在 SSL 套接字工厂连接中使用多个密钥对

本教程将介绍在 SSL 套接字工厂连接中使用多个密钥对的处理方法,这篇教程是从别的地方看到的,然后加了一些国外程序员的疑问与解答,希望能对你有所帮助,好了,下面开始学习吧。

在 SSL 套接字工厂连接中使用多个密钥对 教程 第1张

问题描述

I'm using a key-pair and I thinking in the possibility to use more than one private key to create ans SSL socket factory.

So I'll be able to share distinct public keys and make the hand shake
dynamically based in the public key store provide for clients

Bellow is the source code explaining how I create this connection SSL

...
  ...log("Activating an SSL connection");
  System.setProperty("javax.net.ssl.keyStore", "myPrivateKey");
  System.setProperty("javax.net.ssl.keyStorePassword", "myPass");

  // SSL Server Socket Factory
  SSLServerSocketFactory sslSrvFact = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
  objServerSocket = sslSrvFact.createServerSocket(iPort);
  log("SSL connection actived");
...

It's possible or is a dream?

Thx

解决方案

You can do this by constructing your own SSLContext using your own X509KeyManager and choose the keystore alias using its chooseClientAlias method (or chooseServerAlias, depending on the side).

Something along these lines should work:

// Load the key store: change store type if needed
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
FileInputStream fis = new FileInputStream("/path/to/keystore");
try {
 ks.load(fis, keystorePassword);
} finally {
 if (fis != null) { fis.close(); }
}

// Get the default Key Manager
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, keyPassword);

final X509KeyManager origKm = (X509KeyManager)kmf.getKeyManagers()[0];
X509KeyManager km = new X509KeyManager() {
 public String chooseClientAlias(String[] keyType, 
Principal[] issuers, Socket socket) {
  // Implement your alias selection, possibly based on the socket
  // and the remote IP address, for example.
 }

 // Delegate the other methods to origKm.
}

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[] { km }, null, null);

SSLSocketFactory sslSocketFactory = sslContext.getSSLSocketFactory();

(There is a short example here that may help you get started.)

You don't actually have to delegate to the original KeyManager (I just find it more convenient). You could very well implement all its methods to return the keys and certs using the KeyStore you've loaded

Note that this is mostly useful for choosing the client-certificate. Java doesn't support Server Name Indication (SNI) on the server-side (even in Java 7 as far as I know), so you won't be able to know which host name the client is requesting before choosing the alias (from a server point of view).

好了关于在 SSL 套接字工厂连接中使用多个密钥对的教程就到这里就结束了,希望趣模板源码网找到的这篇技术文章能帮助到大家,更多技术教程可以在站内搜索。