Note: the JSSE discussed in this article has been integrated into the JDK since JDK 1.4, so it no longer needs to be installed separately.
Summary: JSSE is a pure Java implementation of SSL and TLS, and with it a program can easily access HTTPS sites. However, if a site's certificate has not been issued or verified by an authoritative certification authority, JSSE refuses to trust the certificate and the HTTPS site cannot be accessed. After a brief introduction to JSSE, this article presents two methods of solving this problem.
Introduction
Over the past ten years or so, a large number of Web applications have accumulated on the Web. Today, whether integrating legacy Web applications or developing new ones, programmatic access to certain Web pages is often required. The traditional approach is to use the socket interface, but many development platforms and tools, such as .NET, Java and PHP, now provide simple Web access interfaces that make it easy to program interactive access to Web applications, even when the application uses HTTPS instead of HTTP.
HTTPS, the secure Hypertext Transfer Protocol, employs SSL and is widely used to secure Web application systems. The programming interfaces for accessing Web applications mostly encapsulate SSL, making it as easy to access HTTPS as HTTP. However, many small and medium-sized application systems, and applications running on a LAN or campus network, use certificates that were neither issued nor verified by an authoritative certification authority, and using these programming interfaces directly against such sites fails to access them over HTTPS.
This article gives a brief introduction to JSSE, then describes in detail how to access HTTPS using JSSE and how to access HTTPS sites whose certificates are not verified.
JSSE Introduction
The Java Secure Socket Extension (JSSE) is a collection of packages that enable secure communication over the Internet. It is a pure Java implementation of SSL and TLS that transparently provides data encryption, server authentication, message integrity and other functions, so that a secure socket established with JSSE can be used in the same way as an ordinary socket. JSSE is an open standard: not only Sun can implement JSSE, and in fact other companies have their own implementations of it.
Before diving into JSSE, you need to know one Java security concept: the client's truststore file. The client's truststore file holds the certificate information of the servers that the client trusts. When the client makes an SSL connection, JSSE decides whether to trust the server-side certificate based on the certificates in this file.
In JSSE, a trust manager class is responsible for deciding whether to trust the remote certificate. It uses the following processing rules:
⑴ If the system property javax.net.ssl.trustStore specifies a truststore file, the trust manager looks for that file in the lib/security/ directory under the JRE installation path and uses it to check the certificate.
⑵ If the system property does not specify a truststore file, the trust manager looks for the default truststore file under the JRE installation path; its relative path is lib/security/jssecacerts.
⑶ If jssecacerts does not exist but cacerts does (cacerts ships with the J2SDK and contains a limited number of trusted root certificates), then the default truststore file is cacerts.
Accessing Web pages directly with the class HttpsURLConnection
Java provides a very concise way to access HTTPS Web pages, using classes such as HttpsURLConnection and URL. These classes further encapsulate the JSSE classes in order to support HTTPS, as the following example shows:
// Create a URL object and open an HTTPS connection to it
URL reqURL = new URL("https://www.sun.com");
HttpsURLConnection httpsConn = (HttpsURLConnection) reqURL.openConnection();

/* The following code sends data to the Web page, for interactive access to the page:
httpsConn.setDoOutput(true);
OutputStreamWriter out = new OutputStreamWriter(httpsConn.getOutputStream(), "8859_1");
out.write("...");
out.flush();
out.close();
*/

// Get the connection's input stream to read the response content
InputStreamReader insr = new InputStreamReader(httpsConn.getInputStream());

// Read the server's response content and display it
int respInt = insr.read();
while (respInt != -1) {
    System.out.print((char) respInt);
    respInt = insr.read();
}
This code runs normally, but when the URL accessed is changed to https://login.bjut.edu.cn, the program throws a javax.net.ssl.SSLException, because the security certificate of the site https://login.bjut.edu.cn is not trusted by JSSE. From the analysis of the trust manager in the JSSE introduction, one way to solve this problem is to put the site's certificate into the library file jssecacerts, or, following the trust manager's processing rules, into any truststore file and then set the system property javax.net.ssl.trustStore to point to that file. Another way is to implement the trust manager class yourself and have it trust the certificate we specify. The two methods are described in turn below.
Import the certificate into the Truststore file
Java provides the command-line tool keytool for creating certificates and for importing certificates from other files into Java's own truststore files. The command-line format for importing a certificate from another file into a truststore file is:
keytool -import -file src_cer_file -keystore dest_cer_store
where src_cer_file is the name of the source file holding the certificate information and dest_cer_store is the target truststore file.
Before using keytool, you first need to obtain the source certificate file. It can be obtained with the IE browser, which can save the certificate of an HTTPS site it has visited to a local file. To export a certificate from IE, open Internet Options, select the Content tab, click the Certificates... button, select a certificate in the Certificates dialog that opens, click the Export... button, and then follow the prompts step by step to save the certificate to a file. Finally, use keytool to import the certificate into the Java truststore file. So that the Java program can find the file, copy it to the lib/security/ directory under the JRE installation path.
Then, by setting the system property javax.net.ssl.trustStore to the file dest_cer_store in the program, JSSE trusts the certificate and the program can access the HTTPS site that uses an unverified certificate.
With this approach the programming is straightforward, but the server's certificate has to be exported manually, and when the server certificate changes frequently the manual export has to be repeated each time. The following approach, implementing the X509 certificate trust manager class, avoids the problem of manually exporting certificates.
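As an added example (not code from the original article), the following Java program carries the truststore method through end to end: it points javax.net.ssl.trustStore at the file produced by keytool, lists the certificate entries in that file so you can confirm the import actually landed before relying on it, and then reads the page through HttpsURLConnection. The truststore path, its password (keytool's default is "changeit") and the URL are assumptions; the property takes a file path, so pass wherever you placed dest_cer_store. Note that the two properties must be set before the first HTTPS connection is opened, because JSSE reads them only once, when it builds the default SSLContext.

```java
import java.io.BufferedReader;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;

public class TrustStoreAccess {
    // Assumed values: the truststore written by keytool and its password (keytool's default is "changeit")
    static final String TRUST_STORE = "dest_cer_store";
    static final String TRUST_STORE_PASSWORD = "changeit";

    // Sanity check: open the truststore and print every certificate entry in it.
    // If the site's certificate is missing here, JSSE will reject the connection no matter what the property says.
    static void listTrustedCertificates(String path, String password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());  // same default type keytool uses
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (ks.isCertificateEntry(alias)) {
                X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
                System.out.println(alias + ": " + cert.getSubjectX500Principal()
                        + " (valid until " + cert.getNotAfter() + ")");
            }
        }
    }

    // Plain HttpsURLConnection fetch; trust decisions are made by JSSE from the truststore named above
    static String fetch(String urlString) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(urlString).openConnection();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"))) {
            StringBuilder sb = new StringBuilder();
            String line;
            while ((line = r.readLine()) != null) {
                sb.append(line).append('\n');
            }
            return sb.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        // Must happen before any HTTPS connection is opened in this JVM
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUST_STORE_PASSWORD);

        listTrustedCertificates(TRUST_STORE, TRUST_STORE_PASSWORD);
        String url = args.length > 0 ? args[0] : "https://login.bjut.edu.cn";  // URL from the article, assumed reachable
        System.out.print(fetch(url));
    }
}
```

Because the truststore is a dedicated file rather than the JRE's cacerts, the program trusts only the certificates you imported plus nothing else; if you also need public CA-signed sites in the same JVM, import the site certificate into a copy of cacerts (or jssecacerts) instead of an empty store.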
Implementation and use of an X509 certificate trust manager class
In JSSE, the certificate trust manager class is the class that implements the interface X509TrustManager. We can implement this interface ourselves and have it trust the certificates we specify.
The interface X509TrustManager requires us to implement the following three public methods:
⑴ void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException
This method checks the client's certificate and throws an exception if the certificate is not trusted. Since we do not need to authenticate the client, we only need to call this method of the default trust manager. In JSSE, the default trust manager class is TrustManager.
⑵ void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException
This method checks the server's certificate and throws an exception if the certificate is not trusted. By implementing this method yourself, you can trust any certificate we specify. When implementing this method, you can also simply do nothing: an empty function body trusts any certificate, because it never throws an exception.
⑶ X509Certificate[] getAcceptedIssuers()
Returns an array of trusted X509 certificates.
Having implemented the trust manager class ourselves, how do we use it? The class HttpsURLConnection does not seem to provide a method for setting the trust manager. In fact, HttpsURLConnection establishes the secure HTTPS connection through an SSLSocket, and the SSLSocket object is produced by an SSLSocketFactory. HttpsURLConnection provides the method setSSLSocketFactory(SSLSocketFactory) to set the SSLSocketFactory object it uses. The SSLSocketFactory is obtained from an SSLContext object, and the trust manager object is specified when the SSLContext object is initialized. The following diagram is a simple representation of the relationships between these JSSE classes:
Figure 1: Relationships between the JSSE classes
Assuming the class implementing X509TrustManager is named MyX509TrustManager, the following code snippet shows how to use MyX509TrustManager:
// Create the SSLContext object and initialize it with the trust manager we specified
TrustManager[] tm = { new MyX509TrustManager() };
SSLContext sslContext = SSLContext.getInstance("SSL", "SunJSSE");
sslContext.init(null, tm, new java.security.SecureRandom());

// Get the SSLSocketFactory object from the SSLContext object above
SSLSocketFactory ssf = sslContext.getSocketFactory();

// Create an HttpsURLConnection object and set its SSLSocketFactory object
HttpsURLConnection httpsConn = (HttpsURLConnection) myURL.openConnection();
httpsConn.setSSLSocketFactory(ssf);
In this way the HttpsURLConnection object can connect to the HTTPS site normally, whether or not its certificate is verified by an authority, as long as MyX509TrustManager, the class implementing the interface X509TrustManager, trusts the certificate.
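The following is an added example and not the article's own MyX509TrustManager. It implements X509TrustManager the way the text recommends, trusting exactly the certificate we specify: the site's certificate is loaded from the exported file, checkServerTrusted accepts only a chain whose leaf is byte-for-byte that certificate (and still within its validity period), and every other decision, including checkClientTrusted, is delegated to the JRE's default trust manager obtained from TrustManagerFactory. This is the safe alternative to the empty checkServerTrusted body mentioned above, which would accept any certificate presented by anyone on the network path. The certificate file path and URL are assumptions, and the loadCertificate helper is added here for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Trusts exactly one pinned server certificate; everything else goes to the JRE's default trust manager. */
public class MyX509TrustManager implements X509TrustManager {
    private final X509TrustManager defaultTm;
    private final X509Certificate pinned;

    public MyX509TrustManager(X509Certificate pinned) throws Exception {
        this.pinned = pinned;
        // Default trust manager backed by the JRE truststore (the jssecacerts/cacerts rules above)
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                found = (X509TrustManager) tm;
                break;
            }
        }
        if (found == null) {
            throw new IllegalStateException("no default X509TrustManager available");
        }
        this.defaultTm = found;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // We do not authenticate clients ourselves; let the default trust manager decide
        defaultTm.checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty server certificate chain");
        }
        X509Certificate leaf = chain[0];
        // Certificate.equals compares the DER encoding, so this matches only the exact exported certificate
        if (leaf.equals(pinned)) {
            leaf.checkValidity();  // still reject it once it has expired
            return;
        }
        // Anything else must pass the normal CA-based check; unknown certificates are rejected as before
        defaultTm.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] base = defaultTm.getAcceptedIssuers();
        X509Certificate[] all = new X509Certificate[base.length + 1];
        System.arraycopy(base, 0, all, 0, base.length);
        all[base.length] = pinned;
        return all;
    }

    // Added helper: read the certificate file exported from the browser (DER or PEM)
    public static X509Certificate loadCertificate(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://login.bjut.edu.cn";   // URL from the article, assumed
        String certFile = args.length > 1 ? args[1] : "src_cer_file";          // exported certificate, assumed path
        TrustManager[] tm = { new MyX509TrustManager(loadCertificate(certFile)) };

        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tm, new java.security.SecureRandom());

        HttpsURLConnection httpsConn = (HttpsURLConnection) new URL(url).openConnection();
        httpsConn.setSSLSocketFactory(sslContext.getSocketFactory());
        // Hostname verification stays at the HttpsURLConnection default; it is not replaced
        System.out.println("HTTP " + httpsConn.getResponseCode() + " from " + url);
    }
}
```

Because the SSLContext is set on this one HttpsURLConnection only, other HTTPS connections in the JVM keep the default trust rules, which limits the blast radius of the exception you are making for this site.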
Summary
This article has introduced two methods of accessing an HTTPS site whose certificate is not issued by an authoritative authority: one imports the certificate into a Java truststore file, the other implements a certificate trust manager class that overrides the JSSE default. Both methods have advantages and disadvantages. The first method does not affect the security of JSSE, but the certificate has to be imported manually; the second does not require a manual import, but it must be used carefully, otherwise it brings security risks.
Two methods of accessing an HTTPS site when its certificate is not issued by an authoritative certification authority