Chapter 10: Secure Sockets

2016-04-26 13:45

The Java Secure Sockets Extension (JSSE) can secure network communications using the Secure Sockets Layer (SSL) version 3 and Transport Layer Security (TLS) protocols and their associated algorithms.

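Securing Communications

Symmetric encryption: the same key is used to both encrypt and decrypt the data.

Asymmetric encryption: different keys are used to encrypt and decrypt the data.

JSSE hides the low-level details of how algorithms are negotiated, keys are exchanged, the communicating parties are authenticated, and data is encrypted. JSSE lets you create sockets and server sockets that transparently handle the negotiation and encryption that secure communication requires.

The Java Secure Sockets Extension (JSSE) is divided into four packages:

javax.net.ssl

The abstract classes that define Java's API for secure network communication.

javax.net

The abstract socket factory classes used in place of constructors to create secure sockets.

java.security.cert

The classes for handling the public-key certificates that SSL needs.

com.sun.net.ssl

The concrete classes that implement the encryption algorithms and protocols in Sun's JSSE reference implementation.

Creating Secure Client Sockets

Get a Socket object from javax.net.ssl.SSLSocketFactory by calling its createSocket() method.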

SocketFactory factory = SSLSocketFactory.getDefault();

Socket socket = factory.createSocket("login.ibiblio.org",7000);

Five overloaded createSocket() methods create an SSLSocket:

public abstract Socket createSocket(String host, int port) throws IOException, UnknownHostException

public abstract Socket createSocket(InetAddress host, int port) throws IOException

public abstract Socket createSocket(String host, int port, InetAddress localAddress, int localPort) throws IOException, UnknownHostException

public abstract Socket createSocket(InetAddress host, int port, InetAddress localAddress, int localPort) throws IOException

public abstract Socket createSocket(Socket proxy, String host, int port, boolean autoClose) throws IOException

Example 10-1 is a simple program that connects to a secure HTTP server, sends a simple GET request, and displays the response.

Example 10-1: HTTPSClient

import java.io.*;
import javax.net.ssl.*;

public class HTTPSClient {

  public static void main(String[] args) {

    if (args.length == 0) {
      System.out.println("Usage: java HTTPSClient host");
      return;
    }

    int port = 443; // default https port
    String host = args[0];

    SSLSocketFactory factory
        = (SSLSocketFactory) SSLSocketFactory.getDefault();
    SSLSocket socket = null;
    try {
      socket = (SSLSocket) factory.createSocket(host, port);

      // enable all the suites
      // (the supported list may also contain weak suites, such as anonymous
      // and NULL ones, that the JDK leaves disabled by default)
      String[] supported = socket.getSupportedCipherSuites();
      socket.setEnabledCipherSuites(supported);

      Writer out = new OutputStreamWriter(socket.getOutputStream(), "UTF-8");
      // https requires the full URL in the GET line
      out.write("GET http://" + host + "/ HTTP/1.1\r\n");
      out.write("Host: " + host + "\r\n");
      out.write("\r\n");
      out.flush();

      // read response
      BufferedReader in = new BufferedReader(
          new InputStreamReader(socket.getInputStream()));

      // read the header; stop at the blank line or at end of stream
      String s;
      while ((s = in.readLine()) != null && !s.equals("")) {
        System.out.println(s);
      }
      System.out.println();

      // read the length (a hexadecimal value on the first line of the body)
      String contentLength = in.readLine();
      int length = Integer.MAX_VALUE;
      try {
        if (contentLength != null) {
          length = Integer.parseInt(contentLength.trim(), 16);
        }
      } catch (NumberFormatException ex) {
        // This server doesn't send the content-length
        // in the first line of the response body
      }
      System.out.println(contentLength);

      // copy the body to standard output, up to the length read above
      int c;
      int i = 0;
      while ((c = in.read()) != -1 && i++ < length) {
        System.out.write(c);
      }

      System.out.println();
    } catch (IOException ex) {
      System.err.println(ex);
    } finally {
      try {
        if (socket != null) socket.close();
      } catch (IOException e) {}
    }
  }
}


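Choosing Cipher Suites

*public abstract String[] getSupportedCipherSuites()

The getSupportedCipherSuites() method in SSLSocketFactory tells you which combinations of algorithms are available on a given socket.

*public abstract String[] getEnabledCipherSuites()

Tells you which cipher suites this socket is allowed to use.

*public abstract void setEnabledCipherSuites(String[] suites)

Changes the cipher suites the client attempts to use.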
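
The same three methods can narrow a socket's cipher suites instead of widening them to everything supported, as Example 10-1 does. The following is an added example, not code from the original page or the book it summarizes; the class name StrongSuiteClient, the WEAK deny-list and the placeholder host are assumptions made for illustration. It also goes one step beyond suite selection by turning on host name checking, which a raw SSLSocket does not do by itself.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class StrongSuiteClient {

  // Name fragments that mark suites without authentication or encryption,
  // export-grade keys, or broken primitives (deny-list chosen for this example).
  private static final String[] WEAK =
      {"_anon_", "_NULL_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5"};

  // Return only the suites whose names contain none of the WEAK fragments.
  static String[] filterStrong(String[] suites) {
    List<String> strong = new ArrayList<>();
    for (String suite : suites) {
      boolean weak = false;
      for (String marker : WEAK) {
        if (suite.contains(marker)) weak = true;
      }
      if (!weak) strong.add(suite);
    }
    return strong.toArray(new String[0]);
  }

  public static void main(String[] args) throws IOException {
    String host = args.length > 0 ? args[0] : "www.example.com"; // placeholder host
    SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
    try (SSLSocket socket = (SSLSocket) factory.createSocket(host, 443)) {
      // Start from the JDK's default enabled list, not the full supported list.
      socket.setEnabledCipherSuites(filterStrong(socket.getEnabledCipherSuites()));

      // A raw SSLSocket does not check the certificate against the host name
      // unless an endpoint identification algorithm is set.
      SSLParameters params = socket.getSSLParameters();
      params.setEndpointIdentificationAlgorithm("HTTPS");
      socket.setSSLParameters(params);

      socket.startHandshake(); // throws if no enabled suite is shared with the server
      System.out.println("Negotiated " + socket.getSession().getProtocol()
          + " with " + socket.getSession().getCipherSuite());
    }
  }
}
```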

Event Handlers

Session Management

Client Mode