在Java HTTP连接中将客户端证书设置为请求属性?
我有一个Java应用程序通过带有SSL的套接字连接到另一个Java应用程序,所以我的客户端JVM已经有 -Djavax.net.ssl.keyStore 和 -Djavax.net.ssl.trustStore 属性设置。
I have a Java application that connects to another Java app through a socket with SSL, so my client JVM already has the -Djavax.net.ssl.keyStore and -Djavax.net.ssl.trustStore properties set.
此应用程序需要向Web服务器发出一些HTTP请求这需要客户端身份验证我可以在Java中使用 URLConnection 打开连接,返回 HTTPSURLConnectionImpl 。
This application needs to make some HTTP requests to a web server that requires client authentication. I can open the connection by using a URLConnection in Java which returns an HTTPSURLConnectionImpl.
我想在请求中向Web服务器提供的客户端证书与作为我的JVM系统属性设置的客户端证书不同。有没有办法设置客户端证书。作为 HTTPSURLConnectionImpl 中的请求属性?
The client certificate I want to present to the web server in the request is different than the one set as my JVM system property. Is there a way I can set a client cert. as a request property in the HTTPSURLConnectionImpl ?
设置SSL客户端证书不足以直接通过 HTTPSURLConnectionImpl 的请求属性,因为还需要数字签名来证明您拥有证书。 SSL已经自动执行了所有操作,因此使用该图层是有意义的。
Setting a SSL "client certificate" is not adequate directly through HTTPSURLConnectionImpl's request properties, because a digital signature is also required to prove you own the certificate. SSL already does all that automatically, so to makes sense to use that layer.
您有两种方法可以解决您的问题。
You have two ways to solve your issue going forward.
您可以将客户端密钥和证书添加到JVM KeyStore,当服务器要求您运行时,它应该在运行时获取客户端SSL身份验证。 (SSL / TLS就是为此而设计的:服务器将要求提供由其受信任的权限签名的客户端证书,这允许SSL引擎选择正确的证书,即使您的KeyStore拥有多个证书也是如此。)
You can add you client key and certificate to your JVM KeyStore, it should be picked up at Runtime when the server asks for your client-side SSL authentication. (SSL/TLS is designed for that : the server will ask for a client certificate that is signed by it's trusted authority, which allows the SSL Engine to choose the right certificate, even when your KeyStore holds many).
您可以使用自定义的 SSLContext C $ C>密钥库 / 信任库秒。
这有点复杂(我不会详细说明如何在Java中构建 Keystore 实例),但它的要点在于:
You can roll you own SSLContext using custom made KeyStore/TrustStores.
This is a bit complex (I won't elaborate on how to build Keystore instances in Java), but the gist of it is here :
public static void main(String[] args) throws Exception {
KeyStore clientKeyStore = ... // Whatever
KeyStore clientTrustStore = ... // Whatever you need to load
// We build the KeyManager (SSL client credentials we can send)
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyFactory.init(clientKeyStore, "password".toCharArray());
KeyManager[] km = keyFactory.getKeyManagers();
// We build the TrustManager (Server certificates we trust)
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(clientTrustStore);
TrustManager[] tm = trustFactory.getTrustManagers();
// We build a SSLContext with both our trust/key managers
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(km, tm, null);
SSLSocketFactory sslSf = sslContext.getSocketFactory();
// We prepare a URLConnection
URL url = new URL("https://www.google.com");
URLConnection urlConnection = url.openConnection();
// Before actually opening the sockets, we affect the SSLSocketFactory
HttpsURLConnection httpsUrlConnection = (HttpsURLConnection) urlConnection;
httpsUrlConnection.setSSLSocketFactory(sslSf);
// Ready to go !
}