java - 使用 Apache HttpClient 通过 SSL 身份验证发送 HTTP 请求

Question

我是 Java 中 SSL 身份验证和 Httpclient 请求主题的新手。我需要与服务提供商执行安全连接，以便能够从服务提供商 api 获取一些数据。

我现在在哪里:

我已经制作了一个包含私钥和 CSR 请求的 .jks keystore ，我已将其发送给远程服务提供商。我有一个签名的 .cer 证书。到目前为止，我已经在 Postman 中测试了它，将私钥导出到 pem 文件，并通过 Postman 设置中的 CRT+KEY+Keypassword 设置客户端证书。请求运行得很好。现在，我必须使用 Java 来实现这个问题，并且我之前已经使用 Apache Fluent-hc 发送未经身份验证的 POST 请求。 我应该采取什么措施来实现客户端证书安全的 HTTP 请求？

更新。到目前为止，我已经用谷歌搜索了后续步骤:

我使用 PrivateKey 将 .CER 签名的证书导入到现有的 jks keystore 中:

keytool -importcert -file ./signed.cer -keystore trust.jks -alias mykey

列出 keystore 时，我得到两个条目:PrivateKeyEntry 和 trustCertEntry

然后我从资源加载我的 keystore :

    public KeyStore loadKeyStore() throws Exception {
    KeyStore keystore = KeyStore.getInstance("JKS");
    try (InputStream is =  new ClassPathResource(authProperties.getKeyStore()
    + ".jks").getInputStream()) {
    keystore.load(is, authProperties.getKeyPass().toCharArray());
    }

    return keystore;
    }

加载似乎没问题，我测试了它并获得了私钥和证书。但不是证书链，不确定我是否需要它。

然后我创建一个 SSLContext 并从同一 keystore 加载 TrustMaterial 和 KeyMaterial:

    public SSLContext loadSSLContext() throws Exception {
    return new SSLContextBuilder()
    .loadTrustMaterial(loadKeyStore(), (x509Certificates, s) -> true)
    .loadKeyMaterial(loadKeyStore(), authProperties.getKeyPass().toCharArray())
    .build();
    }

然后，我创建一个 SSLConnectionSocketFactory:

    SSLContext context = loadSSLContext();
    SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactory(context,
    new NoopHostnameVerifier());

我使用 SSLConnectionSocketFactory 创建 CloseableHttpClient:

    CloseableHttpClient httpclient = HttpClients.custom()
    .setSSLSocketFactory(sslsf)
    .build();

并执行 GET 请求:

    HttpGet request = new HttpGet("/private/openapi");
    HttpResponse httpresponse = httpclient.execute(request);

运行此程序时，我得到了

javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

可能是什么原因？我用谷歌搜索过这个问题，但似乎主要对应于协议(protocol)和密码套件不匹配。我不确定，这是否是我的情况。 请帮助，任何想法或链接将不胜感激! 这是堆栈跟踪和调试输出(请忽略奇怪的 IP 地址):

<小时/>

16:46:08.727 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> CONNECT api.serviceprovider.com:443 HTTP/1.1 16:46:08.727 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: api.serviceprovider.com:443 16:46:08.727 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_232) 16:46:08.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "CONNECT api.serviceprovider.com:443 HTTP/1.1[\r][\n]" 16:46:08.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: api.serviceprovider.com:443[\r][\n]" 16:46:08.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_232)[\r][\n]" 16:46:08.727 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]" 16:46:08.878 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "HTTP/1.1 200 Connection established[\r][\n]" 16:46:08.879 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "[\r][\n]" 16:46:08.880 [main] DEBUG org.apache.http.headers - http-outgoing-0 << HTTP/1.1 200 Connection established 16:46:08.881 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Tunnel to target created. 16:46:08.906 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled protocols: [TLSv1, TLSv1.1, TLSv1.2] 16:46:08.906 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Enabled cipher suites:[TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_DSS_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_RSA_WITH_AES_256_CBC_SHA, TLS_DHE_DSS_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_DSS_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_DHE_DSS_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_DSS_WITH_AES_128_GCM_SHA256, TLS_EMPTY_RENEGOTIATION_INFO_SCSV] 16:46:08.906 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Starting handshake 16:46:08.997 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - Secure session established 16:46:08.997 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - negotiated protocol: TLSv1.2 16:46:08.997 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - negotiated cipher suite: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 16:46:08.998 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - peer principal: CN=api.serviceprovider.com, OU=IT Department, O=ServiceProv, L=Moscow, C=RU 16:46:08.998 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - peer alternative names: [api.serviceprovider.com, developer.serviceprovider.com] 16:46:08.999 [main] DEBUG org.apache.http.conn.ssl.SSLConnectionSocketFactory - issuer principal: CN=Thawte TLS RSA CA G1, OU=www.digicert.com, O=DigiCert Inc, C=US 16:46:08.999 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Executing request GET /private/openapi HTTP/1.1 16:46:08.999 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Target auth state: UNCHALLENGED 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> GET /private/openapi HTTP/1.1 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Host: api.serviceprovider.com:443 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Connection: Keep-Alive 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_232) 16:46:08.999 [main] DEBUG org.apache.http.headers - http-outgoing-0 >> Accept-Encoding: gzip,deflate 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "GET /private/openapi HTTP/1.1[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Host: api.serviceprovider.com:443[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Connection: Keep-Alive[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "User-Agent: Apache-HttpClient/4.5.3 (Java/1.8.0_232)[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "Accept-Encoding: gzip,deflate[\r][\n]" 16:46:08.999 [main] DEBUG org.apache.http.wire - http-outgoing-0 >> "[\r][\n]" 16:46:09.037 [main] DEBUG org.apache.http.wire - http-outgoing-0 << "[read] I/O error: Received fatal alert: handshake_failure" 16:46:09.037 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Close connection 16:46:09.037 [main] DEBUG org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-0: Shutdown connection 16:46:09.037 [main] DEBUG org.apache.http.impl.execchain.MainClientExec - Connection discarded 16:46:09.038 [main] DEBUG org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 0][route: {tls}->http://x.x.x.120:8080->https://api.serviceprovider.com:443][total kept alive: 0; route allocated: 0 of 2; total allocated: 0 of 20] javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at sun.security.ssl.Alerts.getSSLException(Alerts.java:192) at sun.security.ssl.Alerts.getSSLException(Alerts.java:154) at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:2020) at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1127) at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:933) at sun.security.ssl.AppInputStream.read(AppInputStream.java:105) at org.apache.http.impl.conn.LoggingInputStream.read(LoggingInputStream.java:84) at org.apache.http.impl.io.SessionInputBufferImpl.streamRead(SessionInputBufferImpl.java:137) at org.apache.http.impl.io.SessionInputBufferImpl.fillBuffer(SessionInputBufferImpl.java:153) at org.apache.http.impl.io.SessionInputBufferImpl.readLine(SessionInputBufferImpl.java:282) at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:138) at org.apache.http.impl.conn.DefaultHttpResponseParser.parseHead(DefaultHttpResponseParser.java:56) at org.apache.http.impl.io.AbstractMessageParser.parse(AbstractMessageParser.java:259) at org.apache.http.impl.DefaultBHttpClientConnection.receiveResponseHeader(DefaultBHttpClientConnection.java:163) at org.apache.http.impl.conn.CPoolProxy.receiveResponseHeader(CPoolProxy.java:165) at org.apache.http.protocol.HttpRequestExecutor.doReceiveResponse(HttpRequestExecutor.java:273) at org.apache.http.protocol.HttpRequestExecutor.execute(HttpRequestExecutor.java:125) at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:272) at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:185) at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:89) at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:111) at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:185) at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:118) at ru.bcs.creditmarkt.delivery.adapter.ServProvAuthTest.testConn(ServProvAuthTest.java:99)

Answer 1

问题已解决。问题出在 jks keystore 中，而不是代码中。我已经导入了客户端证书，但它也需要带有根证书的证书链。一旦导入带有客户证书的整个链，它就起作用了。