如何使用BouncyCastle进行TLS?

有人知道BouncyCastle的TLS示例吗? 互联网上缺乏它们让我感到惊讶。 如果确实没有,那就让我们收集它们作为答案。

这是一个非常基本的示例,仅使用服务器身份validation和自签名证书。 该代码基于BC 1.49,主要是轻量级API:

ServerSocket serverSocket = new ServerSocket(SERVER_PORT); final KeyPair keyPair = ... final Certificate bcCert = new Certificate(new org.spongycastle.asn1.x509.Certificate[] { new X509V3CertificateStrategy().selfSignedCertificateHolder(keyPair).toASN1Structure()}); while (true) { Socket socket = serverSocket.accept(); TlsServerProtocol tlsServerProtocol = new TlsServerProtocol( socket.getInputStream(), socket.getOutputStream(), secureRandom); tlsServerProtocol.accept(new DefaultTlsServer() { protected TlsSignerCredentials getRSASignerCredentials() throws IOException { return tlsSignerCredentials(context); } }); new PrintStream(tlsServerProtocol.getOutputStream()).println("Hello TLS"); } 

哪里

 private TlsSignerCredentials tlsSignerCredentials(TlsContext context) throws IOException { return new DefaultTlsSignerCredentials(context, bcCert, PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded())); } 

这是客户端代码:

 Socket socket = new Socket(, SERVER_PORT); TlsClientProtocol tlsClientProtocol = new TlsClientProtocol( socket.getInputStream(), socket.getOutputStream()); tlsClientProtocol.connect(new DefaultTlsClient() { public TlsAuthentication getAuthentication() throws IOException { return new ServerOnlyTlsAuthentication() { public void notifyServerCertificate(Certificate serverCertificate) throws IOException { validateCertificate(serverCertificate); } }; } }); String message = new BufferedReader( new InputStreamReader(tlsClientProtocol.getInputStream())).readLine(); 

您需要使用来自tlsClient / ServerProtocol的输入和输出流来读取和写入加密数据(例如tlsClientProtocol.getInputStream())。 否则,如果您使用了例如socket.getOutputStream(),则只需编写未加密的数据。

如何实现validateCertificate? 我使用的是自签名证书。 这意味着我只需在没有任何证书链的密钥存储区中查找它们。 这是我创建密钥库的方式:

 KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.load(null, password); X509Certificate certificate = ...; keyStore.setCertificateEntry(alias, certificate); 

这是validation:

 private void validateCertificate(org.spongycastle.crypto.tls.Certificate cert) throws IOException, CertificateException, KeyStoreException { byte[] encoded = cert.getCertificateList()[0].getEncoded(); java.security.cert.Certificate jsCert = CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(encoded)); String alias = keyStore.getCertificateAlias(jsCert); if(alias == null) { throw new IllegalArgumentException("Unknown cert " + jsCert); } } 

令人困惑的是三种不同的证书类。 你必须在它们之间进行转换,如上所示。

场景:我们的生产服务器使用的是JDK1.6。 但是,客户服务器升级为仅在TLS 1.2中进行通信。 两台服务器之间的SSL通信中断。 但我们不能简单地将JDK6升级到8(默认情况下支持TLS 1.2),因为这会导致其他库兼容性问题。

以下示例代码使用jdk1.6.0_45和bcprov-jdk15on-153.jar(Bouncy Castle SIGNED JAR FILES)连接到使用TLS的任何服务器。

 import java.io.IOException; import java.io.BufferedReader; import java.io.InputStreamReader; import java.net.Socket; import org.bouncycastle.crypto.tls.CertificateRequest; import org.bouncycastle.crypto.tls.DefaultTlsClient; import org.bouncycastle.crypto.tls.TlsAuthentication; import org.bouncycastle.crypto.tls.TlsClientProtocol; import org.bouncycastle.crypto.tls.TlsCredentials; public class TestHttpClient { // Reference: http://boredwookie.net/index.php/blog/how-to-use-bouncy-castle-lightweight-api-s-tlsclient/ // bcprov-jdk15on-153.tar\src\org\bouncycastle\crypto\tls\test\TlsClientTest.java public static void main(String[] args) throws Exception { java.security.SecureRandom secureRandom = new java.security.SecureRandom(); Socket socket = new Socket(java.net.InetAddress.getByName("www.google.com"), 443); TlsClientProtocol protocol = new TlsClientProtocol(socket.getInputStream(), socket.getOutputStream(),secureRandom); DefaultTlsClient client = new DefaultTlsClient() { public TlsAuthentication getAuthentication() throws IOException { TlsAuthentication auth = new TlsAuthentication() { // Capture the server certificate information! public void notifyServerCertificate(org.bouncycastle.crypto.tls.Certificate serverCertificate) throws IOException { } public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException { return null; } }; return auth; } }; protocol.connect(client); java.io.OutputStream output = protocol.getOutputStream(); output.write("GET / HTTP/1.1\r\n".getBytes("UTF-8")); output.write("Host: www.google.com\r\n".getBytes("UTF-8")); output.write("Connection: close\r\n".getBytes("UTF-8")); // So the server will close socket immediately. output.write("\r\n".getBytes("UTF-8")); // HTTP1.1 requirement: last line must be empty line. output.flush(); java.io.InputStream input = protocol.getInputStream(); BufferedReader reader = new BufferedReader(new InputStreamReader(input)); String line; while ((line = reader.readLine()) != null) { System.out.println(line); } } } 

示例输出显示JDK 6可以在TLS中获取服务器页面,而不是某些SSLexception:

 HTTP/1.1 302 Found Cache-Control: private Content-Type: text/html; charset=UTF-8 Location: https://www.google.com.sg/?gfe_rd=cr&ei=WRgeVovGEOTH8Afcx4XYAw Content-Length: 263 Date: Wed, 14 Oct 2015 08:54:49 GMT Server: GFE/2.0 Alternate-Protocol: 443:quic,p=1 Alt-Svc: quic="www.google.com:443"; p="1"; ma=600,quic=":443"; p="1"; ma=600 Connection: close  302 Moved 

302 Moved

The document has moved here.

还有一个例子,建立在仅服务器的身份validation答案之上:带有客户身份validation的自签名证书的TLS(我只显示已更改的部分)。 这是服务器部分:

 tlsServerProtocol.accept(new DefaultTlsServer() { protected TlsSignerCredentials getRSASignerCredentials() throws IOException { return tlsSignerCredentials(context); } public void notifyClientCertificate(Certificate clientCertificate) throws IOException { validateCertificate(clientCertificate); } public CertificateRequest getCertificateRequest() { return new CertificateRequest(new short[] { ClientCertificateType.rsa_sign }, new Vector()); } }); 

这是客户端部分:

 tlsClientProtocol.connect(new DefaultTlsClient() { public TlsAuthentication getAuthentication() throws IOException { return new TlsAuthentication() { public void notifyServerCertificate(Certificate serverCertificate) throws IOException { validateCertificate(serverCertificate); } public TlsCredentials getClientCredentials(CertificateRequest certificateRequest) throws IOException { return tlsSignerCredentials(context); } }; } });