所以我有一个 sslServer 和一个 sslClient。我生成一个证书,将它放入一个 keyStore,然后将 keyStore 放入服务器的主目录。然后我将这个 keyStore 复制到客户端目录中。那安全吗?难道有人不能下载我的客户端副本并获取证书/keyStore 并执行中间人攻击吗?我该如何解决这个证书共享问题?如果有帮助,这里是一些代码:
服务器:
/*This is a hidden class*/
class Server implements Runnable{
public Server(){
}
@Override
public void run() {
DataInputStream stringGetter = null;
try{
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
char[] password = "iamakeystore".toCharArray();
ks.load(null, password);
System.setProperty("javax.net.ssl.keyStore", "keyStore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "iamakeystore");
// Store away the keystore.
//FileOutputStream fos = new FileOutputStream("keyStore.jks");
//ks.store(fos, password);
//fos.close();
}catch(Exception e){
}
SSLSocket sslsocket = null;
try {
SSLServerSocketFactory sslserversocketfactory =
(SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
SSLServerSocket sslserversocket =
(SSLServerSocket) sslserversocketfactory.createServerSocket(31030);
sslserversocket.setEnabledCipherSuites(sslserversocket.getSupportedCipherSuites());
sslsocket = (SSLSocket) sslserversocket.accept();
stringGetter= new DataInputStream(sslsocket.getInputStream());
boolean done=false;
byte input=-1;
while(!done){
input=stringGetter.readByte();
switch(input){
case 1:{
}
}
}
sslsocket.close();
} catch (IOException e) {
e.printStackTrace();
}finally{
if(stringGetter!=null){
try {
stringGetter.close();
} catch (IOException e) {
e.printStackTrace();
}
}
if(sslsocket!=null){
try {
sslsocket.close();
} catch (IOException e) {
e.printStackTrace();
}
}
}
}
}
客户:
private void login(){
System.setProperty("javax.net.ssl.keyStore", "keyStore.jks");
System.setProperty("javax.net.ssl.keyStorePassword", "iamakeystore");
SSLSocketFactory ssf = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket s = null;
DataOutputStream stringSender = null;
try {
s=(SSLSocket) ssf.createSocket("127.0.0.1", 31030);
s.setEnabledCipherSuites(s.getSupportedCipherSuites());
s.startHandshake();
stringSender= new DataOutputStream(s.getOutputStream());
try {
Thread.sleep(500);
} catch (InterruptedException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
stringSender.writeByte(1);
stringSender.flush();
} catch (UnknownHostException e) {
// TODO Auto-generated catch block
e.printStackTrace();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}finally{
if(s!=null){
try {
s.close();
} catch (IOException e) {
// TODO Auto-generated catch block
e.printStackTrace();
}
}
}
}
}
最佳答案
I then copy this keyStore into the clients directory.
不要。
Is that safe?
没有。这既不安全又毫无意义。 keystore 包含私钥。因此,它应该对 key 的所有者是私有(private)的。这意味着客户端和服务器这两个 key 所有者应该各自拥有自己的 keystore 。非私有(private)的私钥会破坏其自身的目的,并使 PKI 和依赖它的一切(例如 TLS)完全不安全。
Couldn't someone just download a copy of my client and get the certificate/keyStore and perform man in middle attacks?
是的。
How could I fix this certificate sharing problem?
请勿分享。生成两个 keystore 、两个 key 对、两个证书,并在服务器端使用一个,在客户端使用一个。不要混合它们,不要混淆它们,不要混淆它们。
关于Java SSLSockets : same keyStore on client and server, 安全吗?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/26900560/