首页 > 代码库 > java-信息安全(十五)-单向认证

java-信息安全(十五)-单向认证

原文地址

http://snowolf.iteye.com/blog/398198

接下来,我们使用第三方CA签名机构完成证书签名。 
    这里我们使用thawte提供的测试用21天免费ca证书。 
    1.要在该网站上注明你的域名,这里使用www.zlex.org作为测试用域名(请勿使用该域名作为你的域名地址,该域名受法律保护!请使用其他非注册域名!)。 
    2.如果域名有效,你会收到邮件要求你访问https://www.thawte.com/cgi/server/try.exe获得ca证书。 
    3.复述密钥库的创建。 

keytool -genkey -validity 36000 -alias www.zlex.org -keyalg RSA -keystore d:\zlex.keystore

在这里我使用的密码为 123456 
控制台输出: 

输入keystore密码:  再次输入新密码:  您的名字与姓氏是什么?    [Unknown]:  www.zlex.org  您的组织单位名称是什么?    [Unknown]:  zlex  您的组织名称是什么?    [Unknown]:  zlex  您所在的城市或区域名称是什么?    [Unknown]:  BJ  您所在的州或省份名称是什么?    [Unknown]:  BJ  该单位的两字母国家代码是什么    [Unknown]:  CN  CN=www.zlex.org, OU=zlex, O=zlex, L=BJ, ST=BJ, C=CN 正确吗?    [否]:  Y    输入<tomcat>的主密码          (如果和 keystore 密码相同,按回车):  再次输入新密码:  

4.通过如下命令,从zlex.keystore中导出CA证书申请。

keytool -certreq -alias www.zlex.org -file d:\zlex.csr -keystore d:\zlex.keystore -v 

你会获得zlex.csr文件,可以用记事本打开,内容如下格式:

-----BEGIN NEW CERTIFICATE REQUEST-----  MIIBnDCCAQUCAQAwXDELMAkGA1UEBhMCQ04xCzAJBgNVBAgTAkJKMQswCQYDVQQHEwJCSjENMAsG  A1UEChMEemxleDENMAsGA1UECxMEemxleDEVMBMGA1UEAxMMd3d3LnpsZXgub3JnMIGfMA0GCSqG  SIb3DQEBAQUAA4GNADCBiQKBgQCR6DXU9Mp+mCKO7cv9JPsj0n1Ec/GpM09qvhpgX3FNad/ZWSDc  vU77YXZSoF9hQp3w1LC+eeKgd2MlVpXTvbVwBNVd2HiQPp37ic6BUUjSaX8LHtCl7l0BIEye9qQ2  j8G0kak7e8ZA0s7nb3Ymq/K8BV7v0MQIdhIc1bifK9ZDewIDAQABoAAwDQYJKoZIhvcNAQEFBQAD  gYEAMA1r2fbZPtNx37U9TRwadCH2TZZecwKJS/hskNm6ryPKIAp9APWwAyj8WJHRBz5SpZM4zmYO  oMCI8BcnY2A4JP+R7/SwXTdH/xcg7NVghd9A2SCgqMpF7KMfc5dE3iygdiPu+UhY200Dvpjx8gmJ  1UbH3+nqMUyCrZgURFslOUY=  -----END NEW CERTIFICATE REQUEST-----  

  5.将上述文件内容拷贝到https://www.thawte.com/cgi/server/try.exe中,点击next,获得回应内容,这里是p7b格式。 
内容如下:

-----BEGIN PKCS7-----  MIIF3AYJKoZIhvcNAQcCoIIFzTCCBckCAQExADALBgkqhkiG9w0BBwGgggWxMIID  EDCCAnmgAwIBAgIQA/mx/pKoaB+KGX2hveFU9zANBgkqhkiG9w0BAQUFADCBhzEL  MAkGA1UEBhMCWkExIjAgBgNVBAgTGUZPUiBURVNUSU5HIFBVUlBPU0VTIE9OTFkx  HTAbBgNVBAoTFFRoYXd0ZSBDZXJ0aWZpY2F0aW9uMRcwFQYDVQQLEw5URVNUIFRF  U1QgVEVTVDEcMBoGA1UEAxMTVGhhd3RlIFRlc3QgQ0EgUm9vdDAeFw0wOTA1Mjgw  MDIxMzlaFw0wOTA2MTgwMDIxMzlaMFwxCzAJBgNVBAYTAkNOMQswCQYDVQQIEwJC  SjELMAkGA1UEBxMCQkoxDTALBgNVBAoTBHpsZXgxDTALBgNVBAsTBHpsZXgxFTAT  BgNVBAMTDHd3dy56bGV4Lm9yZzCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA  keg11PTKfpgiju3L/ST7I9J9RHPxqTNPar4aYF9xTWnf2Vkg3L1O+2F2UqBfYUKd  8NSwvnnioHdjJVaV0721cATVXdh4kD6d+4nOgVFI0ml/Cx7Qpe5dASBMnvakNo/B  tJGpO3vGQNLO5292JqvyvAVe79DECHYSHNW4nyvWQ3sCAwEAAaOBpjCBozAMBgNV  HRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBABgNVHR8E  OTA3MDWgM6Axhi9odHRwOi8vY3JsLnRoYXd0ZS5jb20vVGhhd3RlUHJlbWl1bVNl  cnZlckNBLmNybDAyBggrBgEFBQcBAQQmMCQwIgYIKwYBBQUHMAGGFmh0dHA6Ly9v  Y3NwLnRoYXd0ZS5jb20wDQYJKoZIhvcNAQEFBQADgYEATPuxZbtJJSPmXvfrr1yz  xqM06IwTZ6UU0lZRG7I0WufMjNMKdpn8hklUhE17mxAhGSpewLVVeLR7uzBLFkuC  X7wMXxhoYdJZtNai72izU6Rd1oknao7diahvRxPK4IuQ7y2oZ511/4T4vgY6iRAj  q4q76HhPJrVRL/sduaiu+gYwggKZMIICAqADAgECAgEAMA0GCSqGSIb3DQEBBAUA  MIGHMQswCQYDVQQGEwJaQTEiMCAGA1UECBMZRk9SIFRFU1RJTkcgUFVSUE9TRVMg  T05MWTEdMBsGA1UEChMUVGhhd3RlIENlcnRpZmljYXRpb24xFzAVBgNVBAsTDlRF  U1QgVEVTVCBURVNUMRwwGgYDVQQDExNUaGF3dGUgVGVzdCBDQSBSb290MB4XDTk2  MDgwMTAwMDAwMFoXDTIwMTIzMTIxNTk1OVowgYcxCzAJBgNVBAYTAlpBMSIwIAYD  VQQIExlGT1IgVEVTVElORyBQVVJQT1NFUyBPTkxZMR0wGwYDVQQKExRUaGF3dGUg  Q2VydGlmaWNhdGlvbjEXMBUGA1UECxMOVEVTVCBURVNUIFRFU1QxHDAaBgNVBAMT  E1RoYXd0ZSBUZXN0IENBIFJvb3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGB  ALV9kG+Os6x/DOhm+tKUQfzVMWGhE95sFmEtkMMTX2Zi4n6i6BvzoReJ5njzt1LF  cqu4EUk9Ji20egKKfmqRzmQFLP7+1niSdfJEUE7cKY40QoI99270PTrLjJeaMcCl  +AYl+kD+RL5BtuKKU3PurYcsCsre6aTvjMcqpTJOGeSPAgMBAAGjEzARMA8GA1Ud  EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAgozj7BkD9O8si2V0v+EZ/t7E  fz/LC8y6mD7IBUziHy5/53ymGAGLtyhXHvX+UIE6UWbHro3IqVkrmY5uC93Z2Wew  A/6edK3KFUcUikrLeewM7gmqsiASEKx2mKRKlu12jXyNS5tXrPWRDvUKtFC1uL9a  12rFAQS2BkIk7aU+ghYxAA==  -----END PKCS7-----

将其存储为zlex.p7b 
    6.将由CA签发的证书导入密钥库。

keytool -import -trustcacerts -alias www.zlex.org -file d:\zlex.p7b -keystore d:\zlex.keystore -v  

在这里我使用的密码为 123456 
    控制台输出:

输入keystore密码:    回复中的最高级认证:    所有者:CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR   TESTING PURPOSES ONLY, C=ZA  签发人:CN=Thawte Test CA Root, OU=TEST TEST TEST, O=Thawte Certification, ST=FOR   TESTING PURPOSES ONLY, C=ZA  序列号:0  有效期: Thu Aug 01 08:00:00 CST 1996 至Fri Jan 01 05:59:59 CST 2021  证书指纹:           MD5:5E:E0:0E:1D:17:B7:CA:A5:7D:36:D6:02:DF:4D:26:A4           SHA1:39:C6:9D:27:AF:DC:EB:47:D6:33:36:6A:B2:05:F1:47:A9:B4:DA:EA           签名算法名称:MD5withRSA           版本: 3    扩展:    #1: ObjectId: 2.5.29.19 Criticality=true  BasicConstraints:[    CA:true    PathLen:2147483647  ]      ... 是不可信的。 还是要安装回复? [否]:  Y  认证回复已安装在 keystore中  [正在存储 d:\zlex.keystore]  

  7.域名定位 
    将域名www.zlex.org定位到本机上。打开C:\Windows\System32\drivers\etc\hosts文件,将www.zlex.org绑定在本机上。在文件末尾追加127.0.0.1       www.zlex.org。现在通过地址栏访问http://www.zlex.org,或者通过ping命令,如果能够定位到本机,域名映射就搞定了。 

    8.配置server.xml 

<Connector      keystoreFile="conf/zlex.keystore"      keystorePass="123456"       truststoreFile="conf/zlex.keystore"          truststorePass="123456"           SSLEnabled="true"      URIEncoding="UTF-8"      clientAuth="false"                maxThreads="150"      port="443"      protocol="HTTP/1.1"      scheme="https"      secure="true"      sslProtocol="TLS" />  

将文件zlex.keystore拷贝到tomcat的conf目录下,重新启动tomcat。访问https://www.zlex.org/,我们发现联网有些迟钝。大约5秒钟后,网页正常显示,同时有如下图所示:技术分享

浏览器验证了该CA机构的有效性。 

打开证书,如下图所示:

技术分享

调整测试类: 

技术分享
import static org.junit.Assert.*;    import java.io.DataInputStream;  import java.io.InputStream;  import java.net.URL;    import javax.net.ssl.HttpsURLConnection;    import org.junit.Test;    /**  *   * @author 梁栋  * @version 1.0  * @since 1.0  */  public class CertificateCoderTest {      private String password = "123456";      private String alias = "www.zlex.org";      private String certificatePath = "d:/zlex.cer";      private String keyStorePath = "d:/zlex.keystore";        @Test      public void test() throws Exception {          System.err.println("公钥加密——私钥解密");          String inputStr = "Ceritifcate";          byte[] data =http://www.mamicode.com/ inputStr.getBytes();            byte[] encrypt = CertificateCoder.encryptByPublicKey(data,                  certificatePath);            byte[] decrypt = CertificateCoder.decryptByPrivateKey(encrypt,                  keyStorePath, alias, password);          String outputStr = new String(decrypt);            System.err.println("加密前: " + inputStr + "\n\r" + "解密后: " + outputStr);            // 验证数据一致          assertArrayEquals(data, decrypt);            // 验证证书有效          assertTrue(CertificateCoder.verifyCertificate(certificatePath));        }        @Test      public void testSign() throws Exception {          System.err.println("私钥加密——公钥解密");            String inputStr = "sign";          byte[] data =http://www.mamicode.com/ inputStr.getBytes();            byte[] encodedData =http://www.mamicode.com/ CertificateCoder.encryptByPrivateKey(data,                  keyStorePath, alias, password);            byte[] decodedData =http://www.mamicode.com/ CertificateCoder.decryptByPublicKey(encodedData,                  certificatePath);            String outputStr = new String(decodedData);          System.err.println("加密前: " + inputStr + "\n\r" + "解密后: " + outputStr);          assertEquals(inputStr, outputStr);            System.err.println("私钥签名——公钥验证签名");          // 产生签名          String sign = CertificateCoder.sign(encodedData, keyStorePath, alias,                  password);          System.err.println("签名:\r" + sign);            // 验证签名          boolean status = CertificateCoder.verify(encodedData, sign,                  certificatePath);          System.err.println("状态:\r" + status);          assertTrue(status);        }        @Test      public void testHttps() throws Exception {          URL url = new URL("https://www.zlex.org/examples/");          HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();            conn.setDoInput(true);          conn.setDoOutput(true);            CertificateCoder.configSSLSocketFactory(conn, password, keyStorePath,                  keyStorePath);            InputStream is = conn.getInputStream();            int length = conn.getContentLength();            DataInputStream dis = new DataInputStream(is);          byte[] data = http://www.mamicode.com/new byte[length];          dis.readFully(data);            dis.close();          conn.disconnect();          System.err.println(new String(data));      }  }  
View Code

再次执行,验证通过!技术分享 
由此,我们了基于SSL协议的认证过程。测试类的testHttps方法模拟了一次浏览器的HTTPS访问。

 

java-信息安全(十五)-单向认证