◾ SSLEngine processes the network buffer's contents to produce handshaking data or application data.
To create an SSLEngine, the developer needs to use the SSLContext.createSSLEngine() methods. The developer must then configure the engine as a client or a server and configure parameters such as which cipher suites to use, whether to require client authentication, and so on. There are two SSLEngine methods, wrap() and unwrap(), that are responsible for generating and consuming network data. During the initial handshaking, the wrap() and unwrap() methods generate and consume handshake data, and the application is responsible for transporting that data. The wrap() and unwrap() sequence is repeated until the handshake is completed. Each SSLEngine operation returns an SSLEngineResult, whose SSLEngineResult.HandshakeStatus field (NEED_UNWRAP, NEED_WRAP, or FINISHED) is used to determine what operation needs to occur next to move the handshake along. If the field is set to NEED_UNWRAP, the unwrap() method is invoked; if it is set to NEED_WRAP, the wrap() method is invoked.
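The wrap()/unwrap() loop just described, written out as an added example (not the book's code): it drives the handshake over a blocking SocketChannel from the SSLEngineResult.HandshakeStatus, and also covers the NEED_TASK status and the BUFFER_UNDERFLOW case for partial records, which the text does not mention. The class name HandshakeDriver and the caller-supplied SSLContext are assumptions; the endpoint identification setting is included because SSLEngine alone does not check that the certificate matches the host.

```java
import javax.net.ssl.*;
import javax.net.ssl.SSLEngineResult.HandshakeStatus;
import java.io.IOException;
import java.nio.ByteBuffer;
import java.nio.channels.SocketChannel;
public final class HandshakeDriver {  // class name is an assumption, not from the book
    static SSLEngine clientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);  // host/port identify the peer
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // else hostname is never checked
        engine.setSSLParameters(params);
        return engine;
    }
    // Repeats wrap()/unwrap() over a blocking channel until HandshakeStatus reaches FINISHED.
    static void handshake(SSLEngine engine, SocketChannel ch) throws IOException {
        SSLSession s = engine.getSession();
        ByteBuffer netOut = ByteBuffer.allocate(s.getPacketBufferSize());
        ByteBuffer netIn = ByteBuffer.allocate(s.getPacketBufferSize());
        ByteBuffer appIn = ByteBuffer.allocate(s.getApplicationBufferSize());
        boolean underflow = false;  // true: buffered record incomplete, read more before unwrap
        engine.beginHandshake();
        HandshakeStatus hs = engine.getHandshakeStatus();
        while (hs != HandshakeStatus.FINISHED && hs != HandshakeStatus.NOT_HANDSHAKING) {
            switch (hs) {
                case NEED_WRAP:                    // engine has handshake bytes for the peer
                    netOut.clear();
                    SSLEngineResult w = engine.wrap(ByteBuffer.allocate(0), netOut);
                    netOut.flip();
                    while (netOut.hasRemaining()) ch.write(netOut);
                    hs = w.getHandshakeStatus();
                    break;
                case NEED_UNWRAP:                  // engine needs bytes from the peer
                    if ((netIn.position() == 0 || underflow) && ch.read(netIn) < 0)
                        throw new SSLException("peer closed during handshake");
                    netIn.flip();
                    SSLEngineResult u = engine.unwrap(netIn, appIn);
                    netIn.compact();               // keep any partial record for the next round
                    underflow = u.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW;
                    hs = u.getHandshakeStatus();
                    break;
                case NEED_TASK:                    // e.g. the TrustManager validating the chain
                    for (Runnable t; (t = engine.getDelegatedTask()) != null; ) t.run();
                    hs = engine.getHandshakeStatus();
                    break;
                default: throw new IllegalStateException("unexpected handshake status " + hs);
            }
        }
    }
}
```

Call handshake(clientEngine(ctx, host, port), channel) once the channel is connected. Bytes left in netIn when the handshake finishes belong to the peer's first application record, so real code must keep that buffer rather than discard it as this method does.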
8.5.4 Support Classes and Interfaces
The SSLContext is one of the most important classes in the javax.net.ssl package, because SSLContext objects are used to create the other key objects—SSLSocketFactory, SSLServerSocketFactory, and SSLEngine. The TrustManager and the TrustManagerFactory are the two other supporting classes/interfaces.
8.5.4.1 SSLContext Class
As indicated earlier, the javax.net.ssl.SSLContext is an engine class for an implementation of a secure socket protocol. An instance of the SSLContext class acts as a factory for SSLSocketFactories and SSLEngines. This SSLContext object holds all of the state information shared across all objects created under that context. Each SSLContext instance is configured through its init() method with the keys, certificate chains, and trusted root CA certificates that it needs to perform authentication. This configuration is provided in the form of key and trust managers. These managers provide support for the authentication and key agreement aspects of the cipher suites supported by the context. Currently, only X.509-based managers are supported.
8.5.4.2 TrustManager Interface
To authenticate the remote identity of a secure socket peer, one needs to initialize an SSLContext object with one or more TrustManagers. The TrustManager determines whether the presented authentication credentials can be trusted. If the credentials cannot be trusted, the connection will be terminated. Typically, there is a single trust manager that supports authentication based on X.509 public key certificates (e.g., X509TrustManager). Some secure socket implementations may also support authentication based on other mechanisms—shared secret keys, Kerberos, and so on. TrustManager instances are created either by using a TrustManagerFactory or by providing a concrete implementation of this interface.