Java:如何添加SSL客户端身份验证 [英] Java: how to add SSL client-side authentication
问题描述
我有以下代码使用SSL将服务器与客户端连接,现在我想添加客户端身份验证:
I have this code to connect the server with a client using SSL, and now I want to add client-side authentication:
(我有一个服务器密钥库(JCEKS类型)和一个客户端密钥库(JKS类型),服务器使用了一个信任库(证书),在这里我导入了两个证书,因为我也想将此信任库用于客户端身份验证)
(I have a server keystore (JCEKS type) and a client keystore (JKS type), the server uses a truststore (cacerts) where I imported both certificates because I also want to use this truststore for client authentication)
客户代码:
System.setProperty("javax.net.ssl.trustStore", cerServer);
System.setProperty("javax.net.ssl.trustStoreType","JCEKS");
System.setProperty("javax.net.ssl.trustStorePassword", pwdCacerts);
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("localhost", port);
服务器代码:
KeyStore ks = LoadKeyStore(new File(serverKeyStore), pwdKeyStore, "JCEKS");
KeyManagerFactory kmf;
kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, pwdKeyStore.toCharArray());
SSLContext sc = SSLContext.getInstance("SSL");
sc.init(kmf.getKeyManagers(),null, null);
SSLServerSocketFactory ssf = sc.getServerSocketFactory();
sslserversocket = (SSLServerSocket) ssf.createServerSocket(port);
在此先感谢您的帮助.
我将此代码添加到服务器端:
edit: I add this code in the server side:
System.setProperty("javax.net.ssl.trustStore", cacerts);
System.setProperty("javax.net.ssl.trustStoreType","JKS");
System.setProperty("javax.net.ssl.trustStorePassword", pwdCacerts);
但是如果我删除cacerts中的客户端证书,则连接不会给我错误,因此我认为那是错误的方式
but if I delete the client certificate in cacerts, the connection doesn't give me error and for that I think it's wrong that way
推荐答案
如果您希望系统使用客户端证书身份验证,则需要
If you want your system to use client-certificate authentication, you'll need
-
服务器请求(或要求)客户端证书.这是通过在服务器套接字上分别设置
setWantClientAuth(true)
(或分别为setNeedClientAuth
)来完成的.您还需要服务器公布它接受的CA,通常通过使用服务器上的信任库来完成,该信任库包含颁发客户端证书链的CA(这似乎是您通过设置javax.net.ssl.trustStore*
在服务器上).
the server to request (or require) a client certificate. This is done by setting
setWantClientAuth(true)
on the server socket (orsetNeedClientAuth
, respectively). You'll also need the server to advertise the CA it accepts, which is normally done by using a truststore on the server that contains the CA by which the client-certificate chain was issued (this seems to be what you've done by settingjavax.net.ssl.trustStore*
on the server).
要为客户端配置的密钥库,该密钥库包含客户端证书(如果有中间CA,则可能为链)及其私钥.可以通过设置javax.net.ssl.keyStore*
(这可能会影响其他连接)或通过使用KeyManagerFactory
来完成此操作,就像在服务器端一样.
the client to be configured with a keystore containing the client certificate (possible the chain if there are intermediate CAs) and its private key. This can be done by setting the javax.net.ssl.keyStore*
(which may affect other connections) or by using a KeyManagerFactory
in the same way as you've done it on the server side.
如果使用setWantClientAuth(true)
,则可能仍未收到错误,因为服务器将接受没有客户端证书的连接(然后服务器将检查SSLSession
的对等证书,以查看是否是否有证书).当客户端不提供证书时,setNeedClientAuth(true)
将断开连接.
If you use setWantClientAuth(true)
, you might still not get an error, since the server will accept connections that don't have a client-certificate (the server would then check the SSLSession
's peer certificates to see whether there was a cert or not). setNeedClientAuth(true)
would break the connection when the client doesn't present a certificate.
这篇关于Java:如何添加SSL客户端身份验证的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!