Java equivalent to OpenSSL s_client command

我寻月下人不归 2021-01-17 14:06

I have a requirement to convert certain bash scripts to java and one such script connects to a server using openssl with a vanit

3条回答
  •  悲哀的现实
    2021-01-17 14:21

    Call isAliasExists with your values:

    isAliasExists("api.sys.found1.cf.company.com","www.app.company.com");

    It returns true if your alias (server name) is part of the certificate:

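    /**
     * Connects to {@code hostName} over TLS, captures the certificate chain the server
     * presents, and reports whether {@code alias} is named by a subjectAltName entry in
     * that chain.
     *
     * <p>The chain is recorded by {@link SavingTrustManager} before the default trust
     * manager decides on it, so an untrusted server still has its names inspected; the
     * resulting {@link SSLException} is printed, not rethrown. The name comparison is an
     * exact, case-insensitive match plus a single-label wildcard ({@code *.example.com}
     * matches {@code www.example.com} but not {@code example.com} or
     * {@code a.b.example.com}). A substring test would also accept unrelated names such as
     * {@code evil-www.example.com}, which is why it is not used here.
     *
     * @param hostName server to connect to, optionally {@code host:port}; the port defaults
     *                 to 443 (bracketed IPv6 literals are not handled by the split on ':')
     * @param alias    DNS name to look for in the server's subjectAltName entries
     * @return {@code true} if any subjectAltName entry in the captured chain matches
     *         {@code alias}; {@code false} otherwise, including when no chain was captured
     * @throws Exception on trust-store, socket or TLS initialisation errors
     */
    private static boolean isAliasExists(String hostName, String alias) throws Exception {
        String[] parts = hostName.split(":");
        String host = parts[0];
        int port = (parts.length == 1) ? 443 : Integer.parseInt(parts[1]);

        // Trust-store lookup order: ./jssecacerts, then <java.home>/lib/security/jssecacerts,
        // then <java.home>/lib/security/cacerts. "changeit" is the JDK's default store password.
        char[] passphrase = "changeit".toCharArray();
        Path trustStore = Paths.get("jssecacerts");
        if (!Files.isRegularFile(trustStore)) {
            Path securityDir = Paths.get(System.getProperty("java.home"), "lib", "security");
            trustStore = securityDir.resolve("jssecacerts");
            if (!Files.isRegularFile(trustStore)) {
                trustStore = securityDir.resolve("cacerts");
            }
        }
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, passphrase);
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        X509TrustManager defaultTrustManager = (X509TrustManager) tmf.getTrustManagers()[0];
        SavingTrustManager tm = new SavingTrustManager(defaultTrustManager);
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, new TrustManager[] { tm }, null);
        SSLSocketFactory factory = context.getSocketFactory();

        // try-with-resources closes the socket even when the handshake throws; the original
        // only closed it on the success path.
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setSoTimeout(10000);
            System.out.println("Starting SSL handshake...");
            socket.startHandshake();
            System.out.println("Certificate is already trusted");
        } catch (SSLException e) {
            // Handshake rejected (for example an untrusted issuer). The chain, if the server
            // sent one, was already captured by tm, so the name check below still runs.
            e.printStackTrace();
        }

        // Null check must come before iterating: the server may have closed before sending a chain.
        X509Certificate[] chain = tm.chain;
        if (chain == null) {
            System.out.println("Could not obtain server certificate chain");
            return false;
        }

        List<String> altNames = new ArrayList<>();
        for (X509Certificate cert : chain) {
            altNames.addAll(getSubjectAltNames(cert));
        }
        for (String altName : altNames) {
            if (sanMatches(altName.trim(), alias)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Matches one subjectAltName value against a requested name: exact, case-insensitive,
     * or a leading single-label wildcard ({@code *.example.com} covers exactly one label).
     *
     * @param san   a subjectAltName value as returned by {@code getSubjectAltNames}
     * @param alias the name being looked for
     * @return {@code true} if {@code san} names {@code alias}
     */
    private static boolean sanMatches(String san, String alias) {
        if (san.equalsIgnoreCase(alias)) {
            return true;
        }
        if (san.startsWith("*.")) {
            int firstDot = alias.indexOf('.');
            // The wildcard replaces exactly the first label, which must be non-empty.
            return firstDot > 0 && alias.substring(firstDot + 1).equalsIgnoreCase(san.substring(2));
        }
        return false;
    }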
    

    This helper returns the list of alternative names from the certificate:

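    /**
     * Collects the string-valued subjectAltName entries of {@code certificate}.
     *
     * <p>All entry types are kept (dNSName, iPAddress, rfc822Name, URI, ...). Entries whose
     * value is a DER byte array rather than a {@link String} (otherName, x400Address,
     * ediPartyName) are skipped instead of triggering a {@link ClassCastException}. A
     * certificate whose SAN extension cannot be parsed yields an empty list so that callers
     * fail closed; the parse error is printed rather than silently dropped.
     *
     * @param certificate certificate to inspect
     * @return the string-valued alternative names in certificate order; never {@code null}
     * @throws CertificateParsingException kept for API compatibility; this implementation
     *                                     handles the exception internally
     */
    private static List<String> getSubjectAltNames(X509Certificate certificate) throws CertificateParsingException {
        Collection<List<?>> subjectAltNames;
        try {
            subjectAltNames = certificate.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            e.printStackTrace();
            return Collections.emptyList();
        }
        if (subjectAltNames == null) {
            return Collections.emptyList();
        }
        List<String> result = new ArrayList<>();
        for (List<?> entry : subjectAltNames) {
            // Each entry is [Integer type, value]; guard against malformed entries.
            if (entry == null || entry.size() < 2 || !(entry.get(0) instanceof Integer)) {
                continue;
            }
            Object value = entry.get(1);
            if (value instanceof String) {
                result.add((String) value);
            }
        }
        return result;
    }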
    

    And the custom trust manager:

    /**
     * Trust manager wrapper that remembers the last server chain it was asked to check.
     *
     * <p>Server checks are forwarded unchanged to the wrapped manager, so the trust decision
     * is not altered; the chain is stored before delegating, which makes it available even
     * when the wrapped manager rejects it. Client checks are not supported and throw.
     */
    private static class SavingTrustManager implements X509TrustManager {

        private final X509TrustManager delegate;
        // Chain from the most recent checkServerTrusted call; null until one has happened.
        private X509Certificate[] chain;

        SavingTrustManager(X509TrustManager delegate) {
            this.delegate = delegate;
        }

        /** Advertises no accepted issuers; this call is not forwarded to the wrapped manager. */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        /** Client authentication is not handled by this wrapper. */
        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            throw new UnsupportedOperationException();
        }

        /** Records {@code chain}, then lets the wrapped manager decide whether it is trusted. */
        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            this.chain = chain;
            delegate.checkServerTrusted(chain, authType);
        }
    }
    
