首先我們先回顧一下常規的Java Socket編程。在Java下寫一個Socket服務器和客戶端的例子還是比較簡單的。以下是服務端的代碼:
- package org.bluedash.tryssl;
- import java.io.BufferedReader;
- import java.io.IOException;
- import java.io.InputStreamReader;
- import java.io.PrintWriter;
- import java.net.ServerSocket;
- import java.net.Socket;
- public class Server extends Thread {
- private Socket socket;
- public Server(Socket socket) {
- this.socket = socket;
- }
- public void run() {
- try {
- BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream()));
- PrintWriter writer = new PrintWriter(socket.getOutputStream());
- String data = reader.readLine();
- writer.println(data);
- writer.close();
- socket.close();
- } catch (IOException e) {
- }
- }
- public static void main(String[] args) throws Exception {
- while (true) {
- new Server((new ServerSocket(8080)).accept()).start();
- }
- }
- }
服務端很簡單:偵聽8080端口,並把客戶端發來的字符串返回去。下面是客戶端的代碼:
- package org.bluedash.tryssl;
- import java.io.BufferedReader;
- import java.io.InputStreamReader;
- import java.io.PrintWriter;
- import java.net.Socket;
- public class Client {
- public static void main(String[] args) throws Exception {
- Socket s = new Socket("localhost", 8080);
- PrintWriter writer = new PrintWriter(s.getOutputStream());
- BufferedReader reader = new BufferedReader(new InputStreamReader(s.getInputStream()));
- writer.println("hello");
- writer.flush();
- System.out.println(reader.readLine());
- s.close();
- }
- }
客戶端也非常簡單:向服務端發起請求,發送一個"hello"字串,然後獲得服務端的返回。把服務端運行起來後,執行客戶端,我們將得到"hello"的返回。
就是這樣一套簡單的網絡通信的代碼,我們來把它改造成使用SSL通信。在SSL通信協議中,我們都知道首先服務端必須有一個數字證書,當客戶端連接到服務端時,會得到這個證書,然後客戶端會判斷這個證書是否是可信的,如果是,則交換信道加密密鑰,進行通信。如果不信任這個證書,則連接失敗。
因此,我們首先要爲服務端生成一個數字證書。Java環境下,數字證書是用keytool生成的,這些證書被存儲在store的概念中,就是證書倉庫。我們來調用keytool命令爲服務端生成數字證書和保存它使用的證書倉庫:
- keytool -genkey -v -alias bluedash-ssl-demo-server -keyalg RSA -keystore ./server_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass server -keypass 123123
這樣,我們就將服務端證書bluedash-ssl-demo-server保存在了server_ksy這個store文件當中。有關keytool的用法在本文中就不再多贅述。執行上面的命令得到如下結果:
- Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days
- for: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- [Storing ./server_ks]
然後,改造我們的服務端代碼,讓服務端使用這個證書,並提供SSL通信:
- package org.bluedash.tryssl;
- import java.io.BufferedReader;
- import java.io.FileInputStream;
- import java.io.IOException;
- import java.io.InputStreamReader;
- import java.io.PrintWriter;
- import java.net.ServerSocket;
- import java.net.Socket;
- import java.security.KeyStore;
- import javax.net.ServerSocketFactory;
- import javax.net.ssl.KeyManagerFactory;
- import javax.net.ssl.SSLContext;
- import javax.net.ssl.SSLServerSocket;
- public class SSLServer extends Thread {
- private Socket socket;
- public SSLServer(Socket socket) {
- this.socket = socket;
- }
- public void run() {
- try {
- BufferedReader reader = new BufferedReader(new InputStreamReader(socket.getInputStream()));
- PrintWriter writer = new PrintWriter(socket.getOutputStream());
- String data = reader.readLine();
- writer.println(data);
- writer.close();
- socket.close();
- } catch (IOException e) {
- }
- }
- private static String SERVER_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/server_ks";
- private static String SERVER_KEY_STORE_PASSWORD = "123123";
- public static void main(String[] args) throws Exception {
- System.setProperty("javax.net.ssl.trustStore", SERVER_KEY_STORE);
- SSLContext context = SSLContext.getInstance("TLS");
- KeyStore ks = KeyStore.getInstance("jceks");
- ks.load(new FileInputStream(SERVER_KEY_STORE), null);
- KeyManagerFactory kf = KeyManagerFactory.getInstance("SunX509");
- kf.init(ks, SERVER_KEY_STORE_PASSWORD.toCharArray());
- context.init(kf.getKeyManagers(), null, null);
- ServerSocketFactory factory = context.getServerSocketFactory();
- ServerSocket _socket = factory.createServerSocket(8443);
- ((SSLServerSocket) _socket).setNeedClientAuth(false);
- while (true) {
- new SSLServer(_socket.accept()).start();
- }
- }
- }
可以看到,服務端的Socket準備設置工作大大增加了,增加的代碼的作用主要是將證書導入並進行使用。此外,所使用的Socket變成了SSLServerSocket,另外端口改到了8443(這個不是強制的,僅僅是爲了遵守習慣)。另外,最重要的一點,服務端證書裏面的CN一定和服務端的域名統一,我們的證書服務的域名是localhost,那麼我們的客戶端在連接服務端時一定也要用localhost來連接,否則根據SSL協議標準,域名與證書的CN不匹配,說明這個證書是不安全的,通信將無法正常運行。
有了服務端,我們原來的客戶端就不能使用了,必須要走SSL協議。由於服務端的證書是我們自己生成的,沒有任何受信任機構的簽名,所以客戶端是無法驗證服務端證書的有效性的,通信必然會失敗。所以我們需要爲客戶端創建一個保存所有信任證書的倉庫,然後把服務端證書導進這個倉庫。這樣,當客戶端連接服務端時,會發現服務端的證書在自己的信任列表中,就可以正常通信了。
因此現在我們要做的是生成一個客戶端的證書倉庫,因爲keytool不能僅生成一個空白倉庫,所以和服務端一樣,我們還是生成一個證書加一個倉庫(客戶端證書加倉庫):
- keytool -genkey -v -alias bluedash-ssl-demo-client -keyalg RSA -keystore ./client_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass client -keypass 456456
結果如下:
- Generating 1,024 bit RSA key pair and self-signed certificate (SHA1withRSA) with a validity of 90 days
- for: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- [Storing ./client_ks]
接下來,我們要把服務端的證書導出來,並導入到客戶端的倉庫。第一步是導出服務端的證書:
- keytool -export -alias bluedash-ssl-demo-server -keystore ./server_ks -file server_key.cer
執行結果如下:
- Enter keystore password: server
- Certificate stored in file <server_key.cer>
然後是把導出的證書導入到客戶端證書倉庫:
- keytool -import -trustcacerts -alias bluedash-ssl-demo-server -file ./server_key.cer -keystore ./client_ks
結果如下:
- Enter keystore password: client
- Owner: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- Issuer: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- Serial number: 4c57c7de
- Valid from: Tue Aug 03 15:40:14 CST 2010 until: Mon Nov 01 15:40:14 CST 2010
- Certificate fingerprints:
- MD5: FC:D4:8B:36:3F:1B:30:EA:6D:63:55:4F:C7:68:3B:0C
- SHA1: E1:54:2F:7C:1A:50:F5:74:AA:63:1E:F9:CC:B1:1C:73:AA:34:8A:C4
- Signature algorithm name: SHA1withRSA
- Version: 3
- Trust this certificate? [no]: yes
- Certificate was added to keystore
好,準備工作做完了,我們來撰寫客戶端的代碼:
- package org.bluedash.tryssl;
- import java.io.BufferedReader;
- import java.io.InputStreamReader;
- import java.io.PrintWriter;
- import java.net.Socket;
- import javax.net.SocketFactory;
- import javax.net.ssl.SSLSocketFactory;
- public class SSLClient {
- private static String CLIENT_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/client_ks";
- public static void main(String[] args) throws Exception {
- // Set the key store to use for validating the server cert.
- System.setProperty("javax.net.ssl.trustStore", CLIENT_KEY_STORE);
- System.setProperty("javax.net.debug", "ssl,handshake");
- SSLClient client = new SSLClient();
- Socket s = client.clientWithoutCert();
- PrintWriter writer = new PrintWriter(s.getOutputStream());
- BufferedReader reader = new BufferedReader(new InputStreamReader(s
- .getInputStream()));
- writer.println("hello");
- writer.flush();
- System.out.println(reader.readLine());
- s.close();
- }
- private Socket clientWithoutCert() throws Exception {
- SocketFactory sf = SSLSocketFactory.getDefault();
- Socket s = sf.createSocket("localhost", 8443);
- return s;
- }
- }
可以看到,除了把一些類變成SSL通信類以外,客戶端也多出了使用信任證書倉庫的代碼。以上,我們便完成了SSL單向握手通信。即:客戶端驗證服務端的證書,服務端不認證客戶端的證書。
以上便是Java環境下SSL單向握手的全過程。因爲我們在客戶端設置了日誌輸出級別爲DEBUG:
- System.setProperty("javax.net.debug", "ssl,handshake");
因此我們可以看到SSL通信的全過程,這些日誌可以幫助我們更具體地瞭解通過SSL協議建立網絡連接時的全過程。
結合日誌,我們來看一下SSL雙向認證的全過程:
第一步: 客戶端發送ClientHello消息,發起SSL連接請求,告訴服務器自己支持的SSL選項(加密方式等)。
- *** ClientHello, TLSv1
第二步: 服務器響應請求,回覆ServerHello消息,和客戶端確認SSL加密方式:
- *** ServerHello, TLSv1
第三步: 服務端向客戶端發佈自己的公鑰。
第四步: 客戶端與服務端的協通溝通完畢,服務端發送ServerHelloDone消息:
- *** ServerHelloDone
第五步: 客戶端使用服務端給予的公鑰,創建會話用密鑰(SSL證書認證完成後,爲了提高性能,所有的信息交互就可能會使用對稱加密算法),並通過ClientKeyExchange消息發給服務器:
- *** ClientKeyExchange, RSA PreMasterSecret, TLSv1
第六步: 客戶端通知服務器改變加密算法,通過ChangeCipherSpec消息發給服務端:
- main, WRITE: TLSv1 Change Cipher Spec, length = 1
第七步: 客戶端發送Finished消息,告知服務器請檢查加密算法的變更請求:
- *** Finished
第八步:服務端確認算法變更,返回ChangeCipherSpec消息
- main, READ: TLSv1 Change Cipher Spec, length = 1
第九步:服務端發送Finished消息,加密算法生效:
- *** Finished
那麼如何讓服務端也認證客戶端的身份,即雙向握手呢?其實很簡單,在服務端代碼中,把這一行:
- ((SSLServerSocket) _socket).setNeedClientAuth(false);
改成:
- ((SSLServerSocket) _socket).setNeedClientAuth(true);
就可以了。但是,同樣的道理,現在服務端並沒有信任客戶端的證書,因爲客戶端的證書也是自己生成的。所以,對於服務端,需要做同樣的工作:把客戶端的證書導出來,並導入到服務端的證書倉庫:
- keytool -export -alias bluedash-ssl-demo-client -keystore ./client_ks -file client_key.cer
- Enter keystore password: client
- Certificate stored in file <client_key.cer>
- keytool -import -trustcacerts -alias bluedash-ssl-demo-client -file ./client_key.cer -keystore ./server_ks
- Enter keystore password: server
- Owner: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- Issuer: CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn
- Serial number: 4c57c80b
- Valid from: Tue Aug 03 15:40:59 CST 2010 until: Mon Nov 01 15:40:59 CST 2010
- Certificate fingerprints:
- MD5: DB:91:F4:1E:65:D1:81:F2:1E:A6:A3:55:3F:E8:12:79
- SHA1: BF:77:56:61:04:DD:95:FC:E5:84:48:5C:BE:60:AF:02:96:A2:E1:E2
- Signature algorithm name: SHA1withRSA
- Version: 3
- Trust this certificate? [no]: yes
- Certificate was added to keystore
完成了證書的導入,還要在客戶端需要加入一段代碼,用於在連接時,客戶端向服務端出示自己的證書:
- package org.bluedash.tryssl;
- import java.io.BufferedReader;
- import java.io.FileInputStream;
- import java.io.InputStreamReader;
- import java.io.PrintWriter;
- import java.net.Socket;
- import java.security.KeyStore;
- import javax.net.SocketFactory;
- import javax.net.ssl.KeyManagerFactory;
- import javax.net.ssl.SSLContext;
- import javax.net.ssl.SSLSocketFactory;
- public class SSLClient {
- private static String CLIENT_KEY_STORE = "/Users/liweinan/projs/ssl/src/main/resources/META-INF/client_ks";
- private static String CLIENT_KEY_STORE_PASSWORD = "456456";
- public static void main(String[] args) throws Exception {
- // Set the key store to use for validating the server cert.
- System.setProperty("javax.net.ssl.trustStore", CLIENT_KEY_STORE);
- System.setProperty("javax.net.debug", "ssl,handshake");
- SSLClient client = new SSLClient();
- Socket s = client.clientWithCert();
- PrintWriter writer = new PrintWriter(s.getOutputStream());
- BufferedReader reader = new BufferedReader(new InputStreamReader(s.getInputStream()));
- writer.println("hello");
- writer.flush();
- System.out.println(reader.readLine());
- s.close();
- }
- private Socket clientWithoutCert() throws Exception {
- SocketFactory sf = SSLSocketFactory.getDefault();
- Socket s = sf.createSocket("localhost", 8443);
- return s;
- }
- private Socket clientWithCert() throws Exception {
- SSLContext context = SSLContext.getInstance("TLS");
- KeyStore ks = KeyStore.getInstance("jceks");
- ks.load(new FileInputStream(CLIENT_KEY_STORE), null);
- KeyManagerFactory kf = KeyManagerFactory.getInstance("SunX509");
- kf.init(ks, CLIENT_KEY_STORE_PASSWORD.toCharArray());
- context.init(kf.getKeyManagers(), null, null);
- SocketFactory factory = context.getSocketFactory();
- Socket s = factory.createSocket("localhost", 8443);
- return s;
- }
- }
通過比對單向認證的日誌輸出,我們可以發現雙向認證時,多出了服務端認證客戶端證書的步驟:
- *** CertificateRequest
- Cert Types: RSA, DSS
- Cert Authorities:
- <CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn>
- <CN=localhost, OU=cn, O=cn, L=cn, ST=cn, C=cn>
- *** ServerHelloDone
- *** CertificateVerify
- main, WRITE: TLSv1 Handshake, length = 134
- main, WRITE: TLSv1 Change Cipher Spec, length = 1
在 @*** ServerHelloDone@ 之前,服務端向客戶端發起了需要證書的請求 @*** CertificateRequest@ 。
在客戶端向服務端發出 @Change Cipher Spec@ 請求之前,多了一步客戶端證書認證的過程 @*** CertificateVerify@ 。
客戶端與服務端互相認證證書的情景,可參考下圖: