1、Example code
// Imports are added here for completeness. The fields referenced by the method (inStream,
// cookieStore, REQUEST_CONFIG, log) are not shown in the original post; they are assumed to be
// members of the enclosing class, and the SLF4J logger type is an assumption as well.
import java.io.IOException;
import java.io.InputStream;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
import org.apache.http.client.CookieStore;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.slf4j.Logger;

private InputStream inStream;        // stream over the client PFX/PKCS#12 file (assumed field)
private CookieStore cookieStore;     // assumed field
private RequestConfig REQUEST_CONFIG; // assumed field
private Logger log;                  // assumed field

private CloseableHttpClient createSslKeyClient(String keyStorePwd)
        throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException,
               UnrecoverableKeyException, KeyManagementException {
    KeyStore clientStore = KeyStore.getInstance("PKCS12");
    if (inStream == null) {
        // The original only logged here and carried on; kmFactory.init() below then fails on
        // an uninitialized KeyStore, so fail explicitly instead.
        log.warn("PFX Key File not exist");
        throw new KeyStoreException("PFX key file not found; cannot build the client key store");
    }
    clientStore.load(inStream, keyStorePwd.toCharArray());

    // Trust everybody: no certificate chain validation at all (see the explanation below;
    // unsafe anywhere but a test environment)
    X509TrustManager tm = new X509TrustManager() {
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) {}
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) {}
        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    SSLContext sslCtx = SSLContext.getInstance("TLS");
    KeyManagerFactory kmFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmFactory.init(clientStore, keyStorePwd.toCharArray());
    KeyManager[] keyManagers = kmFactory.getKeyManagers();
    sslCtx.init(keyManagers, new TrustManager[]{tm}, null);

    // Single-argument constructor: HttpClient's default hostname verifier, protocols and
    // cipher suites taken from the context's defaults
    SSLConnectionSocketFactory sslConnectionFactory = new SSLConnectionSocketFactory(sslCtx);
    Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
            .register("https", sslConnectionFactory)
            .register("http", new PlainConnectionSocketFactory())
            .build();
    PoolingHttpClientConnectionManager pcm = new PoolingHttpClientConnectionManager(registry);
    HttpClientBuilder hcb = HttpClientBuilder.create()
            .setConnectionManager(pcm)
            .setDefaultCookieStore(cookieStore)
            .setKeepAliveStrategy((response, context) -> 60 * 1000 * 40)   // 40 minutes, in ms
            .setDefaultRequestConfig(REQUEST_CONFIG);
    return hcb.build();
}
2、Code explanation:
SSLContext sslCtx = SSLContext.getInstance("TLS");
Explanation: obtains an SSLContext. The protocol name "TLS" does not pin a single version; the context supports whatever TLS versions the JDK has enabled (a current JDK defaults to TLSv1.3 and TLSv1.2, with older versions switched off through the jdk.tls.disabledAlgorithms security property). If you need to guarantee that only specific versions are negotiated, restrict the enabled protocols on the socket factory rather than relying on this name alone.
sslCtx.init(keyManagers, new TrustManager[]{tm}, null);
Explanation:
SSLContext.init (the context itself comes from getInstance; this call configures it) takes three important parameters:
1、keyManagers: key management, i.e. the identity this side presents during the handshake (private key plus certificate chain). Passing null falls back to the JDK's default KeyManagerFactory, which only supplies a certificate if one is configured through the javax.net.ssl.keyStore system properties.
2、TrustManager: the trust managers that decide whether the peer's certificate chain is accepted. Passing null falls back to the JDK's default (PKIX validation against the cacerts trust store).
3、Third parameter: the SecureRandom source used for the handshake's random values. Passing null selects the provider's default, which is what you normally want.
Parameter description - keyManagers
KeyStore clientStore = KeyStore.getInstance("PKCS12");
KeyManagerFactory kmFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmFactory.init(clientStore, keyStorePwd.toCharArray());
KeyManager[] keyManagers = kmFactory.getKeyManagers();
Explanation:
1、Creates a KeyStore instance with the key store type "PKCS12". PKCS#12 is a widely used key store format that can hold private keys together with their certificate chains, as well as other certificates.
2、KeyManagerFactory creates and manages key managers, which supply the key material needed during the SSL/TLS handshake. On a client they provide the certificate and private key for client authentication; on a server they provide the server's private key and certificate chain. KeyManagerFactory.getInstance returns a factory for a named algorithm, and getDefaultAlgorithm returns the default algorithm name, which on the standard JDK is "SunX509" (set by the ssl.KeyManagerFactory.algorithm security property). The init call unlocks the private key entries with the key store password; getKeyManagers then returns the managers passed to SSLContext.init.
Parameter description - TrustManager
import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

public class TrustAllCertificates implements X509TrustManager {
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) {
        // Trust all certificates
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) {
        // Trust all certificates
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[]{};
    }
}
Explanation:
X509TrustManager is the interface used to validate X.509 certificate chains. An implementation is consulted during the SSL/TLS handshake: checkServerTrusted for the server's chain on the client side, checkClientTrusted for the client's chain on the server side. Accepting the chain means returning normally; rejecting it means throwing a CertificateException.
In this example checkClientTrusted and checkServerTrusted have empty bodies, so they never throw and therefore accept every chain without performing any validation: no signature check, no expiry check, no trust anchor, no revocation. An SSL connection built on this X509TrustManager therefore does not verify the server's certificate. That may be convenient in a test environment, but it is very insecure in production, because it leaves the connection open to man-in-the-middle attacks: anyone on the network path can present a self-signed certificate and the client will accept it. HttpClient's default hostname verifier still runs with the single-argument SSLConnectionSocketFactory constructor used above, but it only checks that the name inside whatever certificate was presented matches the requested host, which an attacker who mints the certificate can trivially satisfy.
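The corrected form of the client, as an added example that is not part of the original post: it keeps the PKCS#12 client key store (so mutual TLS still works) but replaces the hand-written X509TrustManager with one produced by TrustManagerFactory, restricts the negotiated protocol versions, and keeps hostname verification. It assumes Apache HttpClient 4.4 or later (for the SSLConnectionSocketFactory constructor that takes a protocol list and a HostnameVerifier) and JDK 8 or later. The class name HardenedSslClient, the create(...) method and its parameters are this example's own, not the post's.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;

/** Example class (not from the original post): a client that validates the server properly. */
public final class HardenedSslClient {

    /** Protocol versions we are willing to negotiate; anything older is refused. */
    private static final String[] PROTOCOLS = {"TLSv1.3", "TLSv1.2"};

    /**
     * Builds a client that presents the PKCS#12 client certificate (mutual TLS) and validates
     * the server chain against a trust store instead of trusting everybody.
     *
     * @param clientKeyStore path to the client PKCS#12 file; null if the server does not
     *                       require a client certificate
     * @param keyStorePwd    password protecting the PKCS#12 file and its private key
     * @param trustStore     path to a PKCS#12 trust store holding the CA(s) that issued the
     *                       server certificate; null means the JDK's default cacerts
     * @param trustStorePwd  trust store password (ignored when trustStore is null)
     */
    public static CloseableHttpClient create(Path clientKeyStore, char[] keyStorePwd,
                                             Path trustStore, char[] trustStorePwd)
            throws GeneralSecurityException, IOException {

        // KeyManager: our own identity, only needed for mutual TLS.
        KeyManagerFactory kmf = null;
        if (clientKeyStore != null) {
            if (!Files.isRegularFile(clientKeyStore)) {
                // Fail closed. The original only logged a warning and then blew up later
                // on an uninitialized KeyStore.
                throw new IOException("client key store not found: " + clientKeyStore);
            }
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(clientKeyStore)) {
                ks.load(in, keyStorePwd);
            }
            kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, keyStorePwd);
        }

        // TrustManager: PKIX chain validation against an explicit set of trust anchors.
        // init(null) selects the JDK's default trust store, so there is never a reason to
        // write an X509TrustManager that accepts everything.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        if (trustStore != null) {
            KeyStore ts = KeyStore.getInstance("PKCS12");
            try (InputStream in = Files.newInputStream(trustStore)) {
                ts.load(in, trustStorePwd);
            }
            tmf.init(ts);
        } else {
            tmf.init((KeyStore) null);
        }

        SSLContext sslCtx = SSLContext.getInstance("TLS");
        // null SecureRandom: the provider's default source, which is the right choice.
        sslCtx.init(kmf == null ? null : kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        // Restrict protocol versions and keep hostname verification. Chain validation alone
        // does not stop a validly issued certificate for some other host from being accepted.
        SSLConnectionSocketFactory sslFactory = new SSLConnectionSocketFactory(
                sslCtx, PROTOCOLS, null, SSLConnectionSocketFactory.getDefaultHostnameVerifier());

        Registry<ConnectionSocketFactory> registry = RegistryBuilder.<ConnectionSocketFactory>create()
                .register("https", sslFactory)
                .register("http", PlainConnectionSocketFactory.getSocketFactory())
                .build();

        return HttpClientBuilder.create()
                .setConnectionManager(new PoolingHttpClientConnectionManager(registry))
                .build();
    }
}
```

Call it as HardenedSslClient.create(Paths.get("client.p12"), pwd, Paths.get("truststore.p12"), tsPwd), or pass null as the trust store to validate against the JDK's cacerts. The cookie store, keep-alive strategy and request config from the original builder chain can be added back on the HttpClientBuilder unchanged; only the trust decision and the protocol list differ from the post's version.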
From: https://www.cnblogs.com/xzlnuli/p/18459943