如何使用PEM文件在Java中创建SSL套接字?
[英]How to use PEM file to create a SSL socket in Java?
问题描述
I have a PEM file provided to me and was told that it will be needed in establishing a SSL socket that connects to a c++ server for some API calls. 
我有一个PEM文件提供给我,并被告知在建立一个连接到c ++服务器以进行某些API调用的SSL套接字时需要它。 Does anyone know how I can read in the PEM file and connect? 有谁知道如何在PEM文件中读取并连接? I was also given the parapharse password. 我也被给了parapharse密码。
2 个解决方案
解决方案1
12 2009-04-06 21:54:59
It sounds like the PEM file is a client cert for you to use to login to the server. 听起来PEM文件是您用来登录服务器的客户端证书。 If it is the client cert, and it sounds like it is, you will likely need a ca cert file also to use in validating the servers certificate in order to establish a connection. 如果它是客户端证书,并且听起来像是这样,那么您可能还需要一个ca证书文件来用于验证服务器证书以建立连接。
The CA certs need to go into a truststore and your client certs need to go into a keystore. CA证书需要进入信任库,您的客户端证书需要进入密钥库。 In Java, both of these will be JKS (although it has limited support for PKCS12.) There are default keystore/truststore locations for the JRE as well as for each user. 在Java中,这两者都是JKS(尽管它对PKCS12的支持有限。)JRE和每个用户都有默认的密钥库/信任库位置。 You can also specify external locations for these files in your code, as in the examples below. 您还可以在代码中为这些文件指定外部位置,如下面的示例所示。 The commons-ssl library seems to be able to support PEM directly, without the need for JKS, but I haven't used it. commons-ssl库似乎能够直接支持PEM,而不需要JKS,但我还没有使用它。
The default passphrase for these keystores in Java is "changeit" without the quotes. Java中这些密钥库的默认密码短语是“changeit”,没有引号。
This page shows you have to read the PEM into your keystore/truststore. 此页面显示您必须将PEM读入您的密钥库/信任库。 Here is another example . 这是另一个例子 。
Once you have your truststore and keystore set up properly, you need to pass the following JSSE system properties to your JVM: 正确设置信任库和密钥库后,需要将以下JSSE系统属性传递给JVM:
javax.net.ssl.keyStore
javax.net.ssl.keyStoreType
javax.net.ssl.keyStorePassword
javax.net.ssl.trustStore
javax.net.ssl.trustStoreType
javax.net.ssl.trustStorePassword
You may specify them as -D parameters to the JRE or, as in the examples below, programatically. 您可以将它们指定为JRE的-D参数,或者如下面的示例中那样以编程方式指定它们。
Once you finish that, heres a commons-ssl example of creating a socket. 一旦你完成了,那就是一个创建套接字的公共示例 。 Also, heres the Java api for SSLSocket . 另外,继承了SSLSocket的Java API。 Heres also an example that doesn't use any apache commons. 继承人也是一个不使用任何apache公共的例子 。
解决方案2
0 2009-04-08 10:26:52
You need a library that handles SSL. 您需要一个处理SSL的库。 As John Ellinwood noted, some frameworks (such as Java 2 SE) offers these built-in, for others you'd need to use 3rd party libraries. 正如John Ellinwood所指出的,一些框架(例如Java 2 SE)提供了这些内置功能,对于其他框架,您需要使用第三方库。
C developers often use openssl directly, but it can't be said to be easy and when using C++ there are several "gotchas" that are easy to fall into. C开发人员经常直接使用openssl,但不能说它很容易,而且当使用C ++时,有几个容易陷入的“问题”。
I suggest you use a C++ network library with support for SSL, such as QT's network library, or Poco NetSSL. 我建议您使用支持SSL的C ++网络库,例如QT的网络库或Poco NetSSL。 See here for some tutorial documentation and here for the API documentation - you probably want to take a look at initializeClient which takes a PEM file directly. 请参阅此处获取一些教程文档,此处参阅API文档 - 您可能需要查看一下直接获取PEM文件的initializeClient 。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.