使用Java进行双向认证的SSL链接及使用OpenSSL生产证书链附源程序(转).doc

这几天被SSL和证书搞得头昏脑胀的。不过还好终于把这个SSL搞定了。用SSL进行双向身份验证意思就是在客户机连接服务器时，链接双方都要对彼此的数字证书进行验证，保证这是经过授权的才能够连接（我们链接一般的SSL时采用的是单向验证，客户机只验证服务器的证书，服务器不验证客户机的证书。而连接网上银行时使用的U盾就是用来存储进行双向验证所需要的客户端证书的）。JDK里面内置了一个数字证书生产工具：keytool。但是这个工具只能生成自签名的数字证书。所谓自签名就是指证书只能保证自己是完整的，没有经过非法修改的。但是无法保证这个证书是属于谁的。其实用这种自签名的证书也是可以进行双向验证的(用keytool生成的自签名证书进行双向验证请看这里，向这位仁兄致意：/stone2083/archive/2007/12/20/169015.html），但是这种验证有一个缺点：对于每一个要链接的服务器，都要保存一个证书的验证副本。而且一旦服务器更换证书，所有客户端就需要重新部署这些副本。对于比较大型的应用来说，这一点是不可接受的。所以就需要证书链进行双向认证。证书链是指对证书的签名又一个预先部署的，众所周知的签名方签名完成，这样每次需要验证证书时只要用这个公用的签名方的公钥进行验证就可以了。比如我们使用的浏览器就保存了几个常用的CA_ROOT。每次连接到网站时只要这个网站的证书是经过这些CA_ROOT签名过的。就可以通过验证了。但是这些共用的CA_ROOT的服务不是免费的。而且价格不菲。所以我们有必要自己生成一个CA_ROOT的密钥对，然后部署应用时，只要把这个CA_ROOT的私钥部署在所有节点就可以完成验证了。要进行CA_ROOT的生成，需要OpenSSL（/）。你也可以在/products/Win32OpenSSL.html找到Windows下的版本安装好OpenSSL以后就可以生成证书链了，我写了一个BAT解决这些东西： echo offset Cset PWD_SERVER_KS=serverksset PWD_SERVER_KEY=serverkeyset PWD_CLIENT_KS=clientksset PWD_CLIENT_KEY=clientkeyif not exist ca.key ( echo Generating a ca root key file. openssl req -new -x509 -keyout ca.key -out ca.crt -config %CONFIG%) else ( echo ca.key already exists.)if not exist server.keystore ( echo Generating servers private key. keytool -genkey -alias logon_server_private_key -validity 365 -keyalg RSA -keysize 1024 -keystore server.keystore -keypass %PWD_SERVER_KEY% -storepass %PWD_SERVER_KS%) else ( echo server.keystore already exits.)if not exist client.keystore ( echo Generating clients private key. keytool -genkey -alias ipclient_private_key -validity 365 -keyalg RSA -keysize 1024 -keystore client.keystore -keypass %PWD_CLIENT_KEY% -storepass %PWD_CLIENT_KS%) else ( echo client.keystore already exits.)echo =Finished key generation=if not exist logon_server_private_key.csr ( echo Generating servers singature request file. keytool -certreq -alias logon_server_private_key -sigalg MD5withRSA -file logon_server_private_key.csr -keypass %PWD_SERVER_KEY% -storepass %PWD_SERVER_KS% -keystore server.keystore) else ( echo logon_server_private_key.csr already exits.)if not exist ipclient_private_key.csr ( echo Generating clients singature request file. keytool -certreq -alias ipclient_private_key -sigalg MD5withRSA -file ipclient_private_key.csr -keypass %PWD_CLIENT_KEY% -storepass %PWD_CLIENT_KS% -keystore client.keystore) else ( echo ipclient_private_key.csr already exits.)if not exist logon_server_private_key.crt ( openssl ca -in logon_server_private_key.csr -out logon_server_private_key.crt -cert ca.crt -keyfile ca.key -notext -config %CONFIG%) else ( echo logon_server_private_key.crt already exits.)if not exist ipclient_private_key.crt ( openssl ca -in ipclient_private_key.csr -out ipclient_private_key.crt -cert ca.crt -keyfile ca.key -notext -config %CONFIG%) else ( echo ipclient_private_key.crt already exits.)echo =Finished ca root signaturing=echo Importing ca root certs into keystore.keytool -import -v -trustcacerts-alias ca_root -file ca.crt -storepass %PWD_SERVER_KS% -keystore server.keystorekeytool -import -v -trustcacerts-alias ca_root -file ca.crt -storepass %PWD_CLIENT_KS% -keystore client.keystoreecho Importing signatured keys.keytool -import -v -alias logon_server_private_key -file logon_server_private_key.crt -keypass %PWD_SERVER_KEY% -storepass %PWD_SERVER_KS% -keystore server.keystorekeytool -import -v -alias ipclient_private_key -file ipclient_private_key.crt -keypass %PWD_CLIENT_KEY% -storepass %PWD_CLIENT_KS% -keystore client.keystoreecho All done!运行这个批处理，期间需要回答一些问题，然后就可以得到一些文件其中client.keystore是需要在客户端部署的，server.keystore是在服务器部署的。ca.*是root_ca的密钥文件。然后可以用下面的代码测试： /* Copyrights (C) 2008 Bearice (BeariceG)* Release under GNU/GPL Version 2.*/package cn.bearice.ipcontroller.ccserver;import java.io.BufferedReader;import java.io.FileInputStream;import java.io.InputStreamReader;import java.io.PrintWriter;import java.security.KeyStore;import java.security.cert.X509Certificate;import java.util.logging.Level;import java.util.logging.Logger;import .ssl.KeyManagerFactory;import .ssl.SSLContext;import .ssl.SSLPeerUnverifiedException;import .ssl.SSLServerSocket;import .ssl.SSLServerSocketFactory;import .ssl.SSLSession;import .ssl.SSLSocket;import .ssl.SSLSocketFactory;import .ssl.TrustManagerFactory;/* author Bearice*/public class NewClass extends Thread Override public void run() try sleep(100); SSLContext ctx = SSLContext.getInstance(SSL); KeyManagerFactory kmf = KeyManagerFactory.getInstance(SunX509); TrustManagerFactory tmf = TrustManagerFactory.getInstance(SunX509); KeyStore ks = KeyStore.getInstance(JKS); /KeyStore tks = KeyStore.getInstance(JKS); ks.load(new FileInputStream(e:/certs/client.keystore), clientks.toCharArray(); /tks.load(new FileInputStream(e:/certs/tclient.keystore), clientks.toCharArray(); kmf.init(ks, clientkey.toCharArray(); tmf.init(ks); ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); SSLSocketFactory factory = ctx.getSocketFactory(); SSLSocket socket = (SSLSocket) factory.createSocket(, 4433); showCerts(socket.getSession(); PrintWriter pw = new PrintWriter(socket.getOutputStream(); pw.println(GET /index.html HTTP/1.0); pw.println(Server: ); pw.println(Connection: close); pw.println(); pw.flush(); BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream(); String ln; while (ln = in.readLine() != null) System.err.println(ln); catch (Exception ex) Logger.getLogger(NewClass.class.getName().log(Level.SEVERE, null, ex); public static void showCerts(SSLSession session) X509Certificate cert = null; try cert = (X509Certificate) session.getPeerCertificates()0; catch (SSLPeerUnverifiedException e) e.printStackTrace(); System.err.println(session.getPeerHost() + did not present a valid certificate); /System.exit(1); return; System.out.println(session.getPeerHost() + has presented a certificate belonging to + + cert.getSubjectDN() + n + The certificate was issued by: t + + cert.getIssuerDN() + ); public static void main(String args) throws Exception SSLContext ctx = SSLContext.getInstance(SSL); KeyManagerFactory kmf = KeyManagerFactory.getInstance(SunX509); TrustManagerFactory tmf = TrustManagerFactory.getInstance(SunX509); KeyStore ks = KeyStore.getInstance(JKS); /KeyStore tks = KeyStore.getInstance(JKS); ks.load(new FileInputStream(e:/certs/server.keystore), serverks.toCharArray(); /tks.load(new FileInputStream(e:/certs/tserver.keystore), serverks.toCharArray(); kmf.init(ks, serverkey.toCharArray(); tmf.init(ks); ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); SSLServerSocketFactory factory = ctx.getServerSocketFactory(); SSLServerSocket serverSocket = (SSLServerSocket) factory.createServerSocket(4433); serverSocket.setNeedClientAuth(true); new NewClass().start(); SSLSocket socket = (SSLSocket) serverSocket.accept(); try