Java实现HTTPS双向认证的终极指南:从原理到实战

发布于:2025-02-17 ⋅ 阅读:(140) ⋅ 点赞:(0)

背景说明

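在与外部系统(比如银行支付网关或第三方服务)进行API对接时,这些系统通常要求双向SSL认证来确保通信双方的身份;平时前后端交互或者进行HTTPS协议传输的时候,这部分其实已经帮我们实现了,不需要在代码层解决。但是目前就有这个需求:在与第三方系统接口交互的时候需要进行双向认证。那么在实战之前,大家需要先熟悉双向认证的原理:客户端向服务端出示自己的证书,同时也要校验服务端的证书链和主机名,两者缺一不可。注意:下文示例中的 TrustStrategy 对所有证书都返回 true,并且使用了 NoopHostnameVerifier,这样客户端并不校验服务端身份,只适合联调测试;生产环境应加载包含对方CA的信任库,并保留主机名校验。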

HTTPS双向认证实践:Spring Boot RestTemplate的正确配置之道

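/**
 * Settings bound from configuration properties under the {@code pki} prefix.
 *
 * <p>Lombok's {@code @Data} generates the accessors, {@code equals} and {@code hashCode}.
 * {@code toString()} is written by hand so that {@code certificatePwd} and {@code iWallSK}
 * are never rendered: {@code RestTemplateConfig.restTemplate()} passes this object whole to
 * {@code log.info}, and a generated {@code toString()} would print every field, secrets
 * included. Lombok does not generate a method that is already declared explicitly.
 */
@Data
@Configuration
@ConfigurationProperties("pki")
public class PkiConfig {

    private String brand;

    private Map<String,String> urlMap;

    private String alg;

    private String sha;

    // NOTE(review): presumably the location of the client certificate; the visible part of
    // RestTemplateConfig loads a hard-coded classpath resource instead — confirm which one wins.
    private String certificateAddr;

    // Password of the PKCS#12 keystore. Defaults to the empty string rather than null because
    // the caller invokes toCharArray() on it. Supply the real value from an external secret
    // source, not from a properties file kept in version control.
    private String certificatePwd="";


    private String platformID;

    // NOTE(review): looks like an access-key id; it is still printed by toString(). Mask it as
    // well if your deployment treats it as a secret.
    private String iWallAK;

    // NOTE(review): presumably the secret key paired with iWallAK; treated as a secret here.
    private String iWallSK;

    private String v23Uri;

    private String iWallUri;

    private String iWallKeyID;

    private String signAlg;

    private Integer iWallMode;

    private Integer mode;

    /**
     * Renders the configuration in the same {@code PkiConfig(name=value, ...)} layout Lombok
     * would produce, with the keystore password and {@code iWallSK} masked.
     *
     * @return a log-safe description of this configuration
     */
    @Override
    public String toString() {
        return "PkiConfig(brand=" + brand
                + ", urlMap=" + urlMap
                + ", alg=" + alg
                + ", sha=" + sha
                + ", certificateAddr=" + certificateAddr
                + ", certificatePwd=" + mask(certificatePwd)
                + ", platformID=" + platformID
                + ", iWallAK=" + iWallAK
                + ", iWallSK=" + mask(iWallSK)
                + ", v23Uri=" + v23Uri
                + ", iWallUri=" + iWallUri
                + ", iWallKeyID=" + iWallKeyID
                + ", signAlg=" + signAlg
                + ", iWallMode=" + iWallMode
                + ", mode=" + mode
                + ")";
    }

    /**
     * Replaces a secret with a fixed marker; null and empty stay visible so that a missing
     * setting can still be diagnosed from the log.
     */
    private static String mask(String secret) {
        if (secret == null) {
            return "null";
        }
        return secret.isEmpty() ? "" : "***";
    }

}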
@Configuration
@Slf4j
public class RestTemplateConfig {
    // Bound "pki" settings. The object carries certificatePwd and iWallSK, and restTemplate()
    // passes it whole to log.info, so whatever its toString() renders ends up in the logs.
    @Autowired
    private PkiConfig pkiConfig;

    @Bean
    public RestTemplate restTemplate() throws Exception {
        log.info("pkiConfig:{}",pkiConfig);
// PFX 文件路径
        String pfxPath = "src/main/resources/test-Lion.OTA.pfx";
        // PFX 文件密码
        String pfxPassword = pkiConfig.getCertificatePwd();

        Resource resource = new ClassPathResource("test-Lion.OTA.pfx");


        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(resource.getInputStream(), pfxPassword.toCharArray());

        // 创建一个信任所有证书的 TrustStrategy
        TrustStrategy acceptingTrustStrategy = (X509Certificate[] chain, String authType) -> true;

        SSLContext sslContext = SSLContextBuilder.create()
                .loadKeyMaterial(keyStore, pfxPassword.toCharArray())
                .loadTrustMaterial(null, acceptingTrustStrategy)
                .build();

        SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(sslContext, NoopHostnameVerifier.INSTANCE);

        CloseableHttpClient httpClient = HttpClients.custom(
