-
Notifications
You must be signed in to change notification settings - Fork 0
A PKCS#12-based Java SSLSocketFactory and certificate manager including client certificate support. No longer needed with PgJDBC.
License
ringerc/pkcs12provider
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Folders and files
| Name | Name | Last commit message | Last commit date | |
|---|---|---|---|---|
Repository files navigation
======================
TERMINATED
======================
Work on this project has been terminated and the code has been removed. This
approach proved to be too inflexible to make generic without essentially
reimplementing the Java APIs that exist for the purpose.
If you want these facilities, you're better off building them yourself
in your app from the Java KeyStore, KeyStore.Builder, CertPath,
CertPathValidator, KeyStore.ProtectionParameter, etc APIs.
See the java.security and java.security.cert packages, Java PKI
Programmer's Guide:
http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html
Java Cryptography Architecture:
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#ProviderArch
http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html
Generally, use a KeyStore.Builder and KeyStore.ProtectionParameter to store a
"potential" keystore that you can decrypt via the KeyStore.ProtectionParameter
callback (eg with KeyStore.PasswordProtection or
KeyStore.CallbackHandlerProtection) when it's needed. If you want PKCS#12
format certs just use keystore type "pkcs12".
Once you have a KeyStore for your custom SSLSocketFactory, you can use a custom
X509TrustManager and X509KeyManager to supply keys and validate certs. Cert
validation should be done by building a CertPath from the X509Certificate[]
from the peer using CertificateFactory, building a Set<TrustAnchor> from your
set of trusted certificates (or using your KeyStore containing trusted certs),
and using CertPathValidator to check the path against the trusted certs.
If time permits I'll put a sample implementation up here, but don't hold your
breath.
My own app turns out to be better off setting java.net.ssl.keystore and
java.net.ssl.truststore to an app-maintained JKS store, and providing UI to
help the user import a PKCS#12 cert into the store if a server is found to
require a client cert, or a pem file if a server is found to be untrusted.
That way the standard Java SSLSocketFactory, X509TrustManager, X509KeyManager
etc may be used unchanged.
About
A PKCS#12-based Java SSLSocketFactory and certificate manager including client certificate support. No longer needed with PgJDBC.
Resources
License
Stars
Watchers
Forks
Releases
No releases published
Packages 0
No packages published