How to use UnboundID SDK to connect to an LDAP server with the SSL server certificate?


Question

I have in my hand an SSL LDAP server certificate. I want to use it to connect to the LDAP server using UnboundID SDK.

I do not want to use com.unboundid.util.ssl.TrustAllTrustManager as was shown here: Using UnboundID SDK with an SSL certificate file to connect to LDAP server in Android app

The following TrustManagers do not fit our product requirements:

com.unboundid.util.ssl.PromptTrustManager
com.unboundid.util.ssl.HostNameTrustManager
com.unboundid.util.ssl.ValidityDateTrustManager

I do not want any user interaction, and what I miss in the list above is a TrustManager that validates the certificate issuers.

Also, I do not want to insert the LDAP server certificate in any keystore, so I can not use the following TrustManagers:

com.unboundid.util.ssl.WrapperKeyManager
com.unboundid.util.ssl.PKCS11KeyManager
com.unboundid.util.ssl.KeyStoreKeyManager

I want to do something like the code below:

CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cert = cf.generateCertificate(byteArrayInputStream);
SSLUtil sslUtil = new SSLUtil(new CertificateTrustManager(cert));
SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();
LDAPConnection connection = new LDAPConnection(socketFactory,
     "server.example.com", 636);

Please note that CertificateTrustManager does not exist in UnboundID SDK. How is it possible to do it?

Recommended answer

I found the solution using Using UnboundID SDK with an SSL certificate file to connect to LDAP server in Android app and How to import a .cer certificate into a java keystore? (answer of Patrick M).

Now I can take a certificate from UI and connect to LDAP via SSL :)

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.util.ssl.SSLUtil;

import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

// PEM text of the server certificate (or its issuing chain) as received from the UI.
String base64EncodedCertificateString = "...";
ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(
        base64EncodedCertificateString.getBytes(StandardCharsets.US_ASCII));

// An empty in-memory trust store: nothing is read from or written to disk.
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null, null);

// generateCertificates() parses every certificate in the stream (PEM or DER) and
// tolerates trailing whitespace, which a generateCertificate() loop driven by
// available() does not: a trailing newline after the last block makes it throw.
CertificateFactory cf = CertificateFactory.getInstance("X.509");
int i = 0;
for (Certificate cert : cf.generateCertificates(byteArrayInputStream)) {
    trustStore.setCertificateEntry("cert " + i++, cert);
}

// Standard trust manager that only accepts chains ending at the certificates above,
// so the issuer is validated without prompting the user or touching a keystore file.
TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(trustStore);
TrustManager[] trustManagers = tmf.getTrustManagers();
SSLUtil sslUtil = new SSLUtil(trustManagers);
SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();
LDAPConnection connection = new LDAPConnection(socketFactory);
connection.connect("place.myserver.com", 636);
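The question asks for a trust manager built from a certificate the application already holds, and the answer above shows the trust store built by hand. The following is an added example, not code from the question, the answer or the UnboundID project, that packages the same approach as a reusable helper and adds two things a production client wants: it rejects input from which no certificate could be parsed (an empty trust store otherwise fails later, at handshake time, with an unhelpful PKIX error), and it enables hostname verification, since the trust manager alone only proves the certificate chains to a pinned anchor, not that it was issued for the host being contacted. The class and method names (PinnedLdapsConnector, trustStoreFrom, socketFactoryFor, connect) and the host name are this example's own; HostNameSSLSocketVerifier and LDAPConnectionOptions.setSSLSocketVerifier are UnboundID LDAP SDK APIs and must be available in the SDK version in use.

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPConnectionOptions;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.ssl.HostNameSSLSocketVerifier;
import com.unboundid.util.ssl.SSLUtil;

import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Collection;

/** Hypothetical helper; the class and method names are this example's own. */
public final class PinnedLdapsConnector {

    /**
     * Builds an in-memory trust store holding only the supplied certificates.
     * The input may be one or more PEM blocks or a single DER certificate;
     * CertificateFactory handles both encodings.
     */
    static KeyStore trustStoreFrom(byte[] encodedCertificates)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> certs =
                cf.generateCertificates(new ByteArrayInputStream(encodedCertificates));
        // An empty trust store would make every TLS handshake fail later with an
        // unhelpful PKIX error, so reject bad input here where it can be reported.
        if (certs.isEmpty()) {
            throw new CertificateException("no X.509 certificate found in the supplied bytes");
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null); // initialise empty; nothing touches the filesystem
        int i = 0;
        for (Certificate cert : certs) {
            trustStore.setCertificateEntry("trusted-" + i++, cert);
        }
        return trustStore;
    }

    /**
     * Standard PKIX trust manager over that store: a server chain is accepted only
     * if it ends at one of the pinned certificates, and validity dates are checked.
     */
    static SSLSocketFactory socketFactoryFor(KeyStore trustStore)
            throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return new SSLUtil(tmf.getTrustManagers()).createSSLSocketFactory();
    }

    /**
     * Opens an LDAPS connection. Trust decisions come from the pinned certificates;
     * HostNameSSLSocketVerifier additionally checks that the presented certificate
     * was issued for {@code host}, which the trust manager alone does not do.
     */
    static LDAPConnection connect(String host, int port, byte[] trustedCertificates)
            throws GeneralSecurityException, IOException, LDAPException {
        LDAPConnectionOptions options = new LDAPConnectionOptions();
        options.setSSLSocketVerifier(new HostNameSSLSocketVerifier(false)); // no wildcard names
        SSLSocketFactory socketFactory = socketFactoryFor(trustStoreFrom(trustedCertificates));
        return new LDAPConnection(socketFactory, options, host, port);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: substitute the PEM text received from the UI and the real host.
        String pemFromUi = "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n";
        try (LDAPConnection conn =
                     connect("ldap.example.com", 636, pemFromUi.getBytes(StandardCharsets.US_ASCII))) {
            System.out.println("connected: " + conn.isConnected());
        }
    }
}
```

If the PEM text holds only the server's leaf certificate, the PKIX trust manager still accepts the connection because the presented certificate is itself a trust anchor; if it holds the issuing CA instead, any server certificate signed by that CA is accepted, and the hostname verifier is what stops a certificate issued to a different host from being used against this client.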
