首页 > 系统相关 >openssl jni nginx证书私钥有效性校验

openssl jni nginx证书私钥有效性校验

时间:2022-12-21 16:24:02浏览次数:53  
标签:私钥 openssl nginx ----- OpenSSLUtils jni include com

 

1、安装openssl

wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz

./config --prefix=/usr/local/openssl  --shared

--shared为添加动态库,生成libssl.so,默认只有libssl.a静态库

make

make install

ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

cp /usr/local/openssl/lib/openssl/libssl.so.1.1 /lib/x86_64-linux-gnu/

cp /usr/local/openssl/lib/openssl/libcrypto.so.1.1 /lib/x86_64-linux-gnu/ 

 

2、新建jni工程(eclipse为例)

新建java工程PemCheck

src下新建class  com.jni.OpenSSLUtils.java

package com.jni;

public class OpenSSLUtils {
	public native static int checkPem(String pem,String key);
}

cd ${workspace}/PemCheck

javah -classpath . -d . com.jni.OpenSSLUtils

javah -jni com.jni.OpenSSLUtils

此时src下生成com_jni_OpenSSLUtils.h头文件

/* DO NOT EDIT THIS FILE - it is machine generated */
#include <jni.h>
/* Header for class com_jni_OpenSSLUtils */

#ifndef _Included_com_jni_OpenSSLUtils
#define _Included_com_jni_OpenSSLUtils
#ifdef __cplusplus
extern "C" {
#endif
/*
 * Class:     com_jni_OpenSSLUtils
 * Method:    checkPem
 * Signature: (Ljava/lang/String;Ljava/lang/String;)I
 */
JNIEXPORT jint JNICALL Java_com_jni_OpenSSLUtils_checkPem
  (JNIEnv *, jclass, jstring, jstring);

#ifdef __cplusplus
}
#endif
#endif

 3、新建C++工程(eclipse为例)

new project   >> C++ Project    >> ShardLibrary

 

 

 设置编译环境

include jdk的头文件path

include jdk的头文件 linux path

include openssl 头文件path

 

 

 

 

 

 

编译参数加上-fPIC

 

 

 

链接库加上ssl,crypto

 

可以配置个命令将编译后的so库cp到测试或使用的工程路径下 

 

4、编写openssl检测代码

新建src文件夹,将com_jni_OpenSSLUtils.h复制到该目录下,

同时新建com_jni_OpenSSLUtils.cpp

 

#include "com_jni_OpenSSLUtils.h"
#include "openssl/pem.h"
#include "openssl/bio.h"
#include "openssl/ssl.h"

#include <iostream>

using namespace std; // @suppress("Symbol is not resolved")
/*
 * Class:     com_jni_OpenSSLUtils
 * Method:    checkPem
 * Signature: (Ljava/lang/String;Ljava/lang/String;)I
 */
JNIEXPORT jint JNICALL Java_com_jni_OpenSSLUtils_checkPem
  (JNIEnv *env, jclass jc, jstring pem, jstring key){
		BIO* keyBIO;
		EVP_PKEY* pkey;
		BIO* pemBIO = BIO_new_mem_buf(env->GetStringUTFChars(pem,0),-1);
		X509* cert = PEM_read_bio_X509(pemBIO,NULL,NULL,NULL);
	    if (cert == NULL) {
	    	cout << "PEM_read_bio_X509_AUX() failed" << endl;
	    	if(NULL != pemBIO)
	    	  BIO_free(pemBIO);
	    	return -1;
	    }
	    keyBIO = BIO_new_mem_buf(env->GetStringUTFChars(key,0),-1);
	    pkey = PEM_read_bio_PrivateKey(keyBIO,NULL,NULL,NULL);
	    if (pkey == NULL) {
	        	cout << "PEM_read_bio_PrivateKey() failed" << endl;
	        	if(NULL != cert)
	        		X509_free(cert);
	        	if(NULL != pemBIO)
	        		BIO_free(pemBIO);
	        	if(NULL != keyBIO)
	        		BIO_free(keyBIO);
	        	return -1;
	    }
	    SSL_library_init();
	    OpenSSL_add_all_algorithms();
	    SSL_load_error_strings();
	    SSL_CTX* ctx = SSL_CTX_new(SSLv23_client_method());
	    if (ctx == NULL) {
	    	cout << "ctx create failed" << endl;
        	goto bad;
	        }
	    if(SSL_CTX_use_certificate(ctx,cert)<=0){
	    	cout << "user certificate fail" << endl;
	    	goto bad;
	    }

	    if(SSL_CTX_use_PrivateKey(ctx,pkey) <=0){
	    	cout << "user key fail" << endl;
	    	goto bad;
	    }

	    if(!SSL_CTX_check_private_key(ctx)){
	    	cout << "key does not match the certificate" << endl;
	    	goto bad;
	    }
		if(NULL != pemBIO)
			BIO_free(pemBIO);
		if(NULL != keyBIO)
			BIO_free(keyBIO);
		if(NULL != pkey)
			EVP_PKEY_free(pkey);
		if(NULL != cert)
			X509_free(cert);
		if(NULL != ctx)
			SSL_CTX_free(ctx);
		return 0;

		bad:
			if(NULL != cert)
				X509_free(cert);
			if(NULL != pemBIO)
				BIO_free(pemBIO);
			if(NULL != keyBIO)
				BIO_free(keyBIO);
			if(NULL != pkey)
				EVP_PKEY_free(pkey);
			if(NULL != ctx)
				SSL_CTX_free(ctx);
			return -1;
	}

  

 Build All.

5、测试

在java工程下新建Test 类

package com.jni;

public class Test {

	static {
		System.load("${solibpath}/libPemCheck.so");
	}
	
	public static void main(String[] args) {
		System.out.println(
		OpenSSLUtils.checkPem("-----BEGIN CERTIFICATE-----\n"
				+ "MIIDUDCCAjgCCQDcSSulgrGudTANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJD\n"
				+ "TjERMA8GA1UECAwIWmhlamlhbmcxETAPBgNVBAcMCEhhbmd6aG91MQ4wDAYDVQQK\n"
				+ "DAVtb2ZlaTEOMAwGA1UECwwFbW9mZWkxFTATBgNVBAMMDHd3dy50ZXN0LmNvbTAe\n"
				+ "Fw0yMjEyMjEwNzMzNTVaFw0zMjEyMTgwNzMzNTVaMGoxCzAJBgNVBAYTAkNOMREw\n"
				+ "DwYDVQQIDAhaaGVqaWFuZzERMA8GA1UEBwwISGFuZ3pob3UxDjAMBgNVBAoMBW1v\n"
				+ "ZmVpMQ4wDAYDVQQLDAVtb2ZlaTEVMBMGA1UEAwwMd3d3LnRlc3QuY29tMIIBIjAN\n"
				+ "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzqAHiN+76XHpcBIQKzT4+a7L/kI5\n"
				+ "cBeNr07Z0E/9zy9a0k5iVD+4boFk22yGPyoukGWZWnrK0yehAHG4WqEt5FKb8wms\n"
				+ "FEumnscPDmlq1jE+nuRfudUCyJU1PqdfkP4bI34ZKsgH9wiHONmqYAHJaAZtQTbn\n"
				+ "EfWszFEJ4Mjyv/WStN0YX3K2vUjzvvB891oR5YF6WblawG1EqK+qZKtNEOVA5mVQ\n"
				+ "YvTysbPd0dAV6VhDIcdagWSeF4y0f8BOlKrJyEKwiy6b/Mvl6ewf1/aRVF/qa4DV\n"
				+ "scQtg88TDKrmwaKJR4cSfo5JYDw8kkuuuFNazFkqlT6mcWeOrdx+awH1SwIDAQAB\n"
				+ "MA0GCSqGSIb3DQEBCwUAA4IBAQAab5Fl9DNimm3gXdhrOpo8+Gjy9OEon/jy16uF\n"
				+ "SyzOpo45U3r7rtkSSKuQOJZ5VDv3gtBKjVGhFSwbIEHAYVWg8qOliLq2LHAkWwFd\n"
				+ "eN0jVD2/cxjJMhQP7fbfYVLy7mHBp3zQ72uni3EzcjLYTc3Ly45TAko292MjTYcW\n"
				+ "uEkwp1NQiZklFnncXdJIx1vJ+TPweUi66iJk1FYJwkDcQV69GDLO9RnqMUsNHIRo\n"
				+ "q6JvvIBZ+VT8qY5TQ2nxHaWnN/55Iq/5gvZ1XI6J05oTughX0ojSRNfdzGVC8Yg2\n"
				+ "US8cG6NTgx8c1AFl1PA3vb8yGcgvESQIhS5tH60UOnVLVuT4\n"
				+ "-----END CERTIFICATE-----\n"
				+ "","-----BEGIN RSA PRIVATE KEY-----\n"
						+ "MIIEpAIBAAKCAQEAzqAHiN+76XHpcBIQKzT4+a7L/kI5cBeNr07Z0E/9zy9a0k5i\n"
						+ "VD+4boFk22yGPyoukGWZWnrK0yehAHG4WqEt5FKb8wmsFEumnscPDmlq1jE+nuRf\n"
						+ "udUCyJU1PqdfkP4bI34ZKsgH9wiHONmqYAHJaAZtQTbnEfWszFEJ4Mjyv/WStN0Y\n"
						+ "X3K2vUjzvvB891oR5YF6WblawG1EqK+qZKtNEOVA5mVQYvTysbPd0dAV6VhDIcda\n"
						+ "gWSeF4y0f8BOlKrJyEKwiy6b/Mvl6ewf1/aRVF/qa4DVscQtg88TDKrmwaKJR4cS\n"
						+ "fo5JYDw8kkuuuFNazFkqlT6mcWeOrdx+awH1SwIDAQABAoIBAG5Fub+yp/bOdGb7\n"
						+ "POXSP44BW502erD34QXObzBdgHcyLqZObuvHlgZjyA/Su1K6kF8/2bgQEG7gl2xF\n"
						+ "RL4ZhwRzkgcDAnNSbHoQgliOqhXl8iWae/wRUor6FpB5guc+tf0bLxNF7fpI8uHE\n"
						+ "SMk0Kuj5hRVo16keFDp2hW8Rz3vh/VysAjnNuG3Gofvk1TbuEeF15eaLv7k+rZJV\n"
						+ "KoFQ9cbTZD7LZPifimqBjuhCQVpsEfi8vbHidg+W7i+zt5L6e2o2Nc8X4CJE3vAs\n"
						+ "MNGkyxrgR5M+uneOz4+WsuNxwx6YiIPXKYr+kOJvze7sAV0OYNtJVwFHzvmxfQ79\n"
						+ "0XqtxQECgYEA99vSozDexH5Fh7SG+GlTFgzlw4BrmHUv2DyRpXz+ceJdfokHXFfX\n"
						+ "SRCkH0axFQ2U60Iyv/W9oACXtKFHfLOj/fPczA0w7661rF1ANHmrMcodMdE27FcU\n"
						+ "joGe0d2Wj2SnGr4JtqxnZDS/GFJfwQxTpLEI0js6eaK1PRi/krFzB80CgYEA1Wl8\n"
						+ "D7kePEq7KujegF6w9hx5du708c21/usLEhdBLmOhcTE4N3f+fUnYSG0D/3o68BRn\n"
						+ "8CmDkUfQPltLy/l8vJI4OE2kUxxlYa5RRRbvHX47cUHxRuDTK40Ip1iAgHc/EZRE\n"
						+ "HJD65HW7FuiaTSqYb8VIA3ywcLg1UGhqNY7vqXcCgYEAwy3/uTKKugEVj7/BaWzH\n"
						+ "WN3fMQy3rd7aRlWr+71qQRQYu8P8X+NsTMUl+NsaJ5ICayA+BpvlL1JIJJ28RZ7Q\n"
						+ "zPJ0NNtOZfAWcB0eqjQFc7fNNaWisooAThgUkP8FyPViAdUUoR0ybd57fROhA8xJ\n"
						+ "Ma+XWrX5Xj+aqPoMIeBKzSECgYAhLdYw55nwy7mPsUaudIpUqRalS/9e/Jl3+Xju\n"
						+ "JhlnKew2me1gilJRjkKG+BPwC0PQgYurRfkDhEO2/iCppK8k7iK5djC/DyIf7qcJ\n"
						+ "88fXMQHy2Mq3N0r9cV7QDa1ky6VNiVyRiGTJUhh1NlKO/rlWXziT+jXAQJNhXept\n"
						+ "SzytfwKBgQC72ceWLWFBo0uAVPWmxFtOKVUZOY2tN3FwLUQkEt52F+VU2vhrKnpu\n"
						+ "Ja+CRxA0ZycKg8EDYpJA+xFc7GBWZtsfI2iEN2/gH1x96sctmGbyJec9Ws36RqPb\n"
						+ "VgXM+Y6VobyMIOKyJzs/Upz5+3btRToAfUJw5wnThh9zOAIM+VGNxg==\n"
						+ "-----END RSA PRIVATE KEY-----"));
	}
}

  

 

标签:私钥,openssl,nginx,-----,OpenSSLUtils,jni,include,com
From: https://www.cnblogs.com/wuweidong/p/16996480.html

相关文章

  • nginx 拦截访问敏感信息文件
    背景安全部门在做渗透测试的时候发现前端项目可以直接访问config.js文件,里面的配置信息都可以直接被查看到,要求要将敏感信息屏蔽。这里面有三个方法:1、将config.js文件在打......
  • Web集群案例实战 -- Nginx 反向代理 -- 案例实战
    Nginx反向代理--案例实战​​前言​​前言本环境是基于Centos7.8系统构建Nginx学习环境具体构建,请参考​​Nginx-1.18.0环境部署​​环境准备rolehostipnginx-vers......
  • Web集群案例实战 -- Nginx 负载均衡 -- 案例实战
    Nginx负载均衡--案例实战​​前言​​前言本环境是基于Centos7.8系统构建Nginx学习环境具体构建,请参考​​Nginx-1.18.0环境部署​​环境准备rolehostipnginx-vers......
  • Web集群案例实战 -- Nginx 负载均衡 之 客户端访问日志优化
    Nginx负载均衡之客户端访问日志优化​​前言​​前言本环境是基于Centos7.8系统构建Nginx学习环境具体构建,请参考​​Nginx-1.18.0环境部署​​Nginx在做反向代理......
  • 30秒在Centos7安装Nginx(步骤简单)
    Nginx安装1、安装好依赖gcc、gcc-c++、pcre-devel、zlib-devel、openssl、openssl-devel、wgetyum-yinstallgccpcre-develzlib-developensslopenssl-develgcc-c++w......
  • Tomcat+redis+nginx配置
    为客户开发的一个绩效系统,采用了javaweb的开发方式,使用了一些springmvc,mybatis之类的框架。相比于oracleebs的二次开发,这种开发更加灵活,虽然和ebs集成的时候遇到一些问......
  • Windows下Nginx的安装与使用(一):配置端口转发
    Nginx配置Nginx入门Nginx负载均衡Nginx端口转发什么是端口转发当我们在服务器上搭建一个图书以及一个电影的应用,其中图书应用启动了8001端口,电......
  • 安装confluence7.19.4、jira9.4破解并使用Nginx代理
    背景略安装jira准备两个目录,一个是jira的安装目录,一个是jira的home目录,数据都存在home目录/data/jira/data/jira_home下载,解压wgethttps://product-downl......
  • nginx报499
    Nginx499错误的原因及解决方法打开Nginx的access.log发现在最后一次的提交是出现了HTTP1.14990-这样的错误,在百度搜索nginx499错误,结果都是说客户端主动断开了连接。......
  • nginx中proxy_set_header Host $host的作用
    nginx配置upstream负载均衡后请求400,配置proxy_set_headerHost$host成功.请问这是什么原理? proxy_set_headerHost$host有什么作用? ......