SSL two-way authentication JAVA Implementation

This article introduces the JAVA Implementation of SSL two-way authentication through simulation scenarios.

By default, I think the reader has a certain understanding of the SSL principle, so I will not detail the SSL principle in this article.
If you need this, you can find many such articles through Google.

Simulation Scenario:
For communications between the server and the client, authorization and authentication are required. That is, the client can only accept messages from the server, and the server can only accept messages from the client.

Implementation Technology:
JSSE (Java security socket extension)
It is a solution that sun has launched to solve secure communication on the Internet. It implements SSL and TSL (Transport Layer Security) protocols. JSSE includes data encryption, server verification, message integrity, client verification, and other technologies. By using JSSE, developers can transmit data securely between the client and the server through the TCP/IP protocol.

To Implement Message Authentication.
Server needs:
1) keystore: stores the private key of the server.
2) Trust keystore: stores the client's authorization certificate
Similarly, the client needs:
1) keystore: stores the client's private key.
2) Trust keystore: stores the server's authorization certificate

We can use the keytool command that comes with Java to generate such an information file.
1) generate the private key of the server and import it to the keystore file of the server.
Keytool-genkey-alias serverkey-keystore kserver. keystore
In the process, you need to fill them in separately, and set them as needed.
Keystore password: 123456
Name and surname: Stone
Organizational unit name: eulic
Organization Name: eulic
City or region name: Hz
State or province name: ZJ
Country code: CN
The password of the serverkey private key, which is the same as that of the keystore: 123456
You can generate the kserver. keystore file.
Server. keystore is used by the server, where the private key is saved.

2) Export the server certificate based on the private key
Keytool-export-alias serverkey-keystore kserver. keystore-file server. CRT
Server. CRT is the server certificate.

3) import the server certificate to the trust keystore of the client.
Keytool-import-alias serverkey-file server. CRT-keystore tclient. keystore
Tclient. keystore is used by the client, where a trusted certificate is saved.

Generate the private key and certificate of the client in the same way, and import them to the trust keystore of the server.
1) keytool-genkey-alias clientkey-keystore kclient. keystore
2) keytool-export-alias clientkey-keystore kclient. keystore-file client. CRT
3) keytool-import-alias clientkey-file client. CRT-keystore tserver. keystore

In this way, the generated files are divided into two groups.
Save on the server: kserver. keystore tserver. keystore
Save the client: kclient. keystore tclient. kyestore

Next, use JSSE to generate sslserversocket and sslsocket respectively.

Server, generate sslserversocket code Sslcontext CTX = sslcontext. getinstance ("SSL ");

Keymanagerfactory kmf = keymanagerfactory. getinstance ("sunx509 ");
Trustmanagerfactory TMF = trustmanagerfactory. getinstance ("sunx509 ");

Keystore Ks = keystore. getinstance ("jks ");
Keystore TKs = keystore. getinstance ("jks ");

KS. Load (New fileinputstream ("Data/kserver. keystore"), server_key_store_password.tochararray ());
TKs. Load (New fileinputstream ("Data/tserver. keystore"), server_trust_key_store_password.tochararray ());

Kmf. INIT (KS, server_key_store_password.tochararray ());
TMF. INIT (TKs );

CTX. INIT (kmf. getkeymanagers (), TMF. gettrustmanagers (), null );

Return (sslserversocket) CTX. getserversocketfactory (). createserversocket (default_port );

Client to generate sslsocket code. Sslcontext CTX = sslcontext. getinstance ("SSL ");

Keymanagerfactory kmf = keymanagerfactory. getinstance ("sunx509 ");
Trustmanagerfactory TMF = trustmanagerfactory. getinstance ("sunx509 ");

Keystore Ks = keystore. getinstance ("jks ");
Keystore TKs = keystore. getinstance ("jks ");

KS. Load (New fileinputstream ("Data/kclient. keystore"), client_key_store_password.tochararray ());
TKs. Load (New fileinputstream ("Data/tclient. keystore"), client_trust_key_store_password.tochararray ());

Kmf. INIT (KS, client_key_store_password.tochararray ());
TMF. INIT (TKs );

CTX. INIT (kmf. getkeymanagers (), TMF. gettrustmanagers (), null );

Return (sslsocket) CTX. getsocketfactory (). createsocket (default_host, default_port );

In this way, the authentication-based interaction between the server and the client is completed.

The client uses the clientkey private key in kclient. keystore for data encryption and sends it to the server.
The server decrypts the data using the client. CRT Certificate in tserver. keystore (including the public key of the clientkey). If the decryption succeeds, it indicates that the message comes from the client and performs logical processing.

The server uses the serverkey private key in kserver. keystore to call the data meter and send it to the client.
The client decrypts the data using the server. CRT Certificate in tclient. keystore (including the public key of the serverkey). If the decryption succeeds, it proves that the message comes from the server and performs logical processing.

If the decryption fails, the message source is incorrect. No logical processing is performed. This completes two-way identity authentication.

Below I will attach a simple sslserver. Java sslclient. Java for your demonstration.
When starting the server, you may try to connect to the server through Telnet 127.0.0.1 7777 to see if the message can be delivered.

SSL demo
Note:
The demo uses Maven to build the project.
The demo file is encoded using utf8. To avoid Chinese garbled characters, set the workspace to utf8 encoding.

 

 

 

 

Note later:

I tried it using your method. It does implement SSL encrypted transmission, but after I regenerate the client certificate, it is not loaded to the server-side trust database tserver. keystore, but still can communicate, so that I can generate a client certificate as long as there is a server certificate to communicate, without truly achieving two-way authentication, how to solve this problem, please advise

 

Thank you, wangpeng. I found a problem in the previous demo.
Because in the server program, the initialized sslservresocket
Serversocket = (sslserversocket) CTX. getserversocketfactory (). createserversocket (default_port );
Write less: serversocket. setneedclientauth (true); // indicates the identity of the client.

Because the original demo program does not require client authentication, communication can be completed even if the server does not have a client certificate.

Due to the limited understanding of JSSE, the above article only covers the very surface content of JSSE.
I recommend an article on the IBM website to write JSSE and SSL in depth.
Customized for advanced JSSE developers:Http://www.ibm.com/developerworks/cn/java/j-customssl/