AppletTalk.com Java discussions newsgroups
Robert Bengtsson Guest
Posted: Wed Sep 24, 2003 8:18 am Post subject: SSL for Java without keystores.
Hi.
I know how to do an SSL implementation in Java that uses keys imported
by keytool into a keystore. But I find this rather inconvenient,
since I come from the C world of OpenSSL where you load your
certificate files yourself inside your source.
What I want to do is to create a Java program that acts as an HTTPS
client. I want it to decide from inside the source code what the files
holding the PEM-encoded X.509 certificates (or in the worst case PKCS#12)
are called and where they are located.
In pseudocode, this will be something like (derived from how you do it
in OpenSSL):
* Create SSL-Context
* Load CA File
* Load Client Cert
* Load Client Key
* Create SSL Object
* Call HTTPS server
....
* End Connection
Every example that I have found on the internet assumes keystores, but
surely the (standard) Java lib must contain means to load the files
directly? Please note that it's important that the solution is
standard Java.
Can you please help me?
Best Regards
/Robert Bengtsson
JK Guest
Posted: Wed Sep 24, 2003 3:40 pm Post subject: Re: SSL for Java without keystores.
Have a look at the CertificateFactory or KeyFactory classes:
import java.io.FileInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.PrivateKey;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(
        new FileInputStream("encodedCertFile"));
KeyFactory kf = KeyFactory.getInstance("DSA");
// PKCS8EncodedKeySpec takes the raw PKCS#8 bytes of the key file
PrivateKey p = kf.generatePrivate(new PKCS8EncodedKeySpec(
        Files.readAllBytes(Paths.get("privateKeyFileName"))));
for PEM encoding or similar for other encodings.
Regards
JK.
Robert Bengtsson Guest
Posted: Thu Sep 25, 2003 6:13 am Post subject: Re: SSL for Java without keystores.
Hello JK
Thank you for your quick reply.
I think I fairly understand how to do it now, but if you've got a piece of
code to paste here explaining how to set up 2-way SSL (with client
authentication) and load the RSA X.509-encoded private and public
keys as well as the CA chain, it would be most kind.
Best Regards
Robert Bengtsson
Pankaj Kumar Guest
Posted: Thu Sep 25, 2003 6:21 am Post subject: Re: SSL for Java without keystores.
> * Create SSL-Context
SSLContext sc = SSLContext.getInstance(proto);
> * Load CA File
> * Load Client Cert
> * Load Client Key
> CertificateFactory cf = CertificateFactory.getInstance("X.509");
> X509Certificate cert = (X509Certificate) cf.generateCertificate(
>         new FileInputStream("encodedCertFile"));
> KeyFactory kf = KeyFactory.getInstance("DSA");
> PrivateKey p = kf.generatePrivate(new PKCS8EncodedKeySpec(
>         Files.readAllBytes(Paths.get("privateKeyFileName"))));
> for PEM encoding or similar for other encodings.
> Regards
> JK.
> * Create SSL Object
KeyManagerFactory kmf = KeyManagerFactory.getInstance(algo);
KeyStore ks = KeyStore.getInstance(kstype);
ks.load(null, null);   // empty in-memory keystore, nothing is read from disk
char[] passwd = ...
ks.setKeyEntry(alias, p, passwd, new Certificate[] { cert });
kmf.init(ks, passwd);
sc.init(kmf.getKeyManagers(), ...);
SSLSocketFactory sf = sc.getSocketFactory();
> * Call HTTPS server
HttpsURLConnection uc = (HttpsURLConnection) url.openConnection();
uc.setSSLSocketFactory(sf);
You are ready to go!
Pankaj Kumar,
www.j2ee-security.net
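Robert asked for a pure-Java way to go from PEM files to a two-way SSL context, and Pankaj's outline above builds one through an in-memory KeyStore. The class below is an added example (not from any poster or from j2ee-security.net) that carries that outline through with standard Java only: the file names, the helper names pemToDer/build and the keyAlg parameter are assumptions, and the key file is assumed to be an unencrypted PKCS#8 PEM ("BEGIN PRIVATE KEY", e.g. from openssl pkcs8 -topk8 -nocrypt); a traditional "BEGIN RSA PRIVATE KEY" file is PKCS#1 and will not parse with PKCS8EncodedKeySpec.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.*;
import java.security.cert.*;
import java.security.cert.Certificate;   // single-type import wins over java.security.Certificate
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;
import javax.net.ssl.*;

public class PemSslContext {
    // PEM is just Base64-encoded DER between BEGIN/END lines; strip the armour and decode.
    static byte[] pemToDer(Path file) throws IOException {
        StringBuilder b64 = new StringBuilder();
        for (String line : Files.readAllLines(file, StandardCharsets.US_ASCII)) {
            if (!line.startsWith("-----")) b64.append(line.trim());
        }
        return Base64.getMimeDecoder().decode(b64.toString());
    }

    // caPem: CA chain (one or more certs); certPem: client cert; keyPem: unencrypted PKCS#8 key
    // (assumed "-----BEGIN PRIVATE KEY-----"); keyAlg: "RSA" or "EC", matching the key.
    static SSLContext build(Path caPem, Path certPem, Path keyPem, String keyAlg) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Collection<? extends Certificate> chain = cf.generateCertificates(Files.newInputStream(caPem));
        X509Certificate client = (X509Certificate) cf.generateCertificate(Files.newInputStream(certPem));
        // PKCS8EncodedKeySpec takes DER bytes, so the PEM is decoded first.
        PrivateKey key = KeyFactory.getInstance(keyAlg)
                .generatePrivate(new PKCS8EncodedKeySpec(pemToDer(keyPem)));

        // load(null, null) creates an empty in-memory KeyStore; nothing is written to disk.
        char[] pw = "in-memory-only".toCharArray();   // wraps the entry in RAM, never persisted
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        int n = 0;
        for (Certificate ca : chain) trust.setCertificateEntry("ca" + n++, ca);
        KeyStore ident = KeyStore.getInstance(KeyStore.getDefaultType());
        ident.load(null, null);
        ident.setKeyEntry("client", key, pw, new Certificate[] { client });

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);                 // trusts only the CA chain given above, not the JRE cacerts
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ident, pw);             // presents the client cert when the server requests one
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Attach the result with uc.setSSLSocketFactory(ctx.getSocketFactory()) on the HttpsURLConnection as Pankaj shows; the connection then trusts only the CA chain passed in, not the JRE's default cacerts.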
Robert Bengtsson Guest
Posted: Thu Sep 25, 2003 1:29 pm Post subject: Re: SSL for Java without keystores.
Thanks!
A co-worker of mine managed to get it right.
I'm providing the code in case anyone has the same problem.
So, here it is... :)
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
/* Load CA-Chain file */
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(
        new FileInputStream("cacert.pem"));
/* Load client's public and private keys from the PKCS#12 file, then add the CA cert as a trusted entry */
char[] pwd = "verrySecretPwd".toCharArray();
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(new FileInputStream("clientcertandkey.p12"), pwd);
ks.setCertificateEntry("cacert", cert);   // alias can be any name
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, pwd);
/* and provide them for the SSLContext */
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
/Robert Bengtsson
Raoul Guest
Posted: Thu Sep 25, 2003 9:10 pm Post subject: Re: SSL for Java without keystores -> this seems to work!
Hi everyone,
Since I really used many of your postings about this issue, it's my turn
to contribute. SSL without keystores really seems to be a badly documented
feature, I guess. The last two days I have been turning Google inside out
and with a lot of docs at sun.com I finally managed to get SSL working
without the authentication certificates. I understood this is called
anonymous SSL and is (of course) less secure than the certified one. You
may get 'a man in the middle attack', but I think that's still pretty
difficult if you throw in some extra security measures.
Anyway, the default connection type seems to be the certified one, so in
this case you have to enumerate all the anonymous cipher suites both the
client and the server can choose from (are there any more?) so they will
not use any other cipher suite.
Ok, now for the coding. What I made was a server waiting on a port for a
client to connect. If it detects a client, the server sends back a simple
string and both programs exit. Very simple, but the main thing is of
course the SSL part. If you think this is not working ok or if it's not
secure at all, please let me know as I am trying to learn too ;-)
Greetings,
Raoul
First the client source, then the server:
import javax.net.ssl.*;
import java.io.*;

public class mySecureClient {
    public static void main(String[] args) {
        String host = "localhost";
        int port = 8080;
        // anonymous Diffie-Hellman suites: no certificate on either side, so neither peer is authenticated
        String[] cipherSuite = { "SSL_DH_anon_WITH_RC4_128_MD5",
                                 "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
                                 "SSL_DH_anon_WITH_DES_CBC_SHA",
                                 "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
                                 "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA" };
        try {
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
            socket.setEnabledCipherSuites(cipherSuite);
            System.out.println("Secure socket made");
            BufferedReader br = new BufferedReader(new InputStreamReader(socket.getInputStream()));
            String hostOutput = br.readLine();
            System.out.println(host + " responds with: " + hostOutput);
            socket.close();
        } catch (Exception e) {
            System.out.println("Error " + e.getMessage());
        }
    }
}
import javax.net.ssl.*;
import java.io.*;

public class mySecureServer {
    public static void main(String[] args) {
        int port = 8080;
        // same anonymous suites as the client, so the handshake can only pick one of these
        String[] cipherSuite = { "SSL_DH_anon_WITH_RC4_128_MD5",
                                 "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
                                 "SSL_DH_anon_WITH_DES_CBC_SHA",
                                 "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
                                 "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA" };
        try {
            SSLServerSocketFactory factory = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
            SSLServerSocket svrSocket = (SSLServerSocket) factory.createServerSocket(port);
            svrSocket.setEnabledCipherSuites(cipherSuite);
            System.out.println("Server waiting for connection on port " + port);
            SSLSocket socket = (SSLSocket) svrSocket.accept();
            DataOutputStream out = new DataOutputStream(socket.getOutputStream());
            // trailing newline so the client's readLine() returns without waiting for the stream to close
            out.writeBytes("This is secured text coming from the server\n");
            out.flush();
            socket.close();
            svrSocket.close();
            System.out.println("Client has made connection, server will exit");
        } catch (Exception e) {
            System.out.println("Server not started: " + e.getMessage());
        }
    }
}
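Raoul's client and server restrict themselves to anonymous DH suites, so neither side presents a certificate. As an added example (not Raoul's code), the client below does the opposite check after the handshake: it turns on HTTPS-style host name verification and refuses a session in which the peer was not authenticated. Host and port come from the command line; connectAndVerify is an assumed name.

```java
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class AuthenticatedPeerCheck {
    // Connects, forces host-name checking, and returns protocol, suite and the server's subject.
    // Throws SSLPeerUnverifiedException if the negotiated suite authenticated nobody.
    static String connectAndVerify(String host, int port) throws IOException {
        SSLSocketFactory f = (SSLSocketFactory) SSLSocketFactory.getDefault();
        try (SSLSocket s = (SSLSocket) f.createSocket(host, port)) {
            SSLParameters p = s.getSSLParameters();
            // HTTPS endpoint identification: the certificate must match the host we dialled
            p.setEndpointIdentificationAlgorithm("HTTPS");
            s.setSSLParameters(p);
            s.startHandshake();          // must come after the parameters are set
            SSLSession sess = s.getSession();
            String suite = sess.getCipherSuite();
            if (suite.contains("_anon_")) {
                throw new SSLPeerUnverifiedException("anonymous suite negotiated: " + suite);
            }
            // With an anonymous suite there is no peer certificate and this call throws as well.
            Certificate[] chain = sess.getPeerCertificates();
            X509Certificate leaf = (X509Certificate) chain[0];
            return sess.getProtocol() + " " + suite + " " + leaf.getSubjectX500Principal().getName();
        }
    }

    public static void main(String[] args) throws IOException {
        System.out.println(connectAndVerify(args[0], Integer.parseInt(args[1])));
    }
}
```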