使用 HttpClient 4.0.1 对 x509 证书进行相互身份验证

2022-09-04 08:24:10

有没有人对如何使用 HTTPClient 4.0.1 通过 x509 证书执行客户端身份验证有任何友好的提示?


答案 1

下面是一些代码,可帮助您继续学习。是包含客户端证书的对象。如果服务器使用的是自签名证书或未由 CA 签名的证书,如包含的 cacerts 文件中的 JVM 所识别,则需要使用 .否则,要使用缺省 cacerts 文件,请传入 信任库参数。KeyStoreTrustStorenullSSLSockeFactory

import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.scheme.SchemeRegistry;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.impl.conn.tsccm.ThreadSafeClientConnManager;
import org.apache.http.params.BasicHttpParams;
import org.apache.http.params.HttpParams;

...

final HttpParams httpParams = new BasicHttpParams();

// load the keystore containing the client certificate - keystore type is probably jks or pkcs12
final KeyStore keystore = KeyStore.getInstance("pkcs12");
InputStream keystoreInput = null;
// TODO get the keystore as an InputStream from somewhere
keystore.load(keystoreInput, "keystorepassword".toCharArray());

// load the trustore, leave it null to rely on cacerts distributed with the JVM - truststore type is probably jks or pkcs12
KeyStore truststore = KeyStore.getInstance("pkcs12");
InputStream truststoreInput = null;
// TODO get the trustore as an InputStream from somewhere
truststore.load(truststoreInput, "truststorepassword".toCharArray());

final SchemeRegistry schemeRegistry = new SchemeRegistry();
schemeRegistry.register(new Scheme("https", new SSLSocketFactory(keystore, keystorePassword, truststore), 443));

final DefaultHttpClient httpClient = new DefaultHttpClient(new ThreadSafeClientConnManager(httpParams, schemeRegistry), httpParams);

答案 2

另一个解决方案(从另一个示例复制)。我使用相同的密钥库进行“信任”(trustStore)和身份验证(keyStore)。

 KeyStore trustStore  = KeyStore.getInstance(KeyStore.getDefaultType());
 FileInputStream instream = new FileInputStream(new File("miller.keystore"));
 try {
     trustStore.load(instream, "pw".toCharArray());
 } finally {
     instream.close();
 }

 SSLContext sslcontext = SSLContexts.custom()
         .loadTrustMaterial(trustStore) /* this key store must contain the certs needed & trusted to verify the servers cert */
         .loadKeyMaterial(trustStore, "pw".toCharArray()) /* this keystore must contain the key/cert of the client */
         .build();

 SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(sslcontext,
         SSLConnectionSocketFactory.BROWSER_COMPATIBLE_HOSTNAME_VERIFIER);
 CloseableHttpClient httpclient = HttpClients.custom()
         .setSSLSocketFactory(sslsf)
         .build();
 try {

     HttpGet httpget = new HttpGet("https://localhost");

     System.out.println("executing request" + httpget.getRequestLine());

     CloseableHttpResponse response = httpclient.execute(httpget);
     try {
         HttpEntity entity = response.getEntity();

         System.out.println("----------------------------------------");
         System.out.println(response.getStatusLine());
         if (entity != null) {
             System.out.println("Response content length: " + entity.getContentLength());
         }
         EntityUtils.consume(entity);
     } finally {
         response.close();
     }
 } finally {
     httpclient.close();
 }

推荐