Java Network Programming (3rd ed) [Electronic resources] نسخه متنی

11.2 Creating Secure Client Sockets

If
you don't care very much about the underlying
details, using an encrypted SSL socket to talk to an existing secure
server is truly straightforward. Rather than constructing a
java.net.Socket object with a constructor, you get
one from a
javax.net.ssl.SSLSocketFactory using its createSocket() method.
SSLSocketFactory is an abstract class that follows
the abstract factory design pattern:

public abstract class SSLSocketFactory extends SocketFactory

Since the SSLFactorySocket class is itself
abstract, you get an instance of it by invoking the static
SSLSocketFactory.getDefault() method:

public static SocketFactory getDefault( ) throws InstantiationException

This either returns an instance of
SSLSocketFactory or throws an
InstantiationException if no concrete subclass can
be found. Once you have a reference to the factory, use one of these
five overloaded createSocket( ) methods to build
an SSLSocket:

public abstract Socket createSocket(String host, int port) 
throws IOException, UnknownHostException
public abstract Socket createSocket(InetAddress host, int port) 
throws IOException
public abstract Socket createSocket(String host, int port, 
InetAddress interface, int localPort) 
throws IOException, UnknownHostException
public abstract Socket createSocket(InetAddress host, int port, 
InetAddress interface, int localPort) 
throws IOException, UnknownHostException
public abstract Socket createSocket(Socket proxy, String host, int port, 
boolean autoClose) throws IOException

The first two methods create and return a socket
that's connected to the specified host and port or
throw an IOException if they
can't connect. The third and fourth methods connect
and return a socket that's connected to the
specified host and port from the specified local network interface
and port. The last createSocket( ) method,
however, is a little different. It begins with an existing
Socket object that's connected to
a proxy server. It returns a Socket that tunnels
through this proxy server to the specified host and port. The
autoClose argument determines whether the
underlying proxy socket should be closed when this
socket is closed. If autoClose is
true, the underlying socket will be closed; if
false, it won't be.

The
Socket that all these methods return will really
be a javax.net.ssl.SSLSocket, a subclass of
java.net.Socket. However, you
don't need to know that. Once the secure socket has
been created, you use it just like any other socket, through its
getInputStream( ), getOutputStream(), and other methods. For example, let's
suppose there's a server running on
login.ibiblio.org on port 7,000 that accepts
orders. Each order is sent as an ASCII string using a single TCP
connection. The server accepts the order and closes the connection.
(I'm leaving out a lot of
details that would be necessary in a real-world system, such as the
server sending a response code telling the client whether the order
was accepted.) The orders that clients send look like this:

Name: John Smith
Product-ID: 67X-89
Address: 1280 Deniston Blvd, NY NY 10003
Card number: 4000-1234-5678-9017
Expires: 08/05

There's enough information in this message to let
someone snooping packets use John Smith's credit
card number for nefarious purposes. Consequently, before sending this
order, you should encrypt it; the simplest way to do that without
burdening either the server or the client with a lot of complicated,
error-prone encryption code is to use a secure socket. The following
code sends the order over a secure socket:

try {
// This statement is only needed if you didn't add 
// security.provider.3=com.sun.net.ssl.internal.ssl.Provider 
// to your java.security file.
Security.addProvider(new com.sun.net.ssl.internal.ssl.Provider( ));
SSLSocketFactory factory 
= (SSLSocketFactory) SSLSocketFactory.getDefault( );
Socket socket = factory.createSocket("login.metalab.unc.edu", 7000);
Writer out = new OutputStreamWriter(socket.getOutputStream( ), 
"ASCII");
out.write("Name: John Smith\r\n");
out.write("Product-ID: 67X-89\r\n");
out.write("Address: 1280 Deniston Blvd, NY NY 10003\r\n");
out.write("Card number: 4000-1234-5678-9017\r\n");
out.write("Expires: 08/05\r\n");
out.flush( ); 
out.close( );
socket.close( );                  
} 
catch (IOException ex) {
ex.printStackTrace( );
}

Only the first three statements are noticeably different from what
you'd do with an insecure socket. The rest of the
code just uses the normal methods of the Socket,
OutputStream, and Writer
classes.

Reading input is no harder. Example 11-1 is a simple
program that connects to a secure HTTP server, sends a simple GET
request, and prints out the response.

Example 11-1. HTTPSClient

import java.net.*;
import java.io.*;
import java.security.*;
import javax.net.ssl.*;
import com.macfaq.io.*;
public class HTTPSClient {
public static void main(String[] args) {
if (args.length == 0) {
System.out.println("Usage: java HTTPSClient2 host");
return;
}       
int port = 443; // default https port
String host = args[0];
try {           
SSLSocketFactory factory 
= (SSLSocketFactory) SSLSocketFactory.getDefault( );
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
// enable all the suites
String[] supported = socket.getSupportedCipherSuites( );
socket.setEnabledCipherSuites(supported);
Writer out = new OutputStreamWriter(socket.getOutputStream( ));
// https requires the full URL in the GET line
out.write("GET http://" + host + "/ HTTP/1.1\r\n");
out.write("Host: " + host + "\r\n");
out.write("\r\n");
out.flush( ); 
// read response
BufferedReader in = new SafeBufferedReader(
new InputStreamReader(socket.getInputStream( )));
// read the header
String s;
while (!(s = in.readLine( )).equals(")) {
System.out.println(s);
}
System.out.println( );
// read the length
String contentLength = in.readLine( );
int length = Integer.MAX_VALUE;
try {
length = Integer.parseInt(contentLength.trim( ), 16);
}
catch (NumberFormatException ex) {
// This server doesn't send the content-length
// in the first line of the response body
}
System.out.println(contentLength);
int c;
int i = 0;
while ((c = in.read( )) != -1 && i++ < length) {
System.out.write(c);
}
System.out.println( );
out.close( );                  
in.close( );
socket.close( );
} 
catch (IOException ex) {
System.err.println(ex);
}
}
}

Here are the first few lines of output you get when you connect to
the U.S. Postal Service's web site:

% java HTTPSClient www.usps.com
HTTP/1.1 200 OK
Server: Netscape-Enterprise/6.0
Date: Wed, 28 Jan 2004 18:13:08 GMT
Content-type: text/html
Set-Cookie: WEBTRENDS_ID=216.254.85.72-1075313584.16566; expires=Fri, 
31-Dec-2010 00:00:00 GMT; path=/
Transfer-Encoding: chunked
b6b
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=UTF-8">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML>
<HEAD>
<link rel="stylesheet" href="/image/library/english/10151_styles.css" 
type="text/css">
<TITLE>USPS - The United States Postal Service (U.S. Postal 
Service)</TITLE>

When this program was tested for this edition, it initially refused to connect to www.usps.com because it couldn't verify the identity of the remote server. The problem was that the root certificates shipped with the version of the JDK I was using (1.4.2_02-b3) had expired. Upgrading to the latest minor version (1.4.2_03-b2) fixed the problem. If you see any exception messages like "No trusted certificate found", try upgrading to the latest minor version of either the JDK (if you're using 1.4 or later) or the JSSE (if you're using Java 1.3 or earlier).

One thing you may notice when you run this program is that
it's slower to respond than you might expect.
There's a
noticeable amount of both CPU and network overhead involved in
generating and exchanging the public keys. Even over a fast
connection, it can easily take 10 seconds or more for the connection
to be established. Consequently, you probably don't
want to serve all your content over HTTPS, only the content that
really needs to be private.