Using multiple key pairs in an SSL socket factory connection

Posted 2025-01-03 16:35:23

I'm using a key pair, and I'm thinking about the possibility of using more than one private key to create an SSL socket factory.

That way I would be able to share distinct public keys and make the handshake dynamically, based on the public key store provided to clients.

Below is the source code showing how I create this SSL connection:

import java.net.ServerSocket;
import javax.net.ssl.SSLServerSocketFactory;

...
  ...log("Activating an SSL connection");
  // Key store location and password are set JVM-wide; the default factory reads them
  System.setProperty("javax.net.ssl.keyStore", "myPrivateKey");
  System.setProperty("javax.net.ssl.keyStorePassword", "myPass");

  // SSL Server Socket Factory (built from the javax.net.ssl.* system properties)
  SSLServerSocketFactory sslSrvFact = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
  objServerSocket = sslSrvFact.createServerSocket(iPort); // ServerSocket objServerSocket; throws IOException
  log("SSL connection activated");
...

Is this possible, or is it a dream?

Thanks



Comments (1)

绮筵 2025-01-10 16:35:23

You can do this by constructing your own SSLContext using your own X509KeyManager and choosing the key-store alias with its chooseClientAlias method (http://docs.oracle.com/javase/6/docs/api/javax/net/ssl/X509KeyManager.html#chooseClientAlias%28java.lang.String%5B%5D,%20java.security.Principal%5B%5D,%20java.net.Socket%29), or chooseServerAlias, depending on the side.

Something along these lines should work:

import java.io.FileInputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.X509KeyManager;

// Load the key store: change store type if needed
// (keystorePassword and keyPassword are char[] values supplied by the caller)
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
try (FileInputStream fis = new FileInputStream("/path/to/keystore")) {
    ks.load(fis, keystorePassword);
}

// Get the default Key Manager
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
   KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, keyPassword);

final X509KeyManager origKm = (X509KeyManager) kmf.getKeyManagers()[0];
X509KeyManager km = new X509KeyManager() {
    public String chooseClientAlias(String[] keyType,
                                    Principal[] issuers, Socket socket) {
        // Implement your alias selection, possibly based on the socket
        // and the remote IP address, for example.
        return origKm.chooseClientAlias(keyType, issuers, socket);
    }

    // Delegate the other methods to origKm.
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return origKm.chooseServerAlias(keyType, issuers, socket);
    }
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return origKm.getClientAliases(keyType, issuers);
    }
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return origKm.getServerAliases(keyType, issuers);
    }
    public X509Certificate[] getCertificateChain(String alias) {
        return origKm.getCertificateChain(alias);
    }
    public PrivateKey getPrivateKey(String alias) {
        return origKm.getPrivateKey(alias);
    }
};

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[] { km }, null, null);

SSLSocketFactory sslSocketFactory = sslContext.getSSLSocketFactory();

(There is a short example, FixedServerAliasKeyManager.java under org/jsslutils/sslcontext/keymanagers, that may help you get started.)

You don't actually have to delegate to the original KeyManager (I just find it more convenient). You could very well implement all its methods to return the keys and certs from the KeyStore you've loaded.

Note that this is mostly useful for choosing the client certificate. Java doesn't support Server Name Indication (SNI) on the server side (even in Java 7, as far as I know), so you won't be able to know which host name the client is requesting before choosing the alias (from a server point of view).

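The following is an added example, written for this page; it is not code from the question, the answer, or jSSLutils. It puts the answer's approach to work on the server side the question asks about: one key store holding several key pairs, one SSLContext, and an X509KeyManager that picks the alias per connection. The selection policy (local listening port to alias), the command-line arguments, the key store path and the alias names server-a and server-b are all assumptions for illustration. It also does what the question's snippet does not: the context is built explicitly instead of through the javax.net.ssl.* system properties, so nothing changes JVM-wide and the key store password is never readable from System.getProperties(). The practitioner's check is in chooseServerAlias: the configured alias is only returned if the default manager lists it for the requested key type, and a mapped port returns null (so JSSE tries the next key type) rather than silently serving some other identity from the same store.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509KeyManager;

/**
 * Added example (not code from the thread): an X509KeyManager that presents a different key pair
 * depending on the local port the connection arrived on. The port-to-alias policy is an assumption.
 * The JDK default key manager does the X.509 work; this class only decides which alias to return.
 */
public final class AliasSelectingKeyManager implements X509KeyManager {
    private final X509KeyManager delegate;
    private final Map<Integer, String> aliasByLocalPort;

    public AliasSelectingKeyManager(X509KeyManager delegate, Map<Integer, String> aliasByLocalPort) {
        this.delegate = delegate;
        this.aliasByLocalPort = new HashMap<>(aliasByLocalPort);
    }

    // Builds the JDK default (SunX509) key manager from a key store file.
    public static X509KeyManager loadDefault(String path, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, keyPass);
        for (KeyManager km : kmf.getKeyManagers()) {
            if (km instanceof X509KeyManager) return (X509KeyManager) km;
        }
        throw new IllegalStateException("no X509KeyManager for " + path);
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        String wanted = socket == null ? null : aliasByLocalPort.get(socket.getLocalPort());
        if (wanted == null) {
            return delegate.chooseServerAlias(keyType, issuers, socket); // unmapped port: JDK default choice
        }
        // Hand back the configured alias only if the store really holds a key of the requested type under
        // it. null makes JSSE ask for the next key type (e.g. EC after RSA); a mapped port never falls back.
        String[] candidates = delegate.getServerAliases(keyType, issuers);
        if (candidates != null) {
            for (String c : candidates) {
                if (c.equalsIgnoreCase(wanted)) return c; // key store aliases are case-insensitive
            }
        }
        return null;
    }

    // Client-side choice and the lookups are pure delegation.
    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket s) { return delegate.chooseClientAlias(keyType, issuers, s); }
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }

    // Usage: java AliasSelectingKeyManager <keystore> <password> 8443=server-a 9443=server-b
    public static void main(String[] args) throws Exception {
        if (args.length < 3) throw new IllegalArgumentException("usage: <keystore> <password> port=alias ...");
        Map<Integer, String> policy = new HashMap<>();
        for (int i = 2; i < args.length; i++) {
            String[] kv = args[i].split("=", 2);
            policy.put(Integer.parseInt(kv[0]), kv[1]);
        }
        char[] pass = args[1].toCharArray();
        X509KeyManager km = new AliasSelectingKeyManager(loadDefault(args[0], pass, pass), policy);
        // Explicit context instead of javax.net.ssl.* system properties: nothing is changed JVM-wide
        // and the password never lands in System.getProperties().
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(new KeyManager[] { km }, null, null); // null = JDK default trust store and SecureRandom
        for (int port : policy.keySet()) {
            SSLServerSocket ss = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
            new Thread(() -> serve(ss)).start();
        }
    }

    private static void serve(SSLServerSocket ss) {
        while (true) {
            try (SSLSocket s = (SSLSocket) ss.accept()) {
                s.startHandshake(); // triggers chooseServerAlias() for this connection
                System.out.println(ss.getLocalPort() + " <- " + s.getInetAddress() + " " + s.getSession().getCipherSuite());
            } catch (IOException e) {
                System.err.println(ss.getLocalPort() + ": " + e);
            }
        }
    }
}
```

To try it, create a PKCS12 store with two entries, for example keytool -genkeypair -keystore ks.p12 -storetype PKCS12 -storepass changeit -alias server-a -keyalg RSA -dname CN=a.example and the same command with -alias server-b -keyalg EC -dname CN=b.example, then run java AliasSelectingKeyManager ks.p12 changeit 8443=server-a 9443=server-b and connect with openssl s_client -connect localhost:9443 piped into openssl x509 -noout -subject; port 9443 should present CN=b.example and port 8443 CN=a.example. Because server-b is an EC key, the handshake on 9443 only succeeds with a cipher suite or signature scheme that uses it: when JSSE asks for an "RSA" alias on that port the manager returns null on purpose, and the default manager is never consulted for a mapped port.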
