HSM与Apache Tomcat一起用于HTTPS

HSM与Apache Tomcat一起用于HTTPS

最后，基于此示例，我仅提出以下解决方案。我将

<Connector>

实例添加到Tomcat配置中，并带有

sslImplementationName

指向自定义

JSSEImplementation

类名称的属性，并

JSSEImplementation

通过自定义

JSSESocketFactory

和

X509KeyManager

类进行扩展。

Tomcat配置如下所示：

<Connector       protocol="org.apache.coyote.http11.Http11Protocol"       port="8443" maxThreads="200"       scheme="https" secure="true" SSLEnabled="true"       clientAuth="true" sslProtocol="TLS" SSLEnabled="true"       sslImplementationName="x.y.z.CustomJSSEImplementation"       keyAlias="alias_of_key_in_HSM_and_cert_in_JKS"/>

CustomJSSEImplementation

类是：

public class CustomJSSEImplementation extends JSSEImplementation {   @Override   public ServerSocketFactory getServerSocketFactory(AbstractEndpoint endpoint) {      return new CustomSslContextSocketFactory(endpoint);   }   @Override   public SSLUtil getSSLUtil(AbstractEndpoint endpoint) {      return new CustomSslContextSocketFactory(endpoint);   }}

CustomSslContextSocketFactory

类是：

public class CustomSslContextSocketFactory extends JSSESocketFactory {    public static final AtomicReference<CustomSslContext> customSslContext =        new AtomicReference<CustomSslContext>();    public CustomSslContextSocketFactory(AbstractEndpoint endpoint) {        super(endpoint);    }    @Override    public KeyManager[] getKeyManagers() throws Exception {        return (customSslContext.get() == null ? super.getKeyManagers() : customSslContext.get().getKeyManagers(this));    }}

CustomSslContext

界面是：

interface CustomSslContext {    KeyManager[] getKeyManagers(JSSESocketFactory factory) throws Exception;}

HsmKeyManagerImpl

通过

keyAlias

属性在HSM中引用私钥的形式如下：

public class HsmKeyManagerImpl implements X509KeyManager {    ...    @Override    public PrivateKey getPrivateKey(String alias) {        // HSM Vendor specific API calls    }}

我没有显示代码如何获取与私有证书相对应的证书，但是使用的

keyAlias

属性定义的相同别名

<Connector>

用于从JKS 获取证书。