我正在努力了解如何配置Web客户端。我所拥有的是一个工作curl,我无法通过(任何(Java HTTP客户端将其转换为有效的HTTPS请求。卷曲是:
curl -s --cert $CERTIFICATE --key $KEY https.url
其中$CERTIFICATE是包含以下内容的.crt文件:
----BEGIN CERTIFICATE----
....
----END CERTIFICATE-----
$KEY是一个.key文件,包含:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
我想把这个curl转换成一个有效的JAVA请求。目前,我正在以这种方式配置SpringWebClient:
private WebClient getWebClient() throws SSLException {
SslContext sslContext = SslContextBuilder.forClient().keyManager(
Paths.get(properties.getCrtFile()).toFile(),
Paths.get(properties.getKeyFile()).toFile(),
properties.getCertKeyPassword()).build();
HttpClient httpClient = HttpClient.create().secure(t -> t.sslContext(sslContext));
return WebClient
.builder()
.clientConnector(new ReactorClientHttpConnector(httpClient)).build();
}
但当我使用网络客户端发出请求时,它会返回一个错误:
exception: File does not contain valid private key:
知道错误在哪里吗?
这就是我解决问题的方法:
- 验证
.cert和.key文件是否有效:
openssl x509 -noout -modulus -in certFile.crt | openssl md5
#> (stdin)= 7f1a9c4d13aead7fd4a0f241a6ce8
和
openssl rsa -noout -modulus -in certKey.key | openssl md5
#> (stdin)= 7f1a9c4d13aead7fd4a0f241a6ce8
- 将我的
.cert和.key文件转换为Java可以理解的PCKS12。(请记住,我的证书和密钥文件是问题中解释的PEM格式(。我使用了以下命令:
openssl pkcs12 -export -in certFile.crt -inkey keyFile.key -out cert.p12
此步骤将提示您输入密码。在将证书读取到KeyStore时,我们将使用此密码。
- 通过读取证书创建SSLContext:
private SslContext getSSLContext() {
try (FileInputStream keyStoreFileInputStream = new
FileInputStream("pathTop12CertificateFile")) {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(keyStoreFileInputStream,"password".toCharArray());
KeyManagerFactory keyManagerFactory =
KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(keyStore, "password".toCharArray());
return SslContextBuilder.forClient()
.keyManager(keyManagerFactory)
.build();
} catch (Exception e) {
log.error("An error has occurred: ", e);
}
return null;
}
- 使用以下SSLContext构建Spring WebClient:
private WebClient getWebClient() {
HttpClient httpClient = HttpClient.create().secure(sslSpec -> sslSpec.sslContext(getSSLContext()));
ClientHttpConnector clientHttpConnector = new ReactorClientHttpConnector(httpClient);
return WebClient
.builder()
.clientConnector(clientHttpConnector)
.build();
}
现在我们可以使用WebClient进行HTTP请求了。
根据您提供的详细信息,我理解SslContextBuilder无法理解您的密钥类型。
尝试使用以下命令将未加密的密钥转换为PKCS8。
openssl pkcs8 -topk8 -nocrypt -in pkcs1_key_file -out pkcs8_key.pem
另请参阅上的示例https://netty.io/4.0/api/io/netty/handler/ssl/util/InsecureTrustManagerFactory.html它无需验证即可接受所有X.509证书,包括那些自签名的证书。
也在https://groups.google.com/forum/#!主题/grpc-io/5uAK5c9rTHw