将证书添加到BouncyCastle TLSSocketConnectionFactory

Question

有关于如何将证书包含在Bouncy Castle TLSSocketConnectionFactory中的问题吗？

例如，我在之前的版本中使用过此代码，它适用于TLS1.0：

        SSLContext sslcontext = SSLContext.getInstance("TLS");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        InputStream is = new FileInputStream("c:/cert/test-tls.cer");
        InputStream caInput = new BufferedInputStream(is);
        Certificate ca;
        try {
            ca = cf.generateCertificate(caInput);
        } finally {
            caInput.close();
        }
        String keyStoreType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(keyStoreType);
        keyStore.load(null, null);
        keyStore.setCertificateEntry("ca", ca);

        // Create a TrustManager that trusts the CAs in our KeyStore
        String tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm();
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(tmfAlgorithm);
        tmf.init(keyStore);

        TrustManager[] tm = tmf.getTrustManagers();
        sslcontext.init(kmf.getKeyManagers(), tm, null);
        SSLSocketFactory sslSocketFactory = sslcontext.getSocketFactory();
        HttpsURLConnection.setDefaultSSLSocketFactory(sslSocketFactory);

现在我必须使用Bouncy Castle，因为Java 1.6不支持TLS1.1 / TLS1.2

所以第一步是扩展SSLSocketFactory类..
我的是：

@Override
    public void startHandshake() throws IOException {
        tlsClientProtocol.connect(new DefaultTlsClient() {
            @Override
            public Hashtable<Integer, byte[]> getClientExtensions() throws IOException {
                Hashtable<Integer, byte[]> clientExtensions = super.getClientExtensions();
                if (clientExtensions == null) {
                    clientExtensions = new Hashtable<Integer, byte[]>();
                }

                //Add host_name
                byte[] host_name = host.getBytes();

                final ByteArrayOutputStream baos = new ByteArrayOutputStream();
                final DataOutputStream dos = new DataOutputStream(baos);
                dos.writeShort(host_name.length + 3); // entry size
                dos.writeByte(0); // name type = hostname
                dos.writeShort(host_name.length);
                dos.write(host_name);
                dos.close();
                clientExtensions.put(ExtensionType.server_name, baos.toByteArray());
                return clientExtensions;
            }

            @Override
            public TlsAuthentication getAuthentication()
                    throws IOException {
                return new TlsAuthentication() {

                    @Override
                    public void notifyServerCertificate(Certificate serverCertificate) throws IOException {

                        try {

                            CertificateFactory cf = CertificateFactory.getInstance("X.509");

                            InputStream is = new FileInputStream("c:/ascert/test-tls.cer"); //"c:/cert/test-tls.cer");
                            InputStream caInput = new BufferedInputStream(is);
                            java.security.cert.Certificate ca;
                            try {
                                ca = cf.generateCertificate(caInput);
                                System.out.println("ca=" + ((java.security.cert.X509Certificate) ca).getSubjectDN());
                            } finally {
                                caInput.close();
                            }

                            List<java.security.cert.Certificate> certs = new LinkedList<java.security.cert.Certificate>();
                            for (org.bouncycastle.asn1.x509.Certificate c : serverCertificate.getCertificateList()) {
                                certs.add(cf.generateCertificate(new ByteArrayInputStream(c.getEncoded())));
                                System.out.println(c.getIssuer());
                            }
                            peertCerts = certs.toArray(new java.security.cert.Certificate[0]);
                        } catch (Exception e) {
                            System.out.println("Failed to cache server certs" + e);
                            throw new IOException(e);
                        }

                    }

                    @Override
                    public TlsCredentials getClientCredentials(CertificateRequest arg0)
                            throws IOException {
                        return null;
                    }

                };

当我运行一个简单的例子时：

public class Test {
public static void main(String[] args)
{
   String url = "https://blagajne-test.fu.gov.si:9002/v1/cash_registers";
    try {
        URLConnection connection = new URL(url).openConnection();
        HttpsURLConnection httpsURLConnection = (HttpsURLConnection) connection;
        httpsURLConnection.setSSLSocketFactory(new TSLSocketConnectionFactory());
         int responseCode = httpsURLConnection.getResponseCode();

    } catch (MalformedURLException ex) {
        Logger.getLogger(Test.class.getName()).log(Level.SEVERE, null, ex);
    } catch (IOException ex) {
        Logger.getLogger(Test.class.getName()).log(Level.SEVERE, null, ex);
    }

}

}

我收到此错误： SEVERE: null org.bouncycastle.crypto.tls.TlsFatalAlertReceived: handshake_failure(40) at org.bouncycastle.crypto.tls.TlsProtocol.handleAlertMessage(Unknown Source)

我不知道如何正确编写SSLSocketFactory以使用证书进行远程服务器的身份验证。谢谢你的帮助。

Answer 1

最新版本的BouncyCastle在bctls-jdk15on-159 jar中包含一个JSSE提供程序（＆＃34; BCJSSE＆＃34;，在类org.bouncycastle.jsse.provider.BouncyCastleJsseProvider中）。如果您安装此提供程序的优先级高于默认提供程序，则原始代码示例应自动选择BCJSSE提供程序。

BCJSSE支持TLS 1.2回到JDK 1.5。 org.bouncycastle.jsse包中还有一些特定于BCJSSE的扩展，用于访问早期JDK（或根本不是）SunJSSE不支持的TLS功能，例如：服务器名称指示。

与SunJSSE相比，仍然缺少一些小功能，但对于大多数用户来说，它应该是一个简单的替代品，当然比自己实施SSLSocketFactory更好。