How to use UnboundID SDK to connect to an LDAP server with the SSL server certificate?


Question

I have in my hand an SSL LDAP server certificate. I want to use it to connect to the LDAP server using UnboundID SDK.

I do not want to use com.unboundid.util.ssl.TrustAllTrustManager as was shown here: Using UnboundID SDK with an SSL certificate file to connect to LDAP server in Android app

The following TrustManagers do not fit our product requirements:

com.unboundid.util.ssl.PromptTrustManager
com.unboundid.util.ssl.HostNameTrustManager
com.unboundid.util.ssl.ValidityDateTrustManager

I do not want any user interaction, and what I miss in the list above is a TrustManager that validates the certificate issuers.

Also, I do not want to insert the LDAP server certificate into any keystore, so I cannot use the following TrustManagers:

com.unboundid.util.ssl.WrapperKeyManager
com.unboundid.util.ssl.PKCS11KeyManager
com.unboundid.util.ssl.KeyStoreKeyManager

I want to do something like the following code:

CertificateFactory cf = CertificateFactory.getInstance("X.509");
Certificate cert = cf.generateCertificate(byteArrayInputStream);
SSLUtil sslUtil = new SSLUtil(new CertificateTrustManager(cert));
SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();
LDAPConnection connection = new LDAPConnection(socketFactory,
     "server.example.com", 636);

Please note that CertificateTrustManager does not exist in the UnboundID SDK. How is it possible to do this?

Answer

I found the solution using Using UnboundID SDK with an SSL certificate file to connect to LDAP server in Android app and How to import a .cer certificate into a java keystore? (answer by Patrick M).

Now I can take a certificate from the UI and connect to LDAP via SSL :)

import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.ssl.SSLUtil;

import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

public class LdapsConnect {

    public static LDAPConnection connect(String base64EncodedCertificateString)
            throws GeneralSecurityException, IOException, LDAPException {
        // PEM text ("-----BEGIN CERTIFICATE-----" ... "-----END CERTIFICATE-----") taken from the UI
        ByteArrayInputStream byteArrayInputStream = new ByteArrayInputStream(
                base64EncodedCertificateString.getBytes(StandardCharsets.US_ASCII));

        // Empty in-memory trust store: nothing is read from or written to a keystore file
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null);

        // Add every certificate found in the input as a trusted entry
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int i = 0;
        while (byteArrayInputStream.available() > 0) {
            Certificate cert = cf.generateCertificate(byteArrayInputStream);
            trustStore.setCertificateEntry("cert " + i++, cert);
        }

        // Standard JSSE trust manager backed by the in-memory store: validates the
        // server's chain against these certificates only, with no user interaction
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
        tmf.init(trustStore);
        TrustManager[] trustManagers = tmf.getTrustManagers();
        SSLUtil sslUtil = new SSLUtil(trustManagers);
        SSLSocketFactory socketFactory = sslUtil.createSSLSocketFactory();

        LDAPConnection connection = new LDAPConnection(socketFactory);
        connection.connect("place.myserver.com", 636);
        return connection;
    }
}
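An added example, not part of the answer above and not code from the UnboundID SDK: it builds the same in-memory trust store, but also uses the HostNameTrustManager the question lists, combined through AggregateTrustManager, so the server must both chain to the pinned certificate and present a certificate for the expected host name. The class name PinnedLdapsConnector and the file path given on the command line are assumptions; the SDK classes and constructors used are from the UnboundID LDAP SDK as I know it (AggregateTrustManager(boolean requireAllAccepted, X509TrustManager...), HostNameTrustManager(boolean allowWildcards, String...)).

```java
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import com.unboundid.util.ssl.AggregateTrustManager;
import com.unboundid.util.ssl.HostNameTrustManager;
import com.unboundid.util.ssl.SSLUtil;

import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Collection;

/**
 * Hypothetical helper written for this page (not part of the UnboundID SDK).
 * Connects over LDAPS trusting only the certificate(s) in a PEM string and
 * requiring that the server certificate match the expected host name.
 */
public final class PinnedLdapsConnector {

    /** PKIX trust manager whose only trust anchors are the certificates in the PEM text. */
    static X509TrustManager pinnedChainTrustManager(String pem)
            throws GeneralSecurityException, IOException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // generateCertificates() reads every PEM block and stops cleanly at trailing whitespace
        Collection<? extends Certificate> anchors = cf.generateCertificates(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        if (anchors.isEmpty()) {
            throw new CertificateException("no X.509 certificate found in PEM input");
        }

        // In-memory trust store only; nothing is persisted to a keystore file
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        int i = 0;
        for (Certificate anchor : anchors) {
            trustStore.setCertificateEntry("pinned-" + i++, anchor);
        }

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException(
                "no X509TrustManager available from " + tmf.getAlgorithm());
    }

    /** Both checks must pass: chain to the pinned anchor AND host name match. */
    static SSLSocketFactory socketFactoryFor(String pem, String expectedHost)
            throws GeneralSecurityException, IOException {
        X509TrustManager chain = pinnedChainTrustManager(pem);
        // allowWildcards = false: the certificate must name this host explicitly
        HostNameTrustManager hostName = new HostNameTrustManager(false, expectedHost);
        AggregateTrustManager both = new AggregateTrustManager(true, chain, hostName);
        return new SSLUtil(both).createSSLSocketFactory();
    }

    public static LDAPConnection connect(String pem, String host, int port)
            throws GeneralSecurityException, IOException, LDAPException {
        // The host the socket connects to is the same one the trust manager verifies
        return new LDAPConnection(socketFactoryFor(pem, host), host, port);
    }

    public static void main(String[] args) throws Exception {
        // Usage: java PinnedLdapsConnector server.pem ldap.example.com 636
        String pem = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
        try (LDAPConnection conn = connect(pem, args[1], Integer.parseInt(args[2]))) {
            System.out.println("Connected to " + conn.getConnectedAddress()
                    + ":" + conn.getConnectedPort());
        }
    }
}
```

Two design points. The PKIX trust manager from TrustManagerFactory already enforces the certificate validity dates and the issuer chain, which is what the question found missing from the listed SDK trust managers, so ValidityDateTrustManager is not needed on top of it; the host name check is the one thing it does not do, which is why HostNameTrustManager is added and requireAllAccepted is set to true. Also, generateCertificates() is preferred over a generateCertificate() loop driven by available(), because a PEM file that ends with an extra blank line leaves bytes available but no certificate to parse.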
