使用 Java 的 OpenSSL

发布于 2024-10-26 05:17:06 字数 99 浏览 4 评论 0 原文

我必须在 Java Web 项目中使用 OpenSSL,但我对“OpenSSL”一无所知。

如何将 OpenSSL 与我的项目集成?有没有什么好的基础教程可以学习这个?

I have to use OpenSSL in a Java web project and I don't know anything about 'OpenSSL'.

How can I integrate OpenSSL with my project? is there any good fundamental tutorials to learn this?

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(7

南汐寒笙箫 2024-11-02 05:17:17

在提出任何建议之前,您需要回答几个重要问题

1)您真的想从JAVA中调用C(本机)实现吗?

2) OpenSSL 中有哪些功能是 JCE 和 BouncyCastle 无法解决的

3) 范围是否仅限于使用 OpenSSL 生成的证书,解密 OpenSSL 生成的文件?

You need to answer a few important questions before any suggestions

1) Do you really want to call C(native) implementation form JAVA?

2) What are the features in OpenSSL which cannot be solved by JCE and BouncyCastle

3) Is the scope just limited to using certificates generated by OpenSSL, decrypting files generated by OpenSSL?

×纯※雪 2024-11-02 05:17:17

您可以使用 java\jdk\jre\bin 目录中的 keytool java 工具。

You can use keytool java tool in your java\jdk\jre\bin directory.

怕倦 2024-11-02 05:17:16

Apache Tomcat Native Library 就是解决方案。
https://github.com/apache/tomcat-native

它使用 OpenSSL 来实现 TLS/SSL 功能。您可以将它用作独立库(就像我所做的那样)或连接您的 Tomcat。它是一个开源项目,具有详细记录的 Java 代码。

为什么要原生tomcat?

JSSE 速度慢且难以使用。
在我的项目中,为了获得最佳性能,我们决定为 OpenSSL 查找/编写 JNI 包装器,因为动态升级证书的可能性是一个问号,而且密钥存储太复杂。

由于 Bouncy Castle Crypto API 是用 Java 编写的,因此您不能指望获得最佳效率。

Tomcat Native 是一个包装器,因此您只能使用 OpenSSL 版本的功能。

Apache Tomcat Native Library is the solution.
https://github.com/apache/tomcat-native

It uses OpenSSL for TLS/SSL capabilities. You can use it as standalone library (as I did) or connect your Tomcat. It is open source project with well documented Java code.

Why tomcat native?

JSSE is slow and hard to use.
In my project to get best performance we've decided to find/write JNI wrapper for OpenSSL as possibility for upgrading certificates on-the-fly is a question mark and Key Stores are too complex.

As Bouncy Castle Crypto APIs is written in Java you cannot expect best efficiency.

Tomcat Native is a wrapper so you are limited only to capabilities of your OpenSSL version.

淡淡绿茶香 2024-11-02 05:17:16

每个人都在谈论 BouncyCastle,但在我们的用例中,Gnu 加密库赢得了胜利。原生java。

对于某些客户来说,我们的数据库 (aerospike) 至少花费 10% 的时间在 java 中计算哈希值,这仅仅是因为这些实现速度很慢。我欢迎每台 Linux 机器上都有可用的加密库的本机实现。我认为一些 Java7 VM 将包含更多算法,但我还没有看到它们。

Everyone talks about BouncyCastle, but in our use case Gnu Crypto library won the day. Native java.

Our database ( aerospike ) spends at least 10% of its time computing hashes in java, for some customers, simply because these implementations are slow. I welcome when there's a native implementation of the crypto libraries available on every Linux machine. I thought some of the Java7 VMs were going to include more algorithms, but I haven't seen them yet.

浸婚纱 2024-11-02 05:17:16

最佳解决方案:使用 Java 的内置安全性来执行简单任务,或使用 BouncyCastle 来执行更高级的任务。

如果您必须从 Java 使用 OpenSSL,您有 2 个选择:

  1. 从 Java 调用 openssl 作为进程。
  2. 为 OpenSSL 创建一个 JNI 层,但这对我来说完全是浪费时间。
    这些都不是真正好的方法。

Best solution: Use Java's built-in security for simple tasks or use BouncyCastle for more advanced ones.

If you HAVE TO use OpenSSL from Java you have 2 choices:

  1. Call openssl as a process from Java.
  2. Make a JNI layer to OpenSSL, but that seems like a complete waste of time to me.
    None of those are really good ways of doing it.
夜唯美灬不弃 2024-11-02 05:17:16

有很多用于加密的 Java 本机库。然而,它们通常不能与 OpenSSL 完全互操作,有时速度明显慢(请参阅下面网站上的指标),并且并非所有平台都支持。 OpenSSL 几乎在所有平台上都受到支持,并且通常具有高性能。

话虽这么说,使用基于虚拟机的加密有一些安全优势。这也应该是一个考虑因素。

Apache 小组已经为 Java 构建了一个库,该库使用 JNI 访问 openssl 以进行 AES 加密。我认为这是使用 JNI 访问 openssl 的最佳公开示例,您可以使用 maven 轻松引用它。

https://github.com/apache/commons-crypto

如果你愿意,你可以拉取出库的 JNI 绑定部分并实现您需要的功能。

此 makefile 展示了如何使用 javah 从 .class 中获取构建 .c 代码所需的内容:

https://github.com/apache/commons-crypto/blob/master/Makefile

具体来说,Makefile 中的这一行调用 javah: $(JAVAH) -force -classpath $ (TARGET)/classes -o $@ org.apache.commons.crypto.cipher.OpenSslNative 基于 OpenSslNative.class 生成正确的“OpenSslNative.h”文件。

https://github.com/apache/commons-crypto/blob/master/src/main/java/org/apache/commons/crypto/cipher/OpenSslNative.java

注意如何导入java.nio .ByteBuffer; 用于允许 C 输出缓冲区。

相关的.c程序在这里:

https://github.com/apache/commons-crypto/blob/master/src/main/native/org/apache/commons/crypto/cipher/OpenSslNative.c

这是编写时考虑到了跨平台支持,并且是一个很好的例子。每个导出的函数都必须以 JNIEXPORT 开头,您可以看到每个函数名称中的完整类路径。

我见过很多不好的 JNI 绑定、传递字符串等。从坚实的基础开始,对于在 Java 中构建良好的 OpenSSL 集成大有帮助。

There are lots of Java native libraries for crypto. However they are generally not fully interoperable with OpenSSL, are sometimes significantly slower (see the metrics on the site below), and aren't supported on all platforms. OpenSSL is definitely supported on nearly every platform and is, generally, performant.

That being said, there are some security advantages to using VM-based crypto. This should also be a consideration.

The Apache group has built a library for Java that uses JNI to access openssl for AES encryption. I think it's the best public example of using JNI to access openssl, and you can reference it easily using maven.

https://github.com/apache/commons-crypto

If you want, you can pull out the JNI binding portion of the libary and implement the functions you need.

This makefile shows how to use javah to get what you need from the .class to build the .c code:

https://github.com/apache/commons-crypto/blob/master/Makefile

Specifically, this line in the Makefile calls javah: $(JAVAH) -force -classpath $(TARGET)/classes -o $@ org.apache.commons.crypto.cipher.OpenSslNative to produce the correct "OpenSslNative.h" file based on the OpenSslNative.class.

https://github.com/apache/commons-crypto/blob/master/src/main/java/org/apache/commons/crypto/cipher/OpenSslNative.java

Note how import java.nio.ByteBuffer; is used to allow for C output buffers.

The associated .c program is here:

https://github.com/apache/commons-crypto/blob/master/src/main/native/org/apache/commons/crypto/cipher/OpenSslNative.c

It's written with cross-platform support in mind, and is a good example. Every exported function must begin with JNIEXPORT, and you can see how the full class path is in each function name.

I've seen a lot of bad JNI bindings, passing strings around, etc. Starting with a solid base goes a long way toward building good OpenSSL integration in Java.

左岸枫 2024-11-02 05:17:14

首先:你需要图书馆做什么?

  • 如果您要使用简单的加密函数,请使用 Java SE 安全组件与 JDK 一起部署。
  • 如果您需要更高级的功能(例如一些数字签名格式等),请使用加密库(BouncyCastle 是最受欢迎的之一)
  • 但是,如果您需要从 Java 代码打开 SSL 连接并处理证书身份验证等,则不需要以下任何一个:
    • 如果您正在使用 Java EE 容器,您的容器可以验证传入的 SSL 请求:这只是一个配置问题
    • 此外,如果您需要连接到 SSL 端口,JDK 会提供一些用于执行此操作的基本类(请参阅 此示例)。请注意,在这种情况下,您需要在 java 命令上设置一些系统属性。

喜欢这些属性:

-Djavax.net.ssl.keyStore=keystore_path
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=truststore_path
-Djavax.net.ssl.trustStorePassword=trustword

First of all: what do you need the library for?

  • If you are going to use simple cryptographic functions, then use the Java SE Security components deployed with the JDK.
  • If you need more advanced functions (such as some digital signing formats, etc), use a cryptographic library (BouncyCastle is one of the the most popular)
  • But, if what you need is to open SSL connections from Java code, and handle certificates authentication, etc, you won't need any of these:
    • If you are working on a Java EE Container, your container can validate incoming SSL requests: it's just a matter of configuration
    • Also, if you need to connect to a SSL port, the JDK presents some basic classes for doing so (see this example). Note that in this case, you'll need to set some system properties on your java command.

Like these properties:

-Djavax.net.ssl.keyStore=keystore_path
-Djavax.net.ssl.keyStorePassword=password
-Djavax.net.ssl.trustStore=truststore_path
-Djavax.net.ssl.trustStorePassword=trustword
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文