Tomcat配置https单向双向认证,iOS加密解密验证,iOS访问HTTPS
2014-10-10 09:41
579 查看
一.生成证书
生成CA证书。目前不使用第三方权威机构的CA来认证,自己充当CA的角色。
1.创建私钥:
openssl genrsa -out root/root-key.pem 1024
2.创建证书请求:
openssl req -new -out root/root-req.csr -key root/root-key.pem
3.自签署证书:
openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem -days 3650
4.将证书导出成浏览器支持的.p12格式:
openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey root/root-key.pem -out root/root.p12
生成server证书
1.创建私钥:
openssl genrsa -out server/server-key.pem 1024
2.创建证书请求:
openssl req -new -out server/server-req.csr -key server/server-key.pem
3.自签署证书:
openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
4.将证书导出成浏览器支持的.p12格式:
openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
生成client证书
1.创建私钥:
openssl genrsa -out client/client-key.pem 1024
2.创建证书请求:
openssl req -new -out client/client-req.csr -key client/client-key.pem
3.自签署证书:
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
4.将证书导出成浏览器支持的.p12格式:
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
根据root证书生成jks文件
进入root目录
keytool -import -v -trustcacerts -storepass password -alias root -file root-cert.pem -keystore root.jks
Tomcat 配置
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" schemeecure="true"
keystoreType="PKCS12" keystoreFile="/Users/fengchao/cer/server/server.p12" keystorePass="1234"
truststoreType="JKS" truststoreFile="/Users/fengchao/cer/root/root.jks" truststorePass="password"
clientAuth="false" sslProtocol="TLS" />
注意参数大小写,和路径的写法,这个是mac配置
主要参数是SSLEnable,是否启用HTTPS,如果true,则用户用浏览器访问8443时,会提示要在浏览器里添加证书,因为我们是自签名,属于非认证签名,所以会提示,如果是第三方认证则的SSL证书,则浏览器默认通过,可以直接安全访问。iOS客户端如果将认真安全跳过,则可以直接访问,如果开启则不能访问。
clientAuth是否启用客户端验证,也可以说是否是双向认证,浏览器访问时会寻找系统登陆中的keychain,如果你安装过对应的client,则会出现选择框让用户选择,选择后提交则会正常显示。iOS则也类似,需要读取本地证书,然后带证书提交。
二.iOS客户端 https单向验证
NSURL *url = [NSURL URLWithString:@"https://localhost:8443/deploy/index.html"];
ASIFormDataRequest *request = [ASIFormDataRequest requestWithURL:url];
[request setValidatesSecureCertificate:YES];//set to NO if you use the self-signed certificate
如果这个时候你开启验证,则会返回如下错误
A connection failure occurred: SSL problem (Possible causes may include a bad/expired/self-signed certificate, clock set to wrong date)
因为我们的证书是自签名,而苹果已经明确提示,你的证书可能是自签名,所以导致失败。
则个时候如果访问其他HTTPS网站则不会报错,所以这个验证只有在正式的证书才有效果。这个也很合理,如果你的客户端自签名都能通过,这样没有安全可言。除非你让用户自己选择是否信任。
三.iOS客户端 https双向验证
SecIdentityRef identity = NULL;
SecTrustRef trust = NULL;
// SecCertificateRef myReturnedCertificate = NULL;
NSData *PKCS12Data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"]];
// NSLog(@"%@",[[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"]);
[ASIHTTPRequestDemo extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12Data];
[request setClientCertificateIdentity:identity];
// status = SecIdentityCopyCertificate (identity,&myReturnedCertificate);
// [request setClientCertificates:[NSArray arrayWithObject:(id)PKCS12Data]];
[request startSynchronous];
NSError *error = [request error];
if (!error) {
//do something
}
......
}
思路就是读取p12文件,然后将证书内容和证书密钥导出,然后将证书塞入request,随后startSynchronous
由于没有正式证书,目前没有通过。所以如果有正式证书后再验证。或者已经验证过的朋友请留言交流下,在下感激不尽。
下面是提取P12信息代码
+ (BOOL)extractIdentity:(SecIdentityRef *)outIdentity andTrust:(SecTrustRef*)outTrust fromPKCS12Data:(NSData *)inPKCS12Data
{
OSStatus securityError = errSecSuccess;
// NSDictionary *optionsDictionary = [NSDictionary dictionaryWithObject:@"" forKey:(id)kSecImportExportPassphrase];
CFStringRef password = CFSTR("1234"); //证书密码
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys,values, 1,NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
securityError = SecPKCS12Import((CFDataRef)inPKCS12Data,(CFDictionaryRef)optionsDictionary,&items);
if (securityError == 0) {
CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex (items, 0);
const void *tempIdentity = NULL;
tempIdentity = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemIdentity);
*outIdentity = (SecIdentityRef)tempIdentity;
const void *tempTrust = NULL;
tempTrust = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemTrust);
*outTrust = (SecTrustRef)tempTrust;
} else {
NSLog(@"Failed with error code %d",(int)securityError);
return NO;
}
return YES;
}
四.RSA服务端加密,客户端解密
根据私钥和csr导出公钥
openssl x509 -req -in root-req.csr -out root_public_key.der -outform der -signkey root-key.pem -days 3650
如果重新来制作密钥则可以执行
openssl req -x509 -out public_key.der -outform
der -new -newkey rsa:1024 -keyout private_key.pem -days 3650
这个语句等于3个作用
1)创建私钥
openssl genrsa -out private_key.pem 1024
2)创建证书请求(按照提示输入信息)
openssl req -new -out cert.csr -key private_key.pem
3)自签署根证书
openssl x509 -req -in cert.csr -out public_key.der -outform der -signkey private_key.pem -days 3650
客户端代码主要如下
NSString *pkcsPath = [[NSBundle mainBundle] pathForResource:@"root" ofType:@"p12"];
// 下面的与上面的一样
// NSString *pkcsPath = [[NSBundle mainBundle] pathForResource:@"pkcs-daniate" ofType:@"pfx"];
NSString *certPath = [[NSBundle mainBundle] pathForResource:@"server_public_key" ofType:@"der"];
Security *security = [Security sharedSecurity];
OSStatus status = -1;
status = [security extractEveryThingFromPKCS12File:pkcsPath passphrase:@"1234"];
NSLog(@"status = %ld", status);
// 取得公钥
status = [security extractPublicKeyFromCertificateFile:certPath];
NSLog(@"status = %ld", status);
// 苹果官方文档中只说了短数据加密,但也提到了长数据的分段加密
// 短数据
NSString *plainText = @"This is plain text~中华人民共和国~";
NSData *plainData = [plainText dataUsingEncoding:NSUTF8StringEncoding];
NSData *encrypted = [security encryptWithPublicKey:plainData];
NSData *decrypted = [security decryptWithPrivateKey:encrypted];
// NSString *encryptedText = [[NSString alloc] initWithData:encrypted encoding:NSUTF8StringEncoding];
NSString *decryptedText = [[NSString alloc] initWithData:decrypted encoding:NSUTF8StringEncoding];
// NSLog(@"plainData: %p", plainData);
// NSLog(@"encrypted: %p", encrypted);
// NSLog(@"decrypted: %p", decrypted);
NSLog(@"encrypted: %@",encrypted);
NSLog(@"decrypted text: %@", decryptedText);
p12文件包含私密,der则是包含公钥,分别提取并且利用其加密解密,从而达到验证的目的。
生成CA证书。目前不使用第三方权威机构的CA来认证,自己充当CA的角色。
1.创建私钥:
openssl genrsa -out root/root-key.pem 1024
2.创建证书请求:
openssl req -new -out root/root-req.csr -key root/root-key.pem
3.自签署证书:
openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem -days 3650
4.将证书导出成浏览器支持的.p12格式:
openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey root/root-key.pem -out root/root.p12
生成server证书
1.创建私钥:
openssl genrsa -out server/server-key.pem 1024
2.创建证书请求:
openssl req -new -out server/server-req.csr -key server/server-key.pem
3.自签署证书:
openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
4.将证书导出成浏览器支持的.p12格式:
openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
生成client证书
1.创建私钥:
openssl genrsa -out client/client-key.pem 1024
2.创建证书请求:
openssl req -new -out client/client-req.csr -key client/client-key.pem
3.自签署证书:
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
4.将证书导出成浏览器支持的.p12格式:
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
根据root证书生成jks文件
进入root目录
keytool -import -v -trustcacerts -storepass password -alias root -file root-cert.pem -keystore root.jks
Tomcat 配置
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" schemeecure="true"
keystoreType="PKCS12" keystoreFile="/Users/fengchao/cer/server/server.p12" keystorePass="1234"
truststoreType="JKS" truststoreFile="/Users/fengchao/cer/root/root.jks" truststorePass="password"
clientAuth="false" sslProtocol="TLS" />
注意参数大小写,和路径的写法,这个是mac配置
主要参数是SSLEnable,是否启用HTTPS,如果true,则用户用浏览器访问8443时,会提示要在浏览器里添加证书,因为我们是自签名,属于非认证签名,所以会提示,如果是第三方认证则的SSL证书,则浏览器默认通过,可以直接安全访问。iOS客户端如果将认真安全跳过,则可以直接访问,如果开启则不能访问。
clientAuth是否启用客户端验证,也可以说是否是双向认证,浏览器访问时会寻找系统登陆中的keychain,如果你安装过对应的client,则会出现选择框让用户选择,选择后提交则会正常显示。iOS则也类似,需要读取本地证书,然后带证书提交。
二.iOS客户端 https单向验证
NSURL *url = [NSURL URLWithString:@"https://localhost:8443/deploy/index.html"];
ASIFormDataRequest *request = [ASIFormDataRequest requestWithURL:url];
[request setValidatesSecureCertificate:YES];//set to NO if you use the self-signed certificate
如果这个时候你开启验证,则会返回如下错误
A connection failure occurred: SSL problem (Possible causes may include a bad/expired/self-signed certificate, clock set to wrong date)
因为我们的证书是自签名,而苹果已经明确提示,你的证书可能是自签名,所以导致失败。
则个时候如果访问其他HTTPS网站则不会报错,所以这个验证只有在正式的证书才有效果。这个也很合理,如果你的客户端自签名都能通过,这样没有安全可言。除非你让用户自己选择是否信任。
三.iOS客户端 https双向验证
SecIdentityRef identity = NULL;
SecTrustRef trust = NULL;
// SecCertificateRef myReturnedCertificate = NULL;
NSData *PKCS12Data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"]];
// NSLog(@"%@",[[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"]);
[ASIHTTPRequestDemo extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12Data];
[request setClientCertificateIdentity:identity];
// status = SecIdentityCopyCertificate (identity,&myReturnedCertificate);
// [request setClientCertificates:[NSArray arrayWithObject:(id)PKCS12Data]];
[request startSynchronous];
NSError *error = [request error];
if (!error) {
//do something
}
......
}
思路就是读取p12文件,然后将证书内容和证书密钥导出,然后将证书塞入request,随后startSynchronous
由于没有正式证书,目前没有通过。所以如果有正式证书后再验证。或者已经验证过的朋友请留言交流下,在下感激不尽。
下面是提取P12信息代码
+ (BOOL)extractIdentity:(SecIdentityRef *)outIdentity andTrust:(SecTrustRef*)outTrust fromPKCS12Data:(NSData *)inPKCS12Data
{
OSStatus securityError = errSecSuccess;
// NSDictionary *optionsDictionary = [NSDictionary dictionaryWithObject:@"" forKey:(id)kSecImportExportPassphrase];
CFStringRef password = CFSTR("1234"); //证书密码
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys,values, 1,NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
securityError = SecPKCS12Import((CFDataRef)inPKCS12Data,(CFDictionaryRef)optionsDictionary,&items);
if (securityError == 0) {
CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex (items, 0);
const void *tempIdentity = NULL;
tempIdentity = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemIdentity);
*outIdentity = (SecIdentityRef)tempIdentity;
const void *tempTrust = NULL;
tempTrust = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemTrust);
*outTrust = (SecTrustRef)tempTrust;
} else {
NSLog(@"Failed with error code %d",(int)securityError);
return NO;
}
return YES;
}
四.RSA服务端加密,客户端解密
根据私钥和csr导出公钥
openssl x509 -req -in root-req.csr -out root_public_key.der -outform der -signkey root-key.pem -days 3650
如果重新来制作密钥则可以执行
openssl req -x509 -out public_key.der -outform
der -new -newkey rsa:1024 -keyout private_key.pem -days 3650
这个语句等于3个作用
1)创建私钥
openssl genrsa -out private_key.pem 1024
2)创建证书请求(按照提示输入信息)
openssl req -new -out cert.csr -key private_key.pem
3)自签署根证书
openssl x509 -req -in cert.csr -out public_key.der -outform der -signkey private_key.pem -days 3650
客户端代码主要如下
NSString *pkcsPath = [[NSBundle mainBundle] pathForResource:@"root" ofType:@"p12"];
// 下面的与上面的一样
// NSString *pkcsPath = [[NSBundle mainBundle] pathForResource:@"pkcs-daniate" ofType:@"pfx"];
NSString *certPath = [[NSBundle mainBundle] pathForResource:@"server_public_key" ofType:@"der"];
Security *security = [Security sharedSecurity];
OSStatus status = -1;
status = [security extractEveryThingFromPKCS12File:pkcsPath passphrase:@"1234"];
NSLog(@"status = %ld", status);
// 取得公钥
status = [security extractPublicKeyFromCertificateFile:certPath];
NSLog(@"status = %ld", status);
// 苹果官方文档中只说了短数据加密,但也提到了长数据的分段加密
// 短数据
NSString *plainText = @"This is plain text~中华人民共和国~";
NSData *plainData = [plainText dataUsingEncoding:NSUTF8StringEncoding];
NSData *encrypted = [security encryptWithPublicKey:plainData];
NSData *decrypted = [security decryptWithPrivateKey:encrypted];
// NSString *encryptedText = [[NSString alloc] initWithData:encrypted encoding:NSUTF8StringEncoding];
NSString *decryptedText = [[NSString alloc] initWithData:decrypted encoding:NSUTF8StringEncoding];
// NSLog(@"plainData: %p", plainData);
// NSLog(@"encrypted: %p", encrypted);
// NSLog(@"decrypted: %p", decrypted);
NSLog(@"encrypted: %@",encrypted);
NSLog(@"decrypted text: %@", decryptedText);
p12文件包含私密,der则是包含公钥,分别提取并且利用其加密解密,从而达到验证的目的。
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- Tomcat配置https单向双向认证,iOS加密解密验证,iOS访问HTTPS
- 【网页访问单向、双向验证均可以】https原理及tomcat配置https方法[生成CA根证书配置tomcat后,若要成功访问axis中的webservice,需要配置它对应的axis2.xml文件]
- https 单向认证和双向认证及tomcat配置及各种证书类型之间的转换,适用ios,Android,网页端
- 从http到https简介,tomcat和nginx的https配置,单向认证和双向认证简介,对称加密和非对称加密简介,RSA算法简介
- linux系统下用单向认证方式将Tomcat配置成https方式访问
- tomcat配置https单向和双向认证
- Tomcat 配置设置https访问(单向验证)
- tomcat下配置https (超文本传输协议)-单向/双向验证
- IOS Android Tomcat SSL双向认证HTTPS访问
- https单向/双向认证及tomcat配置https方法
- 使用Tomcat 9验证Https单向认证和双向认证
- https单向/双向认证的tomcat配置攻略
- https单向/双向认证及tomcat配置https方法
- IOS Android Tomcat SSL双向认证HTTPS访问
- keytool+tomcat配置HTTPS双向证书认证
- keytool+tomcat配置HTTPS双向证书认证
- keytool+tomcat 单向/双向认证的配置
- 配置tomcat的https通信(单向认证)
- tomcat6配置https (双向认证/单向认证)
- Tomcat 配置WebService的HTTPS实现SSL的单双向认证