有几篇不错的文章:
http://www.cnblogs.com/pen-ink/archive/2011/01/17/1937680.html 这个应该是最简单的示例了。 不过,当两个password不同的时候会运行不了。
http://www.cnblogs.com/yqskj/p/3142006.html 这个很不错,不过却不是完整的示例。
http://www.iteye.com/topic/1125183 非常非常好的帖子
先建立客户端、服务端两个目录
接着上文,拷贝tclient.keystore至客户端,拷贝tserver.keystore至服务端
import java.io.BufferedReader; import java.io.FileInputStream; import java.io.InputStream; import java.io.InputStreamReader; import java.security.KeyStore; import javax.net.ssl.KeyManagerFactory; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLServerSocket; import javax.net.ssl.SSLSocket; import javax.net.ssl.TrustManagerFactory; public class SSLServer { private static String SERVER_KEY_STORE_PASSWORD = "123456"; private static String SERVER_TRUST_KEY_STORE_PASSWORD = "123456"; private static int DEFAULT_PORT = 9999; public static void main(String[] arstring) { try { SSLServerSocket sslServerSocket = asfd(); SSLSocket sslsocket = (SSLSocket) sslServerSocket.accept(); InputStream inputstream = sslsocket.getInputStream(); InputStreamReader inputstreamreader = new InputStreamReader( inputstream); BufferedReader bufferedreader = new BufferedReader( inputstreamreader); String string = null; while ((string = bufferedreader.readLine()) != null) { System.out.println(string); System.out.flush(); } } catch (Exception e) { // TODO Auto-generated catch block e.printStackTrace(); } } private static SSLServerSocket asfd() throws Exception { // TODO Auto-generated method stub SSLContext ctx = SSLContext.getInstance("SSL"); KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); KeyStore ks = KeyStore.getInstance("JKS"); KeyStore tks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream("data/kserver.keystore"), SERVER_KEY_STORE_PASSWORD.toCharArray()); tks.load(new FileInputStream("data/tserver.keystore"), SERVER_TRUST_KEY_STORE_PASSWORD.toCharArray()); kmf.init(ks, SERVER_KEY_STORE_PASSWORD.toCharArray()); tmf.init(tks); ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); return (SSLServerSocket) ctx.getServerSocketFactory() .createServerSocket(DEFAULT_PORT); } }
import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
public class SSLClient {
private static final String DEFAULT_HOST = "127.0.0.1";
private static final int DEFAULT_PORT = 9999;
private static String CLIENT_KEY_STORE_PASSWORD = "123456";
private static String CLIENT_TRUST_KEY_STORE_PASSWORD = "123456";
public static void main(String[] arstring) throws Exception {
SSLSocket sslsocket = asf();
InputStream inputstream = System.in;
InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
BufferedReader bufferedreader = new BufferedReader(inputstreamreader);
OutputStream outputstream = sslsocket.getOutputStream();
OutputStreamWriter outputstreamwriter = new OutputStreamWriter(
outputstream);
BufferedWriter bufferedwriter = new BufferedWriter(outputstreamwriter);
String string = null;
while ((string = bufferedreader.readLine()) != null) {
bufferedwriter.write(string + '
');
bufferedwriter.flush();
}
}
private static SSLSocket asf() throws Exception {
// TODO Auto-generated method stub
SSLContext ctx = SSLContext.getInstance("SSL");
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
KeyStore ks = KeyStore.getInstance("JKS");
KeyStore tks = KeyStore.getInstance("JKS");
ks.load(new FileInputStream("data/kclient.keystore"),
CLIENT_KEY_STORE_PASSWORD.toCharArray());
tks.load(new FileInputStream("data/tclient.keystore"),
CLIENT_TRUST_KEY_STORE_PASSWORD.toCharArray());
kmf.init(ks, CLIENT_KEY_STORE_PASSWORD.toCharArray());
tmf.init(tks);
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
return (SSLSocket) ctx.getSocketFactory().createSocket(DEFAULT_HOST,
DEFAULT_PORT);
}
}
然后分别在服务端执行java SSLServer、客户端执行java SSLClient 即可看到结果
不过,如果要是CLIENT_KEY_STORE_PASSWORD 和CLIENT_TRUST_KEY_STORE_PASSWORD 不一致需要怎么处理??
待续。。
==========
我再简单的总结一下
1 要区分密钥库-此时的密钥应该是特指私钥、授权证书、授权证书库- 专门存储证书的地方
a 生成私钥库
C:xxssl>keytool -genkey
-v -alias bluedash-ssl-demo-client -keyalg RSA -keystore
./client_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass client -keypass 456456
用来生成密钥库 rsa 即是其使用的非对称算法,storepass 是指、而keypass 呢;
b 通过密钥库生成证书
C:xxssl>keytool -export -alias bluedash-ssl-demo-server -keystore ./server_ks -file server_key.cer
-file server_key.cer 指明证书名字---- 应该理解为将server_ks 的公钥export-导出到了server_key.cer中去了
c 将client_ks加入至server_key.cer中去 --说反了!。。-- 为什么要这么做、见那张图。 认证的需要。
C:xxssl>keytool -import -trustcacerts -alias bluedash-ssl-demo-server -file ./server_key.cer -keystore ./client_ks
此处的 -keystore ./client_ks,---- 可以是同之前的client_ks,也可以是个不同的证书xx_ks。 此处只是为了方便,才这样。。。、
就是说密钥库和授权证书库可以是同一个
2 上面描述的是单向认证,一般情况我们也需要双向认证。
3 密钥库、证书、证书库文件的后缀不限。 完成证书的导入-至证书库-之后,证书不在使用,可以丢弃?。。
4 代码中应该使用SSLSocket、SSLClient
5 SSL并不存在服务端和客户端,只存在谁需要信任谁
================ 和ssh的区别? ================
其实原理上、实现上好像也没太大区别
简单说ssl用于http协议安全
ssh用于telnet协议。-- tcp层?