如何在ftp4j库中使用SSL
[英]How to use SSL in ftp4j library
问题描述
I'm currently stuck as I find the documentation on ftp4j very light. 
我目前很困惑,因为我发现ftp4j上的文档非常简单。 According to this: Document 据此: 文件
I can set up the library to connect using SSL certificates. 我可以将库设置为使用SSL证书进行连接。 The problem I'm having is figuring out how the library will know which SSL certificate to accept and which not(In case of an impostor). 我遇到的问题是弄清楚该库如何知道要接受哪个SSL证书(如果是冒名顶替者)。 Any helps? 有帮助吗? Thanks! 谢谢!
Edit : I want to know how to import the SSL certificate and make the library only connect to an specific server with the specific SSL certificate. 编辑 :我想知道如何导入SSL证书,并使该库仅连接到具有特定SSL证书的特定服务器。
1 个解决方案
解决方案1
1 已采纳 2013-03-12 22:08:34
You can use Sun's InstallCert.java to get the certificate you want to accept saved in a separate store. 您可以使用Sun的InstallCert.java来获取要接受的证书,该证书保存在单独的商店中。 Then use this separate store when you setup your FTPClient. 然后,在设置FTPClient时使用该单独的存储。
I included a version of InstallCert.java below since it's harder and harder to find on the Internet after Oracle took over... 我在下面提供了一个InstallCert.java版本,因为在Oracle接手之后在Internet上越来越难找到它。
/*
* Copyright 2006 Sun Microsystems, Inc. All Rights Reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* - Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* - Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* - Neither the name of Sun Microsystems nor the names of its
* contributors may be used to endorse or promote products derived
* from this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
* THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
* CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
/**
* http://blogs.sun.com/andreas/resource/InstallCert.java
* Use:
* java InstallCert hostname
* Example:
*% java InstallCert ecc.fedora.redhat.com
*/
import javax.net.ssl.*;
import java.io.*;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
/**
* Class used to add the server's certificate to the KeyStore
* with your trusted certificates.
*/
public class InstallCert {
public static void main(String[] args) throws Exception {
String host;
int port;
char[] passphrase;
if ((args.length == 1) || (args.length == 2)) {
String[] c = args[0].split(":");
host = c[0];
port = (c.length == 1) ? 443 : Integer.parseInt(c[1]);
String p = (args.length == 1) ? "changeit" : args[1];
passphrase = p.toCharArray();
} else {
System.out.println("Usage: java InstallCert <host>[:port] [passphrase]");
return;
}
File file = new File("jssecacerts");
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP
+ "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
System.out.println("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
ks.load(in, passphrase);
in.close();
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[]{tm}, null);
SSLSocketFactory factory = context.getSocketFactory();
System.out.println("Opening connection to " + host + ":" + port + "...");
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
socket.setSoTimeout(10000);
try {
System.out.println("Starting SSL handshake...");
socket.startHandshake();
socket.close();
System.out.println();
System.out.println("No errors, certificate is already trusted");
} catch (SSLException e) {
System.out.println();
e.printStackTrace(System.out);
}
X509Certificate[] chain = tm.chain;
if (chain == null) {
System.out.println("Could not obtain server certificate chain");
return;
}
BufferedReader reader =
new BufferedReader(new InputStreamReader(System.in));
System.out.println();
System.out.println("Server sent " + chain.length + " certificate(s):");
System.out.println();
MessageDigest sha1 = MessageDigest.getInstance("SHA1");
MessageDigest md5 = MessageDigest.getInstance("MD5");
for (int i = 0; i < chain.length; i++) {
X509Certificate cert = chain[i];
System.out.println
(" " + (i + 1) + " Subject " + cert.getSubjectDN());
System.out.println(" Issuer " + cert.getIssuerDN());
sha1.update(cert.getEncoded());
System.out.println(" sha1 " + toHexString(sha1.digest()));
md5.update(cert.getEncoded());
System.out.println(" md5 " + toHexString(md5.digest()));
System.out.println();
}
System.out.println("Enter certificate to add to trusted keystore or 'q' to quit: [1]");
String line = reader.readLine().trim();
int k;
try {
k = (line.length() == 0) ? 0 : Integer.parseInt(line) - 1;
} catch (NumberFormatException e) {
System.out.println("KeyStore not changed");
return;
}
X509Certificate cert = chain[k];
String alias = host + "-" + (k + 1);
ks.setCertificateEntry(alias, cert);
OutputStream out = new FileOutputStream("jssecacerts");
ks.store(out, passphrase);
out.close();
System.out.println();
System.out.println(cert);
System.out.println();
System.out.println
("Added certificate to keystore 'jssecacerts' using alias '"
+ alias + "'");
}
private static final char[] HEXDIGITS = "0123456789abcdef".toCharArray();
private static String toHexString(byte[] bytes) {
StringBuilder sb = new StringBuilder(bytes.length * 3);
for (int b : bytes) {
b &= 0xff;
sb.append(HEXDIGITS[b >> 4]);
sb.append(HEXDIGITS[b & 15]);
sb.append(' ');
}
return sb.toString();
}
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
throw new UnsupportedOperationException();
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
throw new UnsupportedOperationException();
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}
That code makes a copy of the certificates supplied by the JRE before adding the new certificate you supply. 在添加您提供的新证书之前,该代码将复制JRE提供的证书。 If you don't want that, but instead only store your certificate, you will need to remove this part: 如果您不想这样做,而只存储证书,则需要删除此部分:
if (file.isFile() == false) {
char SEP = File.separatorChar;
File dir = new File(System.getProperty("java.home") + SEP
+ "lib" + SEP + "security");
file = new File(dir, "jssecacerts");
if (file.isFile() == false) {
file = new File(dir, "cacerts");
}
}
Now when you have a file containing your certificate you can use this to create a SSLSocketFactory that you supply to the FTPClient. 现在,当您拥有包含证书的文件时,可以使用它来创建提供给FTPClient的SSLSocketFactory。
You can create some kind of certificate manager like this: 您可以创建某种证书管理器,如下所示:
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
public class CertManager {
private static final char[] passphrase = "changeit".toCharArray();
private String rootPath;
private SSLSocketFactory factory;
private SavingTrustManager trustManager;
private KeyStore keyStore;
/**
* Creates a CertManager.
* @param rootPath Path to directory where the file 'jssecacerts' is located.
*/
public CertManager(String rootPath){
this.rootPath = rootPath;
}
/**
* Gets a SSLSocketFactory with the trusted certs.
* @return
* @throws Exception
*/
public SSLSocketFactory getSSLSocketFactory() throws Exception {
//Load trusted certs
File file = new File(rootPath+"jssecacerts");
System.out.println("Loading KeyStore " + file + "...");
InputStream in = new FileInputStream(file);
keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(in, passphrase);
in.close();
//Use these certs
SSLContext context = SSLContext.getInstance("TLS");
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
X509TrustManager defaultTrustManager = (X509TrustManager)tmf.getTrustManagers()[0];
trustManager = new SavingTrustManager(defaultTrustManager);
context.init(null, new TrustManager[] {trustManager}, null);
factory = context.getSocketFactory();
return factory;
}
private static class SavingTrustManager implements X509TrustManager {
private final X509TrustManager tm;
private X509Certificate[] chain;
SavingTrustManager(X509TrustManager tm) {
this.tm = tm;
}
public X509Certificate[] getAcceptedIssuers() {
return tm.getAcceptedIssuers();
}
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkClientTrusted(chain, authType);
}
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
this.chain = chain;
tm.checkServerTrusted(chain, authType);
}
}
}
Use your certificate manager to get the SSLSocketFactory that you supply to the FTPClient: 使用证书管理器来获取提供给FTPClient的SSLSocketFactory:
...
FTPClient client = new FTPClient();
CertManager certMan = new CertManager("");
SSLSocketFactory sslSocketFactory = null;
try{
sslSocketFactory = certMan.getSSLSocketFactory();
} catch (Exception e) {
e.printStackTrace();
}
client.setSSLSocketFactory(sslSocketFactory);
client.setSecurity(FTPClient.SECURITY_FTPS); // or client.setSecurity(FTPClient.SECURITY_FTPES);
...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.
相关问题
如何使用 ftp4j 通过 sftp 连接到 linux - How to use ftp4j with connections to linux by sftp
双击并使用库ftp4j传输文件 - double click and transfer files using library ftp4j
使用FTP4J恢复上传进度并获得多少百分比的上传 - Use FTP4J to resume upload progress and also get how many percent uploaded
无法使用FTP4J连接到FTP - Unable to connect to FTP using FTP4J
在Java应用程序中使用ftp4j库下载/上传时出现FTP错误 - FTP error while downloading/uploading with ftp4j library in java application
在客户端上使用ftp4j忽略CentOS上的自签名ssl证书 - Ignore self-signed ssl cert on CentOS using ftp4j on client
ftp4j:client.login返回无法识别的SSL消息,纯文本连接? - ftp4j: client.login returns Unrecognized SSL message, plaintext connection?
使用ftp4j上传目录 - Uploading a Directory using ftp4j
使用FTP4J下载整个目录 - Download an Entire Directory Using FTP4J
无法使用ftp4j上传文件 - Fail to upload file using ftp4j
相关标签