我正在使用Apache HttpClient 3.5和Spring Web Services 2.1.0开发Java 6项目。
My Spring WebServicesTemplate使用apache HttpClient发送WebServices请求。但是,我联系的服务已淘汰了TLS 1.0,转而支持TLS 1.2。 Java 6不支持TLS 1.2。我被带到了bouncycastle,它应该给我TLS 1.2支持。
如何将bouncycastle与Spring或我的HttpClient集成,以便我可以发送支持TLS 1.2的请求?我找到了一个提供扩展SSLSocketFactory的解决方案。但是,HttpClient只接受SSLConnectionSocketFactory。
在短期内升级到Java 8是不可行的,但如果有人能够确认它能解决我的问题,我可以将其作为长期优先事项。
答案 0 :(得分:4)
我提出了一个不需要升级到Java 8的解决方案。作为免责声明,我对https安全性知之甚少,而且我确信有一些知识渊博的人可能会注意到这些问题。这个方法需要使用内置的HttpsURLConnection,如果你习惯使用像Unirest这样的东西,甚至是apache HttpClient,这是非常原始的。
首先,您需要将BouncyCastle添加到pom。
<dependency>
<groupId>org.bouncycastle</groupId>
<artifactId>bcprov-jdk15on</artifactId>
<version>1.54</version>
</dependency>
然后您将创建SSLSocketFactory的扩展。警告!此套接字工厂将接受所有证书,因此使用风险自负。
import java.io.*;
import java.net.UnknownHostException;
import java.security.*;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;
import javax.security.cert.X509Certificate;
import org.bouncycastle.crypto.tls.*;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
public class TLSSocketConnectionFactory extends SSLSocketFactory {
static {
if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
Security.addProvider(new BouncyCastleProvider());
}
}
@Override
public Socket createSocket(Socket socket, final String host, int port,
boolean arg3) throws IOException {
if (socket == null) {
socket = new Socket();
}
if (!socket.isConnected()) {
socket.connect(new InetSocketAddress(host, port));
}
final TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(), new SecureRandom());
return _createSSLSocket(host, tlsClientProtocol);
}
@Override public String[] getDefaultCipherSuites() { return null; }
@Override public String[] getSupportedCipherSuites() { return null; }
@Override public Socket createSocket(String host, int port) throws IOException, UnknownHostException { throw new UnsupportedOperationException(); }
@Override public Socket createSocket(InetAddress host, int port) throws IOException { throw new UnsupportedOperationException(); }
@Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort) throws IOException, UnknownHostException { return null; }
@Override public Socket createSocket(InetAddress address, int port, InetAddress localAddress, int localPort) throws IOException { throw new UnsupportedOperationException(); }
private SSLSocket _createSSLSocket(final String host, final TlsClientProtocol tlsClientProtocol) {
return new SSLSocket() {
private java.security.cert.Certificate[] peertCerts;
@Override public InputStream getInputStream() throws IOException { return tlsClientProtocol.getInputStream(); }
@Override public OutputStream getOutputStream() throws IOException { return tlsClientProtocol.getOutputStream(); }
@Override public synchronized void close() throws IOException { tlsClientProtocol.close(); }
@Override public void addHandshakeCompletedListener( HandshakeCompletedListener arg0) { }
@Override public boolean getEnableSessionCreation() { return false; }
@Override public String[] getEnabledCipherSuites() { return null; }
@Override public String[] getEnabledProtocols() { return null; }
@Override public boolean getNeedClientAuth() { return false; }
@Override
public SSLSession getSession() {
return new SSLSession() {
@Override
public int getApplicationBufferSize() {
return 0;
}
@Override public String getCipherSuite() { throw new UnsupportedOperationException(); }
@Override public long getCreationTime() { throw new UnsupportedOperationException(); }
@Override public byte[] getId() { throw new UnsupportedOperationException(); }
@Override public long getLastAccessedTime() { throw new UnsupportedOperationException(); }
@Override public java.security.cert.Certificate[] getLocalCertificates() { throw new UnsupportedOperationException(); }
@Override public Principal getLocalPrincipal() { throw new UnsupportedOperationException(); }
@Override public int getPacketBufferSize() { throw new UnsupportedOperationException(); }
@Override public X509Certificate[] getPeerCertificateChain() throws SSLPeerUnverifiedException { return null; }
@Override public java.security.cert.Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException { return peertCerts; }
@Override public String getPeerHost() { throw new UnsupportedOperationException(); }
@Override public int getPeerPort() { return 0; }
@Override public Principal getPeerPrincipal() throws SSLPeerUnverifiedException { return null; }
@Override public String getProtocol() { throw new UnsupportedOperationException(); }
@Override public SSLSessionContext getSessionContext() { throw new UnsupportedOperationException(); }
@Override public Object getValue(String arg0) { throw new UnsupportedOperationException(); }
@Override public String[] getValueNames() { throw new UnsupportedOperationException(); }
@Override public void invalidate() { throw new UnsupportedOperationException(); }
@Override public boolean isValid() { throw new UnsupportedOperationException(); }
@Override public void putValue(String arg0, Object arg1) { throw new UnsupportedOperationException(); }
@Override public void removeValue(String arg0) { throw new UnsupportedOperationException(); }
};
}
@Override public String[] getSupportedProtocols() { return null; }
@Override public boolean getUseClientMode() { return false; }
@Override public boolean getWantClientAuth() { return false; }
@Override public void removeHandshakeCompletedListener(HandshakeCompletedListener arg0) { }
@Override public void setEnableSessionCreation(boolean arg0) { }
@Override public void setEnabledCipherSuites(String[] arg0) { }
@Override public void setEnabledProtocols(String[] arg0) { }
@Override public void setNeedClientAuth(boolean arg0) { }
@Override public void setUseClientMode(boolean arg0) { }
@Override public void setWantClientAuth(boolean arg0) { }
@Override public String[] getSupportedCipherSuites() { return null; }
@Override
public void startHandshake() throws IOException {
tlsClientProtocol.connect(new DefaultTlsClient() {
@SuppressWarnings("unchecked")
@Override
public Hashtable<Integer, byte[]> getClientExtensions() throws IOException {
Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions();
if (clientExtensions == null) {
clientExtensions = new Hashtable<Integer, byte[]>();
}
//Add host_name
byte[] host_name = host.getBytes();
final ByteArrayOutputStream baos = new ByteArrayOutputStream();
final DataOutputStream dos = new DataOutputStream(baos);
dos.writeShort(host_name.length + 3);
dos.writeByte(0);
dos.writeShort(host_name.length);
dos.write(host_name);
dos.close();
clientExtensions.put(ExtensionType.server_name, baos.toByteArray());
return clientExtensions;
}
@Override
public TlsAuthentication getAuthentication() throws IOException {
return new TlsAuthentication() {
@Override
public void notifyServerCertificate(Certificate serverCertificate) throws IOException {
try {
KeyStore ks = _loadKeyStore();
CertificateFactory cf = CertificateFactory.getInstance("X.509");
List<java.security.cert.Certificate> certs = new LinkedList<java.security.cert.Certificate>();
boolean trustedCertificate = false;
for ( org.bouncycastle.asn1.x509.Certificate c : serverCertificate.getCertificateList()) {
java.security.cert.Certificate cert = cf.generateCertificate(new ByteArrayInputStream(c.getEncoded()));
certs.add(cert);
String alias = ks.getCertificateAlias(cert);
if(alias != null) {
if (cert instanceof java.security.cert.X509Certificate) {
try {
( (java.security.cert.X509Certificate) cert).checkValidity();
trustedCertificate = true;
} catch(CertificateExpiredException cee) {
// Accept all the certs!
}
}
} else {
// Accept all the certs!
}
}
if (!trustedCertificate) {
// Accept all the certs!
}
peertCerts = certs.toArray(new java.security.cert.Certificate[0]);
} catch (Exception ex) {
ex.printStackTrace();
throw new IOException(ex);
}
}
@Override
public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException {
return null;
}
private KeyStore _loadKeyStore() throws Exception {
FileInputStream trustStoreFis = null;
try {
KeyStore localKeyStore = null;
String trustStoreType = System.getProperty("javax.net.ssl.trustStoreType")!=null?System.getProperty("javax.net.ssl.trustStoreType"):KeyStore.getDefaultType();
String trustStoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider")!=null?System.getProperty("javax.net.ssl.trustStoreProvider"):"";
if (trustStoreType.length() != 0) {
if (trustStoreProvider.length() == 0) {
localKeyStore = KeyStore.getInstance(trustStoreType);
} else {
localKeyStore = KeyStore.getInstance(trustStoreType, trustStoreProvider);
}
char[] keyStorePass = null;
String str5 = System.getProperty("javax.net.ssl.trustStorePassword")!=null?System.getProperty("javax.net.ssl.trustStorePassword"):"";
if (str5.length() != 0) {
keyStorePass = str5.toCharArray();
}
localKeyStore.load(trustStoreFis, keyStorePass);
if (keyStorePass != null) {
for (int i = 0; i < keyStorePass.length; i++) {
keyStorePass[i] = 0;
}
}
}
return localKeyStore;
} finally {
if (trustStoreFis != null) {
trustStoreFis.close();
}
}
}
};
}
});
} // startHandshake
};
}
}
接下来,您需要使用新的套接字工厂。如果您使用Spring处理Web服务调用,则可以扩展现有的HttpUrlConnectionMessageSender以便为您发送呼叫。只需确保在spring配置中更新您的消息发送方bean以使用此类。
import java.io.IOException;
import java.net.*;
import javax.net.ssl.HttpsURLConnection;
import org.springframework.ws.transport.WebServiceConnection;
import org.springframework.ws.transport.http.*;
public class HttpsUrlConnectionMessageSender extends HttpUrlConnectionMessageSender {
@Override
public WebServiceConnection createConnection(URI uri) throws IOException {
URL url = uri.toURL();
URLConnection connection = url.openConnection();
if (!(connection instanceof HttpsURLConnection)) {
throw new HttpTransportException("URI [" + uri + "] is not an HTTPS URL");
} else {
HttpsURLConnection httpsURLConnection = (HttpsURLConnection) connection;
httpsURLConnection.setSSLSocketFactory(new TLSSocketConnectionFactory());
prepareConnection(httpsURLConnection);
return new HttpsUrlConnection(httpsURLConnection);
}
}
private static class HttpsUrlConnection extends HttpUrlConnection {
private HttpsUrlConnection(HttpsURLConnection connection) {
super(connection);
}
}
}
或者,如果您不使用Spring或使用Rest,您可以像上面的类一样手动创建HttpsURLConnection,并使用输出流发送消息。
请注意,如果您与之通信的服务使用Cookie,则需要设置系统范围的Cookie管理器。但是,Java 6 cookie管理器是错误的。您可能需要从Java 8 CookieManager复制源代码才能使cookie正常工作。
if (CookieHandler.getDefault() == null) {
CookieHandler.setDefault(new CookieManager());
}
答案 1 :(得分:1)
你将面对Bouncy Castle的主要问题是它的TLS实现没有实现JSSE API。实际上,这意味着您不会获得SSLSocket,SSLSocketFactory(或HttpsURLConnection的任何支持,但是当您使用Apache HTTP客户端时无关紧要。)
此外,TLS并不是Bouncy Castle最好的记录功能,它将使您的工作更加困难。 this other question的答案中有一些例子。
您可能以某种方式能够编写自定义Socket实现,该实现包含对Bouncy Castle的TLS API的必要调用。然后,您可以从自定义org.apache.http.conn.ssl.SSLConnectionSocketFactory实现中返回此类套接字(如果您的子类为其返回Socket的方法执行完全不同的操作,则可能在构造函数中使用虚拟值。)
这可能是可行的,但可能需要付出相当大的努力。升级到Java 8(支持使用传统JSSE类的TLS 1.2)通常会更容易(取决于您的约束)。