Commons-SSL includes support for extracting private keys from PKCS #8 files.
-We also support the OpenSSL formats ("traditional SSLeay"). The private keys can be in PEM (base64)
-or DER (raw ASN.1 - a binary format).
- The code works with Java 1.3 (+JCE), 1.4, 5.0, 6.0, but not all of the ciphers and hashes are available
-until Java 5.0 (unless you use BouncyCastle). Fortunately the most common formats [OpenSSL MD5 with 3DES], [PKCS #8 V1.5 MD5 with DES], [PKCS #8 V2.0 HmacSHA1 with 3DES]
-work with all versions of Java, including Java 1.3. Both RSA and DSA keys are supported. Here is a list of supported formats:
-Here are links to the raw samples and test results:
-not-yet-commons-ssl
-
-
-
-PKCS #8 / OpenSSL Encrypted Keys
-
-Java 1.3 Compatible! (with jce1_2_2.jar) (or bcprov-jdk13.jar)
-pkcs8 example:
-
-FileInputStream in = new FileInputStream( "/path/to/pkcs8_private_key.der" );
-
-// If the provided InputStream is encrypted, we need a password to decrypt
-// it. If the InputStream is not encrypted, then the password is ignored
-// (can be null). The InputStream can be DER (raw ASN.1) or PEM (base64).
-PKCS8Key pkcs8 = new PKCS8Key( in, "changeit".toCharArray() );
-
-// If an unencrypted PKCS8 key was provided, then this actually returns
-// exactly what was originally passed in (with no changes). If an OpenSSL
-// key was provided, it gets reformatted as PKCS #8 first, and so these
-// bytes will still be PKCS #8, not OpenSSL.
-byte[] decrypted = pkcs8.getDecryptedBytes();
-PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec( decrypted );
-
-// A Java PrivateKey object is born.
-PrivateKey pk = null;
-if ( pkcs8.isDSA() )
-{
- pk = KeyFactory.getInstance( "DSA" ).generatePrivate( spec );
-}
-else if ( pkcs8.isRSA() )
-{
- pk = KeyFactory.getInstance( "RSA" ).generatePrivate( spec );
-}
-
-// For lazier types:
-pk = pkcs8.getPrivateKey();
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
The samples were all generated using OpenSSL's
-rsa
, genrsa
, dsa
, gendsa
, dsaparam
-and pkcs8
commands. We're curious to know if
-PKCS #8 keys created by other programs will also work, but OpenSSL is all we have to play
-with at the moment.
The password to decrypt the samples is always "changeit", and they all have the same RSA or DSA -key.
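Review bot: this hunk deletes the only page that records which password-based encryption formats the bundled not-yet-commons-ssl accepts on each Java version (the text names "OpenSSL MD5 with 3DES", "PKCS #8 V1.5 MD5 with DES" and "PKCS #8 V2.0 HmacSHA1 with 3DES" as the ones that work without BouncyCastle); if the 3rdparty library itself stays in the tree, the commit message should say where this compatibility information now lives, since consumers choosing a key format will otherwise have nothing to go on. Minor, for anyone re-hosting the snippet: the example opens `FileInputStream in = new FileInputStream( "/path/to/pkcs8_private_key.der" );` and never closes it, and the comment that the password "is ignored (can be null)" for unencrypted input is worth keeping next to the constructor call.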
- - - http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/06a2c229/3rdparty/not-yet-commons-ssl/docs/rmi.html ---------------------------------------------------------------------- diff --git a/3rdparty/not-yet-commons-ssl/docs/rmi.html b/3rdparty/not-yet-commons-ssl/docs/rmi.html deleted file mode 100644 index 6d7b2b6..0000000 --- a/3rdparty/not-yet-commons-ssl/docs/rmi.html +++ /dev/null @@ -1,102 +0,0 @@ - - -LocateRegistry.createRegistry( 1099 )
-from within your own application. You must do this AFTER calling RMISocketFactory.setSocketFactory( impl )
.
-RMISocketFactoryImpl will open the registry on 1099, and will open anonymous RMI servers (where port 0 is
-specified) on port 31099.
-RMI-SSL, as shown here, doesn't work with $JAVA_HOME/bin/rmiregistry
.
-RMISocketFactory.setSocketFactory( impl )
.
-RMI over SSL Example - -import org.apache.commons.ssl.RMISocketFactoryImpl; - -// RMISocketFactoryImpl tries to detect plain sockets, so you should be able to use -// this even in situations where not all of the RMI servers you are talking to are -// using SSL. -RMISocketFactoryImpl impl = new RMISocketFactoryImpl(); - -// Let's change some settings on our default SSL client. -SSLClient defaultClient = (SSLClient) impl.getDefaultClient(); -client.setCheckHostname( false ); -client.setCheckCRL( true ); -client.setCheckExpiry( false ); - -// By default we trust Java's "cacerts", as well as whatever cert is on localhost:1099, -// so this is redundant: (Trusting localhost:1099 is some commons-ssl magic). -client.addTrustMaterial( TrustMaterial.DEFAULT ); - -// But if we had used setTrustMaterial() instead of addTrustMaterial(), we would (probably) -// no longer trust localhost:1099! Using set instead of add causes all previous "adds" to -// to be thrown out. - -// Meanwhile, RMI calls to rmi://special.com:1099/ need to trust a self-signed certificate, -// but we don't want to pollute our default trust with this shoddy cert. So only calls -// specifically to "special.com" (any port) will use this. -SSLClient specialClient = new SSLClient(); -TrustMaterial tm = new TrustMaterial( "special.pem" ); -specialClient.addTrustMaterial( tm ); -// Here's where the special cert gets associated with "special.com": -impl.setClient( "special.com", specialClient ); - - -// We're might also want to be an RMI server ourselves! 
-// By default commons-ssl looks for "~/.keystore" and tries password "changeit", -// but we can change things if we want: -SSLServer server = (SSLServer) impl.getDefaultServer(); -tm = new TrustMaterial( "trust_only_these_client_certs.pem" ); -KeyMaterial km = new KeyMaterial( "/path/to/myKey.p12", "password".toCharArray() ); -server.setTrustMaterial( tm ); -server.setKeyMaterial( km ); -// This particular RMI server will only accept connections with client certs! -server.setNeedClientAuth( true ); - -// Finally, we tell Java to use our new RMI socket factory! -RMISocketFactory.setSocketFactory( impl );-
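Review bot: the RMI example being removed here is internally inconsistent, so if it is reproduced anywhere else it should be fixed rather than copied: `SSLClient defaultClient = (SSLClient) impl.getDefaultClient();` is followed by `client.setCheckHostname( false );` and two more calls on a `client` variable that is never declared. The same lines also turn hostname verification off on the default client for all RMI traffic, and the comment notes that localhost:1099 is trusted implicitly; both are behaviours a reader should be told are deliberate trade-offs, not defaults to copy.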
- - -- - http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/06a2c229/3rdparty/not-yet-commons-ssl/docs/roadmap.html ---------------------------------------------------------------------- diff --git a/3rdparty/not-yet-commons-ssl/docs/roadmap.html b/3rdparty/not-yet-commons-ssl/docs/roadmap.html deleted file mode 100644 index 3962540..0000000 --- a/3rdparty/not-yet-commons-ssl/docs/roadmap.html +++ /dev/null @@ -1,86 +0,0 @@ - - -
0.3.10 - 0.3.11 are just some feature ideas. They might not be feasible. 0.3.9 is the current version.
-Version | Release Date? | Description |
---|---|---|
0.3.4 | Nov 2006 | 90% feature complete. Probably contains some bugs. |
0.3.5 | Dec 2006 | PKCS8Key constructor is public now. Whoops. Hostname verification -knows about more than just CN's now - also checks subjectAlts in the server's certificate. |
0.3.6 | Jan 2007 | Fixed Java 1.4 bug with HttpsURLConnection. |
0.3.7 | Feb 2007 | 40 bit and 56 bit ciphers disabled by default. RMI-SSL improved. getSSLContext() added. Various other improvements. |
0.3.8 | Nov 2007 | PBE (password-based-encryption) formally introduced and improved. 40 bit and 56 bit ciphers still disabled by default, but working better when re-enabled. |
0.3.9 | May 2008 | Some PBE fixes. Using latest ASN.1 code from BouncyCastle. |
0.3.10 | May 2008 |
- -Socket monitoring. Make it easier for long-running server applications to warn -about impending certificate expiries. - --OCSP - Online Certificate Status Protocol - - --NotQuiteSoEasySSLProtocolSocketFactory will trust any server The First Time, and store that server's cert on disk for future accesses. - - |
0.3.11 | Jun 2008 | TrustMaterial.setAutoReload( true / false ) , and KeyMaterial.setAutoReload( true / false ) ,
-but only if no password, or "changeit" was provided. (Question: should this "reload" tear down all open sockets?).
- |
0.4.0 | Jul 2008 | Non-public code (protected, private, etc) moved into a separate "impl" package where possible. |
0.5.0 | Aug 2008 | API froven. All future versions must be reverse-compatible with 0.5.0 (except for any parts of 0.5.0 later found to be insecure). |
0.7.0 | Nov 2008 | JavaDocs written for all public methods and classes. |
0.7.5 | Mar 2009 | JUnit tests written for all classes. |
0.9.0 | May 2009 | First BETA release. JUnit tests passing on all targetted platforms:
-
-
|
0.9.1 - 0.9.9 | Aug 2009 | Bug fixes. |
1.0.0 | Jan 2010 | Development mostly stops. |
The problem we're solving with Commons-SSL -is quite small, so I don't see any reason to ever go beyond 1.0.0, except for fixing bugs.
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/06a2c229/3rdparty/not-yet-commons-ssl/docs/source.html ---------------------------------------------------------------------- diff --git a/3rdparty/not-yet-commons-ssl/docs/source.html b/3rdparty/not-yet-commons-ssl/docs/source.html deleted file mode 100644 index 6c2fc85..0000000 --- a/3rdparty/not-yet-commons-ssl/docs/source.html +++ /dev/null @@ -1,38 +0,0 @@ - - -Client Example: - -SSLClient client = new SSLClient(); - -// Let's trust usual "cacerts" that come with Java. Plus, let's also trust a self-signed cert -// we know of. We have some additional certs to trust inside a java keystore file. -client.addTrustMaterial( TrustMaterial.DEFAULT ); -client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) ); -client.addTrustMaterial( new KeyMaterial( "/path/to/keystore.jks", "changeit".toCharArray() ) ); - -// To be different, let's allow for expired certificates (not recommended). -client.setCheckHostname( true ); // default setting is "true" for SSLClient -client.setCheckExpiry( false ); // default setting is "true" for SSLClient -client.setCheckCRL( true ); // default setting is "true" for SSLClient - -// Let's load a client certificate (max: 1 per SSLClient instance). -client.setKeyMaterial( new KeyMaterial( "/path/to/client.pfx", "secret".toCharArray() ) ); -SSLSocket s = (SSLSocket) client.createSocket( "www.cucbc.com", 443 );- -
Server Example (OpenSSL/Apache Style) -// Compatible with the private key / certificate chain created from following the Apache2 -// TLS FAQ: "How do I create a self-signed SSL Certificate for testing purposes?" -// http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#selfcert - -SSLServer server = new SSLServer(); - -// Server needs some key material. We'll use an OpenSSL/PKCS8 style key (possibly encrypted). -String certificateChain = "/path/to/this/server.crt"; -String privateKey = "/path/to/this/server.key"; -char[] password = "changeit".toCharArray(); -KeyMaterial km = new KeyMaterial( certificateChain, privateKey, password ); - -server.setKeyMaterial( km ); - -// These settings have to do with how we'll treat client certificates that are presented -// to us. If the client doesn't present any client certificate, then these are ignored. -server.setCheckHostname( false ); // default setting is "false" for SSLServer -server.setCheckExpiry( true ); // default setting is "true" for SSLServer -server.setCheckCRL( true ); // default setting is "true" for SSLServer - -// This server trusts all client certificates presented (usually people won't present -// client certs, but if they do, we'll give them a socket at the very least). -server.addTrustMaterial( TrustMaterial.TRUST_ALL ); -SSLServerSocket ss = (SSLServerSocket) server.createServerSocket( 7443 ); -SSLSocket socket = (SSLSocket) ss.accept();- -
Server Example (Traditional Java "KeyStore" Style) - -SSLServer server = new SSLServer(); - -// Server needs some key material. We'll use a Java Keystore (.jks) or Netscape -// PKCS12 (.pfx or .p12) file. Commons-ssl automatically detects the type. -String pathToKeyMaterial = "/path/to/.keystore"; -char[] password = "changeit".toCharArray(); -KeyMaterial km = new KeyMaterial( pathToKeyMaterial, password ); - -server.setKeyMaterial( km ); - -// This server trusts all client certificates presented (usually people won't present -// client certs, but if they do, we'll give them a socket at the very least). -server.addTrustMaterial( TrustMaterial.TRUST_ALL ); -SSLServerSocket ss = (SSLServerSocket) server.createServerSocket( 7443 ); -SSLSocket socket = (SSLSocket) ss.accept();- - -
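Review bot: both server examples in this hunk end with `server.addTrustMaterial( TrustMaterial.TRUST_ALL );`, and the client example sets `client.setCheckExpiry( false );`, each with only a passing aside that it is not recommended; if these snippets are moved to another location rather than simply dropped, mark them explicitly as test-only so the permissive trust settings are not carried into production configuration. The mismatched variable names are fine here, but the comment in the client example that hostname checking "default setting is true for SSLClient" contradicts the RMI page's use of the same API with checks disabled, so whichever document survives should state the defaults in one place.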