SSLEngine processes the network buffer's contents to produce handshaking data or application data.
To create an SSLEngine, the developer uses the SSLContext.createSSLEngine() methods. The developer must then configure the engine as a client or a server and configure parameters such as which cipher suites to use and whether to require client authentication. Two SSLEngine methods, wrap() and unwrap(), are responsible for generating and consuming network data. During the initial handshake, wrap() and unwrap() generate and consume handshake data, and the application is responsible for transporting that data between the peers. The wrap()/unwrap() sequence is repeated until the handshake is completed. Each SSLEngine operation returns an SSLEngineResult whose SSLEngineResult.HandshakeStatus field (NEED_UNWRAP, NEED_WRAP, or FINISHED) indicates what must happen next to move the handshake along: if the field is set to NEED_UNWRAP, the application invokes unwrap(); if it is set to NEED_WRAP, the application invokes wrap().
8.5.4 Support Classes and Interfaces
The SSLContext is one of the most important classes in the javax.net.ssl package: SSLContext objects are used to create the other key objects, SSLSocketFactory, SSLServerSocketFactory, and SSLEngine. The TrustManager and the TrustManagerFactory are the two other supporting classes/interfaces.
8.5.4.1 SSLContext Class
As indicated earlier, javax.net.ssl.SSLContext is an engine class for an implementation of a secure socket protocol. An instance of SSLContext acts as a factory for SSLSocketFactory and SSLEngine objects. The SSLContext object holds all of the state information shared across all objects created under that context. Each SSLContext instance is configured through its init() method with the keys, certificate chains, and trusted root CA certificates that it needs to perform authentication. This configuration is provided in the form of key managers and trust managers, which support the authentication and key agreement aspects of the cipher suites supported by the context. Currently, only X.509-based managers are supported.
8.5.4.2 TrustManager Interface
To authenticate the remote identity of a secure socket peer, one initializes an SSLContext object with one or more TrustManagers. The TrustManager determines whether the presented authentication credentials can be trusted. If the credentials cannot be trusted, the connection is terminated. Typically, there is a single trust manager that supports authentication based on X.509 public key certificates (e.g., X509TrustManager). Some secure socket implementations may also support authentication based on other mechanisms, such as shared secret keys or Kerberos. TrustManager instances are created either by using a TrustManagerFactory or by providing a concrete implementation of this interface.
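The following is an added example, not code from the book, that ties together the SSLContext/TrustManager initialization described in this section and the wrap()/unwrap() handshake loop described for SSLEngine in section 8.5.3. It builds a client-mode engine whose trust managers come from the JDK default trust store, enables hostname verification through SSLParameters, and drives the handshake over a blocking java.nio.channels.ByteChannel (for instance a connected SocketChannel); it also handles the NEED_TASK status, which the text above does not list but which real handshakes return for delegated work such as certificate validation. The class and method names are the example's own.

```java
import javax.net.ssl.*;
import java.nio.ByteBuffer;
import java.nio.channels.ByteChannel;
import java.security.KeyStore;
public class SslEngineHandshake {
    public static SSLEngine clientEngine(String host, int port) throws Exception { // trust: JDK default cacerts
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);                                // null selects the default trust store
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);             // no client certificate, default SecureRandom
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters p = engine.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");            // also match the hostname against the server cert
        engine.setSSLParameters(p);
        return engine;
    }
    public static void handshake(SSLEngine engine, ByteChannel io) throws Exception { // io: blocking SocketChannel
        ByteBuffer appOut = ByteBuffer.allocate(0);               // no application data during the handshake
        ByteBuffer appIn = ByteBuffer.allocate(engine.getSession().getApplicationBufferSize());
        ByteBuffer netOut = ByteBuffer.allocate(engine.getSession().getPacketBufferSize());
        ByteBuffer netIn = ByteBuffer.allocate(engine.getSession().getPacketBufferSize()); // write mode between rounds
        engine.beginHandshake();
        SSLEngineResult.HandshakeStatus hs = engine.getHandshakeStatus();
        while (hs != SSLEngineResult.HandshakeStatus.FINISHED && hs != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
            switch (hs) {
                case NEED_WRAP:                                   // engine has handshake bytes for the peer
                    netOut.clear();
                    SSLEngineResult r = engine.wrap(appOut, netOut);
                    netOut.flip();
                    while (netOut.hasRemaining()) io.write(netOut);
                    hs = r.getHandshakeStatus();
                    break;
                case NEED_UNWRAP:                                 // engine needs handshake bytes from the peer
                    netIn.flip();
                    r = engine.unwrap(netIn, appIn);
                    netIn.compact();                              // retain any partial TLS record for the next round
                    if (r.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW && io.read(netIn) < 0)
                        throw new SSLException("peer closed the connection during the handshake");
                    hs = r.getHandshakeStatus();
                    break;
                case NEED_TASK:                                   // blocking work such as certificate validation
                    for (Runnable t = engine.getDelegatedTask(); t != null; t = engine.getDelegatedTask()) t.run();
                    hs = engine.getHandshakeStatus();
                    break;
                default: throw new IllegalStateException("unexpected handshake status " + hs);
            }
        }
    }
}
```

After handshake() returns, the same wrap()/unwrap() calls carry application data, and engine.getSession().getPeerCertificates() can be inspected if the application needs more than the TrustManager's decision.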