在Servlet中读取客户端证书

如何将证书（.cer）从客户端发送到服务器？

客户端证书（.cer，.crt，.pem）及其对应的私钥（.key）应首先打包到PKCS＃12（.p12，.pfx）或JKS（.jks）容器中（密钥库）。 您还应该将服务器的CA证书打包为JKS（信任库）。

使用HttpClient 3.x的示例：

HttpClient client = new HttpClient(); // truststore KeyStore trustStore = KeyStore.getInstance("JKS", "SUN"); trustStore.load(TestSupertype.class.getResourceAsStream("/client-truststore.jks"), "amber%".toCharArray()); String alg = KeyManagerFactory.getDefaultAlgorithm(); TrustManagerFactory fac = TrustManagerFactory.getInstance(alg); fac.init(trustStore); // keystore KeyStore keystore = KeyStore.getInstance("PKCS12", "SunJSSE"); keystore.load(X509Test.class.getResourceAsStream("/etomcat_client.p12"), "etomcat".toCharArray()); String keyAlg = KeyManagerFactory.getDefaultAlgorithm(); KeyManagerFactory keyFac = KeyManagerFactory.getInstance(keyAlg); keyFac.init(keystore, "etomcat".toCharArray()); // context SSLContext ctx = SSLContext.getInstance("TLS", "SunJSSE"); ctx.init(keyFac.getKeyManagers(), fac.getTrustManagers(), new SecureRandom()); SslContextedSecureProtocolSocketFactory secureProtocolSocketFactory = new SslContextedSecureProtocolSocketFactory(ctx); Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) secureProtocolSocketFactory, 8443)); // test get HttpMethod get = new GetMethod("https://127.0.0.1:8443/etomcat_x509"); client.executeMethod(get); // get response body and do what you need with it byte[] responseBody = get.getResponseBody(); 

您可以在此项目中找到工作示例，请参阅X509Test类。

使用HttpClient 4.x配置和语法会略有不同：

 HttpClient httpclient = new DefaultHttpClient(); // truststore KeyStore ts = KeyStore.getInstance("JKS", "SUN"); ts.load(PostService.class.getResourceAsStream("/truststore.jks"), "amber%".toCharArray()); // if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing truststore if(0 == ts.size()) throw new IOException("Error loading truststore"); // tmf TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ts); // keystore KeyStore ks = KeyStore.getInstance("PKCS12", "SunJSSE"); ks.load(PostService.class.getResourceAsStream("/" + certName), certPwd.toCharArray()); // if you remove me, you've got 'javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated' on missing keystore if(0 == ks.size()) throw new IOException("Error loading keystore"); // kmf KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(ks, certPwd.toCharArray()); // SSL SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); // socket SSLSocketFactory socketFactory = new SSLSocketFactory(ctx, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER); Scheme sch = new Scheme("https", 8443, socketFactory); httpclient.getConnectionManager().getSchemeRegistry().register(sch); // request HttpMethod get = new GetMethod("https://localhost:8443/foo"); client.executeMethod(get); IOUtils.copy(get.getResponseBodyAsStream(), System.out); 

如何在服务器中接收证书并提取其公钥？

您必须将服务器配置为需要X.509客户端证书身份validation。 然后在SSL握手期间，servlet容器将接收证书，将其与trustore一起检查并将其作为请求属性提供给应用程序。 在单一证书的通常情况下，您可以在servlet环境中使用此方法来提取证书：

 protected X509Certificate extractCertificate(HttpServletRequest req) { X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate"); if (null != certs && certs.length > 0) { return certs[0]; } throw new RuntimeException("No X.509 client certificate found in request"); }