
Implementing one-way SSL/TLS authentication (Java, Tomcat)

2015-07-26 20:44
In one-way authentication the client verifies the server's identity; the server does not authenticate the client.

Certificate generation

Only a server certificate needs to be generated. The result is the server's keystore.jks and the client's truststore.jks (usually the server.cer file is sent to the client, which imports it into its own JKS truststore). The steps are:

1. Generate the server-side keystore in JKS format. keypass and storepass must be identical, because Tomcat's server.xml has only a single keystorePass attribute.

keytool -genkey -alias server -keystore D:\keystore.jks -keypass 123456 -storepass 123456 -keyalg RSA -keysize 512 -validity 3650 -v -dname "CN={hostname},O=company,OU=company,L=city,ST=province"

Note: {hostname} is the server's hostname; the client checks it against the certificate's CN, so a mismatch fails the handshake. JDK 8 and later refuse RSA keys shorter than 1024 bits in TLS, so on a current JDK use -keysize 2048 instead of 512.

2. Export the server certificate with alias server from the keystore

keytool -export -alias server -keystore D:\keystore.jks -storepass 123456 -file D:\server.cer

3. Import server.cer into the client's truststore truststore.jks

keytool -import -alias trust -file D:\server.cer -keystore D:\truststore.jks -storepass 123456
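The same steps 2 and 3, done with the java.security.KeyStore API instead of keytool, followed by the checks worth running before truststore.jks is handed to clients (the truststore holds the certificate and no private key, the CN matches the server hostname, the certificate is valid, and the RSA key is long enough for a current JDK). This is an added example, not code from the original post; it assumes keystore.jks from step 1 exists under alias server, and it reuses the paths, alias names and password from the page.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;

/** Added example: steps 2 and 3 above via KeyStore API, plus sanity checks. */
public class ExportAndTrust {

    // Paths, alias names and password as used on the page (assumed, not from keytool itself)
    static final String KEYSTORE = "D:\\keystore.jks";
    static final String CERT_FILE = "D:\\server.cer";
    static final String TRUSTSTORE = "D:\\truststore.jks";
    static final char[] PASSWORD = "123456".toCharArray();

    /** Step 2: write the DER-encoded certificate stored under alias "server" to server.cer. */
    static X509Certificate exportServerCert() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(KEYSTORE)) {
            ks.load(in, PASSWORD);
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate("server");
        if (cert == null) {
            throw new IllegalStateException("no certificate under alias 'server' in " + KEYSTORE);
        }
        try (OutputStream out = new FileOutputStream(CERT_FILE)) {
            out.write(cert.getEncoded()); // the same DER bytes that keytool -export writes
        }
        return cert;
    }

    /** Step 3: import server.cer into a new or existing truststore under alias "trust". */
    static KeyStore importIntoTruststore() throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        File f = new File(TRUSTSTORE);
        if (f.exists()) {
            try (InputStream in = new FileInputStream(f)) {
                ts.load(in, PASSWORD);
            }
        } else {
            ts.load(null, null); // start from an empty truststore
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate cert;
        try (InputStream in = new FileInputStream(CERT_FILE)) {
            cert = cf.generateCertificate(in);
        }
        ts.setCertificateEntry("trust", cert); // a trusted-certificate entry, never a key entry
        try (OutputStream out = new FileOutputStream(f)) {
            ts.store(out, PASSWORD);
        }
        return ts;
    }

    /** Checks a practitioner wants before shipping truststore.jks to clients. */
    static void verify(X509Certificate serverCert, KeyStore ts, String expectedHost) throws Exception {
        X509Certificate trusted = (X509Certificate) ts.getCertificate("trust");
        if (!serverCert.equals(trusted)) {
            throw new IllegalStateException("truststore entry 'trust' does not match the exported certificate");
        }
        // The private key must stay in keystore.jks on the server; the truststore carries only the cert.
        if (ts.isKeyEntry("trust")) {
            throw new IllegalStateException("truststore must not contain a private key");
        }
        String subject = serverCert.getSubjectX500Principal().getName(); // RFC 2253 form, e.g. CN=host,O=...
        if (!subject.contains("CN=" + expectedHost)) {
            throw new IllegalStateException("certificate CN does not match hostname: " + subject);
        }
        serverCert.checkValidity(); // throws if expired or not yet valid
        int bits = ((RSAPublicKey) serverCert.getPublicKey()).getModulus().bitLength();
        if (bits < 2048) {
            System.out.println("warning: RSA key is only " + bits + " bits; JDK 8+ rejects < 1024 in TLS");
        }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "localhost"; // the {hostname} from step 1
        X509Certificate cert = exportServerCert();
        KeyStore ts = importIntoTruststore();
        verify(cert, ts, host);
        System.out.println("truststore.jks ready with " + ts.size() + " entry");
    }
}
```

Run it as `java ExportAndTrust <hostname>` after step 1; the CN check is the part most often skipped, and it is exactly what the client's hostname verification will enforce later.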

Configuring server.xml in the Tomcat environment

Copy keystore.jks into Tomcat's conf directory and add an HTTPS connector. clientAuth="false" is what makes this one-way: Tomcat never asks the client for a certificate.

<Connector port="8443" protocol="HTTP/1.1"
SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
maxThreads="150" scheme="https" secure="true"
keystoreFile="conf/keystore.jks" keystorePass="123456"  />


Server side and client side

Server-side web.xml

<security-constraint>
    <web-resource-collection>
        <web-resource-name>ssl</web-resource-name>
        <url-pattern>/*</url-pattern> <!-- force every request onto HTTPS -->
    </web-resource-collection>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>


Client code (requires httpcore-4.0.1.jar, httpclient-4.0.1.jar and httpmime-4.0.1.jar on the classpath)

package com.ssl.http;

import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;

import org.apache.http.HttpEntity;
import org.apache.http.HttpResponse;
import org.apache.http.util.EntityUtils;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.scheme.Scheme;
import org.apache.http.conn.ssl.SSLSocketFactory;
import org.apache.http.impl.client.DefaultHttpClient;

/**
 * Request handling with certificate-based server authentication
 * @author blue_coat
 * @date 2015-7-26
 */
public class HttpClientWithCA {

    // The backslash must be escaped: "D:\truststore.jks" would contain a tab character
    public static final String KEYSTORE_FILE = "D:\\truststore.jks";
    public static final String KEYSTORE_PWD = "123456";

    public static void main(String[] args) throws Exception {
        String result = oneAuthSSL("https://localhost:8443/ssl", "", KEYSTORE_FILE, KEYSTORE_PWD);
        // ... remainder of main omitted in the original post
    }

    // static, so it can be called from main
    public static String oneAuthSSL(String url, String data, String keystore, String password) throws Exception {
        String result = null;
        DefaultHttpClient httpclient = new DefaultHttpClient();
        // Load the client truststore that holds the server certificate (server.cer)
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        FileInputStream instream = new FileInputStream(new File(keystore));
        try {
            trustStore.load(instream, password.toCharArray());
        } finally {
            instream.close();
        }
        // A socket factory built from a truststore only: the client presents no certificate
        SSLSocketFactory socketFactory = new SSLSocketFactory(trustStore);
        Scheme sch = new Scheme("https", socketFactory, 8443);
        httpclient.getConnectionManager().getSchemeRegistry().register(sch);
        HttpGet httpget = new HttpGet(url);
        System.out.println("executing: " + httpget.getRequestLine());
        HttpResponse response = httpclient.execute(httpget);
        HttpEntity entity = response.getEntity();
        System.out.println("----------------------------------------");
        System.out.println(response.getStatusLine());
        if (entity != null) {
            System.out.println("Response Content-length: " + entity.getContentLength());
            result = EntityUtils.toString(entity);
            entity.consumeContent();
        }
        // Shut down the connection manager to release its resources
        httpclient.getConnectionManager().shutdown();
        return result;
    }
}
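The same one-way client written against the JDK alone, so none of the three HttpClient jars are needed: the truststore decides which server certificates are accepted, the client presents no certificate (null KeyManagers), and the JDK's default hostname verification stays in place. It also shows the failure mode that makes one-way authentication meaningful: a context that does not trust server.cer (here the JDK default truststore, which knows nothing about the self-signed certificate) is rejected during the handshake. This is an added example, not code from the original post; the truststore path, password and URL are the ones assumed on the page.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/** Added example: one-way TLS client using only the JDK, with the page's truststore. */
public class JdkOneWayTlsClient {

    /** Builds an SSLContext that trusts exactly the certificates in the given JKS truststore. */
    static SSLContext contextFromTruststore(String path, String password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password.toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null KeyManagers: one-way authentication, the client never presents a certificate
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** GETs url over TLS and returns the body; throws if the server certificate is not trusted. */
    static String get(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Deliberately no setHostnameVerifier(...): the default verifier checks the URL host
        // against the certificate, so a certificate for another host is refused even if trusted.
        conn.setRequestMethod("GET");
        System.out.println("executing: GET " + url);
        System.out.println(conn.getResponseCode() + " " + conn.getResponseMessage());
        StringBuilder body = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"))) {
            String line;
            while ((line = r.readLine()) != null) {
                body.append(line).append('\n');
            }
        }
        return body.toString();
    }

    public static void main(String[] args) throws Exception {
        String truststore = args.length > 0 ? args[0] : "D:\\truststore.jks"; // from step 3 (assumed path)
        String url = "https://localhost:8443/ssl";                                // Tomcat connector above

        // 1. Trusting server.cer: the handshake succeeds and the body comes back.
        SSLContext trusted = contextFromTruststore(truststore, "123456");
        String body = get(url, trusted);
        System.out.println("received " + body.length() + " chars");

        // 2. Not trusting server.cer: the JDK default context (cacerts) has no path to the
        //    self-signed certificate, so the handshake must fail with SSLHandshakeException.
        try {
            get(url, SSLContext.getDefault());
            System.out.println("unexpected: connection succeeded without trusting the server certificate");
        } catch (SSLHandshakeException e) {
            System.out.println("expected failure, server not trusted: " + e.getMessage());
        }
    }
}
```

If the second call ever succeeds, the server certificate has been added to the JDK's cacerts or the server is presenting a different, publicly trusted certificate; either way the truststore is no longer the thing deciding trust, which is worth knowing.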


After running, the call succeeds and prints the following:

executing: GET https://localhost:8443/ssl HTTP/1.1
----------------------------------------
HTTP/1.1 200 OK
Response content length: 8432