Class OpenSsl

java.lang.Object
cloud.opencode.base.crypto.ssl.OpenSsl

public final class OpenSsl extends Object
OpenSsl - SSL/TLS Utility Class

This class provides static utilities for SSL/TLS operations, including creating SSL contexts, loading certificates, and configuring trust managers.

Example:

// Create trust-all context (development only)
SSLContext devContext = OpenSsl.createTrustAllContext();

// Create context with custom truststore
SSLContext prodContext = OpenSsl.createContext(
    Path.of("/path/to/truststore.jks"), "password");

// Get default SSL context
SSLContext defaultContext = OpenSsl.getDefaultContext();

Features:

  • SSLContext creation utilities
  • Trust-all context for development
  • PEM and extra CA support
  • Mutual TLS (mTLS) support

Usage Examples:

SSLContext ctx = OpenSsl.createTrustAllContext(); // dev only
SSLContext prod = OpenSsl.withExtraCA(Path.of("ca.pem"));

Security:

  • Thread-safe: Yes
  • Null-safe: Partial
Since:
JDK 25, opencode-base-crypto V1.0.0
Author:
Leon Soo www.LeonSoo.com
Method Details

    • builder

      public static SslContextBuilder builder()
      Creates a builder for SSLContext.
      Returns:
      the builder
    • getDefaultContext

      public static SSLContext getDefaultContext()
      Gets the default SSLContext.
      Returns:
      the default SSLContext
    • createTrustAllContext

      public static SSLContext createTrustAllContext()
      Creates an SSLContext that trusts all certificates. Such a context accepts any certificate, including self-signed or forged ones, so it gives no protection against an on-path attacker.

      WARNING: Use only for development/testing.

      Returns:
      the SSLContext
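The warning above is easiest to honour when the trust-all context is unreachable by default. The following selector is an added example, not code from the OpenSsl class or its documentation: it picks a context from configuration, prefers an extra corporate CA (system CAs stay trusted), falls back to the JVM default, and only returns the trust-all context on an explicit opt-in outside production. The `ALLOW_INSECURE_TLS`, `APP_ENV` and `EXTRA_CA_PEM` variable names are hypothetical; the OpenSsl calls are the ones documented on this page.

```java
// Added example, not part of the OpenSsl class. Selects an SSLContext so that
// the trust-all context can only be reached by explicit opt-in, never by default.
import cloud.opencode.base.crypto.ssl.OpenSsl;

import javax.net.ssl.SSLContext;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Optional;

public final class TlsContextSelector {

    private TlsContextSelector() {}

    /**
     * Order of preference:
     *  1. trust-all, only when explicitly requested AND not in production (fail closed otherwise),
     *  2. JVM system CAs plus an extra corporate CA when one is configured,
     *  3. the JVM default context.
     */
    public static SSLContext select(Optional<Path> extraCaPem, boolean insecureRequested, boolean production) {
        if (insecureRequested) {
            if (production) {
                // An insecure opt-in in production is a configuration error: refuse to start.
                throw new IllegalStateException("trust-all TLS requested in production; refusing to start");
            }
            System.err.println("WARNING: TLS certificate validation disabled (development mode)");
            return OpenSsl.createTrustAllContext();
        }
        if (extraCaPem.isPresent()) {
            return OpenSsl.withExtraCA(extraCaPem.get());
        }
        return OpenSsl.getDefaultContext();
    }

    public static void main(String[] args) {
        // Hypothetical configuration sources; the variable names are not part of the library.
        boolean insecure = "true".equalsIgnoreCase(System.getenv("ALLOW_INSECURE_TLS"));
        boolean production = "production".equals(System.getenv("APP_ENV"));
        Optional<Path> extraCa = Optional.ofNullable(System.getenv("EXTRA_CA_PEM"))
                .map(Path::of)
                .filter(Files::exists);

        SSLContext ctx = select(extraCa, insecure, production);
        System.out.println("selected context protocol: " + ctx.getProtocol());
    }
}
```

The production check runs before the trust-all branch on purpose: a misconfigured flag then stops the process instead of silently disabling certificate validation.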
    • createContext

      public static SSLContext createContext(Path trustStorePath, String trustStorePassword)
      Creates an SSLContext with a custom truststore.
      Parameters:
      trustStorePath - the truststore path
      trustStorePassword - the truststore password
      Returns:
      the SSLContext
    • createContext

      public static SSLContext createContext(Path keyStorePath, String keyStorePassword, Path trustStorePath, String trustStorePassword)
      Creates an SSLContext with a keystore and a truststore.
      Parameters:
      keyStorePath - the keystore path
      keyStorePassword - the keystore password
      trustStorePath - the truststore path
      trustStorePassword - the truststore password
      Returns:
      the SSLContext
    • createContext

      public static SSLContext createContext(InputStream keyStoreStream, String keyStorePassword, InputStream trustStoreStream, String trustStorePassword)
      Creates an SSLContext from keystore and truststore streams.
      Parameters:
      keyStoreStream - the keystore stream
      keyStorePassword - the keystore password
      trustStoreStream - the truststore stream
      trustStorePassword - the truststore password
      Returns:
      the SSLContext
    • fromPem

      public static SSLContext fromPem(String caCertPem)
      Creates an SSLContext that trusts only a specific PEM-encoded CA certificate.

      Safer than createTrustAllContext(): the certificate chain is still validated, but only the provided CA is trusted.

      Example:

      String pem = Files.readString(Path.of("/etc/ssl/internal-ca.pem"));
      SSLContext ctx = OpenSsl.fromPem(pem);
      HttpClient client = HttpClient.builder().sslContext(ctx).build();

      Parameters:
      caCertPem - the PEM-encoded CA certificate
      Returns:
      the SSLContext
    • withExtraCA

      public static SSLContext withExtraCA(Path caCertPath)
      Creates an SSLContext that trusts the JVM system CA store plus an extra CA certificate.

      This is the recommended approach for corporate environments where the server uses an internal CA not shipped with the JVM. All public CAs remain trusted.

      Example:

      SSLContext ctx = OpenSsl.withExtraCA(Path.of("/etc/corp/ca.pem"));
      HttpClient client = HttpClient.builder().sslContext(ctx).build();

      Parameters:
      caCertPath - path to the extra CA PEM file
      Returns:
      the SSLContext
    • withExtraCA

      public static SSLContext withExtraCA(String caCertPem)
      Creates an SSLContext that trusts the JVM system CA store plus a PEM-encoded CA.
      Parameters:
      caCertPem - the PEM-encoded extra CA certificate
      Returns:
      the SSLContext
    • mTls

      public static SSLContext mTls(String clientCertPem, String clientKeyPem)
      Creates an SSLContext for mutual TLS (mTLS) using a PEM client certificate and a PKCS8 private key. The server's certificate is validated against the JVM default trust store.

      The private key must be in unencrypted PKCS8 format (-----BEGIN PRIVATE KEY-----). Convert from PKCS1: openssl pkcs8 -topk8 -nocrypt -in key.pem -out key-pkcs8.pem

      Example:

      String cert = Files.readString(Path.of("/etc/ssl/client.pem"));
      String key  = Files.readString(Path.of("/etc/ssl/client-key.pem"));
      HttpClient client = HttpClient.builder()
          .sslContext(OpenSsl.mTls(cert, key))
          .build();

      Parameters:
      clientCertPem - PEM-encoded client certificate
      clientKeyPem - PEM-encoded PKCS8 private key
      Returns:
      the SSLContext configured for mTLS
    • mTls

      public static SSLContext mTls(Path clientCertPath, Path clientKeyPath)
      Creates an SSLContext for mutual TLS from PEM files on disk.
      Parameters:
      clientCertPath - path to the PEM client certificate
      clientKeyPath - path to the PKCS8 private key file
      Returns:
      the SSLContext configured for mTLS
    • mTls

      public static SSLContext mTls(String clientCertPem, String clientKeyPem, String caCertPem)
      Creates an SSLContext for mutual TLS with a custom CA trust anchor. Use when both the client certificate and the server's CA are non-public (e.g. a service mesh or internal microservices).
      Parameters:
      clientCertPem - PEM-encoded client certificate
      clientKeyPem - PEM-encoded PKCS8 private key
      caCertPem - PEM-encoded CA certificate to trust
      Returns:
      the SSLContext configured for mTLS
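The three-argument mTls overload has no example on this page, and the PKCS8 requirement stated for the two-argument overload applies to it as well. The class below is an added example, not code from the OpenSsl class or its documentation. It reads the client certificate, key and internal CA from disk, rejects a PKCS#1 or SEC1 key with the conversion command from this page instead of letting it fail deep inside key parsing, and applies the context to `java.net.http.HttpClient` with the protocol version pinned. The file paths in `main` are placeholders; the OpenSsl call is the one documented above.

```java
// Added example, not part of the OpenSsl class. mTLS to an internal service whose
// CA is private, with an up-front check that the key is unencrypted PKCS#8.
import cloud.opencode.base.crypto.ssl.OpenSsl;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.io.IOException;
import java.net.http.HttpClient;
import java.nio.file.Files;
import java.nio.file.Path;

public final class InternalMtlsClient {

    private InternalMtlsClient() {}

    /** Returns the key unchanged if it is unencrypted PKCS#8; otherwise explains what to convert. */
    static String requirePkcs8(String keyPem) {
        if (keyPem.contains("-----BEGIN PRIVATE KEY-----")) {
            return keyPem;
        }
        if (keyPem.contains("-----BEGIN RSA PRIVATE KEY-----")
                || keyPem.contains("-----BEGIN EC PRIVATE KEY-----")) {
            // PKCS#1 (RSA) or SEC1 (EC) encoding: not accepted by mTls().
            throw new IllegalArgumentException(
                "PKCS#1/SEC1 key detected; convert with: "
                + "openssl pkcs8 -topk8 -nocrypt -in key.pem -out key-pkcs8.pem");
        }
        if (keyPem.contains("-----BEGIN ENCRYPTED PRIVATE KEY-----")) {
            throw new IllegalArgumentException("encrypted PKCS#8 key is not supported; use an unencrypted key");
        }
        throw new IllegalArgumentException("unrecognised private key PEM");
    }

    public static HttpClient build(Path clientCert, Path clientKey, Path internalCa) throws IOException {
        String cert = Files.readString(clientCert);
        String key = requirePkcs8(Files.readString(clientKey));
        String ca = Files.readString(internalCa);

        // Trust only the internal CA; public CAs are deliberately excluded for this client.
        SSLContext ctx = OpenSsl.mTls(cert, key, ca);

        // Pin the protocol versions and keep hostname (endpoint) identification enabled.
        SSLParameters params = new SSLParameters();
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        params.setEndpointIdentificationAlgorithm("HTTPS");

        return HttpClient.newBuilder().sslContext(ctx).sslParameters(params).build();
    }

    public static void main(String[] args) throws IOException {
        // Placeholder paths; substitute the real locations of the client material.
        HttpClient client = build(
            Path.of("/etc/ssl/client.pem"),
            Path.of("/etc/ssl/client-key.pem"),
            Path.of("/etc/ssl/internal-ca.pem"));
        System.out.println("mTLS client ready, version=" + client.version());
    }
}
```

Checking the PEM header before calling mTls() keeps the error message actionable; the header strings used are the standard PKCS#8, PKCS#1, SEC1 and encrypted-PKCS#8 markers.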
    • createTrustAllSocketFactory

      public static SSLSocketFactory createTrustAllSocketFactory()
      Creates an SSLSocketFactory that trusts all certificates. Like createTrustAllContext(), this is for development/testing only.
      Returns:
      the SSLSocketFactory
    • getDefaultSocketFactory

      public static SSLSocketFactory getDefaultSocketFactory()
      Gets the default SSLSocketFactory.
      Returns:
      the SSLSocketFactory
    • getTrustAllHostnameVerifier

      public static HostnameVerifier getTrustAllHostnameVerifier()
      Gets a hostname verifier that accepts all hostnames. With hostname verification disabled, a valid certificate issued for any other name is accepted.

      WARNING: Use only for development/testing.

      Returns:
      the hostname verifier
    • getDefaultHostnameVerifier

      public static HostnameVerifier getDefaultHostnameVerifier()
      Gets the default hostname verifier.
      Returns:
      the hostname verifier
    • getServerCertificates

      public static X509Certificate[] getServerCertificates(String host, int port)
      Gets the certificate chain presented by the server at the given host and port.
      Parameters:
      host - the hostname
      port - the port
      Returns:
      the certificates
    • getCertificateSubject

      public static String getCertificateSubject(X509Certificate certificate)
      Gets the certificate subject DN.
      Parameters:
      certificate - the certificate
      Returns:
      the subject DN
    • getCertificateIssuer

      public static String getCertificateIssuer(X509Certificate certificate)
      Gets the certificate issuer DN.
      Parameters:
      certificate - the certificate
      Returns:
      the issuer DN
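getServerCertificates, getCertificateSubject and getCertificateIssuer together give what an operator needs to verify which certificate a host is actually serving, for instance to detect an interception proxy or an expired leaf. The class below is an added example, not code from the OpenSsl class or its documentation: it fetches the chain, prints subject, issuer and SHA-256 fingerprint for each element, and reports findings when the leaf is outside its validity window, self-signed, or does not match a fingerprint recorded out of band. `EXPECTED_LEAF_SHA256` is a placeholder; the OpenSsl calls are the ones documented above, and the fingerprint routine is standard JDK code.

```java
// Added example, not part of the OpenSsl class. Inspects the chain a server presents
// and compares the leaf against a recorded SHA-256 fingerprint.
import cloud.opencode.base.crypto.ssl.OpenSsl;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HexFormat;
import java.util.List;

public final class ServerCertCheck {

    private ServerCertCheck() {}

    /** SHA-256 over the DER encoding, lower-case hex without separators (same digest as "openssl x509 -fingerprint -sha256"). */
    public static String sha256Fingerprint(X509Certificate cert)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        return HexFormat.of().formatHex(digest);
    }

    /** Returns a list of findings about the leaf; an empty list means nothing unexpected. */
    public static List<String> inspect(X509Certificate[] chain, String expectedLeafSha256)
            throws NoSuchAlgorithmException, CertificateEncodingException {
        List<String> findings = new ArrayList<>();
        if (chain == null || chain.length == 0) {
            findings.add("server presented no certificate");
            return findings;
        }
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            findings.add("leaf certificate outside validity window: " + e.getMessage());
        }
        // Accept the expected value with or without the colon separators openssl prints.
        String expected = expectedLeafSha256.replace(":", "").toLowerCase();
        String actual = sha256Fingerprint(leaf);
        if (!actual.equals(expected)) {
            findings.add("leaf fingerprint mismatch: expected " + expected + ", got " + actual);
        }
        if (OpenSsl.getCertificateSubject(leaf).equals(OpenSsl.getCertificateIssuer(leaf))) {
            findings.add("leaf is self-signed");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "example.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 443;
        X509Certificate[] chain = OpenSsl.getServerCertificates(host, port);
        for (int i = 0; i < chain.length; i++) {
            System.out.printf("[%d] subject=%s%n    issuer=%s%n    sha256=%s%n", i,
                OpenSsl.getCertificateSubject(chain[i]),
                OpenSsl.getCertificateIssuer(chain[i]),
                sha256Fingerprint(chain[i]));
        }
        // Placeholder: record the real value from a trusted, out-of-band check of the host.
        String expected = "<EXPECTED_LEAF_SHA256>";
        for (String finding : inspect(chain, expected)) {
            System.out.println("FINDING: " + finding);
        }
    }
}
```

inspect() is side-effect free, so the same checks can run from a scheduled job that alerts when the served leaf changes unexpectedly.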
    • getSupportedProtocols

      public static String[] getSupportedProtocols()
      Gets the supported SSL/TLS protocols.
      Returns:
      the supported protocols
    • getSupportedCipherSuites

      public static String[] getSupportedCipherSuites()
      Gets the supported cipher suites.
      Returns:
      the supported cipher suites
    • isTls13Supported

      public static boolean isTls13Supported()
      Checks whether TLS 1.3 is supported.
      Returns:
      true if supported
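The three inspection methods above report what the runtime supports, which is broader than what should be enabled. The class below is an added example, not code from the OpenSsl class or its documentation: it derives SSLParameters from the supported lists that keep only TLS 1.2 and 1.3 and only forward-secret AEAD cipher suites, refuses to proceed if TLS 1.3 is unavailable, and reports which supported protocols were dropped. The OpenSsl calls are the ones documented above; the allow-list is the example's own choice.

```java
// Added example, not part of the OpenSsl class. Builds hardened SSLParameters from
// the protocols and cipher suites the runtime reports as supported.
import cloud.opencode.base.crypto.ssl.OpenSsl;

import javax.net.ssl.SSLParameters;
import java.util.Arrays;
import java.util.List;
import java.util.Set;

public final class TlsHardening {

    private TlsHardening() {}

    private static final Set<String> ALLOWED_PROTOCOLS = Set.of("TLSv1.3", "TLSv1.2");

    /** TLS 1.3 suites, plus TLS 1.2 ECDHE suites with an AEAD cipher; everything else is excluded. */
    static boolean isStrongSuite(String suite) {
        if (suite.startsWith("TLS_AES_") || suite.startsWith("TLS_CHACHA20_")) {
            return true; // TLS 1.3 suite names carry no key-exchange prefix
        }
        return suite.startsWith("TLS_ECDHE_")
            && (suite.contains("_GCM_") || suite.contains("_CHACHA20_POLY1305"));
    }

    public static SSLParameters hardenedParameters() {
        if (!OpenSsl.isTls13Supported()) {
            throw new IllegalStateException("TLS 1.3 is not available in this runtime");
        }
        String[] protocols = Arrays.stream(OpenSsl.getSupportedProtocols())
            .filter(ALLOWED_PROTOCOLS::contains)
            .toArray(String[]::new);
        String[] suites = Arrays.stream(OpenSsl.getSupportedCipherSuites())
            .filter(TlsHardening::isStrongSuite)
            .toArray(String[]::new);
        if (suites.length == 0) {
            throw new IllegalStateException("no acceptable cipher suites available");
        }
        SSLParameters params = new SSLParameters(suites, protocols);
        // Hostname verification is not automatic on raw SSLSocket/SSLEngine use; turn it on here.
        params.setEndpointIdentificationAlgorithm("HTTPS");
        return params;
    }

    /** Supported protocols that the hardened parameters leave disabled (e.g. SSLv3, TLSv1, TLSv1.1 where present). */
    public static List<String> droppedProtocols() {
        return Arrays.stream(OpenSsl.getSupportedProtocols())
            .filter(p -> !ALLOWED_PROTOCOLS.contains(p))
            .toList();
    }

    public static void main(String[] args) {
        SSLParameters params = hardenedParameters();
        System.out.println("protocols: " + Arrays.toString(params.getProtocols()));
        System.out.println("suites:    " + Arrays.toString(params.getCipherSuites()));
        System.out.println("dropped:   " + droppedProtocols());
    }
}
```

The returned parameters can be applied with `SSLSocket.setSSLParameters(...)` on sockets from getDefaultSocketFactory() or passed to `HttpClient.Builder.sslParameters(...)`; the `droppedProtocols()` list is useful in a startup log so that a legacy-protocol build is noticed rather than silently accepted.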