我正在尝试使我的帮助台聊天应用程序安全。在我的客户端,我创建了它,以便每个客户端在运行时创建他们的证书和密钥库(因此不是每个客户端都有相同的密钥库),并且在服务器上完全相同。但是,在服务器端,这发生在接受来自客户端的连接的while循环之前。这意味着服务器为每个连接使用相同的证书,这使得恶意用户只需使用服务器的证书就可以很容易地将数据发送到服务器(这与服务器的整个时间相同)起来了。
我可以以某种方式在服务器的while循环中创建证书和密钥库,并以某种方式将该证书用于新的传入连接(sslsocket.accept)。 (顺便说一句,我只能为所有连接使用一个服务器端口)。
以下是我的客户端实现(摘录):
String domainName ="localhost";
KeyPairGenerator keyPairGenerator;
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider ());
keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
KeyPair KPair = keyPairGenerator.generateKeyPair();
X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
v3CertGen.setSerialNumber(BigInteger.valueOf(Math.abs(new SecureRandom().nextInt())));
v3CertGen.setIssuerDN(new X509Principal("CN=" + domainName + ", OU=None, O=None L=None, C=None"));
v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30));
v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365*10)));
v3CertGen.setSubjectDN(new X509Principal("CN=" + domainName + ", OU=None, O=None L=None, C=None"));
v3CertGen.setPublicKey(KPair.getPublic());
v3CertGen.setSignatureAlgorithm("MD5WithRSAEncryption");
X509Certificate pkCertificate = v3CertGen.generateX509Certificate(KPair.getPrivate());
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(null, null);
Random rand = new Random();
String x = rand.nextInt(1000000000) + "";
char[] passCert = x.toCharArray();
keystore.setKeyEntry("user", KPair.getPrivate(), passCert, new X509Certificate[] {pkCertificate});
FileOutputStream fos;
fos = new FileOutputStream("cert.cert");
fos.write(pkCertificate.getEncoded());
fos.close();
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
Random rand2 = new Random();
String y = rand2.nextInt(1000000000) + "";
char[] password = y.toCharArray();
ks.load(null, password);
PrivateKeyEntry entry = new PrivateKeyEntry(KPair.getPrivate(),
new java.security.cert.Certificate[]{pkCertificate});
ks.setEntry("newuser",entry , new KeyStore.PasswordProtection(password));
fos = new FileOutputStream("mySrvKeystore2");
ks.store(fos, password);
fos.close();
System.setProperty("javax.net.ssl.keyStore", "mySrvKeystore2");
System.setProperty("javax.net.ssl.keyStorePassword", y);
System.setProperty("javax.net.ssl.trustStore", "mySrvKeystore");
System.setProperty("javax.net.ssl.trustStorePassword", "harinder99");
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
}
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
}
};
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, y.toCharArray());
SSLContext ctx = SSLContext.getInstance("TLSv1.2");
ctx.init(kmf.getKeyManagers(), trustAllCerts, new SecureRandom());
sslsocketfactory = (SSLSocketFactory)SSLSocketFactory.getDefault();
sslsocket = (SSLSocket) sslsocketfactory.createSocket(server, hh);
以下是我的服务器实现(代码段)。
String domainName ="localhost";
KeyPairGenerator keyPairGenerator;
Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider ());
keyPairGenerator = KeyPairGenerator.getInstance("RSA");
keyPairGenerator.initialize(1024);
KeyPair KPair = keyPairGenerator.generateKeyPair();
X509V3CertificateGenerator v3CertGen = new X509V3CertificateGenerator();
v3CertGen.setSerialNumber(BigInteger.valueOf(Math.abs(new SecureRandom().nextInt())));
v3CertGen.setIssuerDN(new X509Principal("CN=" + domainName + ", OU=None, O=None L=None, C=None"));
v3CertGen.setNotBefore(new Date(System.currentTimeMillis() - 1000L * 60 * 60 * 24 * 30));
v3CertGen.setNotAfter(new Date(System.currentTimeMillis() + (1000L * 60 * 60 * 24 * 365*10)));
v3CertGen.setSubjectDN(new X509Principal("CN=" + domainName + ", OU=None, O=None L=None, C=None"));
v3CertGen.setPublicKey(KPair.getPublic());
v3CertGen.setSignatureAlgorithm("MD5WithRSAEncryption");
X509Certificate pkCertificate = v3CertGen.generateX509Certificate(KPair.getPrivate());
KeyStore keystore = KeyStore.getInstance("JKS");
keystore.load(null, null);
Random rand = new Random();
String x = rand.nextInt(1000000000) + "";
char[] passCert = x.toCharArray();
keystore.setKeyEntry("user", KPair.getPrivate(), passCert, new X509Certificate[] {pkCertificate});
FileOutputStream fos;
fos = new FileOutputStream("cert.cert");
fos.write(pkCertificate.getEncoded());
fos.close();
KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
Random rand2 = new Random();
String y = rand2.nextInt(1000000000) + "";
char[] password = y.toCharArray();
ks.load(null, password);
PrivateKeyEntry entry = new PrivateKeyEntry(KPair.getPrivate(),
new java.security.cert.Certificate[]{pkCertificate});
ks.setEntry("newuser",entry , new KeyStore.PasswordProtection(password));
fos = new FileOutputStream("mySrvKeystore3");
ks.store(fos, password);
fos.close();
System.setProperty("javax.net.ssl.keyStore", "mySrvKeystore3");
System.setProperty("javax.net.ssl.keyStorePassword", y);
System.setProperty("javax.net.ssl.trustStore", "mySrvKeystore");
System.setProperty("javax.net.ssl.trustStorePassword", "harinder99");
/////
clientSocket = null;
ServerSocket serverSocket = null;
SSLServerSocket server1 = (SSLServerSocket)null;
String port = JOptionPane.showInputDialog("Enter Port: ", "1234");
try {
//SSLServerSocketFactory sslserversocketfactory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
TrustManager[] trustAllCerts = new TrustManager[] {
new X509TrustManager() {
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
}
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
}
public java.security.cert.X509Certificate[] getAcceptedIssuers() {
return null;
}
}
};
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, y.toCharArray());
SSLContext ctx = SSLContext.getInstance("TLSv1.2");
ctx.init(kmf.getKeyManagers(), trustAllCerts, new SecureRandom());
SSLServerSocketFactory sslserversocketfactory = ctx.getServerSocketFactory();
server1 = (SSLServerSocket) sslserversocketfactory.createServerSocket(Integer.parseInt(port));
答案 0 :(得分:0)
这意味着服务器为每个连接使用相同的证书,这使得恶意用户只需使用服务器的证书就可以很容易地将数据发送到服务器(这与服务器的整个时间相同)向上)。
不,不会。如果没有服务器的私钥,服务器证书对任何人都没有用,当然你需要保密。它不会通过任何与SSL有关的广告来宣传。
你的问题是虚构的。