如何在不转换为密钥库的情况下从 PEM 证书和密钥构建 SSLSocketFactory?
How to build a SSLSocketFactory from PEM certificate and key without converting to keystore?
我获得了一个自签名客户端证书工具包,用于通过 HTTPS 访问服务器。该套件包含以下 PEM 文件:
- client.crt(客户端证书)
- client.key(客户端私钥)
- ca.crt(CA证书)
解决任务的一种方法是生成一个 Java 密钥库:
- 使用 openssl 将客户端证书和密钥转换为 PKCS12 密钥库
- 使用密钥工具将 CA 证书导入商店
... 然后使用如下代码构建 SSLSocketFactory 实例:
InputStream stream = new ByteArrayInputStream(pksData);
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(stream, password);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, password.toCharArray());
KeyManager[] keyManagers = kmf.getKeyManagers();
TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
tmfactory.init(keyStore);
TrustManager[] trustManagers = tmfactory.getTrustManagers();
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, trustManagers, null);
sslSocketFactory = sslContext.getSocketFactory();
...稍后用于初始化 http 库。
因此我们获得了一个 KeyStore,然后在它的帮助下初始化 KeyManagers 和 TrustManagers,最后我们用它们构建 SSLSocketFactory 实例。
问题是:有没有办法避免创建密钥库文件并以某种方式从 PublicKey 和 Certificate 实例开始构建 SSLSocketFactory(例如,可以从 PEM 获得文件使用 bouncycastle 的 PemReader)?
事实证明,KeyStore 实例仍然需要构建,但它可以在内存中完成(从 PEM 文件作为输入开始),而无需使用使用 keytool 构建的中间密钥库文件。
要构建内存中的 KeyStore,可以使用如下代码:
private static final String TEMPORARY_KEY_PASSWORD = "changeit";
private KeyStore getKeyStore() throws ConfigurationException {
try {
Certificate clientCertificate = loadCertificate(certificatePem);
PrivateKey privateKey = loadPrivateKey(privateKeyPem);
Certificate caCertificate = loadCertificate(caPem);
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, null);
keyStore.setCertificateEntry("ca-cert", caCertificate);
keyStore.setCertificateEntry("client-cert", clientCertificate);
keyStore.setKeyEntry("client-key", privateKey, TEMPORARY_KEY_PASSWORD.toCharArray(), new Certificate[]{clientCertificate});
return keyStore;
} catch (GeneralSecurityException | IOException e) {
throw new ConfigurationException("Cannot build keystore", e);
}
}
private Certificate loadCertificate(String certificatePem) throws IOException, GeneralSecurityException {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
final byte[] content = readPemContent(certificatePem);
return certificateFactory.generateCertificate(new ByteArrayInputStream(content));
}
private PrivateKey loadPrivateKey(String privateKeyPem) throws IOException, GeneralSecurityException {
return pemLoadPrivateKeyPkcs1OrPkcs8Encoded(privateKeyPem);
}
private byte[] readPemContent(String pem) throws IOException {
final byte[] content;
try (PemReader pemReader = new PemReader(new StringReader(pem))) {
final PemObject pemObject = pemReader.readPemObject();
content = pemObject.getContent();
}
return content;
}
private static PrivateKey pemLoadPrivateKeyPkcs1OrPkcs8Encoded(
String privateKeyPem) throws GeneralSecurityException, IOException {
// PKCS#8 format
final String PEM_PRIVATE_START = "-----BEGIN PRIVATE KEY-----";
final String PEM_PRIVATE_END = "-----END PRIVATE KEY-----";
// PKCS#1 format
final String PEM_RSA_PRIVATE_START = "-----BEGIN RSA PRIVATE KEY-----";
final String PEM_RSA_PRIVATE_END = "-----END RSA PRIVATE KEY-----";
if (privateKeyPem.contains(PEM_PRIVATE_START)) { // PKCS#8 format
privateKeyPem = privateKeyPem.replace(PEM_PRIVATE_START, "").replace(PEM_PRIVATE_END, "");
privateKeyPem = privateKeyPem.replaceAll("\s", "");
byte[] pkcs8EncodedKey = Base64.getDecoder().decode(privateKeyPem);
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.generatePrivate(new PKCS8EncodedKeySpec(pkcs8EncodedKey));
} else if (privateKeyPem.contains(PEM_RSA_PRIVATE_START)) { // PKCS#1 format
privateKeyPem = privateKeyPem.replace(PEM_RSA_PRIVATE_START, "").replace(PEM_RSA_PRIVATE_END, "");
privateKeyPem = privateKeyPem.replaceAll("\s", "");
DerInputStream derReader = new DerInputStream(Base64.getDecoder().decode(privateKeyPem));
DerValue[] seq = derReader.getSequence(0);
if (seq.length < 9) {
throw new GeneralSecurityException("Could not parse a PKCS1 private key.");
}
// skip version seq[0];
BigInteger modulus = seq[1].getBigInteger();
BigInteger publicExp = seq[2].getBigInteger();
BigInteger privateExp = seq[3].getBigInteger();
BigInteger prime1 = seq[4].getBigInteger();
BigInteger prime2 = seq[5].getBigInteger();
BigInteger exp1 = seq[6].getBigInteger();
BigInteger exp2 = seq[7].getBigInteger();
BigInteger crtCoef = seq[8].getBigInteger();
RSAPrivateCrtKeySpec keySpec = new RSAPrivateCrtKeySpec(modulus, publicExp, privateExp, prime1, prime2,
exp1, exp2, crtCoef);
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.generatePrivate(keySpec);
}
throw new GeneralSecurityException("Not supported format of a private key");
}
思路来自Programmatically Obtain KeyStore from PEM
我早些时候在面临类似挑战时对您的回答发表了评论,现在我回来提供加载 pem 文件的替代方法。我用它创建了一个库,让我自己和其他人更容易使用,请看这里:GitHub - SSLContext Kickstart 希望你喜欢它:)
添加以下依赖项:
<dependency>
<groupId>io.github.hakky54</groupId>
<artifactId>sslcontext-kickstart-for-pem</artifactId>
<version>7.0.0</version>
</dependency>
可以使用以下代码片段加载 pem 文件:
var keyManager = PemUtils.loadIdentityMaterial("certificate-chain.pem", "private-key.pem");
var trustManager = PemUtils.loadTrustMaterial("some-trusted-certificate.pem");
var sslFactory = SSLFactory.builder()
.withIdentityMaterial(keyManager)
.withTrustMaterial(trustManager)
.build();
var sslContext = sslFactory.getSslContext();
var sslSocketFactory = sslFactory.getSslSocketFactory();
回到您的主要问题,我还发现没有 KeyStores 就无法创建 SSLSocketFactory。内存中的 KeyStore 可以完美地工作,正如您针对此用例所建议的那样。
我获得了一个自签名客户端证书工具包,用于通过 HTTPS 访问服务器。该套件包含以下 PEM 文件:
- client.crt(客户端证书)
- client.key(客户端私钥)
- ca.crt(CA证书)
解决任务的一种方法是生成一个 Java 密钥库:
- 使用 openssl 将客户端证书和密钥转换为 PKCS12 密钥库
- 使用密钥工具将 CA 证书导入商店
... 然后使用如下代码构建 SSLSocketFactory 实例:
InputStream stream = new ByteArrayInputStream(pksData);
KeyStore keyStore = KeyStore.getInstance("PKCS12");
keyStore.load(stream, password);
KeyManagerFactory kmf = KeyManagerFactory.getInstance(
KeyManagerFactory.getDefaultAlgorithm());
kmf.init(keyStore, password.toCharArray());
KeyManager[] keyManagers = kmf.getKeyManagers();
TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
tmfactory.init(keyStore);
TrustManager[] trustManagers = tmfactory.getTrustManagers();
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, trustManagers, null);
sslSocketFactory = sslContext.getSocketFactory();
...稍后用于初始化 http 库。
因此我们获得了一个 KeyStore,然后在它的帮助下初始化 KeyManagers 和 TrustManagers,最后我们用它们构建 SSLSocketFactory 实例。
问题是:有没有办法避免创建密钥库文件并以某种方式从 PublicKey 和 Certificate 实例开始构建 SSLSocketFactory(例如,可以从 PEM 获得文件使用 bouncycastle 的 PemReader)?
事实证明,KeyStore 实例仍然需要构建,但它可以在内存中完成(从 PEM 文件作为输入开始),而无需使用使用 keytool 构建的中间密钥库文件。
要构建内存中的 KeyStore,可以使用如下代码:
private static final String TEMPORARY_KEY_PASSWORD = "changeit";
private KeyStore getKeyStore() throws ConfigurationException {
try {
Certificate clientCertificate = loadCertificate(certificatePem);
PrivateKey privateKey = loadPrivateKey(privateKeyPem);
Certificate caCertificate = loadCertificate(caPem);
KeyStore keyStore = KeyStore.getInstance("JKS");
keyStore.load(null, null);
keyStore.setCertificateEntry("ca-cert", caCertificate);
keyStore.setCertificateEntry("client-cert", clientCertificate);
keyStore.setKeyEntry("client-key", privateKey, TEMPORARY_KEY_PASSWORD.toCharArray(), new Certificate[]{clientCertificate});
return keyStore;
} catch (GeneralSecurityException | IOException e) {
throw new ConfigurationException("Cannot build keystore", e);
}
}
private Certificate loadCertificate(String certificatePem) throws IOException, GeneralSecurityException {
CertificateFactory certificateFactory = CertificateFactory.getInstance("X509");
final byte[] content = readPemContent(certificatePem);
return certificateFactory.generateCertificate(new ByteArrayInputStream(content));
}
private PrivateKey loadPrivateKey(String privateKeyPem) throws IOException, GeneralSecurityException {
return pemLoadPrivateKeyPkcs1OrPkcs8Encoded(privateKeyPem);
}
private byte[] readPemContent(String pem) throws IOException {
final byte[] content;
try (PemReader pemReader = new PemReader(new StringReader(pem))) {
final PemObject pemObject = pemReader.readPemObject();
content = pemObject.getContent();
}
return content;
}
private static PrivateKey pemLoadPrivateKeyPkcs1OrPkcs8Encoded(
String privateKeyPem) throws GeneralSecurityException, IOException {
// PKCS#8 format
final String PEM_PRIVATE_START = "-----BEGIN PRIVATE KEY-----";
final String PEM_PRIVATE_END = "-----END PRIVATE KEY-----";
// PKCS#1 format
final String PEM_RSA_PRIVATE_START = "-----BEGIN RSA PRIVATE KEY-----";
final String PEM_RSA_PRIVATE_END = "-----END RSA PRIVATE KEY-----";
if (privateKeyPem.contains(PEM_PRIVATE_START)) { // PKCS#8 format
privateKeyPem = privateKeyPem.replace(PEM_PRIVATE_START, "").replace(PEM_PRIVATE_END, "");
privateKeyPem = privateKeyPem.replaceAll("\s", "");
byte[] pkcs8EncodedKey = Base64.getDecoder().decode(privateKeyPem);
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.generatePrivate(new PKCS8EncodedKeySpec(pkcs8EncodedKey));
} else if (privateKeyPem.contains(PEM_RSA_PRIVATE_START)) { // PKCS#1 format
privateKeyPem = privateKeyPem.replace(PEM_RSA_PRIVATE_START, "").replace(PEM_RSA_PRIVATE_END, "");
privateKeyPem = privateKeyPem.replaceAll("\s", "");
DerInputStream derReader = new DerInputStream(Base64.getDecoder().decode(privateKeyPem));
DerValue[] seq = derReader.getSequence(0);
if (seq.length < 9) {
throw new GeneralSecurityException("Could not parse a PKCS1 private key.");
}
// skip version seq[0];
BigInteger modulus = seq[1].getBigInteger();
BigInteger publicExp = seq[2].getBigInteger();
BigInteger privateExp = seq[3].getBigInteger();
BigInteger prime1 = seq[4].getBigInteger();
BigInteger prime2 = seq[5].getBigInteger();
BigInteger exp1 = seq[6].getBigInteger();
BigInteger exp2 = seq[7].getBigInteger();
BigInteger crtCoef = seq[8].getBigInteger();
RSAPrivateCrtKeySpec keySpec = new RSAPrivateCrtKeySpec(modulus, publicExp, privateExp, prime1, prime2,
exp1, exp2, crtCoef);
KeyFactory factory = KeyFactory.getInstance("RSA");
return factory.generatePrivate(keySpec);
}
throw new GeneralSecurityException("Not supported format of a private key");
}
思路来自Programmatically Obtain KeyStore from PEM
我早些时候在面临类似挑战时对您的回答发表了评论,现在我回来提供加载 pem 文件的替代方法。我用它创建了一个库,让我自己和其他人更容易使用,请看这里:GitHub - SSLContext Kickstart 希望你喜欢它:)
添加以下依赖项:
<dependency>
<groupId>io.github.hakky54</groupId>
<artifactId>sslcontext-kickstart-for-pem</artifactId>
<version>7.0.0</version>
</dependency>
可以使用以下代码片段加载 pem 文件:
var keyManager = PemUtils.loadIdentityMaterial("certificate-chain.pem", "private-key.pem");
var trustManager = PemUtils.loadTrustMaterial("some-trusted-certificate.pem");
var sslFactory = SSLFactory.builder()
.withIdentityMaterial(keyManager)
.withTrustMaterial(trustManager)
.build();
var sslContext = sslFactory.getSslContext();
var sslSocketFactory = sslFactory.getSslSocketFactory();
回到您的主要问题,我还发现没有 KeyStores 就无法创建 SSLSocketFactory。内存中的 KeyStore 可以完美地工作,正如您针对此用例所建议的那样。