????bw.write(QUESTION + " \n " );

????bw.flush();

????String?response? = ?br.readLine();

???? if ( ! ANSWER.equals(response)) {

?????? throw ? new ?RuntimeException( " Wrong?answer:?\ "" ?+?response?+? " \ "" );

????}

????System.out.println( " Got?the?right?answer:?\ "" ?+?response?+? " \ "" );

??}

}

以上方法主要參考了如下兩個網(wǎng)頁：

http://www.churchillobjects.com/c/11201g.html

http://mark.foster.cc/kb/openssl-keytool.html

posted on 2006-12-03 12:36 我愛佳娃閱讀(11850) 評論(7) 編輯收藏所屬分類: SSL

常用鏈接

留言簿(19)

隨筆分類(134)

隨筆檔案(123)

我的博客

最新隨筆

搜索

積分與排名

最新評論

閱讀排行榜

評論排行榜


只有注冊用戶登錄后才能發(fā)表評論。




網(wǎng)站導(dǎo)航: 博客園 IT新聞 Chat2DB C++博客博問管理
相關(guān)文章: 轉(zhuǎn)的:果然是5分鐘配成TOMCAT使用SSL(https) Perl與Java的SSL通信示例用OpenSSL與JAVA(JSSE)通信用OpenSSL做自簽名的證書在windows下編譯openssl