SpringBoot服务间实现https双向认证 (使用自签名证书)

/ 默认分类 / 没有评论 / 25浏览

以服务server-one和server-two之间使用RestTemplate以https调用为例

一、生成密钥

需要生成server-one和server-two的客户端密钥和一个信任库密钥

1、生成TrustStore(信任库)

keytool -genkey -alias trustkeys -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore trustKeys.p12 -validity 36500

2、生成server-one客户端密钥

keytool -genkey -alias server-one -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore server-one.p12 -validity 36500

3、生成server-two客户端密钥

keytool -genkey -alias server-two -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore server-two.p12 -validity 36500

genkey 表示要创建一个新的密钥。 alias 表示 keystore 的别名。 keyalg 表示使用的加密算法是 RSA ,一种非对称加密算法。 keysize 表示密钥的长度。 keystore 表示生成的密钥存放位置。 validity 表示密钥的有效时间,单位为天。

二、导出客户端公钥添加到信任库

1、导出server-one的公钥

keytool -keystore server-one.p12 -export -alias server-two -file server-one-publicKey.cer

2、导出server-two的公钥

keytool -keystore server-two.p12 -export -alias server-two -file server-two-publicKey.cer

3、添加客户端公钥到信任库

keytool -import -alias server-one -v -file server-one-publicKey.cer -keystore trustKeys.p12

keytool -import -alias server-two -v -file server-two-publicKey.cer -keystore trustKeys.p12

三、配置SpringBoot支持https

1、拷贝相应密钥到resources

2、修改application.yml配置文件

service-one

server:
  ssl:
    enable: true
    client-auth: need #双向认证need
    key-store: classpath:ssl/server-one.p12
    key-store-password: 123456
    key-store-type: PKCS12
    key-alias: server-one
    trust-store: classpath:ssl/trustKeys.p12
    trust-store-password: 123456
    trust-store-type: PKCS12

service-two

server:
  ssl:
    enable: true
    client-auth: need #双向认证need
    key-store: classpath:ssl/server-two.p12
    key-store-password: 123456
    key-store-type: PKCS12
    key-alias: server-two
    trust-store: classpath:ssl/trustKeys.p12
    trust-store-password: 123456
    trust-store-type: PKCS12

3、配置RestTemplate

pom添加httpclient支持

<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
    <version>4.5.13</version>
</dependency>

设置RestTemplate支持https请求

package com.example.serviceone.config;

import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.util.ResourceUtils;
import org.springframework.web.client.RestTemplate;

import javax.net.ssl.*;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.*;
import java.security.cert.CertificateException;
import java.time.Duration;

/**
 * Created by chenzan on 2021/05/21
 */
@Configuration
public class RestTemplateConfig {
    @Value("${server.ssl.key-store}")
    String clientPath;
    @Value("${server.ssl.key-store-password}")
    String clientPass;
    @Value("${server.ssl.key-store-type}")
    String clientKeyType;
    @Value("${server.ssl.trust-store}")
    String trustPath;
    @Value("${server.ssl.trust-store-password}")
    String trustPass;
    @Value("${server.ssl.trust-store-type}")
    String trustKeyType;

    @Bean
    public RestTemplate restTemplate() {
        RestTemplate restTemplate = null;
        try {
            HttpComponentsClientHttpRequestFactory requestFactory = new HttpComponentsClientHttpRequestFactory();
            // 客户端证书类型
            KeyStore clientStore = KeyStore.getInstance(clientKeyType);
            // 加载客户端证书,即自己的私钥
            clientStore.load(new FileInputStream(ResourceUtils.getFile(clientPath)), clientPass.toCharArray());
            // 创建密钥管理工厂实例
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // 初始化客户端密钥库
            keyManagerFactory.init(clientStore, clientPass.toCharArray());
            KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

            // 创建信任库管理工厂实例
            TrustManagerFactory trustManagerFactory = TrustManagerFactory
                    .getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyStore trustStore = KeyStore.getInstance(trustKeyType);
            trustStore.load(new FileInputStream(ResourceUtils.getFile(trustPath)), trustPass.toCharArray());

            // 初始化信任库
            trustManagerFactory.init(trustStore);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
            // 建立TLS连接
            SSLContext sslContext = SSLContext.getInstance("TLS");
            // 初始化SSLContext
            sslContext.init(keyManagers, trustManagers, new SecureRandom());
            // INSTANCE 忽略域名检查
            SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);
            CloseableHttpClient httpclient = HttpClients
                    .custom()
                    .setSSLSocketFactory(sslConnectionSocketFactory)
                    .setSSLHostnameVerifier(new NoopHostnameVerifier())
                    .build();
            requestFactory.setHttpClient(httpclient);
            requestFactory.setConnectTimeout((int) Duration.ofSeconds(15).toMillis());
            restTemplate = new RestTemplate(requestFactory);
        } catch (KeyManagementException | FileNotFoundException | NoSuchAlgorithmException e) {
            e.printStackTrace();
        } catch (KeyStoreException | CertificateException | UnrecoverableKeyException | IOException e) {
            e.printStackTrace();
        }
        return restTemplate;
    }
}

添加测试代码 server-one和server-two分别在Controller添加代码

server-two中

@RestController
public class ServerTwoController {

    @RequestMapping("/get")
    public String get() {
        return "two";
    }
}

server-one中

@RestController
public class ServerOneController {

    @RequestMapping("/get")
    public String get() {
        return "one";
    }
}

添加test代码

@SpringBootTest
public class ServiceOneApplicationTests {
    String url = "https://localhost:8081/server-two/get";
    @Autowired
    private RestTemplate restTemplate;

    @Test
    public void testHttpsGet() {
        ResponseEntity<String> forEntity = restTemplate.getForEntity(url, String.class);
        System.out.println(forEntity.toString());
    }
}

执行返回

<200,two,[Content-Type:"text/plain;charset=UTF-8", Content-Length:"3", Date:"Fri, 21 May 2021 08:12: