Learn and share.
MD5自身是不可逆的,但是目前网路上有很多数据库支持反查询。如果用户密码数据库不小心被泄露黑客就可以通过反查询方式获得用户密码或者对于数据库中出现频率较高的hash码(即很多人使用的)进行暴力破解(因为它通常都是弱口令)。
盐值就是在密码hash过程中添加的额外的随机值,比如我的id是abc,密码是123456,存在数据库中的时候就可以对字符串123456idabc进行hash,而验证密码的时候也以字符串(要验证的密码)+idabc进行验证。
这样有另外一个用户密码是123456的时候,依然能构造出不同的hash值,并且能成功的验证,但这时候我的id就作为盐值为密码进行复杂hash了。
可见,盐值最大的作用之一就是减少数据库泄露带来的损失。
AXIS2启用HTTPS,只需要设置truststore及密码,然后对于HTTPS协议,就会自动启用SSL通信了。
System.setProperty("javax.net.ssl.trustStore", PATH_TO_TRUSTSTORE);
System.setProperty("javax.net.ssl.trustStorePassword", PASSWORD_OF_TRUSTSTORE);
但有时,基于种种原因,比如证书链有问题,比如证书HOST有问题,比如证书本身就有问题,说多了都是泪,这是后就要绕过HTTPS的证书验证了。总起来说,AXIS2有下面几种方式可以跳过HTTPS证书验证:
1、通过设置TrustAllTrustManager来绕过证书验证
这是一种局部设置方式,方式适合用wsdl2java生成stub代码的程序来执行,比如,客户端可以:
SSLContext sslCtx = SSLContext.getInstance("TLS");
sslCtx.init(null, new TrustManager[] {new TrustAllTrustManager()}, null);
stub._getServiceClient().getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER,
new Protocol("https",(ProtocolSocketFactory)new SSLProtocolSocketFactory(sslCtx),443));
2、通过设置CUSTOM_PROTOCOL_HANDLER来绕过证书验证
这是一种全局设置的方式。
Protocol myProtocolHandler = new Protocol("https", new NeoSecureSocketFactory(), 443);
//中心端注册CUSTOM_PROTOCOL_HANDLER
messageContext.getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, myProtocolHandler);
//客户端注册CUSTOM_PROTOCOL_HANDLER
stub._getServiceClient().getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, myProtocolHandler);
3、注册Protocol来绕过证书验证
这是一种全局设置的方式。
Protocol.registerProtocol("https", new Protocol("https", new NeoSecureSocketFactory(), 443));
4、最后是NeoSecureSocketFactory.java
package com.neohope.axis2test;
import javax.net.ssl.*;
import java.io.*;
import java.net.*;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.SocketFactory;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
/**
*
* @author Hansen
*/
public class NeoSecureSocketFactory implements ProtocolSocketFactory {
private static SSLContext ssl = null;
private static TrustManager[ ] getTrustManagers() {
TrustManager[ ] certs = new TrustManager[ ] {
new X509TrustManager() {
public X509Certificate[ ] getAcceptedIssuers() { return null; }
public void checkClientTrusted(X509Certificate[ ] certs, String t) { }
public void checkServerTrusted(X509Certificate[ ] certs, String t) { }
}
};
return certs;
}
private static SSLContext createSSLContext() {
try {
TrustManager[] trustManagers = getTrustManagers();
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, trustManagers, null);
return sslContext;
} catch (KeyManagementException e) {
;
} catch (NoSuchAlgorithmException e) {
;
}
return null;
}
private static SSLContext getSSLContext() {
if (ssl == null) {
ssl = createSSLContext();
}
return ssl;
}
@Override
public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException {
return getSSLContext().getSocketFactory().createSocket(host, port,
clientHost, clientPort);
}
@Override
public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort, HttpConnectionParams params) throws IOException, UnknownHostException, ConnectTimeoutException {
if (params == null) {
throw new IllegalArgumentException("Parameters may not be null");
}
int timeout = params.getConnectionTimeout();
SocketFactory socketfactory = getSSLContext().getSocketFactory();
if (timeout == 0) {
return socketfactory.createSocket(host, port, clientHost,
clientPort);
}
Socket socket = socketfactory.createSocket();
SocketAddress localaddr = new InetSocketAddress(clientHost, clientPort);
SocketAddress remoteaddr = new InetSocketAddress(host, port);
socket.bind(localaddr);
try {
socket.connect(remoteaddr, timeout);
} catch (Exception e) {
throw new ConnectTimeoutException(e.getMessage(), e);
}
return socket;
}
@Override
public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
return getSSLContext().getSocketFactory().createSocket(host, port);
}
}
最近尝试了用两级自签名证书来验证SUN PKIX、AXIS2及C#在HTTPS认证方式的区别。
两级证书为:
1、CA证书NMyCA1024
2、服务器证书serversigned
其中,AXIS2通过验证是最简单的,
1、服务端设置serversigned证书的Key Store
2、客户端设置NMyCA1024或serversigned的Trust Store
3、通过验证。
如果要SUN PKIX通过验证(Oracle的JDK/JRE自带)
1、那需要服务端设置serversigned证书的Key Store
2、客户端设置NMyCA1024或serversigned的Trust Store
3、客户端把NMyCA1024证书导入JDK或JRE的CA证书列表cacerts
4、通过验证。
如果要C#通过验证
1、那需要服务端设置serversigned证书的P12文件
2、客户端设置NMyCA1024或serversigned的Trust Store
3、客户端双击NMyCA1024证书导入IE的CA证书列表
4、通过验证。
package com.neohope.utils;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
public class NDigest
{
/**
* Bytes to Hex String
*
* @param hexBytes
*
* @return hex string
*/
private static String bytesToHexString(byte[] hexBytes)
{
StringBuffer buf = new StringBuffer();
for (int i = 0; i < hexBytes.length; i++)
{
if ((hexBytes[i] & 0xff) < 0x10)
{
buf.append("0");
}
buf.append(Long.toString(hexBytes[i] & 0xff, 16));
}
return buf.toString();
}
/**
* calc MD5 for string
*
* @param textIn
*
* @return md5 digest string
* @throws NoSuchAlgorithmException
*/
public static String MD5Digest(String textIn)
throws NoSuchAlgorithmException
{
byte[] textData = textIn.getBytes();
MessageDigest md = null;
md = MessageDigest.getInstance("MD5");
md.reset();
md.update(textData);
byte[] encodedData = md.digest();
return bytesToHexString(encodedData);
}
/**
* calc SHA1 for string
*
* @param textIn
*
* @return sha1 digest string
* @throws NoSuchAlgorithmException
*/
public static String SHA1Digest(String textIn)
throws NoSuchAlgorithmException
{
byte[] textData = textIn.getBytes();
MessageDigest md = null;
md = MessageDigest.getInstance("SHA1");
md.reset();
md.update(textData);
byte[] encodedData = md.digest();
return bytesToHexString(encodedData);
}
/**
* Encode a string using Base64 encoding.
*
* @param textIn
* @return String
*/
public static String base64Encode(String textIn)
{
sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
return encoder.encodeBuffer(textIn.getBytes()).trim();
}
/**
* Decode a string using Base64 encoding.
*
* @param textIn
* @return String
* @throws IOException
*/
public static String decodeString(String textIn) throws IOException
{
sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder();
return new String(dec.decodeBuffer(textIn));
}
/**
* 使用 HMAC-SHA-1 签名方法对对textIn进行摘要
*
* @param textIn
* @param keyIn
* @return
* @throws Exception
*/
public static String HmacSHA1Digest(String textIn, String keyIn)
throws Exception
{
final String MAC_NAME = "HmacSHA1";
final String ENCODING = "UTF-8";
byte[] keyData = keyIn.getBytes(ENCODING);
SecretKey secretKey = new SecretKeySpec(keyData, MAC_NAME);
Mac mac = Mac.getInstance(MAC_NAME);
mac.init(secretKey);
byte[] textData = textIn.getBytes(ENCODING);
byte[] encodedData = mac.doFinal(textData);
return bytesToHexString(encodedData);
}
// 我就是那个测试函数。。。
public static void main(String args[]) throws Exception
{
String key = "Y9zTQxRvxwrHOi45OoKNnIoxboerNqt3";
String text = "Good good study, day day up.";
String hmacSHA1 = HmacSHA1Digest(text, key );
String base64 = base64Encode(hmacSHA1);
System.out.println(hmacSHA1 );
System.out.println(cbase64);
}
}
一、证书相关文件类型说明
KEY
通常用来存放私钥(或公钥),可能是PEM或DER格式。私钥可以对证书/程序进行签名,也可以用解密公钥加密郭的HTTP消息,是一定要妥善保管的,是不能交给别人的。比如下面是一个典型的私钥:
-----BEGIN RSA PRIVATE KEY----- MIICXgIBAAKBgQC0oavm8KvMLbXqIPheGjeKJ5yCQ2DUBFjmcDuQzpZgHO+NC50f 9sMFZo/MO2HCvejIWHCzbxzFeGgNN/1IEH2oSbJdeAlXTpwNqBqwQBDj/5neM98E a6dvi+FF3loGhhodb0FvSC+TLldfGJodm+kveu3kkp6txeYjaIpcKBr2bwIDAQAB AoGBAJYs//WeTMcRjfgc90GNfHWRX07x49QB1UOpNey7xUwdYpCagkTr7NJVpeI/ 0JSPPbUrym90RrBq3d93mE3M4BqeODGoh2vy1/sArlwFut9SrNA/i7e7wikCQsLa eQRaiNRbDlooxb6J0LLS6M0bb8p/YivFBYIN5G2hs7bgJwCpAkEA63clQ7IQfhGw YuHSaW29GR4YV4MsAcqTQBpjIpQxtrCKCWJElE5Si0wyb48buMZlrhNRpc5Dz+FW HitDUwu2fQJBAMRiVreK4GX48O/f4+dSW8q/lbXQQp4vLB6KxjL+lqEgvzOMhEzJ 6z8BP52J2C3AS/Qen9cH+y0iD5atEYNI+FsCQQDjIUXX2/6erQ95Ap3Fxu4+OVJ/ r+8WN0L89bck1tBxii9Mx/ahHD/xUGniRKgX/4B7fvUmPCYbcyBv74l8pPK9AkAw PDsyb8D4KvH66RIQQjFblj0OYC3Mrqd2hP1zjwauYt2zqqLgPYQzgHoAltfrPN0r A86cwVAXYNNVXgL8LRMbAkEAm5kTm8CsNF4fAcAFFLZMHbz3vkidsnCvHiqXd9vq GCrms/STzQq3LVQqHll1g2SJAYy80SXPSoZVbCxA9pBgzw== -----END RSA PRIVATE KEY-----
查看私钥信息:
openssl rsa -in test.key -text -noout openssl rsa -in test.key -text -noout -inform der
CSR
证书签名请求,即Certificate Signing Request,可能是PEM或DER格式,是向权威证书颁发机构获得签名证书的申请,是一个用私钥签名的,包括了公钥+证书申请者信息的文件。比如下面是一个典型的CSR文件:
-----BEGIN CERTIFICATE REQUEST----- MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5nSGFpMREw DwYDVQQHDAhTaGFuZ0hhaTEQMA4GA1UECgwHTkVPSE9QRTEUMBIGA1UECwwLRGV2 ZWxvcG1lbnQxEjAQBgNVBAMMCU5NeUNBMTAyNDCBnzANBgkqhkiG9w0BAQEFAAOB jQAwgYkCgYEAtKGr5vCrzC216iD4Xho3iiecgkNg1ARY5nA7kM6WYBzvjQudH/bD BWaPzDthwr3oyFhws28cxXhoDTf9SBB9qEmyXXgJV06cDagasEAQ4/+Z3jPfBGun b4vhRd5aBoYaHW9Bb0gvky5XXxiaHZvpL3rt5JKercXmI2iKXCga9m8CAwEAAaAA MA0GCSqGSIb3DQEBBQUAA4GBAA5BUPQcmpUVliu1DHqflVTXR7zOfhtd6UX1uU90 TEGAYlzaggU+dZRtXC86ha+MoiCX2598w4OaM/7vErSOUbwU3Nou9/ooyh+eLt8U ozwHAC6Xpw2phm9d/RkbTpGXCoCRFykV7K8OfS2BYgdQstOJWRti08VD/03NjESd wMIf -----END CERTIFICATE REQUEST-----
查看CSR信息:
openssl req -noout -text -in test.csr openssl req -noout -text -in test.csr -inform der
PEM
PEM证书,即Privacy Enhanced Mail,多用于linux服务器,是Base64编码的文本文件,可以用文本编辑器打开直接查看。PEM证书是互联网中最常使用的证书格式,可用于保存服务器证书、中级证书、私钥等。一个PEM文件中可以保持多个证书及私钥(但一般大家会把证书及私钥放到不同的PEM文件中)。PEM文件的常用后缀有:.pem、.crt、.cer、.key等。 。比如下面是一个典型的PEM文件:
-----BEGIN CERTIFICATE----- MIICrDCCAhWgAwIBAgIJAMUPP9qD0sTlMA0GCSqGSIb3DQEBBQUAMG8xCzAJBgNV BAYTAkNOMREwDwYDVQQIDAhTaGFuZ0hhaTERMA8GA1UEBwwIU2hhbmdIYWkxEDAO BgNVBAoMB05FT0hPUEUxFDASBgNVBAsMC0RldmVsb3BtZW50MRIwEAYDVQQDDAlO TXlDQTEwMjQwHhcNMTYwMzI1MTM0MDI3WhcNMTkwMzI1MTM0MDI3WjBvMQswCQYD VQQGEwJDTjERMA8GA1UECAwIU2hhbmdIYWkxETAPBgNVBAcMCFNoYW5nSGFpMRAw DgYDVQQKDAdORU9IT1BFMRQwEgYDVQQLDAtEZXZlbG9wbWVudDESMBAGA1UEAwwJ Tk15Q0ExMDI0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0oavm8KvMLbXq IPheGjeKJ5yCQ2DUBFjmcDuQzpZgHO+NC50f9sMFZo/MO2HCvejIWHCzbxzFeGgN N/1IEH2oSbJdeAlXTpwNqBqwQBDj/5neM98Ea6dvi+FF3loGhhodb0FvSC+TLldf GJodm+kveu3kkp6txeYjaIpcKBr2bwIDAQABo1AwTjAdBgNVHQ4EFgQUMeG4c9MI Dl8jMTZ3w/V4fAYdNMgwHwYDVR0jBBgwFoAUMeG4c9MIDl8jMTZ3w/V4fAYdNMgw DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCG6ROpwc+j9GoMk02YnRwb VlgYkMjtH2vIb/+zDYmgjOQL0uYJ2xt7LHf2zrRP053rgIJskznNn6CLrM85Dwb0 DqkgwccHYd2439hTZhdZ5BMe7FxUCfeZvKgJ7VjOf1aaBrdUfy5RgikfO6CX6v1L eaV1orOAEma0muLIyE9igQ== -----END CERTIFICATE-----
查看PEM信息:
openssl x509 -in test.pem -text -noout
DER
DER证书,即Distinguished Encoding Rules,多用于Windows服务器及Java平台,为二进制格式,不可以用文本编辑器打开直接查看。DER文件的常用后缀有:.der、.cer等。 所以当您拿到一个证书文件时,可以用文本工具打开看一下,如果可读,一般是PEM格式,如果是二进制文件,一般是DER格式。
查看DER信息:
openssl x509 -in test.der -inform der -text -noout
PKCS#7/P7B
PKCS#7/P7B证书是是Base64编码的文本文件, 证书以”—–BEGIN PKCS7—–“开始,以”—–END PKCS7—–“结束。PKCS#7/P7B证书的常用后缀名有.p7b、.p7c。 PKCS#7/P7B文件中只有证书及证书链,不会包含私钥。Windows及Tomcat都支持这种证书。
openssl pkcs7 -in test.p7b -noout
PKCS#12/P12/PFX
PKCS#12/P12/PFX证书是经过加密的二进制格式,可用于保存服务器证书、中级证书、私钥等。PKCS#12/P12/PFX证书的常用后缀名有 .pfx、.p12。PKCS#12/P12/PFX证书通常用于Windows平台上的证书及私钥的导入及导出。导入及导出时,需要输入PKCS#12/P12/PFX文件的秘密。
openssl pkcs12 -in test.p12 -noout
JKS
JKS,即Java Key Storage,是JAVA程序最常用的证书存储方式。JKS按使用方式,一般会人为的区分为CASTORE,KEYSTORE和TRUSTSTORE,其中CASTORE是JDK/JRE环境自带的,用于存储JAVA信任的CA证书,通常是%JAVA_HOME%/lib/security/cacerts这个文件,相当于一个专门用于存储CA证书的全局TRUSTSTORE;KEYSTORE用于存储私钥,在通讯过程中进行解密,或则用于进行签名;TRUSTSTORE存放的是可以信任的证书,如果是自签名证书的话,建议CASTORE中也事先导入会好一些,会避免很多问题。
查看JKS文件:
keytool -list -v -keystore test.jks -storepass password
总结
其实,咱们总结一下:
1、KEY一般为私钥
2、CSR只是获取证书时用一下
3、常用的证书格式只有PEM和DER两种,区别为是否加密
4、P7B、P12、JKS,只是存放证书的小数据库而已
但有件事情,让这个问题变的复杂了一些,那就是后缀名并不能让你直接区分格式,比如CRT、CER这样的后缀名,只告诉你这是一个证书,但没有告诉你是什么格式。所以要么自己用文本工具及openssl查看一下,判断一下格式咯。
二、常用证书格式转换
#PEM to DER openssl x509 -outform der -in certificate.pem -out certificate.der #PEM to P7B openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer #PEM to PFX/P12 openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt -certfile CACert.crt #DER to PEM openssl x509 -inform der -in certificate.cer -out certificate.pem #P7B to PEM openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer #P7B to PFX/P12 openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.p12 -certfile CACert.cer #PFX/P12 to PEM openssl pkcs12 -in certificate.p12 -out certificate.cer -nodes #JKS to P12 keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12 #P12 to JKS keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks
1、Soap Https Soap Client
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Net.Security;
namespace IISSoapClientTest
{
class Program
{
public static void HelloHttp(string url)
{
Hello h = new Hello(url);
string ans = h.HelloWorld("C# http client");
Console.WriteLine(ans);
Console.WriteLine();
}
//同样的证书,IIS可以过,Tomcat过不去
public static void HelloHttps(string url,String certPath)
{
X509CertificateCollection certs = new X509CertificateCollection();
X509Certificate cert = X509Certificate.CreateFromCertFile(certPath);
Hello h = new Hello(url);
h.ClientCertificates.Add(cert);
string ans = h.HelloWorld("C# https client");
Console.WriteLine(ans);
Console.WriteLine();
}
//绕过证书检查
public static void HelloHttpsWithRemoteCertificateValidationCallback(string url)
{
//ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(RemoteCertificateValidationCallback);
Hello h = new Hello(url);
string ans = h.HelloWorld("C# https client");
Console.WriteLine(ans);
Console.WriteLine();
}
private static bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate,
X509Chain chain, SslPolicyErrors sslPolicyErrors)
{
return true;
}
static void Main(string[] args)
{
//HelloHttp("http://127.0.0.1:80/Hello.asmx");
//HelloHttps("https://127.0.0.1:443/Hello.asmx");
//HelloHttpsWithRemoteCertificateValidationCallback("https://127.0.0.1:443/Hello.asmx");
//HelloHttp("http://127.0.0.1:8080/SoapTest/services/HelloService");
HelloHttps("https://127.0.0.1:8443/SoapTest/services/HelloService", @"D:\DiskE\Projects\VS2010\TestProjects\SSLSocket\myKeyStore.cer");
//HelloHttpsWithRemoteCertificateValidationCallback("https://127.0.0.1:8443/SoapTest/services/HelloService");
}
}
}
1、%Tomcat%/server/server.xml
找到下面一段:
<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->
替换为:
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" disableUploadTimeout="true" enableLookups="false" keystoreFile="D:/JavaContainer/apache-tomcat-6.0.35-x86/myKeyStore.jks" keystorePass="sslTestPwd" />
这样,就可以用https://127.0.0.1:8443访问Tomcat了。
2、在需要使用https项目的axis2.xml文件中,增加下面内容
<!--修改-->
<transportReceiver name="http"
class="org.apache.axis2.transport.http.AxisServletListener">
<parameter name="port">8080</parameter>
</transportReceiver>
<!--新增-->
<transportReceiver name="https"
class="org.apache.axis2.transport.http.AxisServletListener">
<parameter name="port">8443</parameter>
</transportReceiver>
这样,该WebService就可以使用https进行访问了:)
1、首先准备一个p12格式的服务端证书
无论是购买,还是用openssl或java keytool生成自签名证书都可以
2、在IIS7的根目录,选中“安全性->根目录证书”,选择“导入”即可
3、如果显示证书链有问题,则在IE中导入CA证书就好了
4、在需要HTTPS的网站上,选择“绑定”,绑定类型为https,选择需要的证书
5、在客户端的IE中,导入CA证书就好了
1、SoapClient
package com.neohope;
import java.net.URL;
import java.rmi.RemoteException;
public class SoapClientTest {
public static void HelloHttp(String url) throws RemoteException
{
HelloStub h = new HelloStub(url);
com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
hello.setName("Java http client");
com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
System.out.println(rsp.getHelloWorldResult());
}
public static void HelloHttps(String url,String trustStorePath,String trustStorePwd) throws RemoteException
{
URL jksurl = SoapClientTest.class.getClassLoader().getResource(
"myTrustStore.jks");
String jks = jksurl.getFile();
System.setProperty("javax.net.ssl.trustStore", jks);
System.setProperty("javax.net.ssl.trustStorePassword", trustStorePwd);
HelloStub h = new HelloStub(url);
com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
hello.setName("Java https client");
com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
System.out.println(rsp.getHelloWorldResult());
}
public static void main(String[] args) throws RemoteException
{
//HelloHttp("http://localhost:80/Hello.asmx");
HelloHttps("https://localhost:443/Hello.asmx","myTrustStore.jks","sslTestPwd");
}
}
2、SoapClientWithContextTest
package com.neohope;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
import java.rmi.RemoteException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
public class SoapClientWithContextTest {
public static void HelloHttp(String url) throws RemoteException
{
HelloStub h = new HelloStub(url);
com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
hello.setName("Java http client");
com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
System.out.println(rsp.getHelloWorldResult());
}
public static void HelloHttps(String url,String trustStorePath,String trustStorePwd) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, CertificateException, FileNotFoundException, IOException
{
URL jksurl = SoapClientTest.class.getClassLoader().getResource(
"myTrustStore.jks");
String jks = jksurl.getFile();
KeyStore trustStore = KeyStore.getInstance("JKS");
trustStore.load(new FileInputStream(jks), trustStorePwd.toCharArray());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("SunX509");
trustManagerFactory.init(trustStore);
SSLContext sslContext = SSLContext.getInstance("TLSv1");
//SSLContext sslContext = SSLContext.getInstance("SSLv3");
sslContext.init(new KeyManager[0], trustManagerFactory.getTrustManagers(), null);
SSLContext.setDefault(sslContext);
HelloStub h = new HelloStub(url);
com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
hello.setName("Java https client");
com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
System.out.println(rsp.getHelloWorldResult());
}
public static void main(String[] args) throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, CertificateException, FileNotFoundException, IOException
{
//HelloHttp("http://localhost:80/Hello.asmx");
HelloHttps("https://localhost:443/Hello.asmx","myTrustStore.jks","sslTestPwd");
}
}
3、SoapClientWithTrustManagerTest
可以绕过证书检查
package com.neohope;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.rmi.RemoteException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
public class SoapClientWithTrustManagerTest {
public static void HelloHttp(String url) throws RemoteException
{
HelloStub h = new HelloStub(url);
com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
hello.setName("Java http client");
com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
System.out.println(rsp.getHelloWorldResult());
}
public static void HelloHttps(String url,String trustStorePath,String trustStorePwd) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, CertificateException, FileNotFoundException, IOException
{
SSLContext sslContext = SSLContext.getInstance("TLSv1");
//SSLContext sslContext = SSLContext.getInstance("SSLv3");
sslContext.init(new KeyManager[0], new TrustManager[] { new DefaultTrustManager() }, new SecureRandom());
SSLContext.setDefault(sslContext);
HelloStub h = new HelloStub(url);
com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
hello.setName("Java https client");
com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
System.out.println(rsp.getHelloWorldResult());
}
private static class DefaultTrustManager implements X509TrustManager {
@Override
public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return null;
}
}
public static void main(String[] args) throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, CertificateException, FileNotFoundException, IOException
{
//HelloHttp("http://localhost:80/Hello.asmx");
HelloHttps("https://localhost:443/Hello.asmx","myTrustStore.jks","sslTestPwd");
}
}
1、证书生成
generateKey.bat
Set Path=%JAVA_HOME%\bin;%PATH% #生成私钥 keytool -validity 10000 -genkey -alias sslTestKey -keystore myKeyStore.jks -keypass sslTestPwd -storepass sslTestPwd -dname "CN=AtlasTiger, OU=AtlasTiger, O=AtlasTiger, L=ShangHai, ST=ShangHai, C=CN" pause
2、导出公钥证书Cert
exportCert.bat
Set Path=%JAVA_HOME%\bin;%PATH% #导出证书 keytool -export -keystore myKeyStore.jks -storepass sslTestPwd -keypass sslTestPwd -alias sslTestKey -file myKeyStore.crt pause
3、导出TurstStore
exportTrustSotre.bat
Set Path=%JAVA_HOME%\bin;%PATH% #导入证书生成TurstStore keytool -import -file myKeyStore.crt -alias sslTestKey -keystore myTrustStore.jks -keypass sslTestPwd -storepass sslTestPwd pause
4、导出私钥P12格式
exportP12.bat
Set Path=%JAVA_HOME%\bin;%PATH% keytool -importkeystore -srckeystore myKeyStore.jks -destkeystore myKeyStore.p12 -deststoretype PKCS12 -srcstorepass password -deststorepass password pause