我正在尝试使用经过身份验证的SSL连接和贝娄类中定义的许多控制消息来编写客户端和服务器之间的简单协议:
public class KeyExchangeProtcolMsgs {
public static final String reqStr = "#REQ_KM";
public static final String nonceStr = "#NONCE_END";
public static final String ackStr = "#ACK_KM";
}
客户端程序
// Connect to the server
cSock = (SSLSocket) fact.createSocket(this.remoteHost, this.remotePort);
// Create the streams to send out data as well as read data
OutputStream out = cSock.getOutputStream();
InputStream in = cSock.getInputStream();
// Generate client nonce
byte[] clientNonceB = CryptographyUtils.generateRandomNumber();
// Send the nonce and the request for a key from the server
// First, send the keying material request to the server
System.out.println("[I] SSL client written " + KeyExchangeProtcolMsgs.reqStr);
out.write(CryptographyUtils.toByteArray(KeyExchangeProtcolMsgs.reqStr)); // <== Successfully written to the server
// Next, send the generated nonce (by the client)
System.out.println("[I] SSL client written nonce ");
System.out.println(new String(clientNonceB, "UTF-8"));
out.write(clientNonceB);
// Finally, send the ending string
System.out.println("[I] SSL client written " + KeyExchangeProtcolMsgs.nonceStr);
out.write(CryptographyUtils.toByteArray(KeyExchangeProtcolMsgs.nonceStr));
// Wait for the response from the server containing the key
int ch = 0;
String responseStr = "";
while ((responseStr.contains(KeyExchangeProtcolMsgs.ackStr) == false) && (responseStr.contains(KeyExchangeProtcolMsgs.nonceStr) == false)) {
ch = in.read();
responseStr = responseStr + (char) ch;
System.out.println("[I] SSL client read " + responseStr);
}
// Display read information from server
System.out.println("[I] SSL client read " + responseStr);
// Check if the server nonce contains the starting and end messages of the protocol
String serverNonceStr = responseStr.substring(KeyExchangeProtcolMsgs.ackStr.length(), responseStr.length() - KeyExchangeProtcolMsgs.nonceStr.length());
// Compute the key by xor-ing the client and server nonce and applying AES
// on the resulting string
clientKeyingMaterial = new SecretKeySpec(CryptographyUtils.xorStrings(clientNonceB, CryptographyUtils.toByteArray(serverNonceStr)), "AES");
return clientKeyingMaterial;
服务器.java
System.out.println("[I] SSL server listening");
SSLSocket sslSock = (SSLSocket) sSock.accept();
sslSock.startHandshake();
System.out.println("[I] SSL server starting handshake");
// Process if principal checks out
if (isEndEntity(sslSock.getSession())) {
// Create the streams to send out data as well as read data
OutputStream out = sslSock.getOutputStream();
InputStream in = sslSock.getInputStream();
// Wait and read the client's nonce
int ch = 0;
String requestStr = "";
while ((requestStr.contains(KeyExchangeProtcolMsgs.reqStr) == false) && (requestStr.contains(KeyExchangeProtcolMsgs.nonceStr) == false)) {
ch = in.read();
requestStr = requestStr + (char) ch;
System.out.println("[I] SSL server received " + requestStr);
}
System.out.println("[I] SSL server received " + requestStr);
}
发送KeyExchangeProtcolMsgs.reqStr /#REQ_KM后,服务器端的循环就会退出,但不会等待实际的现时和结束消息KeyExchangeProtcolMsgs.nonceStr /#NONCE_END。
为什么服务器端的while循环在客户端发送最后一条消息之前退出?
最佳答案
因为只要requestStr包含KeyExchangeProtcolMsgs.reqStr,requestStr.contains(KeyExchangeProtcolMsgs.reqStr)就会变成true,所以requestStr.contains(KeyExchangeProtcolMsgs.reqStr) == false就会变成true == false,也就是false,因此while循环中的整个测试都变成了false,因此执行从while循环中退出。
有两种方法可以解决此问题,最简单的方法是有两个while循环。第一个循环直到requestStr为KeyExchangeProtcolMsgs.reqStr,第二个循环累积现时,直到它以KeyExchangeProtcolMsgs.nonceStr结尾。像这样:
String requestStr = "";
while (!requestStr.equals(KeyExchangeProtcolMsgs.reqStr)) {
ch = in.read();
requestStr = requestStr + (char) ch;
}
System.out.println("[I] SSL server received " + requestStr);
String nonceStr = "";
while (!requestStr.endsWith(KeyExchangeProtcolMsgs.nonceStr)) {
ch = in.read();
nonceStr = nonceStr + (char) ch;
}
// Whack #NONCE_END from the end to get just the nonce.
nonceStr = nonceStr.substring(0, nonceStr.length() - KeyExchangeProtcolMsgs.nonceStr.length());
System.out.println("[I] SSL server received " + nonceStr);
这未经测试,但应该很接近。
您可以通过保留某种状态指示器,使用一个while循环来做到这一点,这样您就知道何时累积
reqStr和何时累积nonceStr,但是我认为像这样进行拆分比较干净。