如何在Java中使用PEM文件创建SSL套接字?
我有一个 PEM文件提供给我,并被告知在建立连接到 C++ 服务器以进行某些 API 调用的 SSL 套接字时需要它。有谁知道如何读取 PEM 文件并连接?我还得到了释义密码。
I have a PEM file provided to me and was told that it will be needed in establishing a SSL socket that connects to a c++ server for some API calls. Does anyone know how I can read in the PEM file and connect? I was also given the parapharse password.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
听起来 PEM 文件是一个客户端证书,供您用来登录服务器。如果它是客户端证书(听起来确实如此),您可能还需要一个 ca 证书文件来验证服务器证书以建立连接。
CA 证书需要进入信任库,而您的客户端证书需要进入密钥库。在 Java 中,这两者都是 JKS(尽管它对 PKCS12 的支持有限。)JRE 以及每个用户都有默认的密钥库/信任库位置。您还可以在代码中指定这些文件的外部位置,如下例所示。 commons-ssl库好像可以直接支持PEM,不需要JKS,不过我没用过。
Java 中这些密钥库的默认密码是“changeit”,不带引号。
此页面显示您必须将 PEM 读入您的密钥库/信任库。这是 另一个示例。
正确设置信任库和密钥库后,您需要传递以下 JSSE 系统属性 到您的 JVM:
您可以将它们指定为 JRE 的 -D 参数,或者以编程方式指定它们,如下例所示。
完成后,下面是创建套接字的 commons-ssl 示例。另外,这是 SSLSocket。这里还有一个不使用任何 apache commons 的示例。
It sounds like the PEM file is a client cert for you to use to login to the server. If it is the client cert, and it sounds like it is, you will likely need a ca cert file also to use in validating the servers certificate in order to establish a connection.
The CA certs need to go into a truststore and your client certs need to go into a keystore. In Java, both of these will be JKS (although it has limited support for PKCS12.) There are default keystore/truststore locations for the JRE as well as for each user. You can also specify external locations for these files in your code, as in the examples below. The commons-ssl library seems to be able to support PEM directly, without the need for JKS, but I haven't used it.
The default passphrase for these keystores in Java is "changeit" without the quotes.
This page shows you have to read the PEM into your keystore/truststore. Here is another example.
Once you have your truststore and keystore set up properly, you need to pass the following JSSE system properties to your JVM:
You may specify them as -D parameters to the JRE or, as in the examples below, programatically.
Once you finish that, heres a commons-ssl example of creating a socket. Also, heres the Java api for SSLSocket. Heres also an example that doesn't use any apache commons.
您需要一个处理 SSL 的库。正如 John Ellinwood 所指出的,某些框架(例如 Java 2 SE)提供了这些内置框架,而对于其他框架,您需要使用第 3 方库。
C 开发人员经常直接使用 openssl,但这并不能说很容易,而且在使用 C++ 时,有几个很容易陷入的“陷阱”。
我建议你使用支持SSL的C++网络库,比如QT的网络库,或者Poco NetSSL。请参阅此处获取一些教程文档以及此处获取 API 文档 - 您可能需要查看 org/docs/Poco.Net.SSLManager.html#11818" rel="nofollow noreferrer">initializeClient 直接获取 PEM 文件。
You need a library that handles SSL. As John Ellinwood noted, some frameworks (such as Java 2 SE) offers these built-in, for others you'd need to use 3rd party libraries.
C developers often use openssl directly, but it can't be said to be easy and when using C++ there are several "gotchas" that are easy to fall into.
I suggest you use a C++ network library with support for SSL, such as QT's network library, or Poco NetSSL. See here for some tutorial documentation and here for the API documentation - you probably want to take a look at initializeClient which takes a PEM file directly.