JSSE: accessing HTTPS sites with an untrusted (unauthenticated) certificate

Source: Internet
Author: User
Tags: command line, implement, interface, net, socket, client, access, ssl, connection
   Summary

JSSE (Java Secure Socket Extension) is a pure Java implementation of SSL and TLS that makes programmatic access to HTTPS sites straightforward. However, if a site's certificate is not issued (or verified) by a certification authority that the JRE already trusts, JSSE rejects the certificate and the HTTPS site cannot be reached. After a brief introduction to JSSE, this article presents two ways to solve that problem.

   Introduction

Over the past ten-plus years the Internet has accumulated a large number of web applications. Today, whether you are integrating an existing web application or developing a new one, you often need programmatic access to web pages. The traditional approach is to use the socket interface, but many development platforms and tools such as .NET, Java and PHP now provide simple web-access interfaces that make it easy to interact with a web application programmatically, even when the application uses HTTPS rather than HTTP.

HTTPS, HTTP over a secure transport, uses SSL/TLS to protect web application systems and is in wide use. Most programming interfaces for accessing web applications encapsulate SSL/TLS, so accessing HTTPS is as easy as accessing HTTP. However, the certificates used by many small and medium-sized systems, and by applications on LANs or campus networks, are not issued or verified by a recognised certification authority, so such sites cannot be accessed directly through these interfaces.

After a brief introduction to JSSE, this article explains in detail how to access HTTPS with JSSE, and in particular how to access HTTPS sites whose certificates are not signed by a trusted authority.

   Jsse Introduction

The Java Secure Socket Extension (JSSE) is a set of packages for secure network communication. It is a pure Java implementation of SSL and TLS that transparently provides data encryption, server authentication and message integrity, so that a secure socket created through JSSE can be used just like an ordinary socket. JSSE is an open standard: Sun's SunJSSE is one implementation, and other vendors ship their own.

Before going deeper into JSSE, one Java security concept is needed: the client's truststore file. The truststore holds the certificates of the parties the client trusts (typically CA certificates, or a server's own certificate). When the client opens an SSL/TLS connection, JSSE decides whether to trust the server's certificate based on the certificates in this file.

In JSSE, a trust manager class decides whether a remote certificate is trusted. The default trust manager locates its truststore with the following rules:

⑴ If the system property javax.net.ssl.trustStore is set, its value is the path of the truststore file, and the trust manager uses that file to check certificates. (The file's integrity password, if any, is given in javax.net.ssl.trustStorePassword; it is not needed merely to read the certificates.)

⑵ If the property is not set, the trust manager looks for the default truststore under the JRE installation path, at the relative path lib/security/jssecacerts.

⑶ If jssecacerts does not exist but cacerts does (cacerts ships with the JDK and contains a limited set of trusted root CA certificates), the default truststore is lib/security/cacerts.

   Accessing web pages directly with HttpsURLConnection

Java provides a very concise way to access HTTPS web pages through the classes HttpsURLConnection, URL and so on. These classes wrap the JSSE classes to support HTTPS, as the following example shows:

import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

URL reqUrl = new URL("https://www.sun.com");   // create a URL object
HttpsURLConnection httpsConn = (HttpsURLConnection) reqUrl.openConnection();

/* The following code sends data to the web page, i.e. interacts with it
httpsConn.setDoOutput(true);
OutputStreamWriter out = new OutputStreamWriter(httpsConn.getOutputStream(), "8859_1");
out.write("...");
out.flush();
out.close();
*/

// Get the connection's input stream to read the response
InputStreamReader insr = new InputStreamReader(httpsConn.getInputStream());

// Read the server's response and print it
int respInt = insr.read();
while (respInt != -1) {
    System.out.print((char) respInt);
    respInt = insr.read();
}
insr.close();


This code works, but if you change the URL to https://login.bjut.edu.cn the program throws a javax.net.ssl.SSLException (in practice an SSLHandshakeException, a subclass of SSLException, reporting that no valid certification path to the server's certificate could be built), because the certificate of login.bjut.edu.cn is not trusted by JSSE. Following the trust manager rules given in the JSSE introduction, one solution is to put the site's certificate into the library file jssecacerts, or into any other truststore file and then set the system property javax.net.ssl.trustStore to point to that file. The other solution is to implement the trust manager class yourself so that it trusts the certificate we specify. Both methods are described below.

   Importing a certificate into the truststore file

Java provides the command-line tool keytool for creating certificates and for importing certificates from other files into Java's own truststore files. The command for importing a certificate from a file into a truststore is:

keytool -import -alias alias_name -file src_cer_file -keystore dest_cer_store

Here src_cer_file is the source file containing the certificate, dest_cer_store is the target truststore file, and alias_name is the name under which the certificate is stored (if -alias is omitted keytool uses the alias "mykey", so a second import without an alias fails because that alias already exists). keytool prints the certificate's fingerprint and asks for confirmation before importing it; compare that fingerprint with one obtained from the server's operator through another channel, because once imported, everything signed with that certificate's key is trusted.

Before using keytool you must obtain the certificate file. One way is through the IE browser, which saves the certificate of an HTTPS site you have visited to the local certificate store. To export it from IE, open Internet Options, select the Content tab, click the "Certificates..." button, select the certificate in the dialog that opens, click "Export..." and follow the wizard to save the certificate to a file. Then use keytool to import the file into the Java truststore. If you want the JRE to pick the truststore up without further configuration, save it as jssecacerts in the lib/security directory under the JRE installation path.

Alternatively, set the system property javax.net.ssl.trustStore to the path of dest_cer_store (for example with -Djavax.net.ssl.trustStore=/path/to/dest_cer_store on the java command line, or with System.setProperty(...) before the first HTTPS connection is opened). JSSE then trusts the certificates in that file, and the program can access HTTPS sites whose certificates are not issued by a trusted authority. Note that this property replaces the default truststore rather than adding to it: a JVM started this way no longer trusts the public CA certificates in cacerts unless you imported your certificate into a copy of cacerts.
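The IE export step above can be replaced by fetching the certificate from Java itself. The following program is an added example written for this article, not code from the original author: it completes a TLS handshake using a trust manager that only records the chain the server presents, prints each certificate's SHA-256 fingerprint for out-of-band comparison, and stores the leaf certificate in a truststore file that can then be used through javax.net.ssl.trustStore. The class name FetchServerCert, the command-line arguments (host, port, truststore path, password) and the choice to pin only the leaf certificate are assumptions of the example.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

/*
 * Added example (not from the original article): fetch a server's certificate
 * chain over TLS, print SHA-256 fingerprints so they can be compared with what
 * the server operator published, and save the leaf certificate into a
 * truststore file for later use with -Djavax.net.ssl.trustStore=...
 *
 * Usage (illustrative): java FetchServerCert login.bjut.edu.cn 443 mytruststore.jks changeit
 */
public class FetchServerCert {

    /** Records the chain the server presents instead of checking it.
     *  Used ONLY for this one fetch, never for real traffic. */
    static class RecordingTrustManager implements X509TrustManager {
        X509Certificate[] chain;
        public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        public void checkServerTrusted(X509Certificate[] chain, String authType) {
            this.chain = chain;                       // remember what the server sent
        }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    /** SHA-256 over the DER encoding, formatted like keytool prints it (AA:BB:...). */
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        String host = args[0];
        int port = Integer.parseInt(args[1]);
        File storeFile = new File(args[2]);
        char[] password = args[3].toCharArray();

        // 1. Handshake with the recording trust manager to capture the chain
        RecordingTrustManager recorder = new RecordingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { recorder }, null);
        try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            socket.startHandshake();                  // checkServerTrusted runs here
        }
        if (recorder.chain == null || recorder.chain.length == 0) {
            throw new CertificateException("server presented no certificate chain");
        }

        // 2. Print fingerprints: compare these out of band BEFORE trusting the file
        for (X509Certificate cert : recorder.chain) {
            System.out.println(cert.getSubjectX500Principal()
                    + "\n  SHA-256: " + sha256Fingerprint(cert));
        }

        // 3. Load the existing truststore (or start an empty one) and add the leaf
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        if (storeFile.exists()) {
            try (FileInputStream in = new FileInputStream(storeFile)) { store.load(in, password); }
        } else {
            store.load(null, password);               // new, empty truststore
        }
        store.setCertificateEntry(host, recorder.chain[0]);   // alias = host name
        try (FileOutputStream out = new FileOutputStream(storeFile)) { store.store(out, password); }
        System.out.println("stored leaf certificate under alias '" + host + "' in " + storeFile);
    }
}
```

Run it once per server, compare the printed fingerprint with the value the server's operator published before you keep the file, and then start the application with -Djavax.net.ssl.trustStore=mytruststore.jks -Djavax.net.ssl.trustStorePassword=changeit. Because the recording trust manager accepts whatever the server sends, that fingerprint comparison is the only thing standing between you and a certificate injected by an attacker on the network path.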

With this approach the programming is very simple, but the server's certificate has to be exported by hand, and when server certificates change often the manual export has to be repeated. Implementing an X.509 certificate trust manager class, described next, avoids this.

   Implementing and using an X509TrustManager class

In JSSE, a certificate trust manager is a class that implements the interface javax.net.ssl.X509TrustManager. We can implement this interface ourselves so that it trusts the certificate we specify.

Interface X509TrustManager has the following three public methods that we must implement:

⑴ void checkClientTrusted(X509Certificate[] chain, String authType)
    throws CertificateException

This method checks the client's certificate and throws an exception if the certificate is not trusted. It is only called when the JVM acts as the TLS server; in an HTTPS client JSSE never invokes it, so we can simply delegate to the default trust manager. Note that there is no class named TrustManager to instantiate: the default X509TrustManager is obtained from TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()) after initialising the factory with a null KeyStore, which makes it use the default truststore described above.

⑵ void checkServerTrusted(X509Certificate[] chain, String authType)
    throws CertificateException

This method checks the server's certificate and throws an exception if the certificate is not trusted. By implementing it ourselves we can make it trust exactly the certificate we specify. It is also possible to leave the body empty; because it then never throws, it trusts any certificate whatsoever, including one presented by a man-in-the-middle, which removes the protection TLS gives against active attackers. An empty body is acceptable only in throwaway test code.

⑶ X509Certificate[] getAcceptedIssuers()

Returns the array of X.509 certificates (typically CA certificates) that are trusted for authenticating peers.
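A concrete implementation of the three methods, added here as an example rather than taken from the original article: it delegates to the platform default trust manager so that publicly trusted certificates keep working, and additionally accepts one specific server certificate read from a .cer file such as the one exported in the previous section. The class name matches the MyX509TrustManager used below; the constructor argument (the path of the pinned certificate file) is an assumption of this example, whereas the article's own fragment calls a no-argument constructor.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/*
 * Added example (not from the original article): an X509TrustManager that
 * accepts (a) anything the JVM's default trust manager accepts and (b) exactly
 * one pinned server certificate loaded from a .cer file. Everything else is
 * rejected. The constructor argument is an assumption of this example.
 */
public class MyX509TrustManager implements X509TrustManager {

    private final X509TrustManager defaultTm;   // JVM default (jssecacerts / cacerts)
    private final X509Certificate pinned;       // the one extra certificate we trust

    public MyX509TrustManager(String pinnedCertFile) throws Exception {
        // Obtain the platform default X509TrustManager via TrustManagerFactory;
        // a null KeyStore means "use the default truststore".
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no default X509TrustManager");
        this.defaultTm = found;

        // Load the pinned certificate (DER or PEM .cer file, e.g. exported from IE)
        try (FileInputStream in = new FileInputStream(pinnedCertFile)) {
            this.pinned = (X509Certificate)
                    CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // We never authenticate clients ourselves; defer to the default rules
        defaultTm.checkClientTrusted(chain, authType);
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        try {
            defaultTm.checkServerTrusted(chain, authType);   // normal PKIX validation
            return;
        } catch (CertificateException notPubliclyTrusted) {
            // not chained to a trusted CA: fall through to the pin check
        }
        // Accept only if the leaf is byte-for-byte our pinned certificate
        // (Certificate.equals compares the DER encoding) and is within its validity period.
        if (pinned.equals(chain[0])) {
            chain[0].checkValidity();                // throws if expired / not yet valid
            return;
        }
        throw new CertificateException(
                "server certificate is neither CA-trusted nor the pinned certificate");
    }

    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] base = defaultTm.getAcceptedIssuers();
        X509Certificate[] all = new X509Certificate[base.length + 1];
        System.arraycopy(base, 0, all, 0, base.length);
        all[base.length] = pinned;
        return all;
    }
}
```

Contrast this with an empty checkServerTrusted body: the pinned version throws for any certificate that is neither chained to a trusted CA nor identical to the pinned one, so a man-in-the-middle presenting a different certificate is still rejected, and checkValidity() stops an expired pinned certificate from being accepted silently.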

Having implemented the trust manager class, how do we use it? Class HttpsURLConnection does not appear to offer a method for setting a trust manager. In fact, HttpsURLConnection establishes its secure connection through an SSLSocket; SSLSocket objects are produced by an SSLSocketFactory, and HttpsURLConnection provides the method setSSLSocketFactory(SSLSocketFactory) to set the factory it uses. The SSLSocketFactory in turn is obtained from an SSLContext, and the trust managers are specified when the SSLContext is initialised. The following diagram shows the relationships between these JSSE classes:


Fig. 1 Relationships between the JSSE classes
Assuming the X509TrustManager implementation is named MyX509TrustManager, the following fragment shows how to use it:

import java.net.URL;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;

// Create the SSLContext and initialise it with the trust manager we specify
// ("TLS" is preferred over the legacy alias "SSL"; null key managers and a fresh SecureRandom)
TrustManager[] tm = { new MyX509TrustManager() };
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tm, new java.security.SecureRandom());

// Obtain the SSLSocketFactory from the SSLContext
SSLSocketFactory ssf = sslContext.getSocketFactory();

// Create the HttpsURLConnection and set its SSLSocketFactory
URL myUrl = new URL("https://login.bjut.edu.cn");
HttpsURLConnection httpsConn = (HttpsURLConnection) myUrl.openConnection();
httpsConn.setSSLSocketFactory(ssf);
In this way the HttpsURLConnection object connects over HTTPS normally, regardless of whether the site's certificate was validated by a recognised authority, as long as MyX509TrustManager (the class implementing X509TrustManager) trusts the certificate. Note that HttpsURLConnection separately checks that the host name in the URL matches the certificate; if it does not, the connection is still refused unless a HostnameVerifier is installed with setHostnameVerifier(...), and a verifier that accepts every name is as dangerous as a trust manager that accepts every certificate.

   Summary

This article has presented two ways of accessing an HTTPS site whose certificate is not issued by a recognised authority: importing the certificate into a Java truststore file, or implementing your own trust manager and using it in place of JSSE's default. Each has advantages and disadvantages. The first does not weaken the security of JSSE but requires the certificate to be imported by hand; the second avoids the manual import but must be used with care, because a trust manager that accepts any certificate removes the protection TLS provides.


