Using more than one key-pair in SSL Socket Factory Connection


Problem description


I'm using a key-pair and I'm thinking about the possibility of using more than one private key to create an SSL socket factory.

So I'll be able to share distinct public keys and make the handshake
dynamically based on the public key store provided for clients.

Below is the source code explaining how I create this SSL connection:

...
  ...log("Activating an SSL connection");
  System.setProperty("javax.net.ssl.keyStore", "myPrivateKey");
  System.setProperty("javax.net.ssl.keyStorePassword", "myPass");

  // SSL Server Socket Factory
  SSLServerSocketFactory sslSrvFact = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
  objServerSocket = sslSrvFact.createServerSocket(iPort);
  log("SSL connection actived");
...

Is it possible, or is it a dream?

Thx

Solution

You can do this by constructing your own SSLContext using your own X509KeyManager and choose the keystore alias using its chooseClientAlias method (or chooseServerAlias, depending on the side).

Something along these lines should work:

import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509KeyManager;

// Load the key store: change store type if needed
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream fis = new FileInputStream("/path/to/keystore");
try {
    ks.load(fis, keystorePassword);
} finally {
    if (fis != null) { fis.close(); }
}

// Get the default Key Manager
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
   KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, keyPassword);

final X509KeyManager origKm = (X509KeyManager) kmf.getKeyManagers()[0];
X509KeyManager km = new X509KeyManager() {
    public String chooseClientAlias(String[] keyType,
                                    Principal[] issuers, Socket socket) {
        // Implement your alias selection, possibly based on the socket
        // and the remote IP address, for example. Until then, keep the
        // default choice so the handshake still completes:
        return origKm.chooseClientAlias(keyType, issuers, socket);
    }

    // Delegate the other methods to origKm.
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return origKm.chooseServerAlias(keyType, issuers, socket);
    }
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return origKm.getClientAliases(keyType, issuers);
    }
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return origKm.getServerAliases(keyType, issuers);
    }
    public X509Certificate[] getCertificateChain(String alias) {
        return origKm.getCertificateChain(alias);
    }
    public PrivateKey getPrivateKey(String alias) {
        return origKm.getPrivateKey(alias);
    }
};

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[] { km }, null, null);

// SSLContext exposes getSocketFactory() (and getServerSocketFactory() for the server side)
SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

(There is a short example here that may help you get started.)

You don't actually have to delegate to the original KeyManager (I just find it more convenient). You could very well implement all its methods to return the keys and certs using the KeyStore you've loaded.

Note that this is mostly useful for choosing the client-certificate. Java doesn't support Server Name Indication (SNI) on the server-side (even in Java 7 as far as I know), so you won't be able to know which host name the client is requesting before choosing the alias (from a server point of view).
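As an added example that is not part of the original answer: a server-side X509KeyManager that picks the keystore alias by the local listening port, which is the socket-based selection the answer describes for a server that cannot see SNI, and that checks the alias against the requested key type before returning it. The class name and the port-to-alias map are constructed for this example.

```java
import java.net.Socket;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

// Wraps the default X509KeyManager and picks the server certificate by the local
// listening port, one keystore alias per listener, with no dependence on SNI.
// Hypothetical class for this example; alias/port values are constructed.
public final class PortBasedKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final Map<Integer, String> aliasByPort; // e.g. 8443 -> "site-a", 9443 -> "site-b"

    public PortBasedKeyManager(X509KeyManager delegate, Map<Integer, String> aliasByPort) {
        this.delegate = delegate;
        this.aliasByPort = aliasByPort;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        String wanted = (socket == null) ? null : aliasByPort.get(socket.getLocalPort());
        // Only return an alias the keystore actually holds for the requested key type
        // (RSA, EC, ...); a mismatched alias makes the handshake fail later, not here.
        String[] valid = delegate.getServerAliases(keyType, issuers);
        if (wanted != null && valid != null && Arrays.asList(valid).contains(wanted)) {
            return wanted;
        }
        return delegate.chooseServerAlias(keyType, issuers, socket); // default JSSE choice
    }

    // Builds a server socket factory wired to this selection; ks must already be loaded.
    public static SSLServerSocketFactory serverFactory(KeyStore ks, char[] keyPassword,
            Map<Integer, String> aliasByPort) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPassword);
        X509KeyManager base = (X509KeyManager) kmf.getKeyManagers()[0];
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { new PortBasedKeyManager(base, aliasByPort) }, null, null);
        return ctx.getServerSocketFactory();
    }

    // Everything else is delegated unchanged to the JSSE key manager.
    @Override public String chooseClientAlias(String[] kt, Principal[] is, Socket s) { return delegate.chooseClientAlias(kt, is, s); }
    @Override public String[] getClientAliases(String kt, Principal[] is) { return delegate.getClientAliases(kt, is); }
    @Override public String[] getServerAliases(String kt, Principal[] is) { return delegate.getServerAliases(kt, is); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

For an SSLEngine-based server, extend X509ExtendedKeyManager and override chooseEngineServerAlias instead, since the socket argument is null on that path. On Java 8 and later, server-side SNI is available through SSLParameters.setSNIMatchers, which is a better selector than the port when the certificates are distinguished by hostname.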
