OpenSSL with Java

Question

I have to use OpenSSL in a Java web project and I don't know anything about 'OpenSSL'.

How can I integrate OpenSSL with my project? is there any good fundamental tutorials to learn this?

Answer 1

First of all: what do you need the library for?

• If you are going to use simple cryptographic functions, then use the Java SE Security components deployed with the JDK.
• If you need more advanced functions (such as some digital signing formats, etc), use a cryptographic library (BouncyCastle is one of the the most popular)
• But, if what you need is to open SSL connections from Java code, and handle certificates authentication, etc, you won't need any of these:
  • If you are working on a Java EE Container, your container can validate incoming SSL requests: it's just a matter of configuration
  • Also, if you need to connect to a SSL port, the JDK presents some basic classes for doing so (see this example). Note that in this case, you'll need to set some system properties on your java command.

Like these properties:

-Djavax.net.ssl.keyStore=keystore_path -Djavax.net.ssl.keyStorePassword=password -Djavax.net.ssl.trustStore=truststore_path -Djavax.net.ssl.trustStorePassword=trustword 

Answer 2

Everyone talks about BouncyCastle, but in our use case Gnu Crypto library won the day. Native java.

Our database ( aerospike ) spends at least 10% of its time computing hashes in java, for some customers, simply because these implementations are slow. I welcome when there's a native implementation of the crypto libraries available on every Linux machine. I thought some of the Java7 VMs were going to include more algorithms, but I haven't seen them yet.

Answer 3

Apache Tomcat Native Library is the solution. https://github.com/apache/tomcat-native

It uses OpenSSL for TLS/SSL capabilities. You can use it as standalone library (as I did) or connect your Tomcat. It is open source project with well documented Java code.

Why tomcat native?

JSSE is slow and hard to use. In my project to get best performance we've decided to find/write JNI wrapper for OpenSSL as possibility for upgrading certificates on-the-fly is a question mark and Key Stores are too complex.

As Bouncy Castle Crypto APIs is written in Java you cannot expect best efficiency.

Tomcat Native is a wrapper so you are limited only to capabilities of your OpenSSL version.

Answer 4

Best solution: Use Java's built-in security for simple tasks or use BouncyCastle for more advanced ones.

If you HAVE TO use OpenSSL from Java you have 2 choices:

1. Call openssl as a process from Java.
2. Make a JNI layer to OpenSSL, but that seems like a complete waste of time to me. None of those are really good ways of doing it.