如何通俗的解释MD5加盐

MD5自身是不可逆的,但是目前网路上有很多数据库支持反查询。如果用户密码数据库不小心被泄露黑客就可以通过反查询方式获得用户密码或者对于数据库中出现频率较高的hash码(即很多人使用的)进行暴力破解(因为它通常都是弱口令)。

盐值就是在密码hash过程中添加的额外的随机值,比如我的id是abc,密码是123456,存在数据库中的时候就可以对字符串123456idabc进行hash,而验证密码的时候也以字符串(要验证的密码)+idabc进行验证。

这样有另外一个用户密码是123456的时候,依然能构造出不同的hash值,并且能成功的验证,但这时候我的id就作为盐值为密码进行复杂hash了。

可见,盐值最大的作用之一就是减少数据库泄露带来的损失。

AXIS2跳过HTTPS证书验证的几种方式

AXIS2启用HTTPS,只需要设置truststore及密码,然后对于HTTPS协议,就会自动启用SSL通信了。

System.setProperty("javax.net.ssl.trustStore", PATH_TO_TRUSTSTORE);        
System.setProperty("javax.net.ssl.trustStorePassword", PASSWORD_OF_TRUSTSTORE);

但有时,基于种种原因,比如证书链有问题,比如证书HOST有问题,比如证书本身就有问题,说多了都是泪,这是后就要绕过HTTPS的证书验证了。总起来说,AXIS2有下面几种方式可以跳过HTTPS证书验证:

1、通过设置TrustAllTrustManager来绕过证书验证
这是一种局部设置方式,方式适合用wsdl2java生成stub代码的程序来执行,比如,客户端可以:

SSLContext sslCtx = SSLContext.getInstance("TLS");
sslCtx.init(null, new TrustManager[] {new TrustAllTrustManager()}, null);
stub._getServiceClient().getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER,
    new Protocol("https",(ProtocolSocketFactory)new SSLProtocolSocketFactory(sslCtx),443));

2、通过设置CUSTOM_PROTOCOL_HANDLER来绕过证书验证
这是一种全局设置的方式。

Protocol myProtocolHandler = new Protocol("https", new NeoSecureSocketFactory(), 443);
//中心端注册CUSTOM_PROTOCOL_HANDLER
messageContext.getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, myProtocolHandler);
//客户端注册CUSTOM_PROTOCOL_HANDLER
stub._getServiceClient().getOptions().setProperty(HTTPConstants.CUSTOM_PROTOCOL_HANDLER, myProtocolHandler); 

3、注册Protocol来绕过证书验证
这是一种全局设置的方式。

Protocol.registerProtocol("https", new Protocol("https", new NeoSecureSocketFactory(), 443)); 

4、最后是NeoSecureSocketFactory.java

package com.neohope.axis2test;

import javax.net.ssl.*;
import java.io.*;
import java.net.*;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import javax.net.SocketFactory;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;

/**
 *
 * @author Hansen
 */
public class NeoSecureSocketFactory implements ProtocolSocketFactory {
    
    private static SSLContext ssl = null;  
    
    private static TrustManager[ ] getTrustManagers() {
        TrustManager[ ] certs = new TrustManager[ ] {
                new X509TrustManager() {
                    public X509Certificate[ ] getAcceptedIssuers() { return null; }
                    public void checkClientTrusted(X509Certificate[ ] certs, String t) { }
                    public void checkServerTrusted(X509Certificate[ ] certs, String t) { }
                }
        };
        return certs;
    }
    
    private static SSLContext createSSLContext() {  
        try {  
            TrustManager[] trustManagers = getTrustManagers();  
            SSLContext sslContext = SSLContext.getInstance("TLS");  
            sslContext.init(null, trustManagers, null);  
  
            return sslContext;  
        } catch (KeyManagementException e) {  
            ; 
        } catch (NoSuchAlgorithmException e) { 
            ;
        }
        return null;  
    }  
  
    private static SSLContext getSSLContext() {  
        if (ssl == null) {  
            ssl = createSSLContext();  
        }  
        return ssl;  
    }  

    @Override
    public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException {
        return getSSLContext().getSocketFactory().createSocket(host, port,  
                clientHost, clientPort); 
    }

    @Override
    public Socket createSocket(String host, int port, InetAddress clientHost, int clientPort, HttpConnectionParams params) throws IOException, UnknownHostException, ConnectTimeoutException {
        if (params == null) {  
            throw new IllegalArgumentException("Parameters may not be null");  
        }  
        int timeout = params.getConnectionTimeout();  
        SocketFactory socketfactory = getSSLContext().getSocketFactory();  
        if (timeout == 0) {  
            return socketfactory.createSocket(host, port, clientHost,  
                    clientPort);  
        }  
  
        Socket socket = socketfactory.createSocket();  
        SocketAddress localaddr = new InetSocketAddress(clientHost, clientPort);  
        SocketAddress remoteaddr = new InetSocketAddress(host, port);  
        socket.bind(localaddr);  
        try {  
            socket.connect(remoteaddr, timeout);  
        } catch (Exception e) {  
            throw new ConnectTimeoutException(e.getMessage(), e);  
        }  
  
        return socket;  
    }

    @Override
    public Socket createSocket(String host, int port) throws IOException, UnknownHostException {
         return getSSLContext().getSocketFactory().createSocket(host, port); 
    }
}

SUN PKIX、AXIS2及C#在HTTPS认证方式的区别

最近尝试了用两级自签名证书来验证SUN PKIX、AXIS2及C#在HTTPS认证方式的区别。
两级证书为:
1、CA证书NMyCA1024
2、服务器证书serversigned

其中,AXIS2通过验证是最简单的,
1、服务端设置serversigned证书的Key Store
2、客户端设置NMyCA1024或serversigned的Trust Store
3、通过验证。

如果要SUN PKIX通过验证(Oracle的JDK/JRE自带)
1、那需要服务端设置serversigned证书的Key Store
2、客户端设置NMyCA1024或serversigned的Trust Store
3、客户端把NMyCA1024证书导入JDK或JRE的CA证书列表cacerts
4、通过验证。

如果要C#通过验证
1、那需要服务端设置serversigned证书的P12文件
2、客户端设置NMyCA1024或serversigned的Trust Store
3、客户端双击NMyCA1024证书导入IE的CA证书列表
4、通过验证。

Java程序如何加密

今天在想Java程序加密的事情,现在市面上的方法,无非是混淆代码,jar包签名等,瞬间就能被破解掉。

我想到了一个很挫的方法,和PE文件加壳脱壳一样,class文件/jar文件为什么不可以呢?

但这样做的话,是有限制的,就是客户必须使用你自己定制的JVM及容器,否则是无法运行的。

具体方法如下:
1、生成class文件后,按一定规则进行加密处理。偷懒的话,直接对称加密好了。
2、生成jar包的时候,同样按一定规则进行加密处理。偷懒的话,zip的时候,增加一个强壮的密码就好了。
3、下载并编译OpenJDK,在读取jar包内容,和class文件的地方,要进行脱壳处理。按上面的思路,就是解压缩和解密处理。
4、当然,定制部分的dll和exe,需要进行PE加壳处理

当然,上面这种方式的话,和加壳脱壳还是有很大的区别的,就是不能自行解压,并要依赖于JVM甚至容器的定制。

如果要真正实现自解压处理的话,就要多做几步:

具体方法如下:
1、编译生成class文件,按一定规则进行加密处理。偷懒的话,直接对称加密好了。
2、生成jar包的时候,同样按一定规则进行加密处理。偷懒的话,zip的时候,增加一个强壮的密码就好了。
3、将需要的所有jar包,按你喜欢的方法,生成一个jar包列表,并打成一个巨大的资源文件。
4、写一个java引导文件,用于处理运行参数,比如入口程序等。
5、写一个自定义classloader+jni+dll,用于读取巨大的资源文件中的jar包及class文件
6、用普通的jvm启动程序,初始化时用引导文件+自定义classloader
7、引导文件+自定义classloader将需要的文件直接解压到内存中,提供给jvm使用
8、dll部分要进行PE加壳处理

Java摘要算法

package com.neohope.utils;

import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

import javax.crypto.Mac;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class NDigest
{
	/**
	 * Bytes to Hex String
	 * 
	 * @param hexBytes
	 * 
	 * @return hex string
	 */
	private static String bytesToHexString(byte[] hexBytes)
	{
		StringBuffer buf = new StringBuffer();

		for (int i = 0; i < hexBytes.length; i++)
		{
			if ((hexBytes[i] & 0xff) < 0x10)
			{
				buf.append("0");
			}

			buf.append(Long.toString(hexBytes[i] & 0xff, 16));
		}

		return buf.toString();
	}

	/**
	 * calc MD5 for string
	 * 
	 * @param textIn
	 * 
	 * @return md5 digest string
	 * @throws NoSuchAlgorithmException
	 */
	public static String MD5Digest(String textIn)
			throws NoSuchAlgorithmException
	{
		byte[] textData = textIn.getBytes();

		MessageDigest md = null;
		md = MessageDigest.getInstance("MD5");
		md.reset();
		md.update(textData);

		byte[] encodedData = md.digest();
		return bytesToHexString(encodedData);
	}

	/**
	 * calc SHA1 for string
	 * 
	 * @param textIn
	 * 
	 * @return sha1 digest string
	 * @throws NoSuchAlgorithmException
	 */
	public static String SHA1Digest(String textIn)
			throws NoSuchAlgorithmException
	{
		byte[] textData = textIn.getBytes();

		MessageDigest md = null;
		md = MessageDigest.getInstance("SHA1");
		md.reset();
		md.update(textData);

		byte[] encodedData = md.digest();
		return bytesToHexString(encodedData);
	}

	/**
	 * Encode a string using Base64 encoding.
	 * 
	 * @param textIn
	 * @return String
	 */
	public static String base64Encode(String textIn)
	{
		sun.misc.BASE64Encoder encoder = new sun.misc.BASE64Encoder();
		return encoder.encodeBuffer(textIn.getBytes()).trim();
	}

	/**
	 * Decode a string using Base64 encoding.
	 * 
	 * @param textIn
	 * @return String
	 * @throws IOException
	 */
	public static String decodeString(String textIn) throws IOException
	{
		sun.misc.BASE64Decoder dec = new sun.misc.BASE64Decoder();
		return new String(dec.decodeBuffer(textIn));
	}

	/**
	 * 使用 HMAC-SHA-1 签名方法对对textIn进行摘要
	 * 
	 * @param textIn
	 * @param keyIn
	 * @return
	 * @throws Exception
	 */
	public static String HmacSHA1Digest(String textIn, String keyIn)
			throws Exception
	{
		final String MAC_NAME = "HmacSHA1";
		final String ENCODING = "UTF-8";

		byte[] keyData = keyIn.getBytes(ENCODING);
		SecretKey secretKey = new SecretKeySpec(keyData, MAC_NAME);
		Mac mac = Mac.getInstance(MAC_NAME);
		mac.init(secretKey);

		byte[] textData = textIn.getBytes(ENCODING);
		byte[] encodedData = mac.doFinal(textData);

		return bytesToHexString(encodedData);
	}

	// 我就是那个测试函数。。。
	public static void main(String args[]) throws Exception
	{
		String key = "Y9zTQxRvxwrHOi45OoKNnIoxboerNqt3";
		String text = "Good good study, day day up.";
		String hmacSHA1 = HmacSHA1Digest(text, key );
		String base64 = base64Encode(hmacSHA1);
		System.out.println(hmacSHA1 );
		System.out.println(cbase64);
	}
}

常用SSL证书格式及转换方法

一、证书相关文件类型说明
KEY
通常用来存放私钥(或公钥),可能是PEM或DER格式。私钥可以对证书/程序进行签名,也可以用解密公钥加密郭的HTTP消息,是一定要妥善保管的,是不能交给别人的。比如下面是一个典型的私钥:

-----BEGIN RSA PRIVATE KEY-----
MIICXgIBAAKBgQC0oavm8KvMLbXqIPheGjeKJ5yCQ2DUBFjmcDuQzpZgHO+NC50f
9sMFZo/MO2HCvejIWHCzbxzFeGgNN/1IEH2oSbJdeAlXTpwNqBqwQBDj/5neM98E
a6dvi+FF3loGhhodb0FvSC+TLldfGJodm+kveu3kkp6txeYjaIpcKBr2bwIDAQAB
AoGBAJYs//WeTMcRjfgc90GNfHWRX07x49QB1UOpNey7xUwdYpCagkTr7NJVpeI/
0JSPPbUrym90RrBq3d93mE3M4BqeODGoh2vy1/sArlwFut9SrNA/i7e7wikCQsLa
eQRaiNRbDlooxb6J0LLS6M0bb8p/YivFBYIN5G2hs7bgJwCpAkEA63clQ7IQfhGw
YuHSaW29GR4YV4MsAcqTQBpjIpQxtrCKCWJElE5Si0wyb48buMZlrhNRpc5Dz+FW
HitDUwu2fQJBAMRiVreK4GX48O/f4+dSW8q/lbXQQp4vLB6KxjL+lqEgvzOMhEzJ
6z8BP52J2C3AS/Qen9cH+y0iD5atEYNI+FsCQQDjIUXX2/6erQ95Ap3Fxu4+OVJ/
r+8WN0L89bck1tBxii9Mx/ahHD/xUGniRKgX/4B7fvUmPCYbcyBv74l8pPK9AkAw
PDsyb8D4KvH66RIQQjFblj0OYC3Mrqd2hP1zjwauYt2zqqLgPYQzgHoAltfrPN0r
A86cwVAXYNNVXgL8LRMbAkEAm5kTm8CsNF4fAcAFFLZMHbz3vkidsnCvHiqXd9vq
GCrms/STzQq3LVQqHll1g2SJAYy80SXPSoZVbCxA9pBgzw==
-----END RSA PRIVATE KEY-----

查看私钥信息:

openssl rsa -in test.key -text -noout
openssl rsa -in test.key -text -noout -inform der

CSR
证书签名请求,即Certificate Signing Request,可能是PEM或DER格式,是向权威证书颁发机构获得签名证书的申请,是一个用私钥签名的,包括了公钥+证书申请者信息的文件。比如下面是一个典型的CSR文件:

-----BEGIN CERTIFICATE REQUEST-----
MIIBrzCCARgCAQAwbzELMAkGA1UEBhMCQ04xETAPBgNVBAgMCFNoYW5nSGFpMREw
DwYDVQQHDAhTaGFuZ0hhaTEQMA4GA1UECgwHTkVPSE9QRTEUMBIGA1UECwwLRGV2
ZWxvcG1lbnQxEjAQBgNVBAMMCU5NeUNBMTAyNDCBnzANBgkqhkiG9w0BAQEFAAOB
jQAwgYkCgYEAtKGr5vCrzC216iD4Xho3iiecgkNg1ARY5nA7kM6WYBzvjQudH/bD
BWaPzDthwr3oyFhws28cxXhoDTf9SBB9qEmyXXgJV06cDagasEAQ4/+Z3jPfBGun
b4vhRd5aBoYaHW9Bb0gvky5XXxiaHZvpL3rt5JKercXmI2iKXCga9m8CAwEAAaAA
MA0GCSqGSIb3DQEBBQUAA4GBAA5BUPQcmpUVliu1DHqflVTXR7zOfhtd6UX1uU90
TEGAYlzaggU+dZRtXC86ha+MoiCX2598w4OaM/7vErSOUbwU3Nou9/ooyh+eLt8U
ozwHAC6Xpw2phm9d/RkbTpGXCoCRFykV7K8OfS2BYgdQstOJWRti08VD/03NjESd
wMIf
-----END CERTIFICATE REQUEST-----

查看CSR信息:

openssl req -noout -text -in test.csr
openssl req -noout -text -in test.csr -inform der

PEM
PEM证书,即Privacy Enhanced Mail,多用于linux服务器,是Base64编码的文本文件,可以用文本编辑器打开直接查看。PEM证书是互联网中最常使用的证书格式,可用于保存服务器证书、中级证书、私钥等。一个PEM文件中可以保持多个证书及私钥(但一般大家会把证书及私钥放到不同的PEM文件中)。PEM文件的常用后缀有:.pem、.crt、.cer、.key等。 。比如下面是一个典型的PEM文件:

-----BEGIN CERTIFICATE-----
MIICrDCCAhWgAwIBAgIJAMUPP9qD0sTlMA0GCSqGSIb3DQEBBQUAMG8xCzAJBgNV
BAYTAkNOMREwDwYDVQQIDAhTaGFuZ0hhaTERMA8GA1UEBwwIU2hhbmdIYWkxEDAO
BgNVBAoMB05FT0hPUEUxFDASBgNVBAsMC0RldmVsb3BtZW50MRIwEAYDVQQDDAlO
TXlDQTEwMjQwHhcNMTYwMzI1MTM0MDI3WhcNMTkwMzI1MTM0MDI3WjBvMQswCQYD
VQQGEwJDTjERMA8GA1UECAwIU2hhbmdIYWkxETAPBgNVBAcMCFNoYW5nSGFpMRAw
DgYDVQQKDAdORU9IT1BFMRQwEgYDVQQLDAtEZXZlbG9wbWVudDESMBAGA1UEAwwJ
Tk15Q0ExMDI0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0oavm8KvMLbXq
IPheGjeKJ5yCQ2DUBFjmcDuQzpZgHO+NC50f9sMFZo/MO2HCvejIWHCzbxzFeGgN
N/1IEH2oSbJdeAlXTpwNqBqwQBDj/5neM98Ea6dvi+FF3loGhhodb0FvSC+TLldf
GJodm+kveu3kkp6txeYjaIpcKBr2bwIDAQABo1AwTjAdBgNVHQ4EFgQUMeG4c9MI
Dl8jMTZ3w/V4fAYdNMgwHwYDVR0jBBgwFoAUMeG4c9MIDl8jMTZ3w/V4fAYdNMgw
DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOBgQCG6ROpwc+j9GoMk02YnRwb
VlgYkMjtH2vIb/+zDYmgjOQL0uYJ2xt7LHf2zrRP053rgIJskznNn6CLrM85Dwb0
DqkgwccHYd2439hTZhdZ5BMe7FxUCfeZvKgJ7VjOf1aaBrdUfy5RgikfO6CX6v1L
eaV1orOAEma0muLIyE9igQ==
-----END CERTIFICATE-----

查看PEM信息:

openssl x509 -in test.pem -text -noout

DER
DER证书,即Distinguished Encoding Rules,多用于Windows服务器及Java平台,为二进制格式,不可以用文本编辑器打开直接查看。DER文件的常用后缀有:.der、.cer等。 所以当您拿到一个证书文件时,可以用文本工具打开看一下,如果可读,一般是PEM格式,如果是二进制文件,一般是DER格式。

查看DER信息:

openssl x509 -in test.der -inform der -text -noout

PKCS#7/P7B
PKCS#7/P7B证书是是Base64编码的文本文件, 证书以”—–BEGIN PKCS7—–“开始,以”—–END PKCS7—–“结束。PKCS#7/P7B证书的常用后缀名有.p7b、.p7c。 PKCS#7/P7B文件中只有证书及证书链,不会包含私钥。Windows及Tomcat都支持这种证书。

openssl pkcs7 -in test.p7b -noout

PKCS#12/P12/PFX
PKCS#12/P12/PFX证书是经过加密的二进制格式,可用于保存服务器证书、中级证书、私钥等。PKCS#12/P12/PFX证书的常用后缀名有 .pfx、.p12。PKCS#12/P12/PFX证书通常用于Windows平台上的证书及私钥的导入及导出。导入及导出时,需要输入PKCS#12/P12/PFX文件的秘密。

openssl pkcs12 -in test.p12 -noout

JKS
JKS,即Java Key Storage,是JAVA程序最常用的证书存储方式。JKS按使用方式,一般会人为的区分为CASTORE,KEYSTORE和TRUSTSTORE,其中CASTORE是JDK/JRE环境自带的,用于存储JAVA信任的CA证书,通常是%JAVA_HOME%/lib/security/cacerts这个文件,相当于一个专门用于存储CA证书的全局TRUSTSTORE;KEYSTORE用于存储私钥,在通讯过程中进行解密,或则用于进行签名;TRUSTSTORE存放的是可以信任的证书,如果是自签名证书的话,建议CASTORE中也事先导入会好一些,会避免很多问题。

查看JKS文件:

keytool -list -v -keystore test.jks -storepass password

总结
其实,咱们总结一下:
1、KEY一般为私钥
2、CSR只是获取证书时用一下
3、常用的证书格式只有PEM和DER两种,区别为是否加密
4、P7B、P12、JKS,只是存放证书的小数据库而已

但有件事情,让这个问题变的复杂了一些,那就是后缀名并不能让你直接区分格式,比如CRT、CER这样的后缀名,只告诉你这是一个证书,但没有告诉你是什么格式。所以要么自己用文本工具及openssl查看一下,判断一下格式咯。

二、常用证书格式转换

#PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der

#PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

#PEM to PFX/P12
openssl pkcs12 -export -out certificate.p12 -inkey privateKey.key -in certificate.crt -certfile CACert.crt

#DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem

#P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

#P7B to PFX/P12
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.p12 -certfile CACert.cer

#PFX/P12 to PEM
openssl pkcs12 -in certificate.p12 -out certificate.cer -nodes

#JKS to P12
keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12
 
#P12 to JKS
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks

C# Https Soap Client

1、Soap Https Soap Client

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Net.Security;

namespace IISSoapClientTest
{
    class Program
    {
        public static void HelloHttp(string url)
        {
            Hello h = new Hello(url);
            string ans = h.HelloWorld("C# http client");
            Console.WriteLine(ans);
            Console.WriteLine();
        }

        //同样的证书,IIS可以过,Tomcat过不去
        public static void HelloHttps(string url,String certPath)
        {
            X509CertificateCollection certs = new X509CertificateCollection();
            X509Certificate cert = X509Certificate.CreateFromCertFile(certPath);

            Hello h = new Hello(url);
            h.ClientCertificates.Add(cert);
            string ans = h.HelloWorld("C# https client");
            Console.WriteLine(ans);
            Console.WriteLine();
        }

        //绕过证书检查
        public static void HelloHttpsWithRemoteCertificateValidationCallback(string url)
        {
            //ServicePointManager.ServerCertificateValidationCallback = delegate { return true; };
            ServicePointManager.ServerCertificateValidationCallback = new System.Net.Security.RemoteCertificateValidationCallback(RemoteCertificateValidationCallback);

            Hello h = new Hello(url);
            string ans = h.HelloWorld("C# https client");
            Console.WriteLine(ans);
            Console.WriteLine();
        }

        private static bool RemoteCertificateValidationCallback(object sender, X509Certificate certificate, 
            X509Chain chain, SslPolicyErrors sslPolicyErrors)
        {
            return true;
        }  

        static void Main(string[] args)
        {
            //HelloHttp("http://127.0.0.1:80/Hello.asmx");
            //HelloHttps("https://127.0.0.1:443/Hello.asmx");
            //HelloHttpsWithRemoteCertificateValidationCallback("https://127.0.0.1:443/Hello.asmx");

            //HelloHttp("http://127.0.0.1:8080/SoapTest/services/HelloService");
            HelloHttps("https://127.0.0.1:8443/SoapTest/services/HelloService", @"D:\DiskE\Projects\VS2010\TestProjects\SSLSocket\myKeyStore.cer");
            //HelloHttpsWithRemoteCertificateValidationCallback("https://127.0.0.1:8443/SoapTest/services/HelloService");
        }
    }
}

Java Https Soap Server(Tomcat-Axis2)

1、%Tomcat%/server/server.xml
找到下面一段:

<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
-->

替换为:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"  
	    maxThreads="150" scheme="https"  secure="true"
	    clientAuth="false" sslProtocol="TLS"
	    disableUploadTimeout="true" enableLookups="false"
	    keystoreFile="D:/JavaContainer/apache-tomcat-6.0.35-x86/myKeyStore.jks"
	    keystorePass="sslTestPwd"
/>

这样,就可以用https://127.0.0.1:8443访问Tomcat了。

2、在需要使用https项目的axis2.xml文件中,增加下面内容

        <!--修改-->
	<transportReceiver name="http"
		class="org.apache.axis2.transport.http.AxisServletListener">
		<parameter name="port">8080</parameter>
	</transportReceiver>
        <!--新增-->
	<transportReceiver name="https"
		class="org.apache.axis2.transport.http.AxisServletListener">
		<parameter name="port">8443</parameter>
	</transportReceiver>

这样,该WebService就可以使用https进行访问了:)

C# Https Soap Server(IIS7)

1、首先准备一个p12格式的服务端证书
无论是购买,还是用openssl或java keytool生成自签名证书都可以

2、在IIS7的根目录,选中“安全性->根目录证书”,选择“导入”即可

3、如果显示证书链有问题,则在IE中导入CA证书就好了

4、在需要HTTPS的网站上,选择“绑定”,绑定类型为https,选择需要的证书

5、在客户端的IE中,导入CA证书就好了

Java Https Soap Client(Axis2)

1、SoapClient

package com.neohope;

import java.net.URL;
import java.rmi.RemoteException;

public class SoapClientTest {
	
	public static void HelloHttp(String url) throws RemoteException
	{
		HelloStub h = new HelloStub(url);
		com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
		hello.setName("Java http client");
		com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
		System.out.println(rsp.getHelloWorldResult());
	}
	
	public static void HelloHttps(String url,String trustStorePath,String trustStorePwd) throws RemoteException
	{
		URL jksurl = SoapClientTest.class.getClassLoader().getResource(
				"myTrustStore.jks");
		String jks = jksurl.getFile();
		System.setProperty("javax.net.ssl.trustStore", jks);
		System.setProperty("javax.net.ssl.trustStorePassword", trustStorePwd);
		
		HelloStub h = new HelloStub(url);
		com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
		hello.setName("Java https client");
		com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
		System.out.println(rsp.getHelloWorldResult());
	}
	
	
	public static void main(String[] args) throws RemoteException
	{
		//HelloHttp("http://localhost:80/Hello.asmx");
		HelloHttps("https://localhost:443/Hello.asmx","myTrustStore.jks","sslTestPwd");
	}
}

2、SoapClientWithContextTest

package com.neohope;

import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
import java.rmi.RemoteException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;

import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class SoapClientWithContextTest {
	
	public static void HelloHttp(String url) throws RemoteException
	{
		HelloStub h = new HelloStub(url);
		com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
		hello.setName("Java http client");
		com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
		System.out.println(rsp.getHelloWorldResult());
	}
	
	public static void HelloHttps(String url,String trustStorePath,String trustStorePwd) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, CertificateException, FileNotFoundException, IOException
	{
		URL jksurl = SoapClientTest.class.getClassLoader().getResource(
				"myTrustStore.jks");
		String jks = jksurl.getFile();
		
		KeyStore trustStore = KeyStore.getInstance("JKS");
		trustStore.load(new FileInputStream(jks), trustStorePwd.toCharArray());
		TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("SunX509");
		trustManagerFactory.init(trustStore);
        
		SSLContext sslContext = SSLContext.getInstance("TLSv1");
		//SSLContext sslContext = SSLContext.getInstance("SSLv3");
		
		sslContext.init(new KeyManager[0], trustManagerFactory.getTrustManagers(), null);
		SSLContext.setDefault(sslContext);
		
		HelloStub h = new HelloStub(url);
		com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
		hello.setName("Java https client");
		com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
		System.out.println(rsp.getHelloWorldResult());
	}
	
	
	public static void main(String[] args) throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, CertificateException, FileNotFoundException, IOException
	{
		//HelloHttp("http://localhost:80/Hello.asmx");
		HelloHttps("https://localhost:443/Hello.asmx","myTrustStore.jks","sslTestPwd");
	}
}

3、SoapClientWithTrustManagerTest
可以绕过证书检查

package com.neohope;

import java.io.FileNotFoundException;
import java.io.IOException;
import java.rmi.RemoteException;
import java.security.KeyManagementException;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class SoapClientWithTrustManagerTest {
	
	public static void HelloHttp(String url) throws RemoteException
	{
		HelloStub h = new HelloStub(url);
		com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
		hello.setName("Java http client");
		com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
		System.out.println(rsp.getHelloWorldResult());
	}
	
	public static void HelloHttps(String url,String trustStorePath,String trustStorePwd) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, CertificateException, FileNotFoundException, IOException
	{        
		SSLContext sslContext = SSLContext.getInstance("TLSv1");
		//SSLContext sslContext = SSLContext.getInstance("SSLv3");
		
		sslContext.init(new KeyManager[0], new TrustManager[] { new DefaultTrustManager() }, new SecureRandom());
		SSLContext.setDefault(sslContext);
		
		HelloStub h = new HelloStub(url);
		com.neohope.HelloStub.HelloWorld hello = new com.neohope.HelloStub.HelloWorld();
		hello.setName("Java https client");
		com.neohope.HelloStub.HelloWorldResponse rsp = h.helloWorld(hello);
		System.out.println(rsp.getHelloWorldResult());
	}
	
	private static class DefaultTrustManager implements X509TrustManager {

		@Override
		public void checkClientTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
		}

		@Override
		public void checkServerTrusted(X509Certificate[] arg0, String arg1) throws CertificateException {
		}

		@Override
		public X509Certificate[] getAcceptedIssuers() {
			return null;
		}
	}
	
	
	public static void main(String[] args) throws KeyManagementException, NoSuchAlgorithmException, KeyStoreException, CertificateException, FileNotFoundException, IOException
	{
		//HelloHttp("http://localhost:80/Hello.asmx");
		HelloHttps("https://localhost:443/Hello.asmx","myTrustStore.jks","sslTestPwd");
	}
}