使用RestTemplate发送SSL双向验证请求

world Spring Boot

转换证书文件

已有文件
– app.crt 客户端证书
– app.key 客户端证书的密钥文件
– ca.crt 根证书文件

将客户端证书和密钥转换为java可识别证书文件jks (已有 client.jks 文件时忽略此步)

  1. 将crt文件转为p12
> openssl pkcs12 -export -out cert.p12 -in app.crt -inkey app.key
Enter Export Password:
Verifying - Enter Export Password:

提示输入密码: 注意此时密码为网站软件app对应的密钥

  1. 将cert.p12文件转为java可识别的jks文件, 此文件为客户端证书
> keytool -importkeystore -srckeystore cert.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore client.jks
Importing keystore cert.p12 to client.jks...
Enter destination keystore password:
Re-enter new password: 
Enter source keystore password:  
Entry for alias 1 successfully imported.
Import command completed:  1 entries successfully imported, 0 entries failed or cancelled

提示输入密码:此处建议三个密码都为app对应的密钥

导出Domain CA证书为 jks (已有 openapi_ca.jks 文件时忽略此步)

> keytool -import -file openapi_ca.crt -keystore openapi_ca.jks
Enter keystore password:  
Re-enter new password: 
...
Trust this certificate? [no]:  yes
Certificate was added to keystore

提示: 此处Trust this certificate?必须为 yes 或者 是, 否则删除文件重新生成

提示输入密码: 建议密码都是密钥

信任 ca 证书

注: 因一些奇怪的原因导致此条无法运行,故建议使用导出证书

> keytool -import -alias openapi_com -trustcacerts -keystore openapi_com.jks
> keytool -import -trustcacerts -keystore openapi_com.jks

此处密码为上一步生成文件时的密码, 建议所有密码为同一个

RestTemplate的使用案例及配置文件参考

# 请求ssl的域名
ucc.openapi.domain=https://www.openapi.com:13443/
# resources文件路径
ucc.openapi.application=cert/client.jks
ucc.openapi.domain-ca=cert/openapi_com.jks
# 密钥密码
ucc.openapi.passphrase=xxxxxxxxxxxxxxxxx

@Data
@Component
@ConfigurationProperties(value = "ucc.openapi")
public class UccDomainProperties {
    private String domain;

    private String crtFile;

    private String keyFile;

    private String passphrase;

    private String application;

    private String domainCa;
}

RestTemplate配置类

package org.example.untitled.config;

import lombok.extern.slf4j.Slf4j;
import org.apache.http.client.HttpClient;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.example.untitled.domin.vo.UccDomainProperties;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.web.client.RestTemplateBuilder;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.ClassPathResource;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.web.client.RestTemplate;

import java.security.KeyStore;


@Configuration
@Slf4j
public class RestTemplateConfiguration {

    @Autowired
    private UccDomainProperties properties;

    @Bean
    public RestTemplate restTemplate(RestTemplateBuilder builder) {
        RestTemplate restTemplate = new RestTemplate();

        KeyStore keyStore;
        HttpComponentsClientHttpRequestFactory requestFactory = null;

        try {
            keyStore = KeyStore.getInstance("jks");
            keyStore.load(new ClassPathResource(properties.getApplication()).getInputStream(), properties.getPassphrase().toCharArray());

            SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(new SSLContextBuilder()
                    .loadTrustMaterial(null, new TrustSelfSignedStrategy())
                    .loadKeyMaterial(keyStore, properties.getPassphrase().toCharArray()).build(),
                    NoopHostnameVerifier.INSTANCE);

            HttpClient httpClient = HttpClients.custom().setSSLSocketFactory(socketFactory)
                    .setMaxConnTotal(5)
                    .setMaxConnPerRoute(5)
                    .build();

            requestFactory = new HttpComponentsClientHttpRequestFactory(httpClient);
            requestFactory.setReadTimeout(10000);
            requestFactory.setConnectTimeout(10000);

            restTemplate.setRequestFactory(requestFactory);
        } catch (Exception exception) {
            System.out.println("Exception Occured while creating restTemplate "+exception);
            exception.printStackTrace();
        }
        return restTemplate;
    }
}

发表评论

您的电子邮箱地址不会被公开。