The method of implementing SSL bidirectional authentication in Java

The method of implementing SSL bidirectional authentication in Java _java

Last Update:2017-01-19 Source: Internet

Author: User

Tags flush openssl ssl connection

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

This article describes the Java implementation of SSL two-way authentication method. Share to everyone for your reference, specific as follows:

Our common SSL authentication is more simply to verify that our server is true, and of course, if the URL you visit is wrong, there is no way. This is the so-called SSL one-way authentication.

In practice, however, it is possible to verify that the client meets the requirements, that is, to issue a certificate to each of our users, and that each digital certificate is unique and private. This will enable this digital certificate to ensure that the user currently accessing my server is approved by the server and inaccessible to others.

Bi-directional authentication from the first level to ensure that the server and the client are mutually recognized. Then they have to communicate between the communication protocol will be attached to the SSL protocol to ensure that the content of the communication is encrypted, even sniffer such a network sniffer tools to see are garbled. Later to give you a demonstration under the circumstances of not encrypting, with sniffer see what. I'm afraid you'll be able to raise your guard.

The following content from the network to extract the actual verification after the modification.

Simulation Scenario:

Server-side and client-side communication requires authorization and authentication, that is, the client can only accept messages from the server, and the server can only accept client messages.

Implementation technology:

JSSE (Java security Socket Extension)

Is the solution that Sun has launched to address secure communications over the Internet. It implements the SSL and TSL (Transport Layer Security) protocol. The Jsse includes data encryption, server authentication, message integrity, and client-side validation techniques. By using Jsse, developers can securely transfer data across TCP/IP protocols between the client and server.

In order to achieve message authentication.

Server needs:

1) KeyStore: The private key of the server is saved
2 Trust KeyStore: Save the client's authorization certificate

Similarly, the client needs to:

1) KeyStore: Save the client's private key
2 Trust KeyStore: Save the service-side authorization certificate
Here I also recommend using the Keytool command from Java, to generate such information files. Of course, the current very popular open-source generation of SSL certificates and OpenSSL. OpenSSL in C language, across the system. However, we may use the Java program to generate the convenience of the certificate in the future, or the keytool with the JDK itself.

1 generate the server-side private key and import it into the server-side KeyStore file

Keytool-genkey-alias Serverkey-keystore Kserver.keystore
process, each need to fill in, according to the needs of their own set on the line

KeyStore Password: 123456
First and last name: Jin
Organizational unit name: None
Organization Name: None
City or area name: BJ
State or province name: BJ
Country code: CN

Serverkey The private key password, does not fill in and keystore the password to be consistent. Pay attention here, direct return on the line, do not need to modify the password. Otherwise in the later program and can not directly apply the private key, will be an error.

You can generate Kserver.keystore files

Server.keystore is for the service side, which holds its own private key

2 Export the service-side certificate according to the private key

Keytool-export-alias Serverkey-keystore Kserver.keystore-file SERVER.CRT
SERVER.CRT is the service-side certificate

3 The service-side certificate, imported into the client's trust KeyStore

Keytool-import-alias serverkey-file Server.crt-keystore Tclient.keystore
Tclient.keystore is for the client, which holds the trusted certificate

Using the same method, generate the client's private key, the client's certificate, and import it into the service-side trust KeyStore

1) Keytool-genkey-alias Clientkey-keystore Kclient.keystore
2) Keytool-export-alias Clientkey-keystore kclient.keystore-file client.crt
3) Keytool-import-alias Clientkey-file Client.crt-keystore Tserver.keystore

Thus, the resulting file is divided into two groups

Service side Save: Kserver.keystore Tserver.keystore
Client Save: Kclient.keystore Tclient.kyestore

The following is a Java socket communication program to verify that the certificate we are generating is available.

Client:

Package Examples.ssl;
Import Java.io.BufferedInputStream;
Import Java.io.BufferedOutputStream;
Import Java.io.FileInputStream;
Import java.io.IOException;
Import Java.io.InputStream;
Import Java.io.OutputStream;
Import Java.security.KeyStore;
Import Javax.net.ssl.KeyManagerFactory;
Import Javax.net.ssl.SSLContext;
Import Javax.net.ssl.SSLSocket;
Import Javax.net.ssl.TrustManagerFactory;
 /** * SSL Client * */public class Sslclient {private static final String Default_host = "127.0.0.1";
 private static final int default_port = 7777;
 private static final String Client_key_store_password = "123456";
 private static final String Client_trust_key_store_password = "123456";
 Private Sslsocket Sslsocket;
  /** * Launch Client program * * @param args/public static void main (string[] args) {sslclient client = new Sslclient ();
  Client.init ();
 Client.process (); /** * Connects to the server via an SSL socket and sends a message */public void process () {if (Sslsocket = = null) {SYSTEM.OUT.PRIntln ("ERROR");
  Return
   try {inputstream input = Sslsocket.getinputstream ();
   OutputStream output = Sslsocket.getoutputstream ();
   Bufferedinputstream bis = new Bufferedinputstream (input);
   Bufferedoutputstream BOS = new Bufferedoutputstream (output);
   Bos.write ("Client message". GetBytes ());
   Bos.flush ();
   byte[] buffer = new BYTE[20];
   Bis.read (buffer);
   System.out.println (new String (buffer));
  Sslsocket.close ();
  catch (IOException e) {System.out.println (e); /** * <ul> * &LT;LI&GT;SSL connection Focus:</li> * <li> initialization sslsocket</li> * <li> import client private key key Store, import Client trusted KeyStore (server-side certificate) </li> * </ul>/public void init () {try {sslcontext ctx = Sslconte
   Xt.getinstance ("SSL");
   Keymanagerfactory KMF = keymanagerfactory.getinstance ("SunX509");
   Trustmanagerfactory TMF = trustmanagerfactory.getinstance ("SunX509");
   KeyStore KS = keystore.getinstance ("JKS"); KeyStore tks = keystore.getinstance ("JKS ");
   Ks.load (New FileInputStream ("E://kclient.keystore"), Client_key_store_password.tochararray ());
   Tks.load (New FileInputStream ("E://tclient.keystore"), Client_trust_key_store_password.tochararray ());
   Kmf.init (KS, Client_key_store_password.tochararray ());
   Tmf.init (TKS);
   Ctx.init (Kmf.getkeymanagers (), tmf.gettrustmanagers (), NULL);
  Sslsocket = (sslsocket) ctx.getsocketfactory (). Createsocket (Default_host, Default_port);
  catch (Exception e) {System.out.println (e);

 }
 }
}

Server-side:

Package Examples.ssl;
Import Java.io.BufferedInputStream;
Import Java.io.BufferedOutputStream;
Import Java.io.FileInputStream;
Import Java.io.InputStream;
Import Java.io.OutputStream;
Import Java.net.Socket;
Import Java.security.KeyStore;
Import Javax.net.ssl.KeyManagerFactory;
Import Javax.net.ssl.SSLContext;
Import Javax.net.ssl.SSLServerSocket;
Import Javax.net.ssl.TrustManagerFactory; /************************************************************************************************************** * <ul> * <li>1) generate the server-side private key </li> * <li>keytool-genkey-alias Serverkey-keystore kserver. keystore</li> * <li>2) in accordance with the private key, everywhere service-side Certificate </li> * <li>keytool-exoport-alias Serverkey-keystore Kserv Er.keystore-file server.crt</li> * <li>3) adds the certificate to the client trusted keystore </li> * <li>keytool-import- Alias Serverkey-file Server.crt-keystore tclient.keystore</li> * </ul> ********************************* **************//** * SSL Server * * */public class Sslserver {
 private static final int default_port = 7777;
 private static final String Server_key_store_password = "123456";
 private static final String Server_trust_key_store_password = "123456";
 Private Sslserversocket ServerSocket;
  /** * Start Program * * @param args/public static void main (string[] args) {sslserver server = new Sslserver ();
  Server.init ();
 Server.start (); /** * <ul> * <li> listening to SSL Server socket</li> * <li> because the program is not demo Socket monitor, it is simple to use single-threaded form, and only accept the client's elimination and returns the client-specified message </li> * </ul>/public void start () {if (ServerSocket = null) {SYSTEM.OUT.PRINTLN ("
   ERROR ");
  Return
    } while (true) {try {Socket s = serversocket.accept ();
    InputStream input = S.getinputstream ();
    OutputStream output = S.getoutputstream ();
    Bufferedinputstream bis = new Bufferedinputstream (input); BUfferedoutputstream BOS = new Bufferedoutputstream (output);
    byte[] buffer = new BYTE[20];
    Bis.read (buffer);
    System.out.println (new String (buffer));
    Bos.write ("Server Echo". GetBytes ());
    Bos.flush ();
   S.close ();
   catch (Exception e) {System.out.println (e); /** * <ul> * &LT;LI&GT;SSL connection Focus:</li> * <li> initialization sslserversocket</li> * <li> Import server-side private key KeyStore, import server-side trusted keystore (client's certificate) </li> * </ul>/public void init () {try {Sslcontext CTX
   = Sslcontext.getinstance ("SSL");
   Keymanagerfactory KMF = keymanagerfactory.getinstance ("SunX509");
   Trustmanagerfactory TMF = trustmanagerfactory.getinstance ("SunX509");
   KeyStore KS = keystore.getinstance ("JKS");
   KeyStore tks = keystore.getinstance ("JKS");
   Ks.load (New FileInputStream ("E://kserver.keystore"), Server_key_store_password.tochararray ()); Tks.load (New FileInputStream ("E://tserver.keystore"), Server_trust_key_store_password.tochararray());
   Kmf.init (KS, Server_key_store_password.tochararray ());
   Tmf.init (TKS);
   Ctx.init (Kmf.getkeymanagers (), tmf.gettrustmanagers (), NULL);
   ServerSocket = (sslserversocket) ctx.getserversocketfactory (). Createserversocket (Default_port);
  Serversocket.setneedclientauth (TRUE);
  catch (Exception e) {e.printstacktrace ();

 }
 }
}

More about Java-related content readers can view the site topics: "Java Data structure and algorithm tutorial", "Java Operation DOM node skills summary", "Java file and directory operation tips Summary" and "Java Cache operation Tips"

I hope this article will help you with Java programming.

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More