java-Information Security (15)-one-way authentication

Source: Internet
Author: User
Tags: decrypt, pkcs7

Original address

http://snowolf.iteye.com/blog/398198

Next, we have a third-party CA sign the certificate.
Here we use the free 21-day test CA certificate provided by Thawte.
1. Enter your domain name on that website. Here www.zlex.org is used as the test domain name (do not use this domain as your own address: it is a registered domain name and is protected by law; please use another, unregistered domain name).
2. If the domain name is valid, you will receive an email asking you to visit https://www.thawte.com/cgi/server/try.exe to obtain the CA certificate.
3. Create the KeyStore again.

keytool -genkey -validity 36000 -alias www.zlex.org -keyalg RSA -keystore d:\zlex.keystore

Here I use 123456 as the password.
Console output:

Enter KeyStore Password:
Enter the new password again:
What is your first and last name?
  [Unknown]:  www.zlex.org
What is your organizational unit name?
  [Unknown]:  zlex
What is your organization name?
  [Unknown]:  Zlex
What is the name of your city or region?
  [Unknown]:  BJ
What is the name of your state or province?
  [Unknown]:  BJ
The unit's two-letter country code is what
  [Unknown]:  cn
cn=www.zlex.org, Ou=zlex, O=zlex, L=BJ, ST=BJ, c=CN Is it correct?
  [No]:  Y

Enter <tomcat> master password
        (if same as KeyStore password, press ENTER):
Enter the new password again:

4. Export the certificate signing request (CSR) from zlex.keystore with the following command.

You will get the file zlex.csr, which can be opened in Notepad and has the following format:

-----BEGIN NEW CERTIFICATE REQUEST-----
+mcko7cv9jpsj0n1ec/gpm09qvhpgx3fnad/ZWSDCVU77YXZSOF9HQP3W1LC
+EEKGD2MLVPXTVBVWBNVD2HIQPP37IC6BUUJSAX8LHTCL7L0BIEYE9QQ2J8G0KAK7E8ZA0S7NB3YMQ/
k8bv7v0mqidhic1bifk9zdewidaqaboaawdqyjkozihvcnaqefbqadGYEAMA1R2FBZPTNX37U9TRWADCH2TZZECWKJS/Hsknm6rypkiap9apwwayj8wjhrbz5spzm4zmyoOMCI8BCNY2A4JP
+r7/swxtdh/xcg7nvghd9a2scgqmpf7kmfc5de3iygdipu+UHY200DVPJX8GMJ1ubh3
+nqmuycrzgurfslouy=
-----END NEW CERTIFICATE REQUEST-----

5. Paste the contents of the file above into https://www.thawte.com/cgi/server/try.exe and click Next to get the response, which here is in P7B (PKCS#7) format.
Its contents are as follows:

-----BEGIN PKCS7-----
miif3ayjkozihvcnaqccoiifztccbckcaqexadalbgkqhkig9w0bbwggggwxmiid
Edccanmgawibagiqa/mx/pkoab+Kgx2hvefu9zanbgkqhkig9w0baqufadcbhzel
Makga1uebhmcwkexijagbgnvbagtguzpuiburvnusu5hifbvulbpu0vtie9otfkx
Htabbgnvbaotffroyxd0zsbdzxj0awzpy2f0aw9umrcwfqydvqqlew5urvnuifrf
U1qgvevtvdecmboga1ueaxmtvghhd3rlifrlc3qgq0egum9vddaefw0wota1mjgw
Mdixmzlafw0wota2mtgwmdixmzlamfwxczajbgnvbaytaknomqswcqydvqqiewjc
Sjelmakga1uebxmcqkoxdtalbgnvbaotbhpszxgxdtalbgnvbastbhpszxgxftat
Bgnvbamtdhd3dy56bgv4lm9yzzcbnzanbgkqhkig9w0baqefaaobjqawgykcgyea
keg11ptkfpgiju3l/st7i9j9rhpxqtnpar4ayf9xtwnf2vkg3l1o+2f2uqbfyukd
8nswvnniohdjjvav0721catvxdh4kd6d+4nogvfi0ml/cx7qpe5dasbmnvakno/B
TJGPO3VGQNLO5292JQVYVAVE79DECHYSHNW4NYVWQ3SCAWEAAAOBPJCBOZAMBGNV
hrmbaf8eajaamb0ga1udjqqwmbqgccsgaqufbwmbbggrbgefbqcdajbabgnvhr8e
Ota3mdwgm6axhi9odhrwoi8vy3jslnroyxd0zs5jb20vvghhd3rluhjlbwl1bvnl
cnzlcknblmnybdaybggrbgefbqcbaqqmmcqwigyikwybbquhmaggfmh0dha6ly9v
Y3nwlnroyxd0zs5jb20wdqyjkozihvcnaqefbqadgyeatpuxzbtjjspmxvfrr1yz
Xqm06iwtz6uu0lzrg7i0wufmjnmkdpn8hkluhe17mxahgspewlvvelr7uzblfkuc
x7wmxxhoydjztnai72izu6rd1oknao7diahvrxpk4iuq7y2oz511/4t4vgy6iraj
Q4Q76HHPJRVRL/sduaiu+Gywggkzmiicaqadagecageama0gcsqgsib3dqebbaua
mighmqswcqydvqqgewjaqteimcaga1uecbmzrk9sifrfu1rjtkcgufvsue9trvmg
T05mwtedmbsga1uechmuvghhd3rlienlcnrpzmljyxrpb24xfzavbgnvbastdlrf
U1qgvevtvcburvnumrwwggydvqqdexnuagf3dgugvgvzdcbdqsbsb290mb4xdtk2
Mdgwmtawmdawmfoxdtiwmtizmtixntk1ovowgycxczajbgnvbaytalpbmsiwiayd
Vqqiexlgt1igvevtvelorybqvvjqt1nfuybptkxzmr0wgwydvqqkexruagf3dgug
Q2vydglmawnhdglvbjexmbuga1uecxmovevtvcburvnuifrfu1qxhdaabgnvbamt
E1ROYXD0ZSBUZXN0IENBIFJVB3QWGZ8WDQYJKOZIHVCNAQEBBQADGY0AMIGJAOGB
alv9kg+os6x/dohm+TKUQFZVMWGHE95SFMETKMMTX2ZI4N6I6BVZOREJ5NJZT1LF
CQU4EUK9JI20EGKKFMQRZMQFLP7+1NISDFJEUE7CKY40QOI99270PTRLJJEAMCCL
+ayl+kd+Rl5btukku3purycscsre6atvjmcqptjogespagmbaagjezarma8ga1ud
EWeb/wqfmambaf8wdqyjkozihvcnaqeebqadgyeagozj7bkd9o8si2v0v+ez/t7e
FZ/lc8y6md7ibuzihy5/53ymgagltyhxhvx+Uie6uwbhro3iqvkrmy5uc93z2wew
A/6edk3kfucuikrleewm7gmqsiasekx2mkrklu12jxyns5txrpwrdvuktfc1ul9a
12rfaqs2bkik7au+ghyxaa==
-----END PKCS7-----

Save it as zlex.p7b.
6. Import the certificate reply issued by the CA into the KeyStore.

keytool -import -trustcacerts -alias www.zlex.org -file d:\zlex.p7b -keystore d:\zlex.keystore -v

Here I use 123456 as the password.
Console output:

Enter KeyStore Password:
The highest level of authentication in reply:
Owner: CN=thawte test CA Root, ou=test test test, O=THAWTE certification, st=for testing purposes only, C=ZA
issuer: CN=thawte test CA Root, ou=test test test, O=THAWTE certification, st=for testing purposes only, C=ZA
serial Number: 0
Validity: Thu08:00:00 CST 1996 to Fri Jan 05:59:59 CST 2021
Certificate thumbprint:
  md5:  5e:e0:0e:1d:17:b7:ca:a5:7d:36:d6:02:df:4d:26:A4
  SHA1: 39:c6:9d:27:af:dc:eb:47:d6:33:36:6a:b2:05:f1:47:A9:B4:DA:EA
Signature Algorithm Name: Md5withrsa
version: 3
Extension:
#1: objectid: 2.5.29.19 criticality=true
basicconstraints: [CA:true PathLen:2147483647]
... is not credible. Or do you want to install a reply? [No]: Y
authentication reply is installed in KeyStore
[storing D:\zlex.keystore]
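The keytool prompt above appears because, even with -trustcacerts, the self-signed Thawte test root is not in the JRE's cacerts store, so keytool can only show the reply's root and ask whether to trust it. The following added example (not code from the original article) does by hand what keytool does before that prompt: it reads a .p7b reply such as zlex.p7b, orders the certificates from the leaf up to the root, checks each signature and validity period, and reports whether the root is already trusted by the JRE. The file path and the default cacerts password "changeit" are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Chain check for a PKCS#7 certificate reply (added example, not part of the article). */
public class P7bChainCheck {

    /** Load every certificate contained in the PKCS#7 (.p7b) reply. */
    static List<X509Certificate> loadReply(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> out = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
        }
        return out;
    }

    /** Find the certificate in the pool whose subject equals the given certificate's issuer. */
    static X509Certificate findIssuer(X509Certificate cert, List<X509Certificate> pool) {
        for (X509Certificate candidate : pool) {
            if (candidate.getSubjectX500Principal().equals(cert.getIssuerX500Principal())) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Walk from the leaf (the certificate that issued nothing else in the reply)
     * up to the self-signed root, verifying each signature and validity period.
     * Throws if a link is missing, expired, or carries a bad signature.
     */
    static List<X509Certificate> buildAndVerifyChain(List<X509Certificate> certs) throws Exception {
        X509Certificate leaf = null;
        for (X509Certificate c : certs) {
            boolean issuesAnother = false;
            for (X509Certificate other : certs) {
                if (other != c && other.getIssuerX500Principal().equals(c.getSubjectX500Principal())) {
                    issuesAnother = true;
                }
            }
            if (!issuesAnother) {
                leaf = c;
            }
        }
        if (leaf == null) {
            throw new IllegalStateException("no leaf certificate found in reply");
        }
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate current = leaf;
        while (true) {
            current.checkValidity();                 // throws if expired or not yet valid
            chain.add(current);
            X509Certificate issuer = findIssuer(current, certs);
            if (issuer == null) {
                throw new IllegalStateException("issuer not in reply: " + current.getIssuerX500Principal());
            }
            current.verify(issuer.getPublicKey());   // throws on a bad signature
            if (issuer == current) {
                break;                               // self-signed root reached
            }
            current = issuer;
        }
        return chain;
    }

    /** True if the root is one of the JRE's default trusted CAs (what -trustcacerts consults). */
    static boolean rootIsTrustedByJre(X509Certificate root) throws Exception {
        KeyStore cacerts = KeyStore.getInstance(KeyStore.getDefaultType());
        // java.home + /lib/security/cacerts holds for both JRE 8 and JDK 9+ layouts
        String cacertsPath = System.getProperty("java.home") + "/lib/security/cacerts";
        try (InputStream in = new FileInputStream(cacertsPath)) {
            cacerts.load(in, "changeit".toCharArray()); // assumption: default cacerts password
        }
        return cacerts.getCertificateAlias(root) != null;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "D:/zlex.p7b"; // assumption: path used in the article
        List<X509Certificate> chain = buildAndVerifyChain(loadReply(path));
        for (X509Certificate c : chain) {
            System.out.println("subject: " + c.getSubjectX500Principal());
            System.out.println("  issuer: " + c.getIssuerX500Principal());
            System.out.println("  CA:     " + (c.getBasicConstraints() >= 0));
            System.out.println("  sigalg: " + c.getSigAlgName());
        }
        X509Certificate root = chain.get(chain.size() - 1);
        System.out.println("root present in JRE cacerts: " + rootIsTrustedByJre(root));
    }
}
```

For the Thawte reply above the last line prints false, which is exactly why keytool asks before installing. Answering Y makes zlex.keystore trust this test root; that is fine for a 21-day experiment, but a store that trusts a "for testing purposes only" root must never be used as the trust store of a production client.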

7. Domain name mapping
Map the domain www.zlex.org to this machine. Open C:\Windows\System32\drivers\etc\hosts and append the line 127.0.0.1 www.zlex.org to the end of the file. Now visit http://www.zlex.org in the address bar, or ping the name; if it resolves to this machine, the domain name mapping is done.

8. Configure server.xml

<Connector
    keystoreFile="conf/zlex.keystore"
    keystorePass="123456"
    truststoreFile="conf/zlex.keystore"
    truststorePass="123456"
    SSLEnabled="true"
    URIEncoding="UTF-8"
    clientAuth="false"
    maxThreads="Max"
    port="443"
    protocol="HTTP/1.1"
    scheme="https"
    secure="true"
    sslProtocol="TLS" />

Copy zlex.keystore to Tomcat's conf directory and restart Tomcat. Visiting https://www.zlex.org/, the first load is somewhat slow; after about 5 seconds the web page is displayed normally, as shown:

The browser checks the server certificate against the CA that issued it.

Open the certificate, as shown:

Adjust the test class:

import static org.junit.Assert.*;

import java.io.DataInputStream;
import java.io.InputStream;
import java.net.URL;

import javax.net.ssl.HttpsURLConnection;

import org.junit.Test;

/**
 * @author present
 * @version 1.0
 * @since 1.0
 */
public class CertificateCoderTest {

    private String password = "123456";
    private String alias = "www.zlex.org";
    private String certificatePath = "D:/zlex.cer";
    private String keyStorePath = "D:/zlex.keystore";

    @Test
    public void test() throws Exception {
        System.err.println("Public key encryption -- private key decryption");
        String inputStr = "Ceritifcate";
        byte[] data = inputStr.getBytes();

        byte[] encrypt = CertificateCoder.encryptByPublicKey(data, certificatePath);
        byte[] decrypt = CertificateCoder.decryptByPrivateKey(encrypt, keyStorePath, alias, password);
        String outputStr = new String(decrypt);

        System.err.println("Before encryption: " + inputStr + "\n\r" + "After decryption: " + outputStr);

        // Verify data consistency
        assertArrayEquals(data, decrypt);

        // Verify that the certificate is valid
        assertTrue(CertificateCoder.verifyCertificate(certificatePath));
    }

    @Test
    public void testSign() throws Exception {
        System.err.println("Private key encryption -- public key decryption");
        String inputStr = "sign";
        byte[] data = inputStr.getBytes();

        byte[] encodedData = CertificateCoder.encryptByPrivateKey(data, keyStorePath, alias, password);
        byte[] decodedData = CertificateCoder.decryptByPublicKey(encodedData, certificatePath);
        String outputStr = new String(decodedData);

        System.err.println("Before encryption: " + inputStr + "\n\r" + "After decryption: " + outputStr);
        assertEquals(inputStr, outputStr);

        System.err.println("Private key signature -- public key signature verification");
        // Generate the signature
        String sign = CertificateCoder.sign(encodedData, keyStorePath, alias, password);
        System.err.println("Signature:\r" + sign);

        // Verify the signature
        boolean status = CertificateCoder.verify(encodedData, sign, certificatePath);
        System.err.println("Status:\r" + status);
        assertTrue(status);
    }

    @Test
    public void testHttps() throws Exception {
        URL url = new URL("https://www.zlex.org/examples/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setDoInput(true);
        conn.setDoOutput(true);

        // zlex.keystore serves as both the key store and the trust store here
        CertificateCoder.configSSLSocketFactory(conn, password, keyStorePath, keyStorePath);

        InputStream is = conn.getInputStream();
        int length = conn.getContentLength();
        DataInputStream dis = new DataInputStream(is);
        byte[] data = new byte[length];
        dis.readFully(data);
        dis.close();
        conn.disconnect();

        System.err.println(new String(data));
    }
}

Run the tests again; they pass.
With that, we have an authentication process based on the SSL protocol. The testHttps method of the test class simulates one-way authenticated HTTPS access by a single browser.
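What configSSLSocketFactory has to do for one-way authentication is shown by the following added example, which is not the article's CertificateCoder code: the client loads a trust store, builds an SSLContext with trust managers only (no key managers, so it presents no certificate of its own), and installs the resulting socket factory on the HttpsURLConnection. The trust store path, its password and the URL are taken from the article's setup and are assumptions of this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** One-way (server-only) TLS authentication from a Java client (added example, not the article's code). */
public class OneWayHttpsClient {

    /** Build an SSLContext that trusts only the CA certificates found in the given store. */
    static SSLContext trustOnly(String trustStorePath, char[] password) throws Exception {
        // getDefaultType() loads a JKS store created by keytool as well as a PKCS12 store
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // KeyManagers == null: one-way authentication, the client sends no certificate.
        // A server with clientAuth="true" would reject this handshake.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Fetch a URL over HTTPS, accepting only servers whose chain ends in our trust store. */
    static String fetch(String address, String trustStorePath, char[] password) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(address).openConnection();
        conn.setSSLSocketFactory(trustOnly(trustStorePath, password).getSocketFactory());
        // Keep the default HostnameVerifier: the certificate's SAN/CN must match the host name.
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), StandardCharsets.UTF_8); // readAllBytes needs Java 9+
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: zlex.keystore (which now contains the imported Thawte test chain)
        // is used as the trust store, with the password used in the article.
        String body = fetch("https://www.zlex.org/examples/", "D:/zlex.keystore", "123456".toCharArray());
        System.out.println(body);
    }
}
```

Two things a practitioner should expect when running this against the setup above. First, the trust store must contain the test root, otherwise the handshake fails with a PKIX path-building error, which is the correct outcome for an unknown CA and not something to fix by installing an all-trusting TrustManager. Second, current JDKs disable MD5 signatures through the jdk.certpath.disabledAlgorithms security property, so a chain signed with MD5withRSA, like the test root printed by keytool above, is rejected by the trust manager on a modern JDK; the article's setup dates from the time when such signatures were still accepted.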

