一.生成证书
- 生成CA证书。目前不使用第三方权威机构的CA来认证,自己充当CA的角色。
1.创建私钥:
openssl genrsa -out root/root-key.pem 1024
2.创建证书请求:
openssl req -new -out root/root-req.csr -key root/root-key.pem
3.自签署证书:
openssl x509 -req -in root/root-req.csr -out root/root-cert.pem -signkey root/root-key.pem -days 3650
4.将证书导出成浏览器支持的.p12格式:
openssl pkcs12 -export -clcerts -in root/root-cert.pem -inkey root/root-key.pem -out root/root.p12
- 生成server证书
1.创建私钥:
openssl genrsa -out server/server-key.pem 1024
2.创建证书请求:
openssl req -new -out server/server-req.csr -key server/server-key.pem
3.自签署证书:
openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -signkey server/server-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
4.将证书导出成浏览器支持的.p12格式:
openssl pkcs12 -export -clcerts -in server/server-cert.pem -inkey server/server-key.pem -out server/server.p12
- 生成client证书
1.创建私钥:
openssl genrsa -out client/client-key.pem 1024
2.创建证书请求:
openssl req -new -out client/client-req.csr -key client/client-key.pem
3.自签署证书:
openssl x509 -req -in client/client-req.csr -out client/client-cert.pem -signkey client/client-key.pem -CA root/root-cert.pem -CAkey root/root-key.pem -CAcreateserial -days 3650
4.将证书导出成浏览器支持的.p12格式:
openssl pkcs12 -export -clcerts -in client/client-cert.pem -inkey client/client-key.pem -out client/client.p12
- 根据root证书生成jks文件
进入root目录
keytool -import -v -trustcacerts -storepass password -alias root -file root-cert.pem -keystore root.jks
Tomcat 配置
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" schemeecure="true"
keystoreType="PKCS12" keystoreFile="/Users/fengchao/cer/server/server.p12" keystorePass="1234"
truststoreType="JKS" truststoreFile="/Users/fengchao/cer/root/root.jks" truststorePass="password"
clientAuth="false" sslProtocol="TLS" />
注意参数大小写,和路径的写法,这个是mac配置
主要参数是SSLEnable,是否启用HTTPS,如果true,则用户用浏览器访问8443时,会提示要在浏览器里添加证书,因为我们是自签名,属于非认证签名,所以会提示,如果是第三方认证则的SSL证书,则浏览器默认通过,可以直接安全访问。iOS客户端如果将认真安全跳过,则可以直接访问,如果开启则不能访问。
clientAuth是否启用客户端验证,也可以说是否是双向认证,浏览器访问时会寻找系统登陆中的keychain,如果你安装过对应的client,则会出现选择框让用户选择,选择后提交则会正常显示。iOS则也类似,需要读取本地证书,然后带证书提交。
二.iOS客户端 https单向验证
NSURL *url = [NSURL URLWithString:@"https://localhost:8443/deploy/index.html"];
ASIFormDataRequest *request = [ASIFormDataRequest requestWithURL:url];
[request setValidatesSecureCertificate:YES];//set to NO if you use the self-signed certificate
如果这个时候你开启验证,则会返回如下错误
A connection failure occurred: SSL problem (Possible causes may include a bad/expired/self-signed certificate, clock set to wrong date)
因为我们的证书是自签名,而苹果已经明确提示,你的证书可能是自签名,所以导致失败。
则个时候如果访问其他HTTPS网站则不会报错,所以这个验证只有在正式的证书才有效果。这个也很合理,如果你的客户端自签名都能通过,这样没有安全可言。除非你让用户自己选择是否信任。
三.iOS客户端 https双向验证
SecIdentityRef identity = NULL;
SecTrustRef trust = NULL;
// SecCertificateRef myReturnedCertificate = NULL;
NSData *PKCS12Data = [NSData dataWithContentsOfFile:[[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"]];
// NSLog(@"%@",[[NSBundle mainBundle] pathForResource:@"client" ofType:@"p12"]);
[ASIHTTPRequestDemo extractIdentity:&identity andTrust:&trust fromPKCS12Data:PKCS12Data];
[request setClientCertificateIdentity:identity];
// status = SecIdentityCopyCertificate (identity,&myReturnedCertificate);
// [request setClientCertificates:[NSArray arrayWithObject:(id)PKCS12Data]];
[request startSynchronous];
NSError *error = [request error];
if (!error) {
//do something
}
......
}
思路就是读取p12文件,然后将证书内容和证书密钥导出,然后将证书塞入request,随后startSynchronous
由于没有正式证书,目前没有通过。所以如果有正式证书后再验证。或者已经验证过的朋友请留言交流下,在下感激不尽。
下面是提取P12信息代码
+ (BOOL)extractIdentity:(SecIdentityRef *)outIdentity andTrust:(SecTrustRef*)outTrust fromPKCS12Data:(NSData *)inPKCS12Data
{
OSStatus securityError = errSecSuccess;
// NSDictionary *optionsDictionary = [NSDictionary dictionaryWithObject:@"" forKey:(id)kSecImportExportPassphrase];
CFStringRef password = CFSTR("1234"); //证书密码
const void *keys[] = { kSecImportExportPassphrase };
const void *values[] = { password };
CFDictionaryRef optionsDictionary = CFDictionaryCreate(NULL, keys,values, 1,NULL, NULL);
CFArrayRef items = CFArrayCreate(NULL, 0, 0, NULL);
securityError = SecPKCS12Import((CFDataRef)inPKCS12Data,(CFDictionaryRef)optionsDictionary,&items);
if (securityError == 0) {
CFDictionaryRef myIdentityAndTrust = CFArrayGetValueAtIndex (items, 0);
const void *tempIdentity = NULL;
tempIdentity = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemIdentity);
*outIdentity = (SecIdentityRef)tempIdentity;
const void *tempTrust = NULL;
tempTrust = CFDictionaryGetValue (myIdentityAndTrust, kSecImportItemTrust);
*outTrust = (SecTrustRef)tempTrust;
} else {
NSLog(@"Failed with error code %d",(int)securityError);
return NO;
}
return YES;
}
四.RSA服务端加密,客户端解密
根据私钥和csr导出公钥
openssl x509 -req -in root-req.csr -out root_public_key.der -outform der -signkey root-key.pem -days 3650
如果重新来制作密钥则可以执行
openssl req -x509 -out public_key.der -outform der -new -newkey rsa:1024 -keyout private_key.pem
-days 3650
这个语句等于3个作用
1)创建私钥
2)创建证书请求(按照提示输入信息)
3)自签署根证书
客户端代码主要如下
NSString *pkcsPath = [[NSBundle mainBundle] pathForResource:@"root" ofType:@"p12"];
// 下面的与上面的一样
// NSString *pkcsPath = [[NSBundle mainBundle] pathForResource:@"pkcs-daniate" ofType:@"pfx"];
NSString *certPath = [[NSBundle mainBundle] pathForResource:@"server_public_key" ofType:@"der"];
Security *security = [Security sharedSecurity];
OSStatus status = -1;
status = [security extractEveryThingFromPKCS12File:pkcsPath passphrase:@"1234"];
NSLog(@"status = %ld", status);
// 取得公钥
status = [security extractPublicKeyFromCertificateFile:certPath];
NSLog(@"status = %ld", status);
// 苹果官方文档中只说了短数据加密,但也提到了长数据的分段加密
// 短数据
NSString *plainText = @"This is plain text~中华人民共和国~";
NSData *plainData = [plainText dataUsingEncoding:NSUTF8StringEncoding];
NSData *encrypted = [security encryptWithPublicKey:plainData];
NSData *decrypted = [security decryptWithPrivateKey:encrypted];
// NSString *encryptedText = [[NSString alloc] initWithData:encrypted encoding:NSUTF8StringEncoding];
NSString *decryptedText = [[NSString alloc] initWithData:decrypted encoding:NSUTF8StringEncoding];
// NSLog(@"plainData: %p", plainData);
// NSLog(@"encrypted: %p", encrypted);
// NSLog(@"decrypted: %p", decrypted);
NSLog(@"encrypted: %@",encrypted);
NSLog(@"decrypted text: %@", decryptedText);
p12文件包含私密,der则是包含公钥,分别提取并且利用其加密解密,从而达到验证的目的。
参考:1.http://since2006.com/blog/39/using-tomcat-ssl