SpringBoot服務間使用自簽名證書實現https雙向認證

以服務server-one和server-two之間使用RestTemplate以https調用為例

一、生成密鑰

需要生成server-one和server-two的客戶端密鑰和一個信任庫密鑰

1.生成TrustStore(信任庫)
  keytool -genkey -alias trustkeys -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore trustKeys.p12 -validity 36500

2.生成server-one客戶端密鑰
  keytool -genkey -alias server-one -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore server-one.p12 -validity 36500

3.生成server-two客戶端密鑰
  keytool -genkey -alias server-two -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore server-two.p12 -validity 36500

4.導出客戶端公鑰添加到信任庫
 4.1 導出server-one的公鑰
     keytool -keystore server-one.p12 -export -alias server-one -file server-one-publicKey.cer
 4.2 導出server-two的公鑰
     keytool -keystore server-two.p12 -export -alias server-two -file server-two-publicKey.cer

5.添加客戶端公鑰到信任庫
  keytool -import -alias server-one -v -file server-one-publicKey.cer -keystore trustKeys.p12
  keytool -import -alias server-two -v -file server-two-publicKey.cer -keystore trustKeys.p12

以上2、3、4和5步驟填寫信息與1基本相同，不再重復截圖展示

部分命令解釋

genkey 表示要創建一個新的密鑰。 
alias 表示 keystore 的別名。 
keyalg 表示使用的加密算法是 RSA ，一種非對稱加密算法。 
keysize 表示密鑰的長度。 
keystore 表示生成的密鑰存放位置。 
validity 表示密鑰的有效時間，單位為天。

二、配置SpringBoot支持https

1、拷貝相應密鑰到resources

2、客戶端配置文件application.properties對應的配置項

# 開啟ssl
server.ssl.enabled=true
server.ssl.client-auth=need
#server.ssl.protocol=TLS
server.ssl.key-store=classpath:ssl/server-one.p12
#server.ssl.key-password=123456
server.ssl.key-store-password=123456
server.ssl.key-store-type=PKCS12
server.ssl.keyAlias=server-one

server.ssl.trust-store=classpath:ice-ca/trustKeys.p12
server.ssl.trust-store-password=123456
server.ssl.trust-store-type=PKCS12

3、服務端配置文件application.properties對應的配置項

# 開啟ssl
server.ssl.enabled=true
server.ssl.client-auth=need
#server.ssl.protocol=TLS
server.ssl.key-store=classpath:ssl/server-two.p12
#server.ssl.key-password=123456
server.ssl.key-store-password=123456
server.ssl.key-store-type=PKCS12
server.ssl.keyAlias=server-two

server.ssl.trust-store=classpath:ice-ca/trustKeys.p12
server.ssl.trust-store-password=123456
server.ssl.trust-store-type=PKCS12

4、pom.xml配置文件添加配置項如下

<resources>
    <resource>
        <directory>src/main/java</directory>
        <includes>
            <include>**/*.xml</include>
            <include>ssl/server-one.p12</include>
            <include>ice-ca/trustKeys.p12</include>
        </includes>
    </resource>
    <resource>
        <directory>src/main/resources</directory>
    </resource>
</resources>

5、啟動服務並驗證https

瀏覽器訪問：https://localhost:8970/platformdictionary/queryDeviceType

此時無法訪問

單擊server-one.p12或server-two.p12為瀏覽器安裝證書

安裝后再次訪問

點擊確定后即可訪問到頁面

6、配置RestTemplate

pom添加httpclient支持

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.5.13</version>
</dependency>

設置RestTemplate支持https請求

package com.hollysys.smartfactory.icedata.config;

import lombok.extern.slf4j.Slf4j;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

import javax.net.ssl.*;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.*;
import java.security.cert.CertificateException;
import java.time.Duration;

/**
 * Created by chendy on 2021/12/18 15:47
 */
@Configuration
@Slf4j
public class RestTemplateConfig {
    @Value("${server.ssl.key-store-type}")
    String clientKeyType;
    @Value("${server.ssl.key-store}")
    String clientPath;
    @Value("${server.ssl.key-store-password}")
    String clientPass;
    @Value("${server.ssl.trust-store-type}")
    String trustKeyType;
    @Value("${server.ssl.trust-store}")
    String trustPath;
    @Value("${server.ssl.trust-store-password}")
    String trustPass;

    @Bean
    public RestTemplate restTemplate() {
        RestTemplate restTemplate = null;
        try {
            HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
            // 客戶端證書類型
            KeyStore clientStore = KeyStore.getInstance(clientKeyType);
            // 加載客戶端證書，即自己的私鑰
            InputStream keyStream = getClass().getClassLoader().getResourceAsStream(clientPath);
            clientStore.load(keyStream, clientPass.toCharArray());
            // 創建密鑰管理工廠實例
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // 初始化客戶端密鑰庫
            keyManagerFactory.init(clientStore, clientPass.toCharArray());
            KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

            // 創建信任庫管理工廠實例
            TrustManagerFactory trustManagerFactory = TrustManagerFactory
                    .getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyStore trustStore = KeyStore.getInstance(trustKeyType);
            InputStream trustStream = getClass().getClassLoader().getResourceAsStream(trustPath);
            trustStore.load(trustStream, trustPass.toCharArray());

            // 初始化信任庫
            trustManagerFactory.init(trustStore);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            // 建立TLS連接
            SSLContext sslContext = SSLContext.getInstance("TLS");
            // 初始化SSLContext
            sslContext.init(keyManagers, trustManagers, new SecureRandom());
            // INSTANCE 忽略域名檢查
            SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
            CloseableHttpClient httpclient = HttpClients
                    .custom()
                    .setSSLSocketFactory(sslConnectionSocketFactory)
                    .setSSLHostnameVerifier(new NoopHostnameVerifier())
                    .build();
            requestFactory.setHttpClient(httpclient);
            requestFactory.setConnectTimeout((int) Duration.ofSeconds(15).toMillis());
            restTemplate = new RestTemplate(requestFactory);
        } catch (KeyManagementException | FileNotFoundException | NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (KeyStoreException | CertificateException | UnrecoverableKeyException | IOException e) {
            e.printStackTrace();
        }
        return restTemplate;
    }
}

7、添加測試代碼

server-one中的test添加代碼

@Autowired
RestTemplate restTemplate;
@Test
public void testHello(){
    String url = "https://127.0.0.1:8970/platformdictionary/queryDeviceType";
    ResponseEntity<String> forEntity = restTemplate.getForEntity(url, String.class);
    System.out.println(forEntity.toString());
}

server-two中的controller添加代碼

@RestController
@RequestMapping("/whiteList")
@Api(value = "whiteList", tags = "白名單管理")
public class WhiteListController extends BaseController {
    @ApiOperationSupport(order = 6)
    @ApiOperation(value = "查詢設備大類下拉選列表")
    @GetMapping(value = "/queryDeviceType")
    public AjaxResult.MutiResult<DeviceDictionaryItemVO> queryDeviceType() {
        return success(ReturnInfo.QUERY_SUCCESS_MSG, platformDictionaryService.queryDeviceType());
    }
}

測試執行結果

免責聲明！

本站轉載的文章為個人學習借鑒使用，本站對版權不負任何法律責任。如果侵犯了您的隱私權益，請聯系本站郵箱yoyou2525@163.com刪除。

猜您在找 自簽SSL證書以及https的雙向認證實現nginx雙向代理 iOS使用自簽名證書實現HTTPS請求 HTTPS雙向認證和如何生成證書[轉] 使用HttpClient4.5實現HTTPS的雙向認證 https雙向認證時證書簽發和配置 openssl實現雙向認證教程（服務端代碼+客戶端代碼+證書生成） nodejs之https雙向認證【HTTPS雙向加密認證】 Nginx https 雙向認證 https雙向認證(python)