ssl小结

有几篇不错的文章：

http://www.cnblogs.com/pen-ink/archive/2011/01/17/1937680.html 这个应该是最简单的示例了。 不过，当两个password不同的时候会运行不了。

http://www.cnblogs.com/yqskj/p/3142006.html 这个很不错，不过却不是完整的示例。

http://www.iteye.com/topic/1125183 非常非常好的帖子

先建立客户端、服务端两个目录

接着上文，拷贝tclient.keystore至客户端,拷贝tserver.keystore至服务端

import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class SSLServer {
    private static String SERVER_KEY_STORE_PASSWORD = "123456";
    private static String SERVER_TRUST_KEY_STORE_PASSWORD = "123456";
    private static int DEFAULT_PORT = 9999;

    public static void main(String[] arstring) {

        try {
            SSLServerSocket sslServerSocket = asfd();
            SSLSocket sslsocket = (SSLSocket) sslServerSocket.accept();

            InputStream inputstream = sslsocket.getInputStream();
            InputStreamReader inputstreamreader = new InputStreamReader(
                    inputstream);
            BufferedReader bufferedreader = new BufferedReader(
                    inputstreamreader);
            String string = null;
            while ((string = bufferedreader.readLine()) != null) {
                System.out.println(string);
                System.out.flush();
            }
        } catch (Exception e) {
            // TODO Auto-generated catch block
            e.printStackTrace();
        }
    }

    private static SSLServerSocket asfd() throws Exception {
        // TODO Auto-generated method stub

        SSLContext ctx = SSLContext.getInstance("SSL");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        KeyStore ks = KeyStore.getInstance("JKS");
        KeyStore tks = KeyStore.getInstance("JKS");
        ks.load(new FileInputStream("data/kserver.keystore"),
                SERVER_KEY_STORE_PASSWORD.toCharArray());
        tks.load(new FileInputStream("data/tserver.keystore"),
                SERVER_TRUST_KEY_STORE_PASSWORD.toCharArray());
        kmf.init(ks, SERVER_KEY_STORE_PASSWORD.toCharArray());
        tmf.init(tks);
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return (SSLServerSocket) ctx.getServerSocketFactory()
                .createServerSocket(DEFAULT_PORT);
    }
}

import java.io.BufferedReader;
import java.io.BufferedWriter;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.OutputStreamWriter;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

public class SSLClient {
	private static final String DEFAULT_HOST = "127.0.0.1";
	private static final int DEFAULT_PORT = 9999;
	private static String CLIENT_KEY_STORE_PASSWORD = "123456";
	private static String CLIENT_TRUST_KEY_STORE_PASSWORD = "123456";

	public static void main(String[] arstring) throws Exception {
		SSLSocket sslsocket = asf();

		InputStream inputstream = System.in;
		InputStreamReader inputstreamreader = new InputStreamReader(inputstream);
		BufferedReader bufferedreader = new BufferedReader(inputstreamreader);

		OutputStream outputstream = sslsocket.getOutputStream();
		OutputStreamWriter outputstreamwriter = new OutputStreamWriter(
				outputstream);
		BufferedWriter bufferedwriter = new BufferedWriter(outputstreamwriter);

		String string = null;
		while ((string = bufferedreader.readLine()) != null) {
			bufferedwriter.write(string + '
');
			bufferedwriter.flush();
		}

	}

	private static SSLSocket asf() throws Exception {
		// TODO Auto-generated method stub
		SSLContext ctx = SSLContext.getInstance("SSL");
		KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
		TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
		KeyStore ks = KeyStore.getInstance("JKS");
		KeyStore tks = KeyStore.getInstance("JKS");
		ks.load(new FileInputStream("data/kclient.keystore"),
				CLIENT_KEY_STORE_PASSWORD.toCharArray());
		tks.load(new FileInputStream("data/tclient.keystore"),
				CLIENT_TRUST_KEY_STORE_PASSWORD.toCharArray());
		kmf.init(ks, CLIENT_KEY_STORE_PASSWORD.toCharArray());
		tmf.init(tks);
		ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
		return (SSLSocket) ctx.getSocketFactory().createSocket(DEFAULT_HOST,
				DEFAULT_PORT);
	}
}

　　

然后分别在服务端执行java SSLServer、客户端执行java SSLClient 即可看到结果

不过，如果要是CLIENT_KEY_STORE_PASSWORD 和CLIENT_TRUST_KEY_STORE_PASSWORD 不一致需要怎么处理？？

待续。。

==========

我再简单的总结一下

1 要区分密钥库-此时的密钥应该是特指私钥、授权证书、授权证书库- 专门存储证书的地方

a 生成私钥库

C:xxssl>keytool -genkey

-v -alias bluedash-ssl-demo-client -keyalg RSA -keystore 

./client_ks -dname "CN=localhost,OU=cn,O=cn,L=cn,ST=cn,C=cn" -storepass client -keypass 456456

用来生成密钥库 rsa 即是其使用的非对称算法，storepass 是指、而keypass 呢；

b 通过密钥库生成证书

C:xxssl>keytool -export -alias bluedash-ssl-demo-server -keystore ./server_ks -file server_key.cer

-file server_key.cer 指明证书名字----  应该理解为将server_ks 的公钥export-导出到了server_key.cer中去了

c 将client_ks加入至server_key.cer中去 --说反了！。。-- 为什么要这么做、见那张图。 认证的需要。

C:xxssl>keytool -import -trustcacerts -alias bluedash-ssl-demo-server -file ./server_key.cer -keystore ./client_ks

 此处的 -keystore ./client_ks，---- 可以是同之前的client_ks，也可以是个不同的证书xx_ks。 此处只是为了方便，才这样。。。、

就是说密钥库和授权证书库可以是同一个

2 上面描述的是单向认证，一般情况我们也需要双向认证。

3 密钥库、证书、证书库文件的后缀不限。 完成证书的导入-至证书库-之后，证书不在使用，可以丢弃？。。

4 代码中应该使用SSLSocket、SSLClient

5 SSL并不存在服务端和客户端，只存在谁需要信任谁

================ 和ssh的区别？ ================

 其实原理上、实现上好像也没太大区别

简单说ssl用于http协议安全

ssh用于telnet协议。-- tcp层？