[英]SSL Certificate Verification in Java
Say I have two Java apps that I wrote: Ping.jar
and Pong.jar
and they get deployed and ran on two separate servers ( Ping.jar
deploys to srv-01.myorg.com
and Pong.jar
deploys to srv-02.myorg.com
), and these two apps need to communicate with each other (2-way) via SSL.假设我有两个我编写的 Java 应用程序:
Ping.jar
和Pong.jar
,它们在两个独立的服务器上部署和运行( Ping.jar
部署到srv-01.myorg.com
, Pong.jar
部署到srv-02.myorg.com
),这两个应用程序需要通过 SSL 相互通信(双向)。 Let's also assume that each app has its own SSL Certificate.我们还假设每个应用程序都有自己的 SSL 证书。
Ping
and Pong
to verify each other's SSL cert?Ping
和Pong
代码来验证彼此的 SSL 证书? Does each CA provide some kind of RESTful API that I can hit with, say, HttpClient
?HttpClient
进行访问? Does Java have its own certificate-verifying API? I was surprised by how little turned up when I searched for this online.当我在网上搜索这个时,我很惊讶地发现了这么少的东西。
If you're connecting using the Java SE SSL/TLS classes (eg SSLSocket
or SSLEngine
), you're using the Java Secure Socket Extension (JSSE) .如果您使用 Java SE SSL/TLS 类(例如
SSLSocket
或SSLEngine
)进行连接,则您使用的是Java 安全套接字扩展 (JSSE) 。
It will verify the remote party's certificate according to the SSLContext
that was used to create this SSLSocket
or SSLEngine
.它将根据用于创建此
SSLSocket
或SSLEngine
的SSLContext
验证远程方的证书。
This SSLContext
will be initialised with TrustManager
that dictate how trust should be established.这个
SSLContext
将用TrustManager
初始化,它指示应该如何建立信任。
Unless you need specific configuration, you can often rely on the default values : this will rely on the PKIX algorithm (RFC 3280) to verify the certificate against a set of trust anchors (in cacerts
by default).除非您需要特定配置,否则您通常可以依赖默认值:这将依赖 PKIX 算法 (RFC 3280) 根据一组信任锚(默认情况下在
cacerts
中)验证证书。 cacerts
, shipped with the Oracle JRE is a JKS keystore to which you can add additional certificates. cacerts
随 Oracle JRE 一起提供,是一个 JKS 密钥库,您可以向其中添加其他证书。 You can add certificates explicitly using keytool
for example.例如,您可以使用
keytool
显式添加证书。
You can also create an X509TrustManager
based on a custom keystore programmatically (as described in this answer ) and use it in a specific SSLContext
that doesn't affect the default one.您还可以以编程方式创建基于自定义密钥库的
X509TrustManager
(如本答案中所述),并在不影响默认值的特定SSLContext
中使用它。
In addition to this, if you're using your own protocol, you'll need to verify that the certificate you've obtained matches the host name you were looking for (see RFC 6125).除此之外,如果您使用自己的协议,则需要验证您获得的证书是否与您要查找的主机名相匹配(请参阅 RFC 6125)。 Typically, you can look for the subject alternative name in the
X509Certificate
you get (get the first peer certificate in the chain from the SSLSession
), failing that, look for the CN
RDN in the Subject Distinguished Name.通常,您可以在获得的
X509Certificate
中查找主题备用名称(从SSLSession
获取链中的第一个对等证书),否则,在主题专有名称中查找CN
RDN。
You can get the peer certificate either by attaching a HandshakeCompletedListener
to the SSLSocket
and getting the certificate from the event, or else by getting the SSLSession
from the SSLSocket
and getting the peer certificate from the session.您可以通过将
HandshakeCompletedListener
附加到SSLSocket
并从事件中获取证书来获取对等证书,或者通过从SSLSocket
获取SSLSession
并从会话中获取对等证书。
SSL provides privacy, integrity, and authentication of the peer identity. SSL 提供隐私、完整性和对等身份的验证。 Whether that peer identity is the one the application expects, and what that identity is allowed to do in the application, should be checked by the application if necessary.
该对等身份是否是应用程序所期望的身份,以及该身份在应用程序中被允许做什么,应由应用程序在必要时进行检查。 This is the 'authorization' step, and SSL cannot do it for you.
这是“授权”步骤,SSL 无法为您完成。
AFAIK certificate verification should consist of following steps: AFAIK 证书验证应包括以下步骤:
You don´t have to manually check each other´s certificates.您不必手动检查彼此的证书。
You just have to import each server certificate into each other´s cacerts, this way both application servers will automatically trust each other.您只需将每个服务器证书导入彼此的 cacerts,这样两个应用程序服务器就会自动相互信任。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.