SSLContext 用于 Java web 应用程序。

huangapple
未分类评论55阅读模式
英文:

SSLContext for java web application

问题

在我的桌面Java应用程序中,有一个类通过HTTPS连接使用客户端证书与其他系统进行连接。此连接的一部分是SSLContext,它接收KeyManager[]和TrustManager[],以便实现用户证书和信任存储以与远程服务器进行握手。该类使用Windows存储库获取机器上可用证书的列表,以便用户可以选择合适的证书进行连接。问题是,我正在将此应用程序迁移到云Web服务器(Tomcat),获取证书的过程有很大不同。在Tomcat中,我能够将用户转发到一个HTTPS页面,该页面请求由CA颁发的有效证书。一旦用户访问此页面,浏览器会弹出一个窗口,显示机器上可用的证书列表,以便用户可以选择一个进行身份验证。我的问题是,我应该怎样才能从浏览器身份验证中仅创建一次此SSLContext?我只能获取用户选择的x509证书,但没有私钥。我的问题是,我是否漏掉了某些步骤来获取证书的私钥?我知道Windows存储库不共享私钥,但是当从桌面应用程序调用此过程时,至少提供了密钥的“摘要或标头”(RSAPrivateKey[大小=2048位,类型=交换,容器={########}),这仍然有效。但是通过浏览器,我无法获取此信息。或者是否有另一种方法可以仅使用x509证书创建KeyManager[],而无需提供私钥?

以下是创建与服务器的连接的代码片段:

  1. // 创建连接
  2. SocketFactoryDinamico socketFactory = new SocketFactoryDinamico(X509certificate, PrivateKey);
  3. socketFactory.setFileCacerts(getClass().getResourceAsStream("cacerts"));
  5. KeyManager[] keyManagers = socketFactory.createKeyManagers();
  6. TrustManager[] trustManagers = socketFactory.createTrustManagers();
  8. SSLContext sslc = SSLContext.getInstance("TLS");
  9. sslc.init(keyManagers, trustManagers, null);
  11. HttpsURLConnection.setDefaultSSLSocketFactory(sslc.getSocketFactory());
  13. String url = "https://someserver.com";
  15. URL obj = new URL(url);
  16. HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();

以下是从.jsp中获取x509证书的代码片段:

  1. X509Certificate[] certs = (X509Certificate[]) 
  2. request.getAttribute("javax.servlet.request.X509Certificate");
  3. if (null != certs && certs.length > 0) {
  4.     X509Certificate cert = certs[0];
  5. }

以下是配置服务器以请求证书身份验证的代码片段:

  1. <Connector
  2.     clientAuth="true" 
  3.     port="8443" 
  4.     protocol="HTTP/1.1" 
  5.     SSLEnabled="true"
  6.     scheme="https" 
  7.     secure="true"
  8.     keystoreFile="C:/JavaWeb/tomcat"
  9.     keystoreType="JKS" keystorePass="pswd"
  10.     truststoreFile="C:/JavaWeb/myTrustStore"
  11.     truststoreType="JKS" truststorePass="changeit"
  12.     SSLVerifyClient="require" SSLVerifyDepth="10" sslProtocol="TLS"
  13. />

我尝试从客户端使用JavaScript进行此连接,但是我收到以下错误:

Access to XMLHttpRequest at 'https://remoteserver.com' from origin 'http://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

以下是我的代码:

  1. var httpRequest = new XMLHttpRequest();        
  2. httpRequest.open("POST", "https://remoteserver.com");
  3. httpRequest.setRequestHeader("Role-Type", "role");
  5. httpRequest.onreadystatechange = function () {
  6.     if (this.readyState === 4) {
  7.         if (httpRequest.status === 200) {
  8.             console.log('Status:', this.status);
  9.             console.log('Headers:', this.getAllResponseHeaders());
  10.             console.log('Body:', this.responseText);
  11.             console.log(httpRequest);
  12.         } else {
  13.             console.log("Error");
  14.             console.log(httpRequest);
  15.         }
  16.     }
  17. };
  19. httpRequest.send();
英文:

In my desktop java application there is a class that connects with other system through HTTPS connection using a client certificate. Part of this connection is the SSLContext which receives the KeyManager[] and the TrustManager[] in order to implement the user certificate and the trsut store to get the handshack with the remote server. This class uses the Windows repository to get the list of certificates available on the machine so the user can pick the right one to connect. The problem is that I'm migrating this application to a cloud web server (tomcat) and the procedute to get the certificate is quite different. With tomcat I'm able to forward the user to a https page that requests a valid certificate issued by a CA. Once the user access this page, the browser pops up a window with the certificates available on the machine, so the user can pick one authenticate. My problem now is to create this SSLContext once, from the browser authentication, I can get only the x509 cert selected by the user, but without the Private Key. My question is. Am I missing something to get the certificate Private Key? I know that windows repository does not share the private key, but when this procedure is called from a desktop application, at least the "resume or header" (RSAPrivateKey[size = 2048 bits, type = Exchange, container = {########}) of the key is provided, which still works. But through the browser, I cannot get this information. Or is there another way to create the KeyManager[] with just the x509 certificate without provide the private key?

here is a piece of the code which creates the connection with the server..

  1. // create the connection
  2. SocketFactoryDinamico socketFactory = new SocketFactoryDinamico(X509certificate, PrivateKey);
  3. socketFactory.setFileCacerts(getClass().getResourceAsStream(&quot;cacerts&quot;));
  5. KeyManager[] keyManagers = socketFactory.createKeyManagers();
  6. TrustManager[] trustManagers = socketFactory.createTrustManagers();
  8. SSLContext sslc = SSLContext.getInstance(&quot;TLS&quot;);
  9. sslc.init(keyManagers, trustManagers, null);
  11. HttpsURLConnection.setDefaultSSLSocketFactory(sslc.getSocketFactory());
  13. String url = &quot;https://someserver.com&quot;;
  15. URL obj = new URL(url);
  16. HttpsURLConnection con = (HttpsURLConnection) obj.openConnection();

and here is the code which gets the x509 certificate on the .jsp...

  1. X509Certificate[] certs = (X509Certificate[]) 
  2. request.getAttribute(&quot;javax.servlet.request.X509Certificate&quot;);
  3. if (null != certs &amp;&amp; certs.length &gt; 0) {
  5.     X509Certificate cert = certs[0];
  6. }

and here is the server configuration to request the certificate authentication

  1. &lt;Connector
  2.     clientAuth=&quot;true&quot; 
  3.     port=&quot;8443&quot; 
  4.     protocol=&quot;HTTP/1.1&quot; 
  5.     SSLEnabled=&quot;true&quot;
  6.     scheme=&quot;https&quot; 
  7.     secure=&quot;true&quot;
  8.     keystoreFile=&quot;C:/JavaWeb/tomcat&quot;
  9.     keystoreType=&quot;JKS&quot; keystorePass=&quot;pswd&quot;
  10.     truststoreFile=&quot;C:/JavaWeb/myTrustStore&quot;
  11.     truststoreType=&quot;JKS&quot; truststorePass=&quot;changeit&quot;
  12.     SSLVerifyCLient=&quot;require&quot; SSLVerifyDepth=&quot;10&quot; sslProtocol=&quot;TLS&quot;
  13. /&gt;

I´ve tried to make this connection from the client side with javascript, however I get this error:
Access to XMLHttpRequest at 'https://remoteserver.com' from origin 'http://localhost' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Here is my code:

  1.     var httpRequest = new XMLHttpRequest();        
  2.     httpRequest.open(&quot;POST&quot;, &quot;https://remoteserver.com&quot;);
  3.     httpRequest.setRequestHeader(&quot;Role-Type&quot;, &quot;role&quot;);
  4.     
  5.     httpRequest.onreadystatechange = function () {
  6.         
  7.         if (this.readyState === 4) {
  8.             if (httpRequest.status === 200) {
  9.                 console.log(&#39;Status:&#39;, this.status);
  10.                 console.log(&#39;Headers:&#39;, this.getAllResponseHeaders());
  11.                 console.log(&#39;Body:&#39;, this.responseText);
  12.                 
  13.                 console.log(httpRequest);
  14.                 
  15.             } else {
  16.                 console.log(&quot;Erro&quot;);
  17.                 console.log(httpRequest);
  18.             }
  19.         }
  20.     };
  22.     httpRequest.send();

huangapple
  • 本文由 发表于 2020年4月11日 07:34:17
  • 转载请务必保留本文链接:https://java.coder-hub.com/61150213.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定