我正在尝试使用双向TLS将https请求发送到我的服务器。我成功使用TLS的服务器。但是我不知道如何在客户端(Android应用程序)上执行此操作。我在Java服务器上使用spring。来自Android应用的请求是使用HttpsUrlConnection()发出的。
我设法能够调用HttpsUrlConnection()来修改我的代码:
public void test() {
try {
URL url = new URL(this.apiUrl);
HttpsURLConnection urlConnection = (HttpsURLConnection) url.openConnection();
urlConnection.setSSLSocketFactory(sslContext.getSocketFactory());
InputStream in = urlConnection.getInputStream();
System.out.print(in);
} catch (Exception e) {
e.printStackTrace();
}
}
我的服务器配置为使用TLSv1.2协议。
运行test()会引发以下错误:
W/System.err: javax.net.ssl.SSLHandshakeException: Handshake failed
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:288)
at com.android.okhttp.internal.io.RealConnection.connectTls(RealConnection.java:196)
at com.android.okhttp.internal.io.RealConnection.connectSocket(RealConnection.java:153)
at com.android.okhttp.internal.io.RealConnection.connect(RealConnection.java:116)
at com.android.okhttp.internal.http.StreamAllocation.findConnection(StreamAllocation.java:186)
at com.android.okhttp.internal.http.StreamAllocation.findHealthyConnection(StreamAllocation.java:128)
at com.android.okhttp.internal.http.StreamAllocation.newStream(StreamAllocation.java:97)
at com.android.okhttp.internal.http.HttpEngine.connect(HttpEngine.java:289)
at com.android.okhttp.internal.http.HttpEngine.sendRequest(HttpEngine.java:232)
W/System.err: at com.android.okhttp.internal.huc.HttpURLConnectionImpl.execute(HttpURLConnectionImpl.java:465)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getResponse(HttpURLConnectionImpl.java:411)
at com.android.okhttp.internal.huc.HttpURLConnectionImpl.getInputStream(HttpURLConnectionImpl.java:248)
at com.android.okhttp.internal.huc.DelegatingHttpsURLConnection.getInputStream(DelegatingHttpsURLConnection.java:211)
W/System.err: at com.android.okhttp.internal.huc.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:30)
at nl.management.finance.client.RaboClient.test(RaboClient.java:64)
at nl.management.finance.MainActivity$RESTTask.doInBackground(MainActivity.java:31)
at nl.management.finance.MainActivity$RESTTask.doInBackground(MainActivity.java:25)
at android.os.AsyncTask$3.call(AsyncTask.java:378)
at java.util.concurrent.FutureTask.run(FutureTask.java:266)
at android.os.AsyncTask$SerialExecutor$1.run(AsyncTask.java:289)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1167)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
at java.lang.Thread.run(Thread.java:919)
Caused by: javax.net.ssl.SSLProtocolException: SSL handshake aborted: ssl=0x703daa2ff448: Failure in SSL library, usually a protocol error
error:10000412:SSL routines:OPENSSL_internal:SSLV3_ALERT_BAD_CERTIFICATE (external/boringssl/src/ssl/tls_record.cc:587 0x703daa2b1148:0x00000001)
at com.android.org.conscrypt.NativeCrypto.SSL_do_handshake(Native Method)
at com.android.org.conscrypt.NativeSsl.doHandshake(NativeSsl.java:387)
at com.android.org.conscrypt.ConscryptFileDescriptorSocket.startHandshake(ConscryptFileDescriptorSocket.java:226)
... 22 more
为什么在堆栈跟踪中看到SSLV3?是否不使用TLSv1.2? Wireshark显示了此https://ibb.co/27mpG4r
此代码(来自@ Hakan54)使SSLContext:
public class SSLTrustManagerHelper {
private InputStream keyStore;
private String keyStorePassword;
private InputStream trustStore;
private String trustStorePassword;
public SSLTrustManagerHelper(InputStream keyStore,
String keyStorePassword,
InputStream trustStore,
String trustStorePassword) throws ClientException {
if (keyStore == null || keyStorePassword.trim().isEmpty() || trustStore == null || trustStorePassword.trim().isEmpty()) {
throw new ClientException("TrustStore or KeyStore details are empty, which are required to be present when SSL is enabled");
}
this.keyStore = keyStore;
this.keyStorePassword = keyStorePassword;
this.trustStore = trustStore;
this.trustStorePassword = trustStorePassword;
}
public SSLContext clientSSLContext() throws ClientException {
try {
TrustManagerFactory trustManagerFactory = getTrustManagerFactory(trustStore, trustStorePassword);
KeyManagerFactory keyManagerFactory = getKeyManagerFactory(keyStore, keyStorePassword);
this.keyStore.close();
this.trustStore.close();
return getSSLContext(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers());
} catch (UnrecoverableKeyException | NoSuchAlgorithmException | CertificateException | KeyStoreException | IOException | KeyManagementException e) {
e.printStackTrace();
throw new ClientException(e);
}
}
private static SSLContext getSSLContext(KeyManager[] keyManagers, TrustManager[] trustManagers) throws NoSuchAlgorithmException, KeyManagementException {
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(keyManagers, trustManagers, null);
return sslContext;
}
private static KeyManagerFactory getKeyManagerFactory(InputStream keystore, String keystorePassword) throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException, UnrecoverableKeyException, ClientException {
KeyStore keyStore = loadKeyStore(keystore, keystorePassword);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keystorePassword.toCharArray());
return keyManagerFactory;
}
private static TrustManagerFactory getTrustManagerFactory(InputStream truststore, String truststorePassword) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, ClientException {
KeyStore trustStore = loadKeyStore(truststore, truststorePassword);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
return trustManagerFactory;
}
private static KeyStore loadKeyStore(InputStream keystoreStream, String keystorePassword) throws ClientException, IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException {
if (keystoreStream == null) {
throw new ClientException("keystore was null.");
}
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(keystoreStream, keystorePassword.toCharArray());
return keystore;
}
}
答案 0 :(得分:1)
您正在寻找的是基于证书的相互认证。服务器和客户端都需要彼此信任才能进行通信。而且,如果服务器仅信任该特定客户端,则其他任何客户端都不可能发出请求。
上面的示例看起来还可以,但是使用以下示例进行配置会更容易:
import static java.util.Objects.isNull;
import static org.apache.commons.lang3.StringUtils.isBlank;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
public class SSLTrustManagerHelper {
private String keyStore;
private String keyStorePassword;
private String trustStore;
private String trustStorePassword;
public SSLTrustManagerHelper(String keyStore,
String keyStore,
String keyStorePassword,
String trustStore,
String trustStorePassword) {
if (isBlank(keyStore) || isBlank(keyStorePassword) || isBlank(trustStore) || isBlank(trustStorePassword)) {
throw new ClientException("TrustStore or KeyStore details are empty, which are required to be present when SSL is enabled");
}
this.keyStore = keyStore;
this.keyStorePassword = keyStorePassword;
this.trustStore = trustStore;
this.trustStorePassword = trustStorePassword;
}
public SSLContext clientSSLContext() {
try {
TrustManagerFactory trustManagerFactory = getTrustManagerFactory(trustStore, trustStorePassword);
KeyManagerFactory keyManagerFactory = getKeyManagerFactory(keyStore, keyStorePassword);
return getSSLContext(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers());
} catch (UnrecoverableKeyException | NoSuchAlgorithmException | CertificateException | KeyStoreException | IOException | KeyManagementException e) {
throw new ClientException(e);
}
}
private static SSLContext getSSLContext(KeyManager[] keyManagers, TrustManager[] trustManagers) throws NoSuchAlgorithmException, KeyManagementException {
SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
sslContext.init(keyManagers, trustManagers, null);
return sslContext;
}
private static KeyManagerFactory getKeyManagerFactory(String keystorePath, String keystorePassword) throws NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException, UnrecoverableKeyException {
KeyStore keyStore = loadKeyStore(keystorePath, keystorePassword);
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, keystorePassword.toCharArray());
return keyManagerFactory;
}
private static TrustManagerFactory getTrustManagerFactory(String truststorePath, String truststorePassword) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
KeyStore trustStore = loadKeyStore(truststorePath, truststorePassword);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
return trustManagerFactory;
}
private static KeyStore loadKeyStore(String keystorePath, String keystorePassword) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
try(InputStream keystoreInputStream = SSLTrustManagerHelper.class.getClassLoader().getResourceAsStream(keystorePath)) {
if (isNull(keystoreInputStream)) {
throw new ClientException(String.format("Could not find the keystore file with the given location %s", keystorePath));
}
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
keystore.load(keystoreInputStream, keystorePassword.toCharArray());
return keystore;
}
}
}
在这里,您需要提供密钥库和信任库的位置,以及密码。公共类将为您提供ssl上下文,您可以将其加载到http客户端中。
确保您具有一个包含私钥和公钥的客户端密钥库,以及一个拥有服务器的公钥的信任库。并确保服务器在其信任库中具有客户端的公钥。您还需要在application.yml文件中为服务器提供其他属性,以强制服务器验证客户端。该属性是:client-auth: need
请参阅此处的为服务器和客户端设置相互认证的完整示例,包括示例项目spring-boot-mutual-tls-sll