A hands-on guide to the concepts behind HTTPS, with implementations of HTTPS encryption/decryption and signing/signature verification


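Contents: HTTP access flow; HTTPS access flow; Configuration; Creating a keystore; Modifying the XML file; Flow overview; Enabling on the server; Client access; Server tasks; Client tasks; Certificates; Certificate formats; Converting pfx to keystore; Reading a .pfx; One-way authentication; Two-way authentication; Encryption/decryption; Symmetric encryption algorithms; DES; 3DES; AES; Asymmetric encryption algorithms; RSA; DSA; ECC; Combined; Signing/signature verification; Hash algorithms; MD4; MD5; SHA; Implementing HTTPS in Java; Certificate trust; The TrustManager interface; The KeyManager interface; Complete code implementation; Problems encountered during testing; Further topics; Network protocols

For the complete code, go straight to "Complete code implementation". For the pitfalls you will hit after implementing it, go straight to "Problems encountered during testing", which covers accessing HTTPS through a proxy server, accessing HTTPS by IP address, and so on.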

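HTTP access flow

When we develop a Java web project, we package it as a WAR and place it in the webapps directory of the Tomcat application server. Tomcat's access port is 8080. Start Tomcat and enter http://localhost:8080 in the browser's address bar, and you will see the page below (screenshot).

So let's look at what the server actually returns. In the web project, run this code: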

package com.lgx.http;

import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;

public class t1 {
    /* Test an HTTP request to the server and see what the server returns. */
    public static void main(String[] args) {
        try {
            URL url = new URL("http://localhost:8080");
            HttpURLConnection connection = (HttpURLConnection) url.openConnection();
            connection.connect();
            InputStream input = connection.getInputStream();
            // The default index.jsp page is far smaller than 1024 bytes
            byte[] bytes = new byte[1024];
            int bytesLength = input.read(bytes);
            // read() returns -1 on an empty body, so clamp the length to 0
            System.out.println("服务器返回:\n" + new String(bytes, 0, Math.max(bytesLength, 0)));
            connection.disconnect();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

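This produces the following result (screenshot).

What is shown above is not actually everything the server returns to the browser; we only printed the HTTP message body. That does not matter here. What it does show is that the data is not encrypted.

HTTPS access flow

Change the code above so that the URL uses https instead of http, and it throws an error. The Tomcat server has to be configured first.

Configuration

Configure Tomcat to support HTTPS access. If you use nginx, nginx has to be configured as well.

Creating a keystore

Use the keytool that ships with Java to generate a keystore: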

keytool -genkey -alias "tomcat" -keyalg "RSA" -keysize 1024 -validity 365 -keystore "/Users/liguoxi/Public/tomcat.keystore"

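The password is set to 123456.

Note: a KeyStore is generally generated with the keytool in the JDK. keytool uses an RSA or DSA KeyPairGenerator to generate a key pair and stores it, together with the newly generated certificate, in the KeyStore file.

Modifying the XML file

The HTTPS configuration in server.xml is commented out by default, so simply add it by hand.

Change the HTTP access code into HTTPS access code, start the project, and then run the following code as a Java application.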

package com.lgx.https;

import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import java.io.InputStream;
import java.net.URL;

public class t1 {
    public static void main(String[] args) {
        // Print the HTTPS handshake process
        System.setProperty("javax.net.debug", "all");
        // Set to the same value as Tomcat's keyStoreFile; the certificate sent by the server must exist in the trust store
        System.setProperty("javax.net.ssl.trustStore", "/Users/liguoxi/Public/tomcat.keystore");
        // Trust store password
        System.setProperty("javax.net.ssl.trustStorePassword", "123456");
        // HTTPS protocol version
        System.setProperty("https.protocols", "TLSv1");
        try {
            URL url = new URL("https://localhost:8443");
            HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
            connection.setHostnameVerifier(new HostnameVerifier() {
                @Override
                public boolean verify(String s, SSLSession sslSession) {
                    // The certificate has an extension field that records the server IP; do not raise an error if it differs from the IP in the URL.
                    // This is actually needed because the certificate generated with keytool does not have that extension field.
                    // Returning true accepts any host name, so host name verification is off for this connection.
                    return true;
                }
            });
            connection.connect();
            InputStream input = connection.getInputStream();
            byte[] bytes = new byte[1024];
            int bytesLength = input.read(bytes);
            // read() returns -1 on an empty body, so clamp the length to 0
            System.out.println("服务器返回:\n" + new String(bytes, 0, Math.max(bytesLength, 0)));
            connection.disconnect();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}

This prints a large amount of output:

trustStore is: /Users/liguoxi/Public/tomcat.keystore
trustStore type is : jks
trustStore provider is :
init truststore
adding as trusted cert:
  Subject: CN=LGX, OU=LGX, O=LGX, L=LGX, ST=LGX, C=LGX
  Issuer: CN=LGX, OU=LGX, O=LGX, L=LGX, ST=LGX, C=LGX
  Algorithm: RSA; Serial number: 0x21e45f2c
  Valid from Sun Oct 07 21:27:58 CST 2018 until Mon Oct 07 21:27:58 CST 2019
keyStore is :
keyStore type is : jks
keyStore provider is :
init keystore
init keymanager of type SunX509
trigger seeding of SecureRandom
done seeding SecureRandom
Allow unsafe renegotiation: false
Allow legacy hello messages: true
Is initial handshake: true
Is secure renegotiation: false
main, setSoTimeout(0) called
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256 for TLSv1
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
Ignoring unsupported cipher suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Ignoring unsupported cipher suite: TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
%% No cached client session
*** ClientHello, TLSv1
RandomCookie: GMT: 1522146822 bytes = { 206, 221, 190, 215, 203, 75, 100, 29, 253, 204, 139, 195, 132, 250, 231, 86, 226, 225, 94, 88, 154, 174, 37, 73, 148, 29, 117, 165 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension extended_master_secret
***
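The HTTPS client above returns true from its HostnameVerifier because the keytool certificate has no extension naming the server. As an added example (not code from the original post), the client below loads the same keystore into an SSLContext used by this one connection, reports whether each certificate's subjectAltName covers the host, and leaves Java's default host name check on. The class name ScopedTrustClient and helper sanCovers are made up for illustration; the path, password and URL are the page's. With a certificate that lacks the extension the connection is expected to fail until the certificate is reissued with one, for example with keytool's -ext san=dns:localhost option.

```java
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;

public class ScopedTrustClient {               // hypothetical name, not from the page
    // Diagnostic only: true if a subjectAltName entry of type dNSName (2) or iPAddress (7) equals host (no wildcards).
    static boolean sanCovers(X509Certificate cert, String host) throws Exception {
        Collection<List<?>> sans = cert.getSubjectAlternativeNames(); // null when the extension is absent
        if (sans == null) return false;
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            if ((type == 2 || type == 7) && host.equalsIgnoreCase(String.valueOf(san.get(1)))) return true;
        }
        return false;
    }
    public static void main(String[] args) throws Exception {
        URL url = new URL("https://localhost:8443");            // URL used on this page
        KeyStore trust = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream("/Users/liguoxi/Public/tomcat.keystore")) {
            trust.load(in, "123456".toCharArray());              // path and password used on this page
        }
        for (String alias : Collections.list(trust.aliases())) {
            X509Certificate cert = (X509Certificate) trust.getCertificate(alias);
            System.out.println(alias + ": SAN covers " + url.getHost() + "? " + sanCovers(cert, url.getHost()));
        }
        // Trust only this keystore, and only for this connection (no JVM-wide system properties).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier(...) call: the default check stays on and rejects a certificate that does not name the host.
        try (InputStream in = conn.getInputStream()) {
            byte[] buf = new byte[1024];
            int n = in.read(buf);
            System.out.println(n < 0 ? "(empty body)" : new String(buf, 0, n));
        } finally {
            conn.disconnect();
        }
    }
}
```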