我尝试针对自签名根CA验证自签名证书(由将调用我的服务的服务提供商提供)。现在,如果我启用双向ssl一切正常,但SSL要求是全局强制执行的。我只需要为一个请求和一个用户使用它。其他服务不应该受到影响,因为没有办法(除非我误解)为特定路径启用它,我停用了两个ssl,而是在我的控制器中执行此操作:
String auth = request.getHeader("Authorization");
X509Certificate[] cert = (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
ResourceLoader resourceLoader = new DefaultResourceLoader();
try {
KeyStore trustStore = KeyStore.getInstance("JKS");
InputStream certInStream = resourceLoader.getClassLoader().getResourceAsStream("keystore/CaCertificate.jks");
trustStore.load(certInStream, "changeit".toCharArray());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
trustManagerFactory.init(trustStore);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
for (TrustManager tm: trustManagerFactory.getTrustManagers())
((X509TrustManager)tm).checkClientTrusted(cert, "RSA");
}
因此我的问题是,这种验证证书的方法是否与默认值相同? 另一件事是除非我正确配置以下内容:
server.ssl.trust-store=keystore/truststore.jks
server.ssl.trust-store-password=pass
server.ssl.trust-store-type= JKS
server.ssl.client-auth=want
然后getAttribute方法返回null。我非常想知道它为什么会发生。因此,证书仍然会进行验证,但是如果客户端证书不受信任,请求不会失败,并且不会设置其属性(SSL one)?所以基本上我写的代码是无用的,我可以检查以下是否为空?
X509Certificate[] cert = (X509Certificate[])request.getAttribute("javax.servlet.request.X509Certificate");
请帮助我彻底失去。
编辑: 出于测试目的,我使用.net 4.5 HttpWebRequest。有了这个:
ServicePointManager.ServerCertificateValidationCallback += (sender, cert, chain, sslPolicyErrors) =>
{
return true;
}