-
Notifications
You must be signed in to change notification settings - Fork 0
A PKCS#12-based Java SSLSocketFactory and certificate manager including client certificate support. No longer needed with PgJDBC.
License
ringerc/pkcs12provider
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
====================== TERMINATED ====================== Work on this project has been terminated and the code has been removed. This approach proved to be too inflexible to make generic without essentially reimplementing the Java APIs that exist for the purpose. If you want these facilities, you're better off building them yourself in your app from the Java KeyStore, KeyStore.Builder, CertPath, CertPathValidator, KeyStore.ProtectionParameter, etc APIs. See the java.security and java.security.cert packages, Java PKI Programmer's Guide: http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html Java Cryptography Architecture: http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderArch http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html Generally, use a KeyStore.Builder and KeyStore.ProtectionParameter to store a "potential" keystore that you can decrypt via the KeyStore.ProtectionParameter callback (eg with KeyStore.PasswordProtection or KeyStore.CallbackHandlerProtection) when it's needed. If you want PKCS#12 format certs just use keystore type "pkcs12". Once you have a KeyStore for your custom SSLSocketFactory, you can use a custom X509TrustManager and X509KeyManager to supply keys and validate certs. Cert validation should be done by building a CertPath from the X509Certificate[] from the peer using CertificateFactory, building a Set<TrustAnchor> from your set of trusted certificates (or using your KeyStore containing trusted certs), and using CertPathValidator to check the path against the trusted certs. If time permits I'll put a sample implementation up here, but don't hold your breath. My own app turns out to be better off setting java.net.ssl.keystore and java.net.ssl.truststore to an app-maintained JKS store, and providing UI to help the user import a PKCS#12 cert into the store if a server is found to require a client cert, or a pem file if a server is found to be untrusted. That way the standard Java SSLSocketFactory, X509TrustManager, X509KeyManager etc may be used unchanged.
About
A PKCS#12-based Java SSLSocketFactory and certificate manager including client certificate support. No longer needed with PgJDBC.
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published