Java安全传输实践


		传输层安全访问是通过身份验证和加密传输的过程。JDK的JSSE提供了传输层安全访问的实现。本文旨在通过一个完整的TLS通讯实例，辨析一个普遍的误导。
网络上停留在理论的简单实例通常存在一个误导。在双向信任的情况下，双方都需要信任对方的证书。这样的例子很多，普遍拷贝并简述过程。
其实，在实践中发现，双方都信任一个权威的CA，并持有该CA根证书和该CA签发的证书，即可以信任对方，实现通讯，不需要对方证书。这样做的好处是，连接方发生变动后，如果新的接入方也是CA签发认证的，即可认为可信。还有一个好处是，减少一个文件的部署(如果该通讯被重用在其他项目，或许这不是小事)。
〇 Scenario
ICM和UCGW是双向信任的两方，通过TLS通讯。CA是内部公信签证机构。
一 Certificate
签证流程：



 
0.CA自签证书作为其他设备的根证书
1.ICM和UCGW(两方流程一致，以下简称ICM)自签证书
2.向CA发送签发请求
这一步可以是发送一个CSR将公钥信息传递给CA
本例是将证书直接发给CA
3.CA为请求者签发证书
4.CA发送根证书和CA签发的证书给请求者
5.ICM将CA根证书导入信任列表
6.ICM将CA签发的证书替换自己签发的证书
实现代码：
0.CA自签证书作为其他设备的根证书
CertInfo certInfo = new CertInfo();
SelfSign selfs = new SelfSign();
certInfo.setKeystore(CA_KEYSTORE);
certInfo.setAlias(CA_ALIAS);
certInfo.setCommonName("mars_ca");
selfs.sign(certInfo, CA_CER);
keytool -genkey -dname "CN=mars_ca, OU=rv, O=rcd, L=ZB, ST=bj, C=China" -alias root -keyalg RSA -keystore ca--ca.keystore -keypass 111111 -storepass 111111 -validity 60
keytool -export -alias root -keystore ca--ca.keystore -storepass 111111 -rfc -file ca--ca.cer
Certificate stored in file <ca--ca.cer>
keytool -list -keystore ca--ca.keystore -storepass 111111
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
root, May 24, 2011, PrivateKeyEntry, 
Certificate fingerprint (MD5): 24:48:A3:4D:9F:EE:39:DE:8C:E7:51:60:7E:94:7A:76
1.ICM和UCGW(两方流程一致，以下简称ICM)自签证书
// CertInfo certInfo = new CertInfo();
// SelfSign selfs = new SelfSign();
certInfo.setKeystore(ICM_KEYSTORE);
certInfo.setAlias(ICM_ALIAS);
certInfo.setCommonName("mars_icm");
selfs.sign(certInfo, ICM_CER);
// SelfSign selfs = new SelfSign();
// CertInfo certInfo = new CertInfo();
certInfo.setKeystore(UCGW_KEYSTORE);
certInfo.setAlias(UCGW_ALIAS);
certInfo.setCommonName("mars_UCGW");
selfs.sign(certInfo, UCGW_CER);
keytool -genkey -dname "CN=mars_icm, OU=rv, O=rcd, L=ZB, ST=bj, C=China" -alias icm -keyalg RSA -keystore iview.keystore -keypass 111111 -storepass 111111 -validity 60
keytool -export -alias icm -keystore iview.keystore -storepass 111111 -rfc -file icm--icm.cer
Certificate stored in file <icm--icm.cer>
keytool -genkey -dname "CN=mars_UCGW, OU=rv, O=rcd, L=ZB, ST=bj, C=China" -alias ucgw -keyalg RSA -keystore ucgw.keystore -keypass 111111 -storepass 111111 -validity 60
keytool -export -alias ucgw -keystore ucgw.keystore -storepass 111111 -rfc -file ucgw--ucgw.cer
Certificate stored in file <ucgw--ucgw.cer>
keytool -export -alias ca_signed -keystore ca--ca_sign.keystore -storepass 111111 -rfc -file ca--icm.signed.cer
Certificate stored in file <ca--icm.signed.cer>
keytool -export -alias ca_signed -keystore ca--ca_sign.keystore -storepass 111111 -rfc -file ca--ucgw.signed.cer
Certificate stored in file <ca--ucgw.signed.cer>
keytool -list -keystore iview.keystore -storepass 111111
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
icm, May 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 78:5C:AA:1B:27:9D:FB:3E:BE:1A:BD:6E:C5:A5:25:BD
keytool -list -keystore ucgw.keystore -storepass 111111
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
ucgw, May 24, 2011, PrivateKeyEntry,
Certificate fingerprint (MD5): 7B:88:44:27:88:66:2D:6B:64:E3:D5:34:4A:03:DA:8F
2.向CA发送签发请求
3.CA为请求者签发证书
CASign cas = new CASign();
cas.sign(ICM_CER, ICM_SIGN_CER, CASIGN_KEYSTORE);
cas.sign(UCGW_CER, UCGW_SIGN_CER, CASIGN_KEYSTORE);
5.ICM将CA根证书导入信任列表
6.ICM将CA签发的证书替换自己签发的证书
CertImport im = new CertImport();
im.importCA(ICM_KEYSTORE);
im.importSign(ICM_ALIAS, ICM_SIGN_CER, ICM_KEYSTORE);
im.importCA(UCGW_KEYSTORE);
im.importSign(UCGW_ALIAS, UCGW_SIGN_CER, UCGW_KEYSTORE);
keytool -importcert -noprompt -alias root -file ca--ca.cer -keystore iview.keystore -storepass 111111
Certificate was added to keystore
keytool -importcert -noprompt -trustcacerts -alias icm -file ca--icm.signed.cer -keystore iview.keystore -storepass 111111 -keypass 111111
Certificate reply was installed in keystore
keytool -importcert -noprompt -alias root -file ca--ca.cer -keystore ucgw.keystore -storepass 111111
Certificate was added to keystore
keytool -importcert -noprompt -trustcacerts -alias ucgw -file ca--ucgw.signed.cer -keystore ucgw.keystore -storepass 111111 -keypass 111111
Certificate reply was installed in keystore
keytool -list -keystore iview.keystore -storepass 111111
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
root, May 24, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 24:48:A3:4D:9F:EE:39:DE:8C:E7:51:60:7E:94:7A:76
icm, May 24, 2011, PrivateKeyEntry, 
Certificate fingerprint (MD5): 18:D9:40:BD:65:6C:4D:B9:F3:87:2B:09:63:CD:F0:7A
keytool -list -keystore ucgw.keystore -storepass 111111
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
root, May 24, 2011, trustedCertEntry,
Certificate fingerprint (MD5): 24:48:A3:4D:9F:EE:39:DE:8C:E7:51:60:7E:94:7A:76
ucgw, May 24, 2011, PrivateKeyEntry, 
Certificate fingerprint (MD5): 2A:3D:3F:A6:E3:2F:36:B9:71:CD:AB:1D:9F:19:8A:49
二 TLS
这里以ICM作为服务器端，UCGW作为客户端。
方式一：加载keystore到环境变量，启用默认工厂SSL-Server-Socket-Factory
public class SSLServer {
    public static void main(String args[]) throws Exception {
        System.setProperty("javax.net.ssl.keyStore", TLSParameter.ICM_KEYSTORE);
        System.setProperty("javax.net.ssl.keyStorePassword", TLSParameter.S_KEY_PASS);
        
        SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        ServerSocket ss = ssf.createServerSocket(TLSParameter.SSLPORT);
        System.out.println("SSL Server is started.");
        while (true) {
            Socket s = ss.accept();
            PrintStream out = new PrintStream(s.getOutputStream());
            out.println("ICM say Hello to UCGW!");
            out.close();
            s.close();
        }
    }
}
public class SSLClient {
    public static void main(String args[]) throws Exception {
        System.setProperty("javax.net.ssl.trustStore", TLSParameter.UCGW_KEYSTORE);
        SSLSocketFactory ssf = (SSLSocketFactory) SSLSocketFactory.getDe

补充：综合编程 , 安全编程 ,