pem 文件 java,使用.pem文件以Java发送https请求

I have .pem file containing certificate, private key and trust chain, and .p12 file that I've generated from it using openssl pkcs12 -export:openssl pkcs12 -export -out file.p12 -in file.pem -inkey fi

weixin_39710951

1349人浏览 · 2021-02-21 06:13:51

weixin_39710951 · 2021-02-21 06:13:51 发布

I have .pem file containing certificate, private key and trust chain, and .p12 file that I've generated from it using openssl pkcs12 -export:

openssl pkcs12 -export -out file.p12 -in file.pem -inkey file.pem -passin pass:password -passout pass:password

My PEM file structure:

-----BEGIN CERTIFICATE-----

...

-----END CERTIFICATE-----

-----BEGIN PRIVATE KEY-----

...

-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

...

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

...

-----END CERTIFICATE-----

I'm using this curl request to fetch data from API:

curl --cert file.p12:password --cacert file.pem --resolve destinationHost.com:443:100.100.100.100 -H "Content-Type: text/plain" https://destinationHost.com/api

I'm trying to implement this request using Java (no matter which library).

import org.apache.http.HttpEntity;

import org.apache.http.client.methods.CloseableHttpResponse;

import org.apache.http.client.methods.HttpGet;

import org.apache.http.config.RegistryBuilder;

import org.apache.http.conn.DnsResolver;

import org.apache.http.conn.socket.ConnectionSocketFactory;

import org.apache.http.conn.socket.PlainConnectionSocketFactory;

import org.apache.http.conn.ssl.NoopHostnameVerifier;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;

import org.apache.http.impl.client.CloseableHttpClient;

import org.apache.http.impl.client.HttpClientBuilder;

import org.apache.http.impl.conn.BasicHttpClientConnectionManager;

import org.apache.http.impl.conn.SystemDefaultDnsResolver;

import javax.net.ssl.KeyManager;

import javax.net.ssl.KeyManagerFactory;

import javax.net.ssl.SSLContext;

import javax.xml.bind.DatatypeConverter;

import java.io.ByteArrayInputStream;

import java.io.IOException;

import java.net.InetAddress;

import java.net.UnknownHostException;

import java.nio.file.Files;

import java.nio.file.Paths;

import java.security.KeyFactory;

import java.security.KeyStore;

import java.security.NoSuchAlgorithmException;

import java.security.cert.Certificate;

import java.security.cert.CertificateException;

import java.security.cert.CertificateFactory;

import java.security.cert.X509Certificate;

import java.security.interfaces.RSAPrivateKey;

import java.security.spec.InvalidKeySpecException;

import java.security.spec.PKCS8EncodedKeySpec;

public class Main {

public static void main(String[] args) throws Exception {

HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();

SSLContext context = SSLContext.getInstance("TLS");

byte[] certAndKey = Files.readAllBytes(Paths.get("file.pem"));

byte[] certBytes = parseDERFromPEM(certAndKey, "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----");

byte[] keyBytes = parseDERFromPEM(certAndKey, "-----BEGIN PRIVATE KEY-----", "-----END PRIVATE KEY-----");

X509Certificate cert = generateCertificateFromDER(certBytes);

RSAPrivateKey key = generatePrivateKeyFromDER(keyBytes);

KeyStore keystore = KeyStore.getInstance("JKS");

keystore.load(null);

keystore.setCertificateEntry("alias", cert);

keystore.setKeyEntry("alias", key, "password".toCharArray(), new Certificate[] {cert});

KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");

kmf.init(keystore, "password".toCharArray());

KeyManager[] km = kmf.getKeyManagers();

context.init(km, null, null);

DnsResolver dnsResolver = new SystemDefaultDnsResolver() {

@Override

public InetAddress[] resolve(final String host) throws UnknownHostException {

if (host.equalsIgnoreCase("destinationHost.com")) {

/* If we match the host we're trying to talk to,

return the IP address we want, not what is in DNS */

return new InetAddress[] { InetAddress.getByName("100.100.100.100") };

} else {

/* Else, resolve it as we would normally */

return super.resolve(host);

}

};

SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(context, new NoopHostnameVerifier());

BasicHttpClientConnectionManager connManager = new BasicHttpClientConnectionManager(

RegistryBuilder.create()

.register("http", PlainConnectionSocketFactory.getSocketFactory())

.register("https", socketFactory)

.build(),

null, /* Default ConnectionFactory */

null, /* Default SchemePortResolver */

dnsResolver

);

httpClientBuilder.setConnectionManager(connManager);

CloseableHttpClient client = httpClientBuilder.build();

HttpGet httpGet = new HttpGet("https://destinationHost.com/api");

CloseableHttpResponse execute = client.execute(httpGet);

int statusCode = execute.getStatusLine().getStatusCode();

assert statusCode == 200;

}

private static byte[] parseDERFromPEM(byte[] pem, String beginDelimiter, String endDelimiter) {

String data = new String(pem);

String[] tokens = data.split(beginDelimiter);

tokens = tokens[1].split(endDelimiter);

return DatatypeConverter.parseBase64Binary(tokens[0]);

}

private static RSAPrivateKey generatePrivateKeyFromDER(byte[] keyBytes) throws InvalidKeySpecException, NoSuchAlgorithmException {

PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(keyBytes);

KeyFactory factory = KeyFactory.getInstance("RSA");

return (RSAPrivateKey)factory.generatePrivate(spec);

}

private static X509Certificate generateCertificateFromDER(byte[] certBytes) throws CertificateException {

CertificateFactory factory = CertificateFactory.getInstance("X.509");

return (X509Certificate)factory.generateCertificate(new ByteArrayInputStream(certBytes));

}

But receiving:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)

at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1959)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:302)

at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)

at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1514)

at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)

at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)

at sun.security.ssl.Handshaker.process_record(Handshaker.java:961)

at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)

at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)

at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)

at org.apache.http.conn.ssl.SSLConnectionSocketFactory.createLayeredSocket(SSLConnectionSocketFactory.java:394)

at org.apache.http.conn.ssl.SSLConnectionSocketFactory.connectSocket(SSLConnectionSocketFactory.java:353)

at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:134)

at org.apache.http.impl.conn.BasicHttpClientConnectionManager.connect(BasicHttpClientConnectionManager.java:338)

at org.apache.http.impl.execchain.MainClientExec.establishRoute(MainClientExec.java:380)

at org.apache.http.impl.execchain.MainClientExec.execute(MainClientExec.java:236)

at org.apache.http.impl.execchain.ProtocolExec.execute(ProtocolExec.java:184)

at org.apache.http.impl.execchain.RetryExec.execute(RetryExec.java:88)

at org.apache.http.impl.execchain.RedirectExec.execute(RedirectExec.java:110)

at org.apache.http.impl.client.InternalHttpClient.doExecute(InternalHttpClient.java:184)

at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:82)

at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:107)

at com.test.Main.main(Main.java:95)

Thanks in advance for any advice.

解决方案

The problem was that I forgot to add the TrustManager to init method of SSLContext. Now everything works.

TrustManager acceptAll = new X509TrustManager() {

public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {}

public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {}

public X509Certificate[] getAcceptedIssuers() {

return null;

}

};

context.init(km, new TrustManager[]{acceptAll}, null);

魔乐社区

魔乐社区（Modelers.cn) 是一个中立、公益的人工智能社区，提供人工智能工具、模型、数据的托管、展示与应用协同服务，为人工智能开发及爱好者搭建开放的学习交流平台。社区通过理事会方式运作，由全产业链共同建设、共同运营、共同享有，推动国产AI生态繁荣发展。

更多推荐

Pont - 搭建前后端之桥：高效、灵活的接口管理工具

Pont 是一款强大的数据服务层解决方案，它能够帮助开发者快速搭建前后端之间的桥梁，实现接口的高效管理和代码自动生成。无论是新手还是有经验的开发者，都能通过 Pont 轻松处理接口文档、生成类型安全的 API 代码，从而显著提升开发效率。[![Pont 工具标志](https://raw.gitcode.com/gh_mirrors/po/pont/raw/3f1b7d4bbba3fd2dda

魔乐社区

如何快速上手 hvac：HashiCorp Vault Python 客户端零基础入门指南

**hvac** 是 HashiCorp Vault 的 Python 3.X 客户端库，专为开发者提供简单高效的 Vault 交互方式。无论你是需要管理密钥、配置身份验证，还是实现安全的秘密数据存储，hvac 都能帮助你轻松搞定 Vault 的各项操作。本文将带你零基础快速入门，从安装到基础操作，让你在几分钟内即可上手使用这个强大的工具。[![hvac 客户端 Logo](https://r

魔乐社区

提升Angular2-HN性能的7个实用技巧：让新闻加载速度飞起来

Angular2-HN是一款基于Angular构建的Progressive Hacker News客户端，专为追求高效新闻浏览体验的用户设计。本文将分享7个实用技巧，帮助你优化Angular2-HN的性能，让新闻加载速度显著提升，带来更流畅的阅读体验。## 1. 启用Service Worker缓存关键资源Service Worker是提升Angular应用性能的强大工具，它可以在后台缓存