在Spring Boot应用程序中调用HTTPS SOAP Webservice

Question

这是我在spring boot应用程序上的第一个任务，我正在尝试使用HTTPS SOAP webservice但是它失败了handshake_failure

我在application.yml中使用了以下服务器设置的spring boot应用application.yml

server:
  #address:
  port: 8443
  sessionTimeout: 30
  ssl:
    client-auth: need
    key-store: keystore.jks
    key-store-password: 123456
    key-alias: host
    key-password: 123456
    protocol: TLS
    trust-store: truststore.jks
    trust-store-password: 123456

环境信息：

springBootVersion = '1.5.2.RELEASE'
Gradle 3.4
Build time:   2017-02-20 14:49:26 UTC
Revision:     73f32d68824582945f5ac1810600e8d87794c3d4

Groovy:       2.4.7
Ant:          Apache Ant(TM) version 1.9.6 compiled on June 29 2015
JVM:          1.8.0_40 (Oracle Corporation 25.40-b25)
OS:           Windows 7 6.1 amd64

我的keystore.jks有2个pfx条目1是host.pfx（别名host ），带有server.cer和server.key（用于服务URL https：// localhost：8443 ），另一个是digsig.pfx（别名trustweaver ）用于使用SOAP webservice进行身份验证，pfx的内部keystore.jks具有与123456相同的密码， truststore.jks具有根CA.

当我试图调用最终调用Web服务的SOAP java存根（需要客户端证书身份验证，这是keystore.jks的一部分）时，我将使用以下堆栈跟踪获取handshake_failure 。

2017-04-17 18:18:31.155 ERROR 20440 --- [io-8443-exec-10] o.a.c.c.C.[.[.[/].[dispatcherServlet]    : Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Request processing failed; nested exception is javax.xml.ws.WebServiceException: Failed to access the WSDL at: https://tseiod-test.trustweaver.com/ts/svs.asmx?wsdl. It failed with: 
Received fatal alert: handshake_failure.] with root cause

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
    at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2011)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1113)
    at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1363)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1391)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1375)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:563)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1512)
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1440)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:254)
    at java.net.URL.openStream(URL.java:1038)
    at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.createReader(RuntimeWSDLParser.java:984)
    at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.resolveWSDL(RuntimeWSDLParser.java:385)
    at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:216)
    at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:194)
    at com.sun.xml.internal.ws.wsdl.parser.RuntimeWSDLParser.parse(RuntimeWSDLParser.java:163)
    at com.sun.xml.internal.ws.client.WSServiceDelegate.parseWSDL(WSServiceDelegate.java:348)
    at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:306)
    at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:215)
    at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:196)
    at com.sun.xml.internal.ws.client.WSServiceDelegate.<init>(WSServiceDelegate.java:192)
    at com.sun.xml.internal.ws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:104)
    at javax.xml.ws.Service.<init>(Service.java:77)
    at com.api.trustweaver.SwitchService.<init>(SwitchService.java:48)

看起来问题是spring boot app没有使用来自keystore.jks的trustweaver别名进行webservice身份验证（或其他不确定的东西），有人可以帮我解决这个问题吗？

Answer 1

使用密钥库和信任库创建自定义SSL上下文，并在应用程序启动时加载它，如下所示

以下主要方法的变化

public static void main(String[] args) {
    System.setProperty("sun.security.ssl.allowUnsafeRenegotiation","true"); // for non prod systems
    SpringApplication.run(Application.class, args);
}
@Bean
CommandLineRunner init() {
    def customHttpsSSLConfig = new CustomHttpsSSLConfig();
    customHttpsSSLConfig.init(instance,hostnameVerification,trustweaverKeystore, trustweaverKeystoreType, trustweaverKeystorePassword, trustweaverCATrustStore, trustweaverCATrustStoreType, trustweaverCATrustStorePassword);
}

下面是我的CustomHttpsSSLConfig类

import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.net.ssl.*;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.stream.Stream;

public class CustomHttpsSSLConfig {

    private static final Logger LOGGER = LoggerFactory.getLogger(CustomHttpsSSLConfig.class);
    private static final String PROD_INSTANCE = "prod";
    private static final String STG_INSTANCE1 = "staging";
    private static final String STG_INSTANCE2 = "stg";
    private static final String QA_INSTANCE   = "qa";
    private static final String DEV_INSTANCE  = "dev";
    public static void init(String instance, String hostnameVerification, String trustweaverKeystore, String trustweaverKeystoreType, String trustweaverKeystorePassword, String trustweaverCATrustStore, String trustweaverCATrustStoreType, String trustweaverCATrustStorePassword) {

        // Install the all-trusting trust manager
        try {
            // Client keystore
            KeyStore keyStore = KeyStore.getInstance(trustweaverKeystoreType);
            keyStore.load(new FileInputStream(trustweaverKeystore), trustweaverKeystorePassword.toCharArray());

            KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
            kmf.init(keyStore, trustweaverKeystorePassword.toCharArray());

            // Trusted CA keystore
            KeyStore truststore = KeyStore.getInstance(trustweaverCATrustStoreType);
            truststore.load(new FileInputStream(trustweaverCATrustStore), trustweaverCATrustStorePassword.toCharArray());

            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(truststore);

            SSLContext sc = SSLContext.getInstance("TLSv1.2");
            sc.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
            HttpsURLConnection.setDefaultHostnameVerifier(getHostnameVerifierForInstance(instance,hostnameVerification));
            LOGGER.info("Initialized CustomHttpsSSLConfig with keyStore = {}, truststore = {}",trustweaverKeystore,trustweaverCATrustStore);
        } catch (Exception e) {
            LOGGER.error("CustomHttpsSSLConfig Initialization failed with keyStore = {}, truststore = {}, exception = {}, stacktrace = {} ",trustweaverKeystore,trustweaverCATrustStore,e.getMessage(),e.getStackTrace());
        }
    }

    private static HostnameVerifier getHostnameVerifierForInstance(String instance,String enabled){
        return Boolean.parseBoolean(enabled)&&reject(instance) ? customHostnameVerifier() : permitAll();
    }

    private static boolean reject(String instance) {
        return rejections().anyMatch(instance.trim().toLowerCase()::startsWith);
    }

    private static Stream<String> rejections() {
        return Stream.of(PROD_INSTANCE, STG_INSTANCE1,STG_INSTANCE2, QA_INSTANCE, DEV_INSTANCE).map(String::toLowerCase);
    }

    private static HostnameVerifier customHostnameVerifier() {
         return new HostnameVerifier() {
            public boolean verify(String hostname, SSLSession session) {
                DefaultHostnameVerifier verifier = new DefaultHostnameVerifier();
                return verifier.verify(hostname, session);
            }
        };
    }

    private static HostnameVerifier permitAll() {
        return (hostname, session) -> true;
    }
}