当前位置: 动力学知识库 > 问答 > 编程问答 >

Setting the certificate used by a Java SSL ServerSocket

问题描述:

I want to open a secure listening socket in a Java server application. I know that the recommended way to do that is to just do this:

SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();

ServerSocket ss = ssf.createServerSocket(443);

But this requires to pass the certificate of the server to the JVM when launching java. Because this would make some things in deployment more complicated for me, I would prefer to load the certificate at runtime.

So I have a key file and a password and I want a server socket. How do I get there? Well, I read the documentation and the only way I could find is this:

// these are my parameters for SSL encryption

char[] keyPassword = "[email protected]!".toCharArray();

FileInputStream keyFile = new FileInputStream("ssl.key");

// init keystore

KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());

keyStore.load(keyFile, keyPassword);

// init KeyManagerFactory

KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());

keyManagerFactory.init(keyStore, keyPassword);

// init KeyManager

KeyManager keyManagers[] = keyManagerFactory.getKeyManagers();

// init the SSL context

SSLContext sslContext = SSLContext.getDefault();

sslContext.init(keyManagers, null, new SecureRandom());

// get the socket factory

SSLServerSocketFactory socketFactory = sslContext.getServerSocketFactory();

// and finally, get the socket

ServerSocket serverSocket = socketFactory.createServerSocket(443);

And that doesn't even have any error handling. Is it really that complicated? Isn't there an easier way to do it?

网友答案:

But this requires to pass the certificate of the server to the JVM when launching java.

No it doesn't. Just set these system properties before you create the SSLServerSocket:

javax.net.ssl.keyStore ssl.key
javax.net.ssl.keyStorePassword [email protected]!

You can do that with System.setProperties() or on the command line.

网友答案:

If you look at the code, you can see why it's necessarily complicated. This code decouples the implementation of the SSL protocol from:

  • the source of your key material (KeyStore)
  • certificate algorithm choice and key management (KeyManager)
  • management of peer trust rules (TrustManager) - not used here
  • secure random algorithm (SecureRandom)
  • NIO or socket implementation (SSLServerSocketFactory) - could use SSLEngine for NIO

Consider what your own implementation would look like if you were trying to reach the same goals!

分享给朋友:
您可能感兴趣的文章:
随机阅读: