Java: how to add SSL client-side authentication


Question

I have this code to connect the server with a client using SSL, and now I want to add client-side authentication:

(I have a server keystore (JCEKS type) and a client keystore (JKS type), the server uses a truststore (cacerts) where I imported both certificates because I also want to use this truststore for client authentication)

Client code:

import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// Default truststore used to verify the server certificate. No javax.net.ssl.keyStore* is set,
// so the default factory has no client certificate and private key to present.
System.setProperty("javax.net.ssl.trustStore", cerServer);
System.setProperty("javax.net.ssl.trustStoreType", "JCEKS");
System.setProperty("javax.net.ssl.trustStorePassword", pwdCacerts);

SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("localhost", port);

Server code:

import java.io.File;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

// LoadKeyStore is the asker's own helper: it opens the keystore file with the given password and type.
KeyStore ks = LoadKeyStore(new File(serverKeyStore), pwdKeyStore, "JCEKS");
KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, pwdKeyStore.toCharArray());

SSLContext sc = SSLContext.getInstance("SSL");
// null TrustManagers: the default truststore (javax.net.ssl.trustStore*) is used.
sc.init(kmf.getKeyManagers(), null, null);

SSLServerSocketFactory ssf = sc.getServerSocketFactory();
// Client authentication is never requested on this socket (no setWantClientAuth/setNeedClientAuth).
sslserversocket = (SSLServerSocket) ssf.createServerSocket(port);

Thanks in advance for your help.

edit: I added this code on the server side:

System.setProperty("javax.net.ssl.trustStore", cacerts);
System.setProperty("javax.net.ssl.trustStoreType","JKS");
System.setProperty("javax.net.ssl.trustStorePassword", pwdCacerts);

but if I delete the client certificate from cacerts, the connection doesn't give me an error, so I think that way is wrong.

Recommended answer

If you want your system to use client-certificate authentication, you'll need

  • the server to request (or require) a client certificate. This is done by setting setWantClientAuth(true) on the server socket (or setNeedClientAuth, respectively). You'll also need the server to advertise the CA it accepts, which is normally done by using a truststore on the server that contains the CA by which the client-certificate chain was issued (this seems to be what you've done by setting javax.net.ssl.trustStore* on the server).

  • the client to be configured with a keystore containing the client certificate (possibly the chain if there are intermediate CAs) and its private key. This can be done by setting the javax.net.ssl.keyStore* (which may affect other connections) or by using a KeyManagerFactory in the same way as you've done it on the server side.

If you use setWantClientAuth(true), you might still not get an error, since the server will accept connections that don't have a client-certificate (the server would then check the SSLSession's peer certificates to see whether there was a cert or not). setNeedClientAuth(true) would break the connection when the client doesn't present a certificate.
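The two points of the answer put together as one runnable program (an added example, not code from the question or the answer): both sides build their SSLContext from an explicit KeyManagerFactory and TrustManagerFactory instead of the javax.net.ssl.* system properties, the server calls setNeedClientAuth(true) so a client without a certificate is rejected at the handshake, and peerCertificate() shows the SSLSession check the answer mentions for the optional setWantClientAuth(true) mode. The file names, passwords, port and class name are placeholders assumed for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsExample {

    // Loads a JKS or JCEKS keystore from disk.
    static KeyStore loadKeyStore(String path, char[] password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    // Identity keystore = own certificate (chain) + private key; truststore = CA that issued the
    // peer's certificate. Explicit TrustManagers mean javax.net.ssl.trustStore* is not consulted,
    // so other connections in the JVM are unaffected.
    static SSLContext buildContext(KeyStore identity, char[] keyPassword, KeyStore truststore) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // Server: setNeedClientAuth(true) fails the handshake when no client certificate is presented;
    // setWantClientAuth(true) only requests one and accepts the connection either way.
    static SSLServerSocket openServerSocket(SSLContext ctx, int port, boolean required) throws Exception {
        SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        if (required) ss.setNeedClientAuth(true); else ss.setWantClientAuth(true);
        return ss;
    }

    // Client: the KeyManagers in ctx supply the client certificate when the server asks for it.
    static SSLSocket openClientSocket(SSLContext ctx, String host, int port) throws Exception {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        s.startHandshake();   // fail now rather than on the first read or write
        return s;
    }

    // The check the answer describes for "want" mode: the verified client certificate, or null
    // when the client connected without one (getPeerCertificates throws in that case).
    static X509Certificate peerCertificate(SSLSocket accepted) {
        SSLSession session = accepted.getSession();
        try {
            Certificate[] chain = session.getPeerCertificates();
            return chain.length == 0 ? null : (X509Certificate) chain[0];
        } catch (SSLPeerUnverifiedException e) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names and password (assumptions for this example).
        char[] pwd = "changeit".toCharArray();
        KeyStore serverKs = loadKeyStore("server.jceks", pwd, "JCEKS");
        KeyStore clientKs = loadKeyStore("client.jks", pwd, "JKS");
        KeyStore trusted = loadKeyStore("cacerts.jks", pwd, "JKS"); // the issuing CA(s) of both sides
        SSLContext serverCtx = buildContext(serverKs, pwd, trusted);
        SSLContext clientCtx = buildContext(clientKs, pwd, trusted);

        int port = 8443;
        try (SSLServerSocket server = openServerSocket(serverCtx, port, true)) {
            Thread acceptor = new Thread(() -> {
                try (SSLSocket accepted = (SSLSocket) server.accept()) {
                    accepted.startHandshake();
                    X509Certificate cert = peerCertificate(accepted);
                    System.out.println("client authenticated as: "
                            + (cert == null ? "(no certificate)" : cert.getSubjectX500Principal()));
                } catch (Exception e) {
                    System.out.println("handshake rejected: " + e.getMessage());
                }
            });
            acceptor.start();
            try (SSLSocket client = openClientSocket(clientCtx, "localhost", port)) {
                System.out.println("negotiated " + client.getSession().getProtocol());
            }
            acceptor.join();
        }
    }
}
```

With required set to true, removing the client certificate's issuer from the truststore (the experiment in the question) makes the server's TrustManager reject the chain and the handshake fails on both sides, which is the error the question was expecting; with false, the connection succeeds and peerCertificate() returns null, so the application itself has to decide what to do with an unauthenticated client.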
