Posted to httpclient-users@hc.apache.org by Lalit Sahoo <la...@sonata-software.com> on 2007/03/08 14:05:18 UTC

Certificate Based Client Authentication

Hi All,

I am using the AuthSSLProtocolSocketFactory example code for SSL and
certificate based authentication.

I have written the following statement:

ProtocolSocketFactory socketFactory = new AuthSSLProtocolSocketFactory(
        keystoreURL, httpConnectParams.keystorePassword, null, null);

I am using Weblogic Application Server.

But when I am executing the client I am getting the following error:

javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate found

Is it necessary to provide a trust certificate?

Can anybody help me in this regard?

Regards,

Lalit


RE: Certificate Based Client Authentication

Posted by William Cai <wc...@xwarelabs.com>.
You may know the link http://e-docs.bea.com/wls/docs81/secmanage/ssl.html#1166927. Since you choose two-way SSL, it doesn't make sense to disable server side authentication. I doubt if there is such an option available. Please correct me if I'm wrong.

Thanks,
William



Re: Certificate Based Client Authentication

Posted by Julius Davies <ju...@gmail.com>.
Hi, William,

The technique I showed in my previous email doesn't disable
server-side auth - it just ignores the server's certificate... or in
other words, trusts any certificate the server supplies.

The EasyX509TrustManager example in the "contrib" section of the
HttpClient SVN repository is a good low-level example of this
technique.  See how it implements its own X509TrustManager:

http://svn.apache.org/viewvc/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasyX509TrustManager.java

But this X509TrustManager is very trusting!  It trusts everything!

[simplified...  the real one does check expiry]
-------------------------
public void checkServerTrusted(X509Certificate[] certificates, String authType) {
  // do nothing - so all server certificates are trusted!
}
-------------------------

yours,

Julius





-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


RE: Certificate Based Client Authentication

Posted by William Cai <ca...@acm.org>.
You may know the link http://e-docs.bea.com/wls/docs81/secmanage/ssl.html#1166927. Since you choose two-way SSL, it doesn't make sense to disable server side authentication. I doubt if there is such an option available. Please correct me if I'm wrong.

Thanks,
William



RE: Certificate Based Client Authentication

Posted by Lalit Sahoo <la...@sonata-software.com>.
Hi Julius,
 
Thanks for the help!
 
Actually I am using Weblogic 8.1.
 
I have configured weblogic to use two-way SSL.
 
Do I need to do anything on server side to stop server authentication?
 
Regards,
Lalit






Re: Certificate Based Client Authentication

Posted by Julius Davies <ju...@gmail.com>.
Hi, Lalit,

If you really, really, really are sure that you don't want to
"authenticate" the server (not recommended!) you can use
TrustMaterial.TRUST_ALL with "not-yet-commons-ssl-0.3.7.jar" like so:

------------------------------------------------------
char[] pwd = "secret".toCharArray();
KeyMaterial km = new KeyMaterial( "/path/to/client_cert.p12", pwd );

HttpSecureProtocol sf = new HttpSecureProtocol();
sf.setKeyMaterial( km );

// Trust ANY server!  NOT RECOMMENDED!
sf.setTrustMaterial( TrustMaterial.TRUST_ALL );

ProtocolSocketFactory psf = sf;
Protocol specialHttps = new Protocol("https-special", psf, 443);
Protocol.registerProtocol("https-special", specialHttps);

// From this point on, HttpClient will use the client cert specified
// for all URLs of the form "https-special://".
------------------------------------------------------


To do this just using the "HttpClient" contrib code is not possible.
Giving "null" to the AuthSSLProtocolSocketFactory just tells it to use
$JAVA_HOME/jre/lib/security/cacerts as the "truststore":

new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );


What you're trying to do is essentially a hybrid of
"EasySSLProtocolSocketFactory" (trusting any server), and
"AuthSSLProtocolSocketFactory" (providing a client certificate).

If you don't want to use not-yet-commons-ssl-0.3.7, you'll have to
code up the hybrid yourself using the "contrib" code to guide you.


yours,

Julius





RE: Certificate Based Client Authentication

Posted by Lalit Sahoo <la...@sonata-software.com>.
Hi Julius,

Thanks for the response!

You have advised me to do it this way:

URL keystore = new URL( "file:///path/to/keystore.jks" );
URL truststore = new URL( "file:///path/to/truststore.jks" );
String key_pwd = "secret";
String trust_pwd = "changeit";

AuthSSLProtocolSocketFactory sf;
sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore,
trust_pwd );


Suppose I don't want to authenticate the server; then I should use the following:


AuthSSLProtocolSocketFactory sf;
sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );

But I am getting SSL handshake error.

Could you please help?

Regards,
Lalit



Re: Certificate Based Client Authentication

Posted by Julius Davies <ju...@gmail.com>.
Hi, Lalit,

Consider downloading "not-yet-commons-ssl-0.3.7.jar"  from here:

http://juliusdavies.ca/commons-ssl/download.html

With "not-yet-commons-ssl-0.3.7.jar" on your classpath, you can do this:

------------------------------------------------------
char[] pwd = "secret".toCharArray();
KeyMaterial km = new KeyMaterial( "/path/to/client_cert.p12", pwd );
TrustMaterial tm = new TrustMaterial( "/path/to/server_cert.pem" );

HttpSecureProtocol sf = new HttpSecureProtocol();
sf.setKeyMaterial( km );
sf.addTrustMaterial( tm );

// Alternatively, if you want to disable Java's standard "cacerts", you
// can use setTrustMaterial() instead of addTrustMaterial():
// sf.setTrustMaterial( tm );

ProtocolSocketFactory psf = sf;
Protocol specialHttps = new Protocol("https-special", psf, 443);
Protocol.registerProtocol("https-special", specialHttps);

// From this point on, HttpClient will use the client cert specified
// for all URLs of the form "https-special://".
------------------------------------------------------

If you don't have the server's X509 certificate on hand, you can
download the certificate straight from the server by using the
"not-yet-commons-ssl" Ping utility, documented here:

http://juliusdavies.ca/commons-ssl/utilities.html

However, be aware that acquiring and trusting a certificate in this
way is not secure, since someone could impersonate the server in that
one moment.  It's better to acquire the server certificate
"out-of-band" through the mail or encrypted zip file or something like
that.

If you must acquire the certificate using the "Ping" utility, at the
very least call the server's administrator and verify the fingerprint
of the certificate you downloaded!

* * *

The rest of this email explains how to do things without
"not-yet-commons-ssl-0.3.7".

It's possible to do what you're doing without
"not-yet-commons-ssl-0.3.7.jar", and just using the contrib
AuthSSLProtocolSocketFactory alone.  If you want to do things that
way, create a special "TrustStore" JKS file and import the server's
certificate into it like so:

------------------------------------------------------
keytool -import -file x509.pem -keystore my_new_truststore.jks
------------------------------------------------------

The "x509.pem" file should look like this, but with several lines of
base64 - not just those two lines I've put in this example.

-----BEGIN CERTIFICATE-----
MIIGADCCA+gCCQDyLXt3uNXa9TANBgkqhkiG9w0BAQUFADCBwTELMAkGA1UEBhMC
Q0ExGTAXBgNVBAgTEEJyaXRpc2ggQ29sdW1iaWExEjAQBgNVBAcTCVZhbmNvdXZl
-----END CERTIFICATE-----

Keytool is a bit picky and might get upset if the PEM file contains
ANYTHING before or after the "BEGIN" and "END" lines, including
whitespace.  Make sure there are no extra line-feeds or carriage
returns before and after the "BEGIN" and "END".

Once you have both the "keystore" and "truststore" ready (both are
java keystore files), you can do this:

------------------------------------------------------
URL keystore = new URL( "file:///path/to/keystore.jks" );
URL truststore = new URL( "file:///path/to/truststore.jks" );
String key_pwd = "secret";
String trust_pwd = "changeit";

AuthSSLProtocolSocketFactory sf;
sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore,
trust_pwd );
------------------------------------------------------

If your client certificate is in PKCS12 format (e.g. *.pfx or *.p12)
after exporting from a browser, you can use the KeyStoreBuilder
utility in "not-yet-commons-ssl-0.3.7" to convert it to "Java
Keystore" format on the command line.  The original
AuthSSLProtocolSocketFactory in HttpClient's "contrib" cannot deal
with PKCS12.

java -cp not-yet-commons-ssl-0.3.7.jar org.apache.commons.ssl.KeyStoreBuilder


Good luck!


yours,

Julius


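Added example in plain JSSE, not code from this thread, from HttpClient's contrib or from not-yet-commons-ssl. It serves two points of the thread: Julius's earlier remark that the contrib EasyX509TrustManager's checkServerTrusted() does nothing, and the advice in this post to verify the downloaded certificate's fingerprint with the server administrator before trusting it. The block prints the SHA-256 fingerprint for that out-of-band check, then builds a client-certificate SSLContext from the keytool-built keystore and truststore whose trust manager runs the JDK PKIX validation and additionally pins the confirmed fingerprint; the pinning step goes beyond the thread, which only asks for the fingerprint to be checked by phone. Class and method names, file paths and passwords are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class StrictClientCertSsl {
    // Colon-separated hex digest of the DER bytes ("AB:CD:..."), the form an admin can read back.
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    // Reads one PEM or DER X.509 certificate, e.g. the server_cert.pem fetched with Ping.
    static X509Certificate loadCert(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            store.load(in, password);
        }
        return store;
    }

    // Unlike the do-nothing checkServerTrusted() of EasyX509TrustManager, this runs the JDK PKIX
    // validator over the keytool-built truststore (chain, expiry) and then pins the leaf's SHA-256.
    static X509TrustManager strictTrustManager(String truststorePath, char[] truststorePwd,
                                               final String expectedSha256) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadJks(truststorePath, truststorePwd));
        final X509TrustManager pkix = (X509TrustManager) tmf.getTrustManagers()[0];
        return new X509TrustManager() {
            public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { pkix.checkClientTrusted(chain, authType); }
            public void checkServerTrusted(X509Certificate[] chain, String authType)
                    throws CertificateException {
                if (chain == null || chain.length == 0) throw new CertificateException("empty server certificate chain");
                pkix.checkServerTrusted(chain, authType);
                String actual;
                try {
                    actual = fingerprint(chain[0], "SHA-256");
                } catch (Exception e) {
                    throw new CertificateException("cannot fingerprint server certificate", e);
                }
                if (!actual.equalsIgnoreCase(expectedSha256)) {
                    throw new CertificateException("server fingerprint mismatch: " + actual);
                }
            }
            public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
        };
    }

    // The same keystore/truststore pairing AuthSSLProtocolSocketFactory takes: the JKS keystore
    // supplies the client certificate, the strict trust manager judges the server.
    static SSLContext clientContext(String keystorePath, char[] keyPwd, X509TrustManager tm)
            throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadJks(keystorePath, keyPwd), keyPwd);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { tm }, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // 1. Print the fingerprint of the downloaded certificate and confirm it with the admin.
        X509Certificate server = loadCert("/path/to/server_cert.pem");
        System.out.println("SHA-256 " + fingerprint(server, "SHA-256"));
        // 2. Pin the confirmed value (placeholder here) and build the client-certificate context.
        X509TrustManager tm = strictTrustManager("/path/to/truststore.jks", "changeit".toCharArray(),
                "<SHA-256 fingerprint confirmed with the server administrator>");
        SSLContext ctx = clientContext("/path/to/keystore.jks", "secret".toCharArray(), tm);
        System.out.println("TLS context with client certificate ready: " + ctx.getProtocol());
    }
}
```

With HttpClient 3.x the resulting SSLContext still has to be wrapped in a SecureProtocolSocketFactory and registered with Protocol.registerProtocol(), exactly as the thread does for HttpSecureProtocol.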


RE: Certificate Based Client Authentication

Posted by Roland Weber <RO...@de.ibm.com>.
Hello Lalit,

Julius Davies has written some detailed mails about SSL in the last months.
You may have to search the developer list as well as the user list.

best regards,
  Roland


RE: Certificate Based Client Authentication

Posted by Lalit Sahoo <la...@sonata-software.com>.
Hi Roland,

Thanks for the response!

I have gone through the mailing list, but I didn't find a concrete answer.

Could you please give the URLs for these?

Regards,
Lalit



Re: Certificate Based Client Authentication

Posted by Roland Weber <RO...@de.ibm.com>.
Hello Lalit,

the answer you are looking for is in the mailing list archives.

best regards,
  Roland