[英]Sending HTTP request with SSL authontication using Apache HttpClient
我是 Java 中 SSL 身份验证和 Httpclient 请求主题的新手。 而且我需要执行到服务提供者的安全连接才能从服务提供者 api 获取一些数据。
我制作了一个包含私钥和 csr 请求的 .jks 密钥库,我已将其发送给远程服务提供商。 我有一个签名的 .cer 证书。 到目前为止,我已经通过将私钥导出到 pem 文件并通过 Postman 设置中的 CRT+KEY+Keypassword 设置客户端证书在我的 Postman 中对其进行了测试。 请求运行得很好。 现在,我必须使用 Java 来实现这个问题,而且我之前已经使用 Apache fluent-hc 发送未经身份验证的 POST 请求。 我应该采取什么措施来实现客户端证书保护的 HTTP 请求?
我使用 PrivateKey 将我的 .CER 签名证书导入到现有的 jks 密钥库中:
keytool -importcert -file ./signed.cer -keystore trusted.jks -alias mykey
列出密钥库时,我得到两个条目:PrivateKeyEntry 和trustedCertEntry
然后我从资源加载我的密钥库:
public KeyStore loadKeyStore() throws Exception {
KeyStore keystore = KeyStore.getInstance("JKS");
try (InputStream is = new ClassPathResource(authProperties.getKeyStore()
+ ".jks").getInputStream()) {
keystore.load(is, authProperties.getKeyPass().toCharArray());
}
return keystore;
}
加载似乎没问题,我对其进行了测试并获得了私钥和证书。 但不是证书链,不确定我是否需要它。
然后我创建一个 SSLContext 并从同一个密钥库加载 TrustMaterial 和 KeyMaterial:
public SSLContext loadSSLContext() throws Exception {
return new SSLContextBuilder()
.loadTrustMaterial(loadKeyStore(), (x509Certificates, s) -> true)
.loadKeyMaterial(loadKeyStore(), authProperties.getKeyPass().toCharArray())
.build();
}
然后,我创建一个 SSLConnectionSocketFactory:
SSLContext context = loadSSLContext();
SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(context,
new NoopHostnameVerifier());
我使用 SSLConnectionSocketFactory 创建了一个 CloseableHttpClient:
CloseableHttpClient httpclient = HttpClients.custom()
.setSSLSocketFactory(sslsf)
.build();
并执行 GET 请求:
HttpGet request = new HttpGet("/private/openapi");
HttpResponse httpresponse = httpclient.execute(request);
运行这个时,我得到了
javax.net.ssl.SSLHandshakeException:收到致命警报:handshake_failure
什么可能是原因? 我在谷歌上搜索了这个问题,但似乎主要对应于协议和密码套件不匹配。 我不确定,如果这是我的情况。 请帮忙,任何想法或链接都会非常受欢迎! 这是堆栈跟踪和调试输出(请忽略奇怪的 IP 地址):
16:46:08.727 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> CONNECT api.serviceprovider.com:443 HTTP/1.1 16:46:08.727 [main] DEBUG org.apache.http。标头 - http-outgoing-0 >> 主机:api.serviceprovider.com:443 16:46:08.727 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> 用户代理:Apache-HttpClient/ 4.5.3 (Java/1.8.0_232) 16:46:08.727 [main] 调试 org.apache.http.wire - http-outgoing-0 >> "CONNECT api.serviceprovider.com:443 HTTP/1.1[\\r] [\\n]" 16:46:08.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: api.serviceprovider.com:443[\\r][\\n]" 16: 46:08.727 [main] 调试 org.apache.http.wire - http-outgoing-0 >>“用户代理:Apache-HttpClient/4.5.3 (Java/1.8.0_232)[\\r][\\n]” 16:46:08.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\\r][\\n]" 16:46:08.878 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 200 连接建立[\\r][\\n]" 16:46:08.879 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "[ \\r][\\n]" 16:46:08.880 [麦 n] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 建立连接 16:46:08.881 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - 目标隧道已创建。 16:46:08.906 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 启用协议:[TLSv1, TLSv1.1, TLSv1.2] 16:46:08.906 [main] DEBUG org.apache.http。 conn.ssl.SSLConnectionSocketFactory - 启用的密码套件:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 , TLS_DHE_DSS_WITH_AES_128_CBC_SHA256 ,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 16:46:08.906 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 开始握手 16:46:08.997 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Secure ses sion 建立 16:46:08.997 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 协商协议:TLSv1.2 16:46:08.997 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory -协商密码套件:TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 16:46:08.998 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - peer principal: CN=api.serviceprovider.com, OU=IT Department, O=ServiceProv, L=Moscow C=RU 16:46:08.998 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 对等替代名称:[api.serviceprovider.com, developer.serviceprovider.com] 16:46:08.999 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - 发行方主体:CN=Thawte TLS RSA CA G1,OU=www.digicert.com,O=DigiCert Inc,C=US 16:46:08.999 [main] DEBUG org. apache.http.impl.execchain.MainClientExec - 执行请求 GET /private/openapi HTTP/1.1 16:46:08.999 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - 目标身份验证状态:UNCHALLENGED 16:46 :08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET /private/openapi HTTP/1.1 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing- 0 >> 主机:api.serviceprovider.com:443 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> 连接:Keep-Alive 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_232) 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "GET /private/openapi HTTP/1.1[\\r ][\\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: api.serviceprovider.com:443[\\r][\\n]" 16 :46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Connection: Keep-Alive[\\r][\\n]" 16:46:08.999 [main] DEBUG org.apache .http.wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_232)[\\r][\\n]" 16:46:08.999 [main] DEBUG 或 g.apache.http.wire - http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\\r][\\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http -outgoing-0 >> "[\\r][\\n]" 16:46:09.037 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "[read] I/O error: Received致命警报:handshake_failure” 16:46:09.037 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0:关闭连接 16:46:09.037 [main] DEBUG org.apache.http.impl .conn.DefaultManagedHttpClientConnection - http-outgoing-0:关闭连接 16:46:09.037 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - 连接被丢弃 16:46:09.038 [main] DEBUG org.apache.http .impl.conn.PoolingHttpClientConnectionManager - 连接已发布:[id: 0][route: {tls}-> http://xxx120:8080- > https://api.serviceprovider.com:443 ][总保持活跃:0 ; 分配的路由:0 of 2; 总分配:0 of 20] javax.net.ssl.SSLHandshakeException:收到致命警报:sun.security.ssl.Alerts.getSSLException(Alerts.ssl.Alerts.getSSLException(Alerts.getSSLException(Alerts. java:154) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127) at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl) .java:933) at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) at org.apache.http.impl.conn.LoggingInputStream.read(LoggingInputStream.java:84) at org.apache.http。 impl.io.SessionInputBufferImpl.streamRead(SessionInputBufferImpl.java:137) at org.apache.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:153) at org.apache.http.impl.io.SessionInputBufferImpl.readLine( SessionInputBufferImpl.java:282) 在 org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:138) 在 org.apache.http.impl.conn.DefaultHt tpResponseParser.parseHead(DefaultHttpResponseParser.java:56) at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:259) at org.apache.http.impl.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:163)在 org.apache.http.impl.conn.CPoolProxy.receiveResponseHeader(CPoolProxy.java:165) 在 org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:273) 在 org.apache.http.protocol.HttpRequestExecutor .execute(HttpRequestExecutor.java:125) 在 org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:272) 在 org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) ) 在 org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) 在 org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111) 在 org.apache.http。 impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) 在 org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpCl ient.java:118) 在 ru.bcs.creditmarkt.delivery.adapter.ServProvAuthTest.testConn(ServProvAuthTest.java:99)
问题解决了。 问题出在 jks 密钥库中,而不是代码中。 我已经导入了客户端证书,但它也需要一个带有根证书的证书链。 一旦使用客户端证书导入整个链,它就可以工作。
使用HttpClient - Java发送带有HTTP POST请求的XML有效负载
[英]Sending XML payloads with HTTP POST request using HttpClient--Java
使用SSL时Apache HttpClient抛出SocketTimeoutException
[英]Apache HttpClient throws SocketTimeoutException when using SSL
使用代理和SSL时,Apache HttpClient 4.5.2(Request&HttpGet)在第二次调用时失败
[英]Apache HttpClient 4.5.2 (Request & HttpGet) fail on 2nd call when using Proxy and SSL
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.