Secure Sockets in Java
In plain words: secure sockets using the javax.net.ssl package.
We need a secure socket to connect to an IP address and port with security. A secure socket is like a door we need to go through to get inside an apartment whose address is the IP and whose door number is the port. Now, how do we open the door? We need keys.
Certificates are keys that have been verified and signed by some authority (a Certifying Authority, CA) as good keys.
Now we have more than one key, so we use a keystore. It is like a key ring holding all your keys in one place. The KeyStore class represents this key ring (keys and certificates) in Java. You load the keystore made with the Java keytool into this object.
The KeyManagerFactory class does the job of managing your key ring. Give that to your SSLContext, and from the context you can get an SSLSocketFactory. Using the SSLSocketFactory we finally get our SSLSocket.
With that much code in place, the problem of how to trust the keys that others (servers) send to verify themselves while communicating comes up. We put those keys in another keystore and call it our trust store. Again we load the trust store into a KeyStore object, put that into a TrustManagerFactory, and give it to the context.
Of course the question of how to get a keystore and truststore with certificates is still there. Click this link for that.
The following method creates a secure socket with client authentication.
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public SSLSocket createSecureSocket(String keyStore, String keyStorePwd, String trustStore,
        String trustStorePwd) throws IOException {
    // create 2 JKS keystores for keystore and truststore
    // (if getInstance fails the variables stay null and the later calls throw
    // NullPointerException; the stack trace printed here tells you why)
    KeyStore clientKeyStore = null;
    KeyStore clientTrustStore = null;
    try {
        clientKeyStore = KeyStore.getInstance("JKS");
        clientTrustStore = KeyStore.getInstance("JKS");
    } catch (KeyStoreException e) {
        e.printStackTrace();
    }
    // convert keystore pwd into char array and load the client keystore made with keytool into
    // one keystore object. try-with-resources closes the file once it has been read.
    char[] keyStorePwdArray = keyStorePwd.toCharArray();
    try (FileInputStream in = new FileInputStream(keyStore)) {
        clientKeyStore.load(in, keyStorePwdArray);
    } catch (NoSuchAlgorithmException e1) {
        e1.printStackTrace();
    } catch (CertificateException e1) {
        e1.printStackTrace();
    }
    // convert truststore pwd into char array and load the client truststore made with keytool into
    // the other keystore object.
    char[] trustStorePwdArray = trustStorePwd.toCharArray();
    try (FileInputStream in = new FileInputStream(trustStore)) {
        clientTrustStore.load(in, trustStorePwdArray);
    } catch (NoSuchAlgorithmException e1) {
        e1.printStackTrace();
    } catch (CertificateException e1) {
        e1.printStackTrace();
    }
    // create the key manager and trust manager factories.
    KeyManagerFactory kmf = null;
    TrustManagerFactory tmf = null;
    try {
        kmf = KeyManagerFactory.getInstance("SunX509");
        tmf = TrustManagerFactory.getInstance("SunX509");
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    // load client keystore and pwd into the key manager factory.
    try {
        kmf.init(clientKeyStore, keyStorePwdArray);
    } catch (KeyStoreException e1) {
        e1.printStackTrace();
    } catch (NoSuchAlgorithmException e1) {
        e1.printStackTrace();
    } catch (UnrecoverableKeyException e1) {
        e1.printStackTrace();
    }
    // load client truststore into the trust manager factory.
    try {
        tmf.init(clientTrustStore);
    } catch (KeyStoreException e) {
        e.printStackTrace();
    }
    // create the SSLContext object and load both factories into it.
    SSLContext ctx = null;
    try {
        ctx = SSLContext.getInstance("TLS");
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    try {
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    } catch (KeyManagementException e) {
        e.printStackTrace();
    }
    // get our socket factory from the context and then get the socket.
    SSLSocketFactory factory = ctx.getSocketFactory();
    SSLSocket socket = (SSLSocket) factory.createSocket();
    return socket;
}
Now we need to open a connection.
socket.connect(new InetSocketAddress("localhost", 9999), 10000000);
or, if you keep the SSLContext (ctx) from the method instead of the unconnected socket:
SSLSocketFactory sf = ctx.getSocketFactory();
Socket socket = sf.createSocket(host, port);
To create a server socket use the same method, but with the server's keystore and truststore.
Get the context object ctx.
SSLServerSocketFactory ssf = ctx.getServerSocketFactory();
ServerSocket ss = ssf.createServerSocket(6660);
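The post's method builds the client side; for the client certificate to actually be checked, the server has to ask for it, and for the server certificate to be tied to the host we dialled, the client has to enable endpoint identification. The following is an added example, not code from the original post, that runs both halves over the loopback interface. It assumes the four keystore files named at the top (hypothetical names, made with keytool as the post describes, all using the same password), that the server certificate carries a subject alternative name of "localhost", and a Java 11 or newer runtime for "TLSv1.3".

```java
import java.io.*;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.net.ssl.*;

/**
 * Added example (not the post's code): mutual TLS over the loopback interface.
 * Assumed inputs: JKS files named below, each made with keytool. The client's
 * truststore must contain the server certificate (or its CA) and the server's
 * truststore must contain the client certificate (or its CA).
 */
public class MutualTlsDemo {

    // Hypothetical file names and password; replace with your own keytool output.
    static final String SERVER_KEYSTORE = "server-keystore.jks";
    static final String SERVER_TRUSTSTORE = "server-truststore.jks";
    static final String CLIENT_KEYSTORE = "client-keystore.jks";
    static final String CLIENT_TRUSTSTORE = "client-truststore.jks";
    static final char[] PASSWORD = "changeit".toCharArray();
    static final int PORT = 6660;

    // Same recipe as the post's createSecureSocket, condensed into one method that
    // returns the context, so both a client and a server factory can be taken from it.
    static SSLContext buildContext(String keyStorePath, String trustStorePath, char[] pwd)
            throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, pwd);
        }
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, pwd);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pwd);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");   // pin a current protocol version
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext serverCtx = buildContext(SERVER_KEYSTORE, SERVER_TRUSTSTORE, PASSWORD);
        SSLContext clientCtx = buildContext(CLIENT_KEYSTORE, CLIENT_TRUSTSTORE, PASSWORD);

        SSLServerSocket ss = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(PORT);
        // Without this the server never asks for a client certificate, so the client
        // keystore loaded above is never used: there is no client authentication.
        ss.setNeedClientAuth(true);

        Thread server = new Thread(() -> {
            try (SSLSocket s = (SSLSocket) ss.accept();
                 BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
                 PrintWriter w = new PrintWriter(new OutputStreamWriter(s.getOutputStream(), StandardCharsets.UTF_8), true)) {
                // After the handshake the verified peer certificate is on the session; record who connected.
                String client = s.getSession().getPeerPrincipal().getName();
                w.println("hello " + client + ", you said: " + r.readLine());
            } catch (IOException e) {
                e.printStackTrace();
            }
        });
        server.start();

        SSLSocket socket = (SSLSocket) clientCtx.getSocketFactory().createSocket();
        // Ask JSSE to check that the server certificate actually names the host we dial;
        // a plain SSLSocket does not do this by default.
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
        socket.connect(new InetSocketAddress("localhost", PORT), 5000);
        socket.startHandshake();   // fail here, before any application data is sent

        try (PrintWriter w = new PrintWriter(new OutputStreamWriter(socket.getOutputStream(), StandardCharsets.UTF_8), true);
             BufferedReader r = new BufferedReader(new InputStreamReader(socket.getInputStream(), StandardCharsets.UTF_8))) {
            w.println("ping");
            System.out.println(r.readLine());
        }
        server.join();
        ss.close();
    }
}
```

Run it with the four keystores in the working directory. If the client keystore is missing or its certificate is not in the server truststore, the handshake fails on the server side with "bad_certificate" and the client never gets past startHandshake(); if the server certificate does not name localhost, the client side fails the endpoint identification check instead. Both failures surface before any application data crosses the socket, which is the point of calling startHandshake() explicitly.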
Note: If you are really bothered by the numerous try/catch statements, just put the code in one try block and write the catch statements at the end. I write really good System.out.printlns in catch blocks during the first attempt just to know where I am going wrong. Later I combine them.
Filed under: TLS
Tags: code, java, security