Spring Boot文档阅读笔记-how-to-implement-2-way-ssl-using-spring-boot-蒲公英云

two-way-ssl需要12次握手（除去TCP的三次握手），如下图：

watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxNzg0NDI3NjE_size_16_color_FFFFFF_t_70

双向认证过程：

1.客户端发送ClientHello消息，告诉服务端要使用SSL。

2.客户端发送ServerHello的响应，告诉客户端使用SSL。

3.服务端发送证书给客户端；

4.服务端发送发送数据，要求客户端发送证书；

5.此时客户端与服务端招呼已经结束；

6.客户端发送自己的证书给服务端（客户端认证服务端证书成功）；

7.客户端发送session key（使用服务端公钥加密）；

8.客户端发送一个CertificateVerify消息让服务器知道它拥有发送证书；

9.客户端发送自己支持的通道加密套给服务端；

10.客户端要服务端从中选着一个；

11.服务端选择一个加密套，并且告诉客户端，我选择了这个；

12.服务端发送认证完成。

使用keytool生成证书：

keytool -genkeypair -alias client-app -keyalg RSA -keysize 2048 -storetype JKS -keystore client-app.jks -validity 3650 -ext SAN=dns:localhost,ip:127.0.0.1
keytool -genkeypair -alias server-app -keyalg RSA -keysize 2048 -storetype JKS -keystore server-app.jks -validity 3650 -ext SAN=dns:localhost,ip:127.0.0.1
keytool -export -alias client-app -file client-app.crt -keystore client-app.jks
keytool -export -alias server-app -file server-app.crt -keystore server-app.jks
keytool -import -alias server-app -file server-app.crt -keystore client-app.jks
keytool -import -alias client-app -file client-app.crt -keystore server-app.jks

下面使用Spring Boot进行SSL双向认证

程序结构如下：

watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxNzg0NDI3NjE_size_16_color_FFFFFF_t_70 1

关键代码：

服务端

application.properties

spring.application.name=server-app
server.port=9002
server.ssl.enabled=true
server.ssl.client-auth=need
server.ssl.key-store=classpath:server-app.jks
server.ssl.key-store-password=server-app
server.ssl.key-alias=server-app
server.ssl.key-store-type=JKS
server.ssl.key-store-provider=SUN
server.ssl.trust-store=classpath:server-app.jks
server.ssl.trust-store-password=server-app
server.ssl.trust-store-type=JKS

Controller.java

package cn.server;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
@RestController
@RequestMapping("/server-app")
public class Controller {
    @GetMapping("/data")
    public String getData(){
        System.out.println("Returning data from server-app data method");
        return "Hello from Server-App-data method";
    }
}

客户端

application.properties

spring.application.name=client-app
server.port=9001
server.ssl.enabled=true
server.ssl.client-auth=need
server.ssl.key-store=classpath:client-app.jks
server.ssl.key-store-password=client-app
server.ssl.key-alias=client-app
server.ssl.key-store-type=JKS
server.ssl.key-store-provider=SUN
server.ssl.trust-store=classpath:client-app.jks
server.ssl.trust-store-password=client-app
server.ssl.trust-store-type=JKS
endpoint.server-app=https://localhost:9002/server-app/data

ClientMain.java

package cn.client;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
@SpringBootApplication
public class ClientMain implements CommandLineRunner {
    @Autowired
    RestTemplate restTemplate;
    @Value("${endpoint.server-app}")
    private String msEndpoint;
    @Bean
    public RestTemplate getRestTemplate(){
        RestTemplate restTemplate = new RestTemplate();
        KeyStore keyStore;
        HttpComponentsClientHttpRequestFactory requestFactory = null;
        try {
            keyStore = KeyStore.getInstance("jks");
            ClassPathResource classPathResource = new ClassPathResource("client-app.jks");
            InputStream inputStream = classPathResource.getInputStream();
            keyStore.load(inputStream, "client-app".toCharArray());
            SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(new SSLContextBuilder()
                    .loadTrustMaterial(null, new TrustSelfSignedStrategy())
                    .loadKeyMaterial(keyStore, "client-app".toCharArray()).build(),
                    NoopHostnameVerifier.INSTANCE);
            HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory)
                    .setMaxConnTotal(Integer.valueOf(5))
                    .setMaxConnPerRoute(Integer.valueOf(5))
                    .build();
            requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
            requestFactory.setReadTimeout(Integer.valueOf(10000));
            requestFactory.setConnectTimeout(Integer.valueOf(10000));
            restTemplate.setRequestFactory(requestFactory);
        }
        catch (Exception exception) {
            System.out.println("Exception Occured while creating restTemplate "+exception);
            exception.printStackTrace();
        }
        return restTemplate;
    }
    public static void main(String[] args) {
        SpringApplication.run(ClientMain.class, args);
    }
    @Override
    public void run(String... args) throws Exception {
        String forObject = restTemplate.getForObject(new URI(msEndpoint), String.class);
        System.out.println(forObject);
    }
}