Introduction to SSL in Java

Last modified: April 24, 2018

1. Overview

In this tutorial, we’ll introduce SSL and explore how we can use it in Java using JSSE (Java Secure Socket Extension) API.

2. Introduction

Simply put, the Secure Sockets Layer (SSL) enables a secured connection between two parties, usually a client and a server.

SSL provisions a secure channel between two devices operating over a network connection. A common use of SSL is to secure the communication between web browsers and web servers.

In this specific case, web browsers use HTTPS (the S standing for Secure) connections to access the resources supplied by the various web servers.

SSL is necessary to support the three main information security principles:

  • Encryption: protect data transmissions between parties
  • Authentication: ensure the server we connect to is indeed the proper server
  • Data integrity: guarantee that the requested data is what is effectively delivered

Java provides several security-related APIs that help developers establish secure connections with clients and receive and send messages in encrypted form:

  • Java Secure Socket Extension (JSSE)
  • Java Cryptography Architecture (JCA)
  • Java Cryptographic Extension (JCE)

In the next sections, we’ll introduce the Secure Socket Extension that Java uses to enable secure communication.

3. JSSE API

The Java security APIs make use of the Factory design pattern extensively.

In fact, everything is instantiated using a factory in JSSE.

3.1. SSLSocketFactory

The javax.net.ssl.SSLSocketFactory is used for creating SSLSocket objects.

This class contains three groups of APIs.

The first group consists of a single static getDefault() method used to retrieve the default instance which, in turn, can create SSLSocket instances.

The second group consists of five methods that can be used for creating SSLSocket instances:

  • Socket createSocket(String host, int port)
  • Socket createSocket(String host, int port, InetAddress clientHost, int clientPort)
  • Socket createSocket(InetAddress host, int port)
  • Socket createSocket(InetAddress host, int port, InetAddress clientHost, int clientPort)
  • Socket createSocket(Socket socket, String host, int port, boolean autoClose)

We can use this class directly by obtaining the default instance or by using a javax.net.ssl.SSLContext object which contains methods to get an SSLSocketFactory instance.

3.2. SSLSocket

This class extends the Socket class and provides a secure socket. Such sockets are normal stream sockets.

In addition, they add a layer of security protections over the underlying network transport protocol.

SSLSocket instances construct an SSL connection to a named host at a specified port.

This allows binding the client side of the connection to a given address and port.

3.3. SSLServerSocketFactory

The SSLServerSocketFactory class is quite similar to SSLSocketFactory with the difference that it creates SSLServerSocket instances in place of SSLSocket instances.

Correspondingly, its factory methods are named createServerSocket, mirroring the createSocket methods of the SSLSocketFactory class.

3.4. SSLServerSocket

The SSLServerSocket class is analogous to the SSLSocket class. The methods on the SSLServerSocket class are a subset of the SSLSocket class methods. They act on the opposite side of an SSL connection.

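
As an added example that is not part of the article or its GitHub code, here is the server side described in sections 3.3 and 3.4: an SSLContext initialised with a KeyManager, an SSLServerSocketFactory obtained from it, and an SSLServerSocket that echoes back the single byte the client example in section 4 sends. The keystore path and password are placeholders, the keystore is assumed to be a PKCS12 file holding the server's private key and certificate, and the enabled-protocol list assumes Java 11 or later (for TLSv1.3).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

public class EchoTlsServer {
    // Assumed placeholders: a PKCS12 keystore with the server key pair and its password.
    static final String KEYSTORE_PATH = "/path/to/server-keystore.p12";
    static final char[] KEYSTORE_PASSWORD = "changeit".toCharArray();
    static final int PORT = 8443;

    // Unlike the client, the server must present a key pair, so the SSLContext is
    // initialised with KeyManagers; null trust managers means the JVM defaults.
    static SSLServerSocketFactory serverFactory(String path, char[] password) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx.getServerSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        SSLServerSocketFactory factory = serverFactory(KEYSTORE_PATH, KEYSTORE_PASSWORD);
        try (SSLServerSocket server = (SSLServerSocket) factory.createServerSocket(PORT)) {
            // Only offer current protocol versions; SSLv3, TLS 1.0 and 1.1 are left disabled.
            server.setEnabledProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    // accept() returns before the handshake; it completes on the first read.
                    InputStream in = client.getInputStream();
                    OutputStream out = client.getOutputStream();
                    int b = in.read();
                    if (b >= 0) {
                        out.write(b); // echo the byte the client sent
                        out.flush();
                    }
                }
            }
        }
    }
}
```
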
4. SSL Example

Let’s provide an example of how we can create a secured connection to a server:

import java.io.InputStream;
import java.io.OutputStream;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

// host and port come from wherever the application configures them
String host = getHost(...);
Integer port = getPort(...);

// getDefault() is declared to return SocketFactory, hence the cast; the default
// factory validates the server certificate against the JVM truststore (cacerts)
SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory
  .createSocket(host, port);
InputStream in = sslsocket.getInputStream();
OutputStream out = sslsocket.getOutputStream();

// the TLS handshake runs implicitly on the first write or read
out.write(1);
out.flush();
while (in.available() > 0) {
    System.out.print(in.read());
}

System.out.println("Secured connection performed successfully");
sslsocket.close();

If we get the error “javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target” while establishing the SSL connection, it means that the Java truststore does not contain the public certificate of the server we are trying to connect to.

The truststore is the file containing trusted certificates that Java uses to validate secured connections.

In order to sort this problem out, we have several options:

  • add the public certificate of the server to the default cacerts truststore used by Java
  • set the javax.net.ssl.trustStore JVM system property (-Djavax.net.ssl.trustStore=...) when starting the application, pointing it at a truststore file that contains the public certificate of the server we are connecting to, so that the application picks up that file instead of cacerts
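
As an added example that is not part of the article or its GitHub code, the following client combines the SSLContext route from section 3.1 with the second option above: instead of modifying cacerts or passing a JVM property, it loads a truststore file itself and obtains its SSLSocketFactory from the resulting SSLContext. It also switches on hostname verification, which a bare SSLSocket does not perform on its own, so a valid certificate issued for a different host is rejected rather than accepted. The truststore path and password, host name and port are placeholders, and the truststore is assumed to be a PKCS12 file containing the server's certificate.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreClient {

    // Assumed placeholders: a PKCS12 truststore, its password, and the target endpoint.
    static final String TRUSTSTORE_PATH = "/path/to/truststore.p12";
    static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    static final String HOST = "server.example.com";
    static final int PORT = 443;

    // Build an SSLContext whose trust anchors come from an explicit truststore file
    // rather than from cacerts or the javax.net.ssl.trustStore property.
    static SSLContext contextFromTrustStore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory =
            contextFromTrustStore(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD).getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(HOST, PORT)) {
            // A plain SSLSocket only checks the chain, not that the certificate was
            // issued for HOST; endpoint identification adds that hostname check.
            SSLParameters params = socket.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            socket.setSSLParameters(params);
            socket.startHandshake(); // SSLHandshakeException if untrusted or name mismatch
            X509Certificate peer =
                (X509Certificate) socket.getSession().getPeerCertificates()[0];
            System.out.println("Negotiated " + socket.getSession().getProtocol()
                + " with " + peer.getSubjectX500Principal());
        }
    }
}
```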

The steps to install a new certificate into the Java default truststore are:

  1. extract cert from server: openssl s_client -connect server:443
  2. import certificate into truststore using keytool: keytool -import -alias alias.server.com -keystore $JAVA_HOME/jre/lib/security/cacerts

Once we have done this, we should be able to run the example again and obtain the Secured connection performed successfully message.

5. Conclusion

In this article, we introduced SSL and JSSE API, which implements SSL for Java. By using SSL and JSSE, we can make our Java applications and the communications between applications and inside the application safer.

As always, the code presented in this article is available over on Github.
