I've made a little progress with this in my local workspace, but I'd
like to get the work out into the community so everyone can see it. To
this end I've created a temporary branch [1] under which I will be
committing changes as I go. I figured this was the easiest thing so I
can reorganise things, break the build etc. without disturbing our main
tree.
So far I've got the following:
- I'm passing some of the relevant certs/keys down to native code and
then into OpenSSL. I'm not 100% sure what I've done with this is right
so far, but it's work in progress!
- OpenSSL is performing the SSL handshake and, at least for a simple
client-server case, is succeeding with the certs passed from Java.
- I've modified the read/write methods on SSLSocketImpl to make calls
through natives into OpenSSL and they seem to be working. It's a little
bit hacked at the moment because I'm working from the starting point of
the JSSE implementation we already have, but the fact it works at least
verifies that the connection has been successfully made and OpenSSL has
been configured correctly.
I'll be committing these changes to the sandbox I've just created soon.
Please feel free to check out the tree and take a look/submit patches if
you like :) Things I still need to investigate are:
- Is the method I've used to pass down certs to OpenSSL sufficient?
- Reads from the socket are 1 byte at a time at the moment(!) - this
needs to be altered to use the OpenSSL calls more efficiently.
- How do I tell OpenSSL to use the Java SecureRandom implementation
rather than its own random number generator? Via an OpenSSL ENGINE?
- What's the best way to get/build the OpenSSL dependency?
Any comments/suggestions are welcome!
Regards,
Oliver
[1] https://svn.apache.org/repos/asf/harmony/enhanced/java/branches/omd
On 19/07/2010 17:15, Oliver Deakin wrote:
Hi all,
I'm currently investigating the possibility of implementing a JSSE
provider wrapping OpenSSL. This has a couple of obvious advantages:
- The onus of code maintenance and bug fixing in a security sensitive
area is moved outside of Harmony.
- New protocols can be integrated into the Harmony provider with
minimal effort (updating dependencies rather than implementing them
ourselves).
Really I'm sending this mail as a heads up, but would be interested to
know if anyone has any experience/opinions in this area. In
particular, I'd be interested in ideas on:
- the best way to setup OpenSSL as a dependency - precompile the
libraries and make them available for download or compile them at
build time on the user's machine.
- how to tie in the Java x-net APIs to the OpenSSL APIs.
Any comments/suggestions welcome.
Regards,
Oliver
--
Oliver Deakin
Unless stated otherwise above:
IBM United Kingdom Limited - Registered in England and Wales with number 741598.
Registered office: PO Box 41, North Harbour, Portsmouth, Hampshire PO6 3AU
