如何解决替换正在运行的 Java 应用程序中的证书
我有一个打开 SSLServerSocket 的 Java 应用程序。要创建该 SSLServerSocket,它使用从数据库加载的 KeyStore。每隔一段时间,我们就会滚动数据库中的证书。
应用程序现在设置的方式,它永远保留 SSLServerSocket 并且永远不会开始使用新证书,除非它手动重新启动。
java 有没有办法热替换 SSLServerSocket 使用的证书?如果不是,在这种情况下可接受的最佳做法是什么?
解决方法
这是可能的,但不支持开箱即用。我的一个项目遇到了同样的挑战。我通过将 KeyManager 和 TrustManager 实例包装成一个委托实例来解决它,并且我添加了一种额外的方法来设置内部 KeyManager 和 TrustManager 每当我想替换为旧的时。因此,我认为您有两种选择,详情请参见下文:
选项 1
仅使用纯 Java 代码并复制以下 KeyManager 和 TrustManager。
struct X x = MAGIC_INITIALIZER_MACRO;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Objects;
public final class HotSwappableX509ExtendedKeyManager extends X509ExtendedKeyManager {
private X509ExtendedKeyManager keyManager;
public HotSwappableX509ExtendedKeyManager(X509ExtendedKeyManager keyManager) {
this.keyManager = keyManager;
}
@Override
public String chooseClientAlias(String[] keyType,Principal[] issuers,Socket socket) {
return keyManager.chooseClientAlias(keyType,issuers,socket);
}
@Override
public String[] getClientAliases(String keyType,Principal[] issuers) {
return keyManager.getClientAliases(keyType,issuers);
}
@Override
public String chooseEngineClientAlias(String[] keyTypes,SSLEngine sslEngine) {
return keyManager.chooseEngineClientAlias(keyTypes,sslEngine);
}
@Override
public String chooseServerAlias(String keyType,Socket socket) {
return keyManager.chooseServerAlias(keyType,socket);
}
@Override
public String[] getServerAliases(String keyType,Principal[] issuers) {
return keyManager.getServerAliases(keyType,issuers);
}
@Override
public String chooseEngineServerAlias(String keyType,SSLEngine sslEngine) {
return keyManager.chooseEngineServerAlias(keyType,sslEngine);
}
@Override
public PrivateKey getPrivateKey(String alias) {
return keyManager.getPrivateKey(alias);
}
@Override
public X509Certificate[] getCertificateChain(String alias) {
return keyManager.getCertificateChain(alias);
}
public void setKeyManager(X509ExtendedKeyManager keyManager) {
this.keyManager = Objects.requireNonNull(keyManager);
}
}
并使用上述包装器,如以下代码段:
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedTrustManager;
import java.net.Socket;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Objects;
public class HotSwappableX509ExtendedTrustManager extends X509ExtendedTrustManager {
private X509ExtendedTrustManager trustManager;
public HotSwappableX509ExtendedTrustManager(X509ExtendedTrustManager trustManager) {
this.trustManager = trustManager;
}
@Override
public void checkClientTrusted(X509Certificate[] chain,String authType,Socket socket) throws CertificateException {
trustManager.checkClientTrusted(chain,authType,socket);
}
@Override
public void checkClientTrusted(X509Certificate[] chain,String authType) throws CertificateException {
trustManager.checkClientTrusted(chain,authType);
}
@Override
public void checkClientTrusted(X509Certificate[] chain,SSLEngine sslEngine) throws CertificateException {
trustManager.checkClientTrusted(chain,sslEngine);
}
@Override
public void checkServerTrusted(X509Certificate[] chain,Socket socket) throws CertificateException {
trustManager.checkServerTrusted(chain,socket);
}
@Override
public void checkServerTrusted(X509Certificate[] chain,String authType) throws CertificateException {
trustManager.checkServerTrusted(chain,authType);
}
@Override
public void checkServerTrusted(X509Certificate[] chain,SSLEngine sslEngine) throws CertificateException {
trustManager.checkServerTrusted(chain,sslEngine);
}
@Override
public X509Certificate[] getAcceptedIssuers() {
X509Certificate[] acceptedIssuers = trustManager.getAcceptedIssuers();
return Arrays.copyOf(acceptedIssuers,acceptedIssuers.length);
}
public void setTrustManager(X509ExtendedTrustManager trustManager) {
this.trustManager = Objects.requireNonNull(trustManager);
}
}
选项 2
我已经在我自己的库中提供了选项 1,有关详细信息,请参见此处:GitHub - SSLContext Kickstart。
将以下依赖项添加到您的项目中:
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.util.Collections;
import java.util.Objects;
import java.security.KeyStore;
public class App {
public static void main(String[] args) throws Exception {
Path keyStorePath = Paths.get("/path/to/keystore.jks");
InputStream keyStoreInputStream = Files.newInputStream(keyStorePath,StandardOpenOption.READ);
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(keyStoreInputStream,"secret".toCharArray());
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore,"secret".toCharArray());
KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
Path trustStorePath = Paths.get("/path/to/truststore.jks");
InputStream trustStoreInputStream = Files.newInputStream(trustStorePath,StandardOpenOption.READ);
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(trustStoreInputStream,"secret".toCharArray());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
HotSwappableX509ExtendedKeyManager hotSwappableX509ExtendedKeyManager = new HotSwappableX509ExtendedKeyManager((X509ExtendedKeyManager) keyManagers[0]);
HotSwappableX509ExtendedTrustManager hotSwappableX509ExtendedTrustManager = new HotSwappableX509ExtendedTrustManager((X509ExtendedTrustManager) trustManagers[0]);
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(new KeyManager[]{hotSwappableX509ExtendedKeyManager},new TrustManager[]{hotSwappableX509ExtendedTrustManager},null);
SSLServerSocketFactory sslServerSocketFactory = sslContext.getServerSocketFactory();
// use the sslServerSocketFactory
// after some time update the key and trust material with the following snippet
X509ExtendedKeyManager myNewKeyManager = ...;
X509ExtendedTrustManager myNewTrustManager = ...;
hotSwappableX509ExtendedKeyManager.setKeyManager(myNewKeyManager);
hotSwappableX509ExtendedTrustManager.setTrustManager(myNewTrustManager);
SSLSessionContext sslSessionContext = sslContext.getServerSessionContext()
Collections.list(sslSessionContext.getIds()).stream()
.map(sslSessionContext::getSession)
.filter(Objects::nonNull)
.forEach(SSLSession::invalidate);
}
}
并使用以下代码段:
<dependency>
<groupId>io.github.hakky54</groupId>
<artifactId>sslcontext-kickstart</artifactId>
<version>6.6.1</version>
</dependency>
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。
