回答
下面是一些代码,让你去。 KeyStore
是包含客户端证书的对象。如果服务器正在使用自签名证书或由JVM在附带的cacerts文件中识别的未由CA签名的证书,那么您将需要使用TrustStore
。否则使用默认cacerts文件,在传递到null
为SSLSockeFactory
信任存储参数..
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;
...
final HttpParams httpParams = new BasicHttpParams();
// load the keystore containing the client certificate - keystore type is probably jks or pkcs12
final KeyStore keystore = KeyStore.getInstance("pkcs12");
InputStream keystoreInput = null;
// TODO get the keystore as an InputStream from somewhere
keystore.load(keystoreInput, "keystorepassword".toCharArray());
// load the trustore, leave it null to rely on cacerts distributed with the JVM - truststore type is probably jks or pkcs12
KeyStore truststore = KeyStore.getInstance("pkcs12");
InputStream truststoreInput = null;
// TODO get the trustore as an InputStream from somewhere
truststore.load(truststoreInput, "truststorepassword".toCharArray());
final SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("https", new SSLSocketFactory(keystore, keystorePassword, truststore), 443));
final DefaultHttpClient httpClient = new DefaultHttpClient(new ThreadSafeClientConnManager(httpParams, schemeRegistry), httpParams);
另一种解决方案(从另一示例复制)。我使用了'trusting'(trustStore)和用于验证自己(keyStore)的相同密钥库。
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream instream = new FileInputStream(new File("miller.keystore"));
try {
trustStore.load(instream, "pw".toCharArray());
} finally {
instream.close();
}
SSLContext sslcontext = SSLContexts.custom()
.loadTrustMaterial(trustStore) /* this key store must contain the certs needed & trusted to verify the servers cert */
.loadKeyMaterial(trustStore, "pw".toCharArray()) /* this keystore must contain the key/cert of the client */
.build();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext,
SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
CloseableHttpClient httpclient = HttpClients.custom()
.setSSLSocketFactory(sslsf)
.build();
try {
HttpGet httpget = new HttpGet("https://localhost");
System.out.println("executing request" + httpget.getRequestLine());
CloseableHttpResponse response = httpclient.execute(httpget);
try {
HttpEntity entity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
if (entity != null) {
System.out.println("Response content length: " + entity.getContentLength());
}
EntityUtils.consume(entity);
} finally {
response.close();
}
} finally {
httpclient.close();
}
我从HttpClient网站上的示例代码(如果我没有记错的话,自定义SSL上下文)使用以下代码。
{
KeyStore keyStore = KeyStore.getInstance("PKCS12"); //client certificate holder
FileInputStream instream = new FileInputStream(new File(
"client-p12-keystore.p12"));
try {
trustStore.load(instream, "password".toCharArray());
} finally {
instream.close();
}
// Trust own CA and all self-signed certs
SSLContext sslcontext = SSLContexts.custom()
.loadKeyMaterial(keyStore, "password".toCharArray())
// .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy()) //if you have a trust store
.build();
// Allow TLSv1 protocol only
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(
sslcontext, new String[] { "TLSv1" }, null,
SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
CloseableHttpClient httpclient = HttpClients
.custom()
.setHostnameVerifier(
SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER) //todo
.setSSLSocketFactory(sslsf).build();
try {
HttpGet httpget = new HttpGet("https://localhost:8443/secure/index");
System.out.println("executing request" + httpget.getRequestLine());
CloseableHttpResponse response = httpclient.execute(httpget);
try {
HttpEntity entity = response.getEntity();
System.out.println("----------------------------------------");
System.out.println(response.getStatusLine());
if (entity != null) {
System.out.println("Response content length: "
+ entity.getContentLength());
}
EntityUtils.consume(entity);
} finally {
response.close();
}
} finally {
httpclient.close();
}
}
链接到源将是有益的... – 2015-01-08 01:07:47
@EvilRaat http://hc.apache.org/httpcomponents-client-4.3.x/httpclient/examples/org/apache/http/examples/client/ClientCustomSSL.java从http:// HC .apache.org/httpcomponents-客户版本4.3.x/examples.html – EpicPandaForce 2015-01-08 09:04:04
- 1. 使用Java API验证X509证书
- 2. 使用X509证书验证SOAP请求
- 3. x509证书验证C
- 4. 验证X509证书时验证签名
- 5. JSCEP与x509证书和属性证书
- 6. 如何验证C中的X509证书
- 7. WCF身份验证-X509证书
- 8. Android手册X509证书链验证
- 9. Java X509证书解析和验证
- 10. rsacryptoserviceprovider使用x509证书c#
- 11. 为X509证书
- 12. X509证书与主题UID
- 13. dotnetcore相互证书认证?
- 14. Apache HTTPClient在相互身份验证期间不发送客户端证书
- 15. 龙卷风与自我签名证书相互验证
- 16. 验证远程服务器x509证书使用CA证书文件
- 17. 使用x509证书进行S/MIME验证
- 18. X509使用SerialNumber或公钥进行证书验证
- 19. HttpClient的与客户端证书认证
- 20. X509证书格式
- 21. 请求X509证书
- 22. x509证书信息
- 23. 信任所有证书? X509证书
- 24. 如何使用SSL通配符证书通过X509相互验证多个WCF服务器?
- 25. 用于终止X509证书并验证它的C++代码
- 26. x509证书为byte []在Java和回X509证书在C#
- 27. X509证书的颁发与围棋smtp.SendMail
- 28. WCF和证书的糟糕表现(相互验证)
- 29. 集群环境中的相互WCF证书身份验证/ SSL
- 30. Java EE基于证书的相互验证
谢谢。我会很快检查出来的。 – hooknc 2010-07-30 22:10:41
此解决方案完美工作。谢谢您的帮助。 仅供参考,由于SSL握手重新谈判的问题,我不得不设置以下虚拟机属性: -Dsun.security.ssl.allowUnsafeRenegotiation =真 我/是与Java 1.6.0_20和Tomcat 6.0.29工作。 – hooknc 2010-08-18 16:52:01
使用jdk 1.6.0_24或更高版本时,不再需要上述注释。 – hooknc 2011-04-05 15:43:49