Mombu the Programming Forum > Programming > SSL for Java without keystores.

1  16th February 08:43
tobbe

SSL for Java without keystores.

Hi.

I know how to do an SSL implementation in Java that uses keys imported
by keytool into a keystore. But I find this rather inconvenient,
since I come from the C world of OpenSSL, where you load your
certificate files yourself inside your source.

What I want to do is to create a Java program that acts as an HTTPS
client. I want it to decide, from inside the source code, what the files
holding the PEM-encoded X.509 certificates (or in the worst case PKCS#12)
are called and where they are located.

In pseudocode, this will be something like (derived from how you do it
in OpenSSL):

* Create SSL-Context
* Load CA File
* Load Client Cert
* Load Client Key
* Create SSL Object
* Call HTTPS server
....
* End Connection


Every example that I have found on the internet assumes keystores, but
surely the (standard) Java lib must contain means to load the files
directly? Please note that it's of importance that the solution is
Java standard.


Can you please help me?


Best Regards

/Robert Bengtsson

2  16th February 08:43
pankaj_kumar


SSLContext sc = SSLContext.getInstance(proto);                // e.g. "TLS"

KeyManagerFactory kmf = KeyManagerFactory.getInstance(algo);  // e.g. "SunX509"
KeyStore ks = KeyStore.getInstance(kstype);                   // e.g. "PKCS12" or "JKS"
ks.load(null, null);                                          // empty in-memory store, nothing on disk
char[] passwd = ...
// p is the PrivateKey, cert its X509Certificate; the last argument is the certificate chain
ks.setKeyEntry(alias, p, passwd, new Certificate[] { cert });
kmf.init(ks, passwd);
// null trust managers = the JDK's default trust store; pass your own to trust a private CA
sc.init(kmf.getKeyManagers(), null, null);
SSLSocketFactory sf = sc.getSocketFactory();

// HttpsURLConnection's constructor is protected; obtain one from the URL instead
HttpsURLConnection uc = (HttpsURLConnection) url.openConnection();
uc.setSSLSocketFactory(sf);

You are ready to go!

Pankaj Kumar,
http://www.j2ee-security.net

3  16th February 08:43
tobbe



Thanks!

A co-worker of mine managed to get it right.
I provide the code in case anyone has the same problem.

So, here it is...

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/* Load CA-Chain file (PEM or DER; CertificateFactory reads either encoding) */
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(
        new FileInputStream("cacert.pem"));

/* Load client's public and private keys from the PKCS#12 file, then add the
   CA certificate as a trusted entry (PKCS12 trusted-certificate entries need JDK 8 or later) */
char[] pwd = "verrySecretPwd".toCharArray();
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(new FileInputStream("clientcertandkey.p12"), pwd);
ks.setCertificateEntry("verrySecretPwd", cert);   // first argument is an alias, not a password

/* Every certificate in ks becomes a trust anchor here: the CA, but also the
   client's own certificate from the key entry */
TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);

KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, pwd);   // the key password must be a char[]

/* and provide them for the SSLContext */
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);


/Robert Bengtsson
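The original question asked for PEM files loaded straight from source with only the standard library, and the thread's answer routes the client key through a PKCS#12 file and one shared keystore. The following is an added example, not code from any post in this thread: it reads the CA chain, client certificate and client key from PEM files into in-memory keystores, keeps the trust store separate from the key store so the client's own certificate never becomes a trust anchor, and uses the result with HttpsURLConnection. The file names ca.pem, client.pem and client-key.pem, the alias names, the in-memory password and the URL https://example.test/ are assumptions; the key file is assumed to be unencrypted PKCS#8.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext from PEM files alone: no keytool step, no keystore on disk.
 * Assumed files: ca.pem (one or more CA certificates), client.pem (client
 * certificate, leaf first) and client-key.pem (unencrypted PKCS#8,
 * "-----BEGIN PRIVATE KEY-----").
 */
public class PemSslContext {

    /** All certificates in a PEM (or DER) file; CertificateFactory accepts both encodings. */
    static List<X509Certificate> readCerts(Path pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(pem)) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) {
                out.add((X509Certificate) c);
            }
            return out;
        }
    }

    /** Unencrypted PKCS#8 key. The JDK does not parse PKCS#1 "BEGIN RSA PRIVATE KEY" files;
     *  convert those first with: openssl pkcs8 -topk8 -nocrypt -in rsa.key -out client-key.pem */
    static PrivateKey readPkcs8Key(Path pem, String algorithm) throws Exception {
        String text = new String(Files.readAllBytes(pem), StandardCharsets.US_ASCII);
        String base64 = text.replace("-----BEGIN PRIVATE KEY-----", "")
                            .replace("-----END PRIVATE KEY-----", "")
                            .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(base64);
        return KeyFactory.getInstance(algorithm).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    static SSLContext build(Path caPem, Path clientCertPem, Path clientKeyPem, String keyAlg)
            throws Exception {
        // Trust store: only the CA certificates. Kept apart from the client key so the
        // client certificate itself is never treated as a trust anchor.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        int i = 0;
        for (X509Certificate ca : readCerts(caPem)) {
            trust.setCertificateEntry("ca-" + i++, ca);   // alias names are arbitrary (assumed)
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        // Key store: the client key with its chain. The password only guards this
        // in-memory entry; nothing is ever written to disk.
        List<X509Certificate> chain = readCerts(clientCertPem);
        PrivateKey key = readPkcs8Key(clientKeyPem, keyAlg);
        char[] pw = "in-memory".toCharArray();   // assumed placeholder
        KeyStore keys = KeyStore.getInstance(KeyStore.getDefaultType());
        keys.load(null, null);
        keys.setKeyEntry("client", key, pw, chain.toArray(new Certificate[0]));
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, pw);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = build(Paths.get("ca.pem"), Paths.get("client.pem"),
                               Paths.get("client-key.pem"), "RSA");
        // Assumed endpoint. HttpsURLConnection checks the host name against the server
        // certificate by default; do not replace the HostnameVerifier to silence errors.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://example.test/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode() + " via " + conn.getCipherSuite());
        conn.disconnect();
    }
}
```

The two keystores exist only in memory, which is what the question was after; the "password" on the key entry is an API requirement, not a secret worth protecting. If the client key is EC rather than RSA, pass "EC" as the algorithm name.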

4  18th February 07:04
raoul

SSL for Java without keystores -> this seems to work!

Hi everyone,

Since I really used many of your postings about this issue, it's my turn
to contribute. SSL without keystores really seems a badly documented
feature, I guess. The last two days I have been turning Google inside out,
and with a lot of docs at sun.com I finally managed to get SSL working
without the authentication certificates. I understood this is called
anonymous SSL and is (of course) less secure than the certified one. You
may get 'a man in the middle attack', but I think that's still pretty
difficult if you throw in some extra security measures.

Anyway, the default connection type seems to be the certified one, so in
this case you have to enumerate all the anonymous cipher suites both the
client and the server can choose from (are there any more?) so they will
not use any other cipher suite.

Ok, now for the coding. What I made was a server waiting on a port for a
client to connect. If it detects a client, the server sends back a simple
string and both programs exit. Very simple, but the main thing is of
course the SSL part. If you think this is not working ok, or if it's not
secure at all, please let me know as I am trying to learn too ;-)

Greetings,
Raoul

First the client source, then the server:

import javax.net.ssl.*;
import java.io.*;

public class mySecureClient {

    public static void main(String[] args) {
        String host = "localhost";
        int port = 8080;

        // Anonymous Diffie-Hellman suites only: neither side presents a certificate,
        // so neither peer is authenticated. setEnabledCipherSuites throws
        // IllegalArgumentException for any name the JDK does not support, and current
        // JDKs disable anon, RC4, DES and EXPORT suites by default
        // (jdk.tls.disabledAlgorithms), so this list will not work there.
        String[] cipherSuite = { "SSL_DH_anon_WITH_RC4_128_MD5",
                                 "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
                                 "SSL_DH_anon_WITH_DES_CBC_SHA",
                                 "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
                                 "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA" };

        try {
            SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
            try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
                socket.setEnabledCipherSuites(cipherSuite);   // must be set before the handshake
                System.out.println("Secure socket made");
                BufferedReader br = new BufferedReader(
                        new InputStreamReader(socket.getInputStream()));
                String hostOutput = br.readLine();
                System.out.println(host + " responds with: " + hostOutput);
            }
        } catch (Exception e) {
            System.out.println("Error " + e.getMessage());
        }
    }
}


import javax.net.ssl.*;
import java.io.*;

public class mySecureServer {

    public static void main(String[] args) {
        int port = 8080;

        // Same anonymous-DH list as the client; the server needs no key material
        // for these suites, which is why no keystore is required at all.
        String[] cipherSuite = { "SSL_DH_anon_WITH_RC4_128_MD5",
                                 "SSL_DH_anon_WITH_3DES_EDE_CBC_SHA",
                                 "SSL_DH_anon_WITH_DES_CBC_SHA",
                                 "SSL_DH_anon_EXPORT_WITH_RC4_40_MD5",
                                 "SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA" };
        try {
            SSLServerSocketFactory factory =
                    (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
            try (SSLServerSocket svrSocket = (SSLServerSocket) factory.createServerSocket(port)) {
                svrSocket.setEnabledCipherSuites(cipherSuite);
                System.out.println("Server waiting for connection on port " + port);
                try (SSLSocket socket = (SSLSocket) svrSocket.accept();
                     DataOutputStream out = new DataOutputStream(socket.getOutputStream())) {
                    out.writeBytes("This is secured text coming from the server\n");
                    out.flush();
                }
                System.out.println("Client has made connection, server will exit");
            }
        } catch (Exception e) {
            System.out.println("Server not started: " + e.getMessage());
        }
    }
}
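The anonymous-suite pair above works by hand-picking suites that carry no peer authentication, which is exactly the property a man in the middle needs. As an added example, not code from Raoul's post or any project on this page, the following shows the opposite setting: a filter that removes every anonymous, NULL, EXPORT, RC4, DES/3DES and MD5 suite from what the JDK supports, and a post-handshake check that the peer really did present an X.509 certificate (anonymous suites have none, so getPeerCertificates() throws). Host and port are taken from the command line and are assumptions; the endpoint identification setting is what makes a raw SSLSocket verify the host name, which HttpsURLConnection does on its own but SSLSocket does not.

```java
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

/** Cipher-suite hygiene and a peer-authentication check for raw SSLSocket use. */
public class SuiteHygiene {

    /** Keeps only suites that authenticate the peer and use non-broken primitives. */
    static String[] hardenedSuites(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String s : supported) {
            String u = s.toUpperCase();
            boolean weak = u.contains("_ANON_")    // no authentication at all
                        || u.contains("_NULL_")    // no encryption or no integrity
                        || u.contains("_EXPORT_")  // 40/56-bit keys
                        || u.contains("_RC4_")
                        || u.contains("_DES_")     // single DES
                        || u.contains("3DES")      // 3DES (SWEET32-sized blocks)
                        || u.endsWith("_MD5");
            if (!weak) {
                keep.add(s);
            }
        }
        return keep.toArray(new String[0]);
    }

    /** Returns the peer's leaf certificate, or throws if the handshake authenticated nobody. */
    static X509Certificate requirePeerCertificate(SSLSession session)
            throws SSLPeerUnverifiedException {
        // With an anonymous suite this call itself throws SSLPeerUnverifiedException.
        Certificate[] chain = session.getPeerCertificates();
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SSLPeerUnverifiedException(
                    "no X.509 peer certificate from " + session.getPeerHost());
        }
        return (X509Certificate) chain[0];
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
        String[] supported = factory.getSupportedCipherSuites();
        String[] ok = hardenedSuites(supported);
        System.out.println(ok.length + " of " + supported.length + " supported suites kept");

        // Assumed usage: java SuiteHygiene <host> <port>
        if (args.length == 2) {
            try (SSLSocket socket = (SSLSocket) factory.createSocket(args[0], Integer.parseInt(args[1]))) {
                socket.setEnabledCipherSuites(ok);
                // Raw SSLSocket does not check the host name unless told to; "HTTPS" enables
                // the same RFC 2818 matching HttpsURLConnection applies by default.
                SSLParameters params = socket.getSSLParameters();
                params.setEndpointIdentificationAlgorithm("HTTPS");
                socket.setSSLParameters(params);
                socket.startHandshake();
                X509Certificate peer = requirePeerCertificate(socket.getSession());
                System.out.println("negotiated " + socket.getSession().getCipherSuite()
                        + " with " + peer.getSubjectX500Principal());
            }
        }
    }
}
```

Run without arguments it only prints how many of the JDK's supported suites survive the filter; with a host and port it connects, restricts the suites, enables host-name checking and refuses to proceed unless the server was authenticated by a certificate the JDK's trust store (or one built as in the earlier posts) accepts.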

