How to call the https get method on a self signed server and client certificate

I have set up Apache Tomcat 5 to support SSL. I created self-signed certificates, imported the client certificate into the truststore of the server, and imported the p12 file into the browser, and accessing the page over https is possible. How to achieve the same using Java?

Following is the code that I am attempting, but without any success...

// reference: http://vafer.org/blog/20061010073725/
//            http://www.mkyong.com/java/java-https-client-httpsurlconnection-example/

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import java.security.cert.Certificate;






public class HttpClientTutorial {

    @SuppressWarnings("unused")
    private static javax.net.ssl.SSLSocketFactory getFactory( File pKeyFile, String pKeyPassword ) throws NoSuchAlgorithmException, KeyStoreException, CertificateException, IOException, UnrecoverableKeyException, KeyManagementException  
    {
          KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
          KeyStore keyStore = KeyStore.getInstance("PKCS12");

          InputStream keyInput = new FileInputStream(pKeyFile);
          keyStore.load(keyInput, pKeyPassword.toCharArray());
          keyInput.close();

          keyManagerFactory.init(keyStore, pKeyPassword.toCharArray());

          SSLContext context = SSLContext.getInstance("TLS");
          context.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());

          return context.getSocketFactory();
    }

       private static void print_https_cert(HttpsURLConnection con){

            if(con!=null){

              try {

            System.out.println("Response Code : " + con.getResponseCode());
            System.out.println("Cipher Suite : " + con.getCipherSuite());
            System.out.println("\n");

            Certificate[] certs = con.getServerCertificates();
            for(Certificate cert : certs){
               System.out.println("Cert Type : " + cert.getType());
               System.out.println("Cert Hash Code : " + cert.hashCode());
               System.out.println("Cert Public Key Algorithm : " + cert.getPublicKey().getAlgorithm());
               System.out.println("Cert Public Key Format : " + cert.getPublicKey().getFormat());
               System.out.println("\n");
            }

            } catch (SSLPeerUnverifiedException e) {
                e.printStackTrace();
            } catch (IOException e){
                e.printStackTrace();
            }

             }

           }

           private static void print_content(HttpsURLConnection con){
            if(con!=null){

            try {

               System.out.println("****** Content of the URL ********");            
               BufferedReader br = 
                new BufferedReader(
                    new InputStreamReader(con.getInputStream()));

               String input;

               while ((input = br.readLine()) != null){
                  System.out.println(input);
               }
               br.close();

            } catch (IOException e) {
               e.printStackTrace();
            }

               }

           }


    public static void main(String[] args) throws IOException, UnrecoverableKeyException, KeyManagementException, NoSuchAlgorithmException, KeyStoreException, CertificateException {
        URL url = new URL("https://localhost:8443/SpringSec2");
        HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
        con.setSSLSocketFactory(getFactory(new File("src/Client.p12"), "client"));

          //dump all cert info
         print_https_cert(con);

         //dump all the content
         print_content(con);


    }



}


***************************************************************************************

Exception:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.fatalSE(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(Unknown Source)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Unknown Source)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(Unknown Source)
at sun.net.www.protocol.https.HttpsClient.afterConnect(Unknown Source)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(Unknown Source)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Unknown Source)
at java.net.HttpURLConnection.getResponseCode(Unknown Source)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getResponseCode(Unknown Source)

Since you are using a self-signed certificate, you need to provide your own TrustManager. The line in your code

SSLContext context = SSLContext.getInstance("TLS");
context.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());

The second parameter in context.init is the TrustManager to manage which server you can trust. You basically need to create your own extension of X509TrustManager. An example of that code can be found at http://www.howardism.org/Technical/Java/SelfSignedCerts.html. Search for NaiveTrustManager; you'll see that checkServerTrusted() is not implemented, which implies it trusts everything. Try that first and see if that works. After it does, you might want to consider implementing a stronger check.
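An added example, not part of the original question or answer: one form the "stronger check" can take is to pass context.init a TrustManager built from a truststore that contains only the server's own self-signed certificate, so that exactly that certificate is trusted and nothing else. The URL, `src/Client.p12` and the password come from the question; the class name, `buildFactory` and the path `src/server.cer` (the server certificate exported as an X.509 file) are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class PinnedSelfSignedClient {

    // Presents the client key from the PKCS#12 file and trusts only the
    // certificate stored at serverCertPath (assumed: the server's self-signed
    // certificate, exported in DER or PEM form).
    static SSLSocketFactory buildFactory(String p12Path, char[] p12Password,
                                         String serverCertPath) throws Exception {
        // Client side of mutual TLS: key and certificate from the .p12 file.
        KeyStore clientKeys = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(p12Path)) {
            clientKeys.load(in, p12Password);
        }
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(clientKeys, p12Password);

        // Server side: an in-memory truststore holding one certificate.
        Certificate serverCert;
        try (InputStream in = new FileInputStream(serverCertPath)) {
            serverCert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        KeyStore trusted = KeyStore.getInstance(KeyStore.getDefaultType());
        trusted.load(null, null); // start empty, no default CA certificates
        trusted.setCertificateEntry("server", serverCert);
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trusted);

        // Second argument is no longer null: it carries the pinned trust decision.
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return context.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        URL url = new URL("https://localhost:8443/SpringSec2");
        HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
        con.setSSLSocketFactory(buildFactory("src/Client.p12", "client".toCharArray(),
                                             "src/server.cer"));
        System.out.println("Response Code : " + con.getResponseCode());
    }
}
```

Hostname verification stays enabled with this setup, so the name in the server certificate has to match the host in the URL (`localhost` here).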
