Reference Implementation Additional APIs

This note provides a brief overview of additional APIs provided by the JSSE reference implementation for trust and key management.

com.sun.net.ssl

This package includes classes and interfaces which are not part of the standard socket extension but are necessary for constructing new secure socket factories with specifically configured authentication capabilities and the associated trust and key management support. The package defines 3 provider-based classes.
  1. KeyManagerFactory is a factory for key managers that provide access to private credentials used to authenticate to a remote secure socket peer. A typical example would be a private key and its associated X.509 public key certificate chain. A single secure socket factory may support authentication using multiple keys and types of keys. Installed security providers may implement a variety of named key manager factory algorithms. Each key manager factory knows how to derive its key material from the optional KeyStore initialization parameter in addition to any provider-specific access to key material. The reference implementation provider contains a "SunX509" factory which can derive X509-related key material from a key store.

  2. TrustManagerFactory is a factory for trust managers that make decisions about whether to trust the authentication material provided by a remote peer. A typical example would be an X.509 certificate chain. A single secure socket factory may support multiple root certificate authority public keys or multiple types of trust managers. Installed security providers may implement a variety of named trust manager factory algorithms. Each trust manager factory knows how to derive its trust material, such as trusted root certificates, from the optional KeyStore initialization parameter in addition to any provider-specific access to trust material. The reference implementation provider contains a "SunX509" factory which can derive X509-related trust material from a key store. If a null key store is provided during initialization, it defaults to reading the "cacerts" file provided with the JRE in the "jre/lib/security" directory.

  3. SSLContext holds the overall state associated with an instance of a provider-specific implementation of a named SSL-like protocol. It is initialized with a set of key and trust managers which it uses to support local and remote authentication. In addition, it may also include provider-specific key and trust management state. This class acts as a factory for socket factories which share this common key and trust management state as well as any cached session state used by sockets created with this context.
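The following is an added example, not code from the JSSE reference implementation itself, showing how the three classes above fit together: a "SunX509" KeyManagerFactory supplies the local private credential, a "SunX509" TrustManagerFactory supplies the trust anchors (a null KeyStore falling back to the JRE's cacerts file), and an SSLContext combines both into a socket factory. It assumes the JSSE provider is already registered (in java.security or via Security.addProvider) and that the key store file names and passwords are placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.SSLSocketFactory;
import com.sun.net.ssl.KeyManagerFactory;
import com.sun.net.ssl.SSLContext;
import com.sun.net.ssl.TrustManagerFactory;

public class ConfiguredContext {

    // Loads a JKS key store from a file; the path and password are assumptions.
    static KeyStore loadKeyStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(path);
        try {
            store.load(in, password);
        } finally {
            in.close();
        }
        return store;
    }

    // Builds an SSLContext whose key material comes from keystorePath and whose
    // trust anchors come from truststorePath. Passing null for truststorePath
    // initializes the "SunX509" trust manager factory with a null KeyStore,
    // which makes it read the JRE's cacerts file instead.
    public static SSLContext build(String keystorePath, char[] keystorePass,
                                   String truststorePath, char[] truststorePass)
            throws Exception {
        // Private credential: a private key plus its X.509 certificate chain.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(loadKeyStore(keystorePath, keystorePass), keystorePass);

        // Trust material: only the CA certificates in this store are accepted
        // as anchors for the remote peer's chain.
        KeyStore trustStore = (truststorePath == null)
                ? null : loadKeyStore(truststorePath, truststorePass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trustStore);

        // The context ties key managers, trust managers and the session cache
        // together; every socket factory obtained from it shares that state.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = build("client.jks", "changeit".toCharArray(),
                               "truststore.jks", "changeit".toCharArray());
        SSLSocketFactory factory = ctx.getSocketFactory();
        // Sockets from this factory present the client credential and verify the
        // peer against the configured trust anchors, not against cacerts.
        System.out.println("Socket factory ready: " + factory.getClass().getName());
    }
}
```

Supplying an explicit trust store rather than relying on cacerts is the point of the TrustManagerFactory parameter: it limits which certificate authorities can vouch for a peer to the ones the application actually intends to accept.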

Supported Providers

The JSSE reference implementation currently supports 1 security provider named "JSSE". This is likely to be renamed in a future pre-final release to "SunJSSE". This provider contains implementations of the three above classes through their respective getInstance methods. In addition, it contains support for RSA signature-related algorithms. Other algorithms are used internally to implement a variety of supported cipher suites but are not generally exposed through the provider.

See the Java API documentation for further details.


java-security@java.sun.com