Reloading the truststore with ReloadableX509TrustManager

Time: 2018-12-17 11:26:57

Tags: java ssl truststore trustmanager x509trustmanager

I have the following problem. I am trying to implement dynamic replacement of the truststore.jks file. The situation is as follows: if the client's certificate is not present on the server (in my hosted server), the server does not let the client through. When I replace the file, truststore.jks is loaded, the client is accepted, and the server receives a message from the client. However, after a while the client disconnects, and this repeats in a loop.

An example of my server code:

// factory, port, TRUSTSTORE_PATH and getSSLContext(...) are referenced in the post but not shown
public void run() {
    try {
        factory = getSSLContext(TRUSTSTORE_PATH).getServerSocketFactory();
        SSLServerSocket ss = (SSLServerSocket) factory.createServerSocket(port);
        while (true) {
            SSLSocket s = (SSLSocket) ss.accept();
            s.setNeedClientAuth(true);
            // getSession() runs the handshake; that is where checkClientTrusted() gets called
            SSLSession sslSession = s.getSession();
            String username = null;
            try {
                // java.security.cert replaces the deprecated javax.security.cert / getPeerCertificateChain() API
                java.security.cert.X509Certificate x509Certificate =
                        (java.security.cert.X509Certificate) sslSession.getPeerCertificates()[0];
                username = x509Certificate.getSubjectX500Principal().getName().split("CN=")[1].split(",")[0];
                x509Certificate.checkValidity();
                if (username != null) {
                    System.out.println("User " + username + " signed in.");
                    System.out.println("Welcome " + username + ", you are authenticated!");
                } else {
                    System.out.println("User " + username + " tried to sign in but was rejected by the ACL.");
                    System.out.println("Username is not valid. Connection will be closed");
                    sslSession.invalidate();
                    s.close(); // close the rejected client socket, not the listening socket ss
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    } catch (Exception e) {
        e.printStackTrace();
    }
}

And my ReloadableX509TrustManager class:

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import java.util.UUID;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// TRUSTSTORE_PASSWORD is referenced in the post but its definition is not shown
class ReloadableX509TrustManager implements X509TrustManager {
    private final String trustStorePath;
    private volatile X509TrustManager trustManager;
    private final List<Certificate> tempCertList = new ArrayList<>();

    public ReloadableX509TrustManager(String tspath) throws Exception {
        this.trustStorePath = tspath;
        reloadTrustManager();
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // re-read truststore.jks on every client handshake so a replaced file takes effect
        try {
            reloadTrustManager();
        } catch (Exception e) {
            e.printStackTrace(); // on failure the previously loaded trust manager stays in use
        }
        trustManager.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        try {
            trustManager.checkServerTrusted(chain, authType);
        } catch (CertificateException cx) {
            // reload before retrying; retrying the same delegate unchanged could never succeed
            try {
                reloadTrustManager();
            } catch (Exception e) {
                throw cx;
            }
            trustManager.checkServerTrusted(chain, authType);
        }
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return trustManager.getAcceptedIssuers();
    }

    private void reloadTrustManager() throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, TRUSTSTORE_PASSWORD.toCharArray());
        }

        // add all temporary certs to KeyStore (ts)
        for (Certificate cert : tempCertList) {
            ts.setCertificateEntry(UUID.randomUUID().toString(), cert);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ts);

        // acquire X509 trust manager from factory
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                trustManager = (X509TrustManager) tm;
                return;
            }
        }

        throw new NoSuchAlgorithmException("No X509TrustManager in TrustManagerFactory");
    }
}
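A hardened variant of the reloadable trust manager described in the question, added here as an example and not code from the original post. It reloads truststore.jks only when the file's modification time changes, parses the new file completely before swapping the delegate, and keeps the last good trust store if the new file fails to load; the class name FileWatchingTrustManager and the constructor parameters are hypothetical, and it assumes Java 11 or newer.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import javax.net.ssl.*;

// Hypothetical class (Java 11+): reloads truststore.jks only when its mtime changes and fully
// parses the new file before swapping, so a half-written or corrupt file never replaces the
// last good trust store and the delegate is never null during a handshake.
public class FileWatchingTrustManager implements X509TrustManager {
    private final Path path;
    private final char[] password;
    private volatile X509TrustManager delegate;   // volatile write: one atomic swap
    private volatile long loadedMtime = -1L;
    public FileWatchingTrustManager(String trustStorePath, char[] password) {
        this.path = Path.of(trustStorePath);
        this.password = password.clone();
        current(); // fail fast at startup if the initial load does not work
    }

    // Returns the delegate for this handshake: a cheap stat() unless the file changed.
    private X509TrustManager current() {
        try {
            long mtime = Files.getLastModifiedTime(path).toMillis();
            if (mtime != loadedMtime) {
                KeyStore ts = KeyStore.getInstance("JKS");
                try (InputStream in = Files.newInputStream(path)) { ts.load(in, password); }
                TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                tmf.init(ts);
                for (TrustManager tm : tmf.getTrustManagers()) {
                    if (tm instanceof X509TrustManager) {
                        delegate = (X509TrustManager) tm;
                        loadedMtime = mtime;
                        break;
                    }
                }
            }
        } catch (Exception e) { /* stat or load failed: keep serving with the last good store */ }
        X509TrustManager tm = delegate;
        if (tm == null) throw new IllegalStateException("truststore never loaded: " + path);
        return tm;
    }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkClientTrusted(chain, authType);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkServerTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() { return current().getAcceptedIssuers(); }
}
```

Replace truststore.jks atomically (write a temporary file, then rename it over the old one) so that a handshake never reads a partially written store; a failed load is silently retried on the next handshake because loadedMtime is only updated after a successful swap.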

0 answers:

No answers