Java SSL - sslecho SSL socket communication with client certificate

Transcription

1 1 of 5 Java SSL socket sample - Kobu.Com 12/25/2012 1:18 PM Sitemap Japanese Java SSL - sslecho SSL socket communication with client certificate Download: sslecho.zip Introduction SSL socket (JSSE) is included standard with Java 2 Standard Edition 1.4.x. The developer can easily protect his/her own network service with SSL as well as easily connect to an SSL-based Web server (specify " for URL class, or use HTTPSConnection class). A notable point of this sample is that the client side also supplies its public key certificate. In SSL communication, the server side always presents its certificate, the client can assure identify of the server. Usually, however, the client need not present its certificate, the server usually does not perform authentication of the client. In this sample, the client also supplies its certificate, authentication is done in both direction, which are effective in a situation where higher security is required. I took some sample code in O'Reilly's "Java Network Programming" written by Elliotte Rusty Harold as a staring point. Files server/server.class Execution file for server <- Deleted (please compile) server/server.java Source file for it server/server.jks server/server.cer server/clients.jks Keystore holding server's private key (example) Public key certificate for that private key (example) Trustsotre of certificates that the server trusts client/client.class Execution file for client <- Deleted (please compile) client/client.java client/client.jks Source file for it Keystore holding client's private key (example)

2 2 of 5 Java SSL socket sample - Kobu.Com 12/25/2012 1:18 PM client/client.cer client/servers.jks Public key certificate for that private key (example) Trustsotre of certificates that the client trusts sslecho.html This page Execution Run the server on one machine, and run the client on another machine. You can run both on the same machine. Change directory to "server" before running the server, and "client" before running the client. C:\SSLECHO> cd server C:\SSLECHO\SERVER> java server C:\SSLECHO> cd client C:\SSLECHO\CLIENT> java client -host <server-name> <server-name> is the name or IP address of the machine where the server is running. Specify "localhost" for <server-name> if you use one machine for running both. The server can handle any number of clients at the same time. When the connection is made, characters typed at the client are sent by lines, and the server returns the same characters to the client. These are displayed on the client screen. To quit, type a line only with a period (.) at the client. server = factory created socket created sender started receiver started handshake completed getciphersuite: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA getprotocol: TLSv1 getpeerhost: Cert #0: CN=Sample echo server, OU=Tech, O=Kobu.Com,... Hello server Hello server Bye bye server Bye bye server. sender exit. receiver exit By default, a certificate is presented only by the server. If you specify "-clientauth" option, the client must also present its certificate for successful connection. C:\SSLECHO\SERVER> java server -clientauth

3 3 of 5 Java SSL socket sample - Kobu.Com 12/25/2012 1:18 PM C:\SSLECHO\CLIENT> java client -host <server-name> -clientauth Recompile Here is how to recompile the server and client source respectively. C:\SSLECHO\> cd server C:\SSLECHO\SERVER> javac server.java C:\SSLECHO\> cd client C:\SSLECHO\CLIENT> javac client.java Creating keystore and truststore. In this sample, as you can see in the list of files, files necessary for operation of an SSL application are already there. Here is description of how to create these files. See the description of "keytool" in the document for tools included in Java. Preparation of server-side certificate (mandatory) First, create a private key for the server in the server's private key storage (called keystore). The next example creates a private key named "server" (called alias) in a keystore named "server.jks." In the sample code, single password of "changeit" is used for all keystores and private keys. keytool -genkey -keystore server.jks -alias server Next, extract the public key for the private key created above in a certificate file called "server.cer." keytool -export -keystore server.jks -alias server -file server.cer At last, add this server certificate to the storage of trustable public key certificates (called truststore) used by the client. Here, store the certificate saved in file "server.cer" in the truststore named "servers.jks" and give the name of "server1" to the certificate. keytool -import -keystore servers.jks -alias server1 -file server.cer Place the server's keystore (singular "server.jks") in the same directory as "server.class." Place the truststore (plural "servers.jks") for the client in the same directory as

4 4 of 5 Java SSL socket sample - Kobu.Com 12/25/2012 1:18 PM "client.class." Notes: Keytool generates a DSA algorithm key pair by default. RSA keys are used in SSL-based Web servers. Specify "-keyalg RSA" for keys in the SSL certificate. Keytool outputs a binary-format certificate file by default. To output in an RFC1421 text-format, specify "-rfc." You don't have to specify the format when you import a certificate. Preparation of client-side certificate (when -clientauth is used) The procedures are the same as in the case of the server certificate. First, create a client's private key (aliased as "client") in the client's keystore ("client.jks"). keytool -genkey -keystore client.jks -alias client Next, extract the public key certificate in "client.cer." keytool -export -keystore client.jks -alias client -file client.cer Add this certificate to the server's truststore (clients.jks) with the name of "client1." keytool -import -keystore clients.jks -alias client1 -file client.cer Place the client's keystore (singular "client.jks") in the same directory as "client.class." Place the truststore (plural "clients.jks") for the server in the same directory as "server.class." Locations of default keystore and truststore This sample uses the private key storage (keystore) and certificate storage (truststore) in the same directory as the class file so that you don't have to change the existing Java settings. However, if you place the truststore in the location of JSSE default (<java.home>/jre/lib/security/jssecacerts), you don't have to explicitly specify the store location as in the sample code. Certificates bundled with this sample are self-signed certificates created by Kobu.Com with the above procedures. If you are going to use certificates signed by the third party (certificate authorities such as Verisign and Tharte), the authority's certificate must be in your truststore. Instead, the certificate in question need not be in the truststore. Certificates of some famous certificate authorities are already in the Java's default truststore (<java.home>/jre/lib/security/cacerts).

5 5 of 5 Java SSL socket sample - Kobu.Com 12/25/2012 1:18 PM See the Java documents related to security and the JSSE reference manual for detail. Reference O'Reilly "Java Network Programming, 2nd Edition" Elliotte Rusty Harold Java document "Java Secure Socket Extension (JSSE) Reference Guide" (docs/guide/security/jsse/jsserefguide.html) Java document "keytool - Key and Certificate Management Tool" (docs/tooldocs /windows solaris/keytool.html) Written: Apr 28, 2003 Written by: ARAI Bunkichi Presented by: Kobu.Com ( The published sample code is a prototype and is not complete. Please refrain from duplicating the sample code and its document in another place. Copyright 2003 Kobu.Com. All rights reserved.