Java中的SSL证书验证 [英] SSL Certificate Verification in Java

问题描述

假设我写了两个Java应用程序： Ping.jar 和 Pong.jar 并且它们已部署并在两个单独的服务器上运行（ Ping.jar 部署到 srv-01.myorg.com 和 Pong.jar 部署到 srv-02.myorg.com ），这两个应用程序需要相互通信（双向）通过SSL。我们还假设每个应用程序都有自己的SSL证书。

Say I have two Java apps that I wrote: Ping.jar and Pong.jar and they get deployed and ran on two separate servers (Ping.jar deploys to srv-01.myorg.com and Pong.jar deploys to srv-02.myorg.com), and these two apps need to communicate with each other (2-way) via SSL. Let's also assume that each app has its own SSL Certificate.

• 我如何，Java程序员，代码 Ping 和 Pong 验证对方的SSL证书？每个CA是否提供某种我可以使用的RESTful API，例如 HttpClient ？ Java是否有自己的证书验证API？是否有我可以使用的开源第三方JAR或服务？

• How do I, a Java programmer, code Ping and Pong to verify each other's SSL cert? Does each CA provide some kind of RESTful API that I can hit with, say, HttpClient? Does Java have its own certificate-verifying API? Are there open source third party JARs or services I can use?

当我在网上搜索时，我感到很惊讶。

I was surprised by how little turned up when I searched for this online.

推荐答案

如果您使用Java SE SSL / TLS类进行连接（例如 SSLSocket 或 SSLEngine ），你正在使用 Java安全套接字扩展（JSSE）。

If you're connecting using the Java SE SSL/TLS classes (e.g. SSLSocket or SSLEngine), you're using the Java Secure Socket Extension (JSSE).

它将验证远程方的根据 SSLContext 的证书，用于创建此 SSLSocket 或 SSLEngine 。

It will verify the remote party's certificate according to the SSLContext that was used to create this SSLSocket or SSLEngine.

此 SSLContext 将使用 TrustManager 决定了如何信任应该建立。

This SSLContext will be initialised with TrustManager that dictate how trust should be established.

除非你需要特定的c在配置上，您通常可以依赖默认值：这将依赖于PKIX算法（RFC 3280）来根据一组信任锚来验证证书（默认情况下在 cacerts 中）。 Oracle JRE附带的 cacerts 是一个JKS密钥库，您可以向其添加其他证书。例如，您可以使用 keytool 显式添加证书。

Unless you need specific configuration, you can often rely on the default values: this will rely on the PKIX algorithm (RFC 3280) to verify the certificate against a set of trust anchors (in cacerts by default). cacerts, shipped with the Oracle JRE is a JKS keystore to which you can add additional certificates. You can add certificates explicitly using keytool for example.

您还可以创建 X509TrustManager 以编程方式基于自定义密钥库（如此答案中所述）并在特定用途中使用它 SSLContext 不影响默认值。

You can also create an X509TrustManager based on a custom keystore programmatically (as described in this answer) and use it in a specific SSLContext that doesn't affect the default one.

除此之外，如果您使用自己的协议，您需要验证您获得的证书是否与您要查找的主机名相匹配（请参阅RFC 6125）。通常，您可以在 X509Certificate 中查找主题备用名称（从 SSLSession ），如果没有，请在主题专有名称中查找 CN RDN。

In addition to this, if you're using your own protocol, you'll need to verify that the certificate you've obtained matches the host name you were looking for (see RFC 6125). Typically, you can look for the subject alternative name in the X509Certificate you get (get the first peer certificate in the chain from the SSLSession), failing that, look for the CN RDN in the Subject Distinguished Name.

这篇关于Java中的SSL证书验证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！