如何使用 PEM 文件在 Java 中创建 SSL 套接字?
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/723368/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How to use PEM file to create a SSL socket in Java?
提问by erotsppa
I have a PEM file provided to me and was told that it will be needed in establishing a SSL socket that connects to a c++ server for some API calls. Does anyone know how I can read in the PEM file and connect? I was also given the parapharse password.
我有一个 PEM 文件提供给我,并被告知在建立连接到 C++ 服务器以进行某些 API 调用的 SSL 套接字时需要它。有谁知道我如何读取 PEM 文件并连接?我还获得了释义密码。
回答by John Ellinwood
It sounds like the PEM file is a client cert for you to use to login to the server. If it is the client cert, and it sounds like it is, you will likely need a ca cert file also to use in validating the servers certificate in order to establish a connection.
听起来 PEM 文件是您用来登录服务器的客户端证书。如果它是客户端证书,并且听起来确实如此,则您可能还需要一个 ca 证书文件来验证服务器证书以建立连接。
The CA certs need to go into a truststore and your client certs need to go into a keystore. In Java, both of these will be JKS (although it has limited support for PKCS12.) There are default keystore/truststore locations for the JRE as well as for each user. You can also specify external locations for these files in your code, as in the examples below. The commons-ssl library seems to be able to support PEM directly, without the need for JKS, but I haven't used it.
CA 证书需要进入信任库,您的客户端证书需要进入密钥库。在 Java 中,这两个都是 JKS(尽管它对 PKCS12 的支持有限。)对于 JRE 和每个用户都有默认的密钥库/信任库位置。您还可以在代码中为这些文件指定外部位置,如下例所示。commons-ssl库好像可以直接支持PEM,不需要JKS,不过我没用过。
The default passphrase for these keystores in Java is "changeit" without the quotes.
Java 中这些密钥库的默认密码是不带引号的“changeit”。
This pageshows you have to read the PEM into your keystore/truststore. Here is another example.
此页面显示您必须将 PEM 读入您的密钥库/信任库。这是另一个例子。
Once you have your truststore and keystore set up properly, you need to pass the following JSSE system propertiesto your JVM:
正确设置信任库和密钥库后,您需要将以下JSSE 系统属性传递给 JVM:
javax.net.ssl.keyStore
javax.net.ssl.keyStoreType
javax.net.ssl.keyStorePassword
javax.net.ssl.trustStore
javax.net.ssl.trustStoreType
javax.net.ssl.trustStorePassword
You may specify them as -D parameters to the JRE or, as in the examples below, programatically.
您可以将它们指定为 JRE 的 -D 参数,或者,如下面的示例,以编程方式。
Once you finish that, heres a commons-ssl exampleof creating a socket. Also, heres the Java api for SSLSocket. Heres also an examplethat doesn't use any apache commons.
完成后,这是创建套接字的commons-ssl 示例。此外,这里是SSLSocket的 Java api 。这也是一个不使用任何 apache 公共资源的例子。
回答by Guss
You need a library that handles SSL. As John Ellinwood noted, some frameworks (such as Java 2 SE) offers these built-in, for others you'd need to use 3rd party libraries.
您需要一个处理 SSL 的库。正如 John Ellinwood 所指出的,一些框架(例如 Java 2 SE)提供了这些内置功能,对于其他框架,您需要使用 3rd 方库。
C developers often use openssl directly, but it can't be said to be easy and when using C++ there are several "gotchas" that are easy to fall into.
C 开发人员经常直接使用 openssl,但它不能说是容易的,并且在使用 C++ 时有几个“陷阱”很容易陷入。
I suggest you use a C++ network library with support for SSL, such as QT's network library, or Poco NetSSL. See herefor some tutorial documentation and herefor the API documentation - you probably want to take a look at initializeClientwhich takes a PEM file directly.
我建议您使用支持 SSL 的 C++ 网络库,例如 QT 的网络库或 Poco NetSSL。见这里的一些教程文档和这里的API文档-你可能想看看initializeClient直接采取PEM文件。
