Return-Path: X-Original-To: apmail-directory-commits-archive@www.apache.org Delivered-To: apmail-directory-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 173A7177CB for ; Sun, 25 Jan 2015 08:34:09 +0000 (UTC) Received: (qmail 66148 invoked by uid 500); 25 Jan 2015 08:34:07 -0000 Delivered-To: apmail-directory-commits-archive@directory.apache.org Received: (qmail 66097 invoked by uid 500); 25 Jan 2015 08:34:07 -0000 Mailing-List: contact commits-help@directory.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@directory.apache.org Delivered-To: mailing list commits@directory.apache.org Received: (qmail 66084 invoked by uid 99); 25 Jan 2015 08:34:07 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 25 Jan 2015 08:34:07 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id 7DB97E07F9; Sun, 25 Jan 2015 08:34:02 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit From: drankye@apache.org To: commits@directory.apache.org Date: Sun, 25 Jan 2015 08:34:04 -0000 Message-Id: <65c7f851d2964df8ae6e144522d23728@git.apache.org> In-Reply-To: References: X-Mailer: ASF-Git Admin Mailer Subject: [3/4] directory-kerberos git commit: Removed many unrelated http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/06a2c229/3rdparty/not-yet-commons-ssl/docs/pkcs8.html ---------------------------------------------------------------------- diff --git a/3rdparty/not-yet-commons-ssl/docs/pkcs8.html b/3rdparty/not-yet-commons-ssl/docs/pkcs8.html deleted file mode 100644 index 2119983..0000000 --- a/3rdparty/not-yet-commons-ssl/docs/pkcs8.html +++ /dev/null @@ -1,156 +0,0 @@ - - -Decrypting PKCS #8 and OpenSSL Private Keys with Java - - - -

not-yet-commons-ssl

- -
-
-

PKCS #8 / OpenSSL Encrypted Keys

-
-

Java 1.3 Compatible! (with jce1_2_2.jar) (or bcprov-jdk13.jar)

-

Commons-SSL includes support for extracting private keys from PKCS #8 files. -We also support the OpenSSL formats ("traditional SSLeay"). The private keys can be in PEM (base64) -or DER (raw ASN.1 - a binary format). -

-

The code works with Java 1.3 (+JCE), 1.4, 5.0, 6.0, but not all of the ciphers and hashes are available -until Java 5.0 (unless you use BouncyCastle). Fortunately the most common formats [OpenSSL MD5 with 3DES], [PKCS #8 V1.5 MD5 with DES], [PKCS #8 V2.0 HmacSHA1 with 3DES] -work with all versions of Java, including Java 1.3.

-
pkcs8 example:
-
-FileInputStream in = new FileInputStream( "/path/to/pkcs8_private_key.der" );
-
-// If the provided InputStream is encrypted, we need a password to decrypt
-// it. If the InputStream is not encrypted, then the password is ignored
-// (can be null).  The InputStream can be DER (raw ASN.1) or PEM (base64).
-PKCS8Key pkcs8 = new PKCS8Key( in, "changeit".toCharArray() );
-
-// If an unencrypted PKCS8 key was provided, then this actually returns
-// exactly what was originally passed in (with no changes).  If an OpenSSL
-// key was provided, it gets reformatted as PKCS #8 first, and so these
-// bytes will still be PKCS #8, not OpenSSL.
-byte[] decrypted = pkcs8.getDecryptedBytes();
-PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec( decrypted );
-
-// A Java PrivateKey object is born.
-PrivateKey pk = null;
-if ( pkcs8.isDSA() )
-{
-  pk = KeyFactory.getInstance( "DSA" ).generatePrivate( spec );
-}
-else if ( pkcs8.isRSA() )
-{
-  pk = KeyFactory.getInstance( "RSA" ).generatePrivate( spec );
-}
-
-// For lazier types:
-pk = pkcs8.getPrivateKey();
-
-
-

Both RSA and DSA keys are supported. Here is a list of supported formats:

-
    -
  • OpenSSL "Traditional SSLeay Compatible Format"
      -
    • Unencrypted PEM or DER
    • -
    • Encrypted PEM:
      -
      • des
      • des2
      • des3
      • blowfish
      -
      • aes128
      • aes192
      • aes256
      -
      • rc2-40
      • rc2-64
      • rc2-128
      -
      -
      Note:
      OpenSSL "traditional SSLeay" format does not allow encrypted keys to be encoded in DER. Only -unencrypted keys can be encoded in DER.
    • -
    -
  • -
  • PKCS #8 (Unencrypted) -
    • PEM or DER
  • -
  • PKCS #8 with PKCS #5 Version 1.5 Encryption -
    • PEM or DER: -
        -
      • MD2 with DES
      • -
      • MD2 with RC2-64
      • -
      -
        -
      • MD5 with DES
      • -
      • MD5 with RC2-64
      • -
      -
        -
      • SHA1 with DES
      • -
      • SHA1 with RC2-64
      • -
      -
      -
  • -
  • PKCS #8 with PKCS #5 Version 1.5 Encryption and PKCS #12 Key Derivation -
    • PEM or DER: -
        -
      • SHA1 with 3DES
      • -
      • SHA1 with 2DES
      • -
      -
        -
      • SHA1 with RC2-128
      • -
      • SHA1 with RC2-40
      • -
      -
        -
      • SHA1 with RC4-128
      • -
      • SHA1 with RC4-40
      • -
      -
      -
  • -
  • PKCS #8 with PKCS #5 Version 2.0 Encryption and HmacSHA1 -
    • PEM or DER: -
        -
      • DES
      • -
      • 3DES
      • -
      • Blowfish
      • -
      -
        -
      • AES-128
      • -
      • AES-192
      • -
      • AES-256
      • -
      -
        -
      • RC2-40
      • -
      • RC2-64
      • -
      • RC2-128
      • -
      -
      -
-
-

-Here are links to the raw samples and test results: -

    -
  1. 2048 Bit RSA
  2. -
  3. 2048 Bit DSA
  4. -
-

-

The samples were all generated using OpenSSL's -rsa, genrsa, dsa, gendsa, dsaparam -and pkcs8 commands. We're curious to know if -PKCS #8 keys created by other programs will also work, but OpenSSL is all we have to play -with at the moment.

-

The password to decrypt the samples is always "changeit", and they all have the same RSA or DSA -key.

- - - http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/06a2c229/3rdparty/not-yet-commons-ssl/docs/rmi.html ---------------------------------------------------------------------- diff --git a/3rdparty/not-yet-commons-ssl/docs/rmi.html b/3rdparty/not-yet-commons-ssl/docs/rmi.html deleted file mode 100644 index 6d7b2b6..0000000 --- a/3rdparty/not-yet-commons-ssl/docs/rmi.html +++ /dev/null @@ -1,102 +0,0 @@ - - -Not-Yet-Commons-SSL - RMI over SSL Java Example - - - -

not-yet-commons-ssl

- -
-
-

RMI over SSL (experimental)

-
3 points to consider: -
    -
  1. To run the RMI-SSL server, you must invoke LocateRegistry.createRegistry( 1099 ) -from within your own application. You must do this AFTER calling RMISocketFactory.setSocketFactory( impl ). -RMISocketFactoryImpl will open the registry on 1099, and will open anonymous RMI servers (where port 0 is -specified) on port 31099. -RMI-SSL, as shown here, doesn't work with $JAVA_HOME/bin/rmiregistry. -
    See the example code below for help with RMISocketFactory.setSocketFactory( impl ). -
  2. -
  3. To run the RMI-SSL client, you need to find an RMI-SSL server to connect to. See #1, above.  ;-)
  4. -
  5. If you don't manage to find an RMI-SSL server, then the RMI-SSL client will automatically downgrade itself -to plain-socket. There is an important security consideration to consider regarding this: RMISocketFactoryImpl -at this time only guarantees the security of the registry and the server sockets it opens. Client sockets -it creates might be plain-socket.
  6. -
- -
RMI over SSL Example
-
-import org.apache.commons.ssl.RMISocketFactoryImpl;
-
-// RMISocketFactoryImpl tries to detect plain sockets, so you should be able to use
-// this even in situations where not all of the RMI servers you are talking to are
-// using SSL.
-RMISocketFactoryImpl impl = new RMISocketFactoryImpl();
-
-// Let's change some settings on our default SSL client.
-SSLClient defaultClient = (SSLClient) impl.getDefaultClient();
-client.setCheckHostname( false );
-client.setCheckCRL( true );
-client.setCheckExpiry( false );
-
-// By default we trust Java's "cacerts", as well as whatever cert is on localhost:1099,
-// so this is redundant:   (Trusting localhost:1099 is some commons-ssl magic).
-client.addTrustMaterial( TrustMaterial.DEFAULT );
-
-// But if we had used setTrustMaterial() instead of addTrustMaterial(), we would (probably)
-// no longer trust localhost:1099!  Using set instead of add causes all previous "adds" to
-// to be thrown out.
-
-// Meanwhile, RMI calls to rmi://special.com:1099/ need to trust a self-signed certificate,
-// but we don't want to pollute our default trust with this shoddy cert.  So only calls
-// specifically to "special.com" (any port) will use this.
-SSLClient specialClient = new SSLClient();
-TrustMaterial tm = new TrustMaterial( "special.pem" );
-specialClient.addTrustMaterial( tm );
-// Here's where the special cert gets associated with "special.com":
-impl.setClient( "special.com", specialClient );
-
-
-// We're might also want to be an RMI server ourselves!
-// By default commons-ssl looks for "~/.keystore" and tries password "changeit",
-// but we can change things if we want:
-SSLServer server = (SSLServer) impl.getDefaultServer();
-tm = new TrustMaterial( "trust_only_these_client_certs.pem" );
-KeyMaterial km = new KeyMaterial( "/path/to/myKey.p12", "password".toCharArray() );
-server.setTrustMaterial( tm );
-server.setKeyMaterial( km );
-// This particular RMI server will only accept connections with client certs!
-server.setNeedClientAuth( true );
-
-// Finally, we tell Java to use our new RMI socket factory!
-RMISocketFactory.setSocketFactory( impl );
-
-
-
-
-
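Review bot: the last of the removed "points to consider" is a security caveat that appears nowhere else in the tree: RMISocketFactoryImpl "will automatically downgrade itself to plain-socket" when no RMI-SSL server is found and "only guarantees the security of the registry and the server sockets it opens", so sockets it creates on the client side may be cleartext. If RMISocketFactoryImpl is kept under 3rdparty, move that warning into the class Javadoc or a README in the same change, so callers do not assume the factory enforces TLS on outbound RMI calls. The code sample itself is not worth preserving: it declares defaultClient but then configures a variable named client, and it presents setCheckHostname( false ) as a setting for the default client.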
- - http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/06a2c229/3rdparty/not-yet-commons-ssl/docs/roadmap.html ---------------------------------------------------------------------- diff --git a/3rdparty/not-yet-commons-ssl/docs/roadmap.html b/3rdparty/not-yet-commons-ssl/docs/roadmap.html deleted file mode 100644 index 3962540..0000000 --- a/3rdparty/not-yet-commons-ssl/docs/roadmap.html +++ /dev/null @@ -1,86 +0,0 @@ - - -Not-Yet-Commons-SSL - Downloads, Features, Future Directions - - - -

not-yet-commons-ssl

- -
-
-

This page is out of date. These days we just do maintenance releases to fix bugs reported on the mailing list. -Current version is 0.3.15.

-

Road Map For Future Versions

-

0.3.10 - 0.3.11 are just some feature ideas. They might not be feasible. 0.3.9 is the current version.

- - - - - - - - - - - - - - - - - - - - - -
VersionRelease Date?Description
0.3.4Nov 200690% feature complete. Probably contains some bugs.
0.3.5Dec 2006PKCS8Key constructor is public now. Whoops. Hostname verification -knows about more than just CN's now - also checks subjectAlts in the server's certificate.
0.3.6Jan 2007Fixed Java 1.4 bug with HttpsURLConnection.
0.3.7Feb 200740 bit and 56 bit ciphers disabled by default. RMI-SSL improved. getSSLContext() added. Various other improvements.
0.3.8Nov 2007PBE (password-based-encryption) formally introduced and improved. 40 bit and 56 bit ciphers still disabled by default, but working better when re-enabled.
0.3.9May 2008Some PBE fixes. Using latest ASN.1 code from BouncyCastle.
0.3.10May 2008 -

-Socket monitoring. Make it easier for long-running server applications to warn -about impending certificate expiries. -

-

-OCSP - Online Certificate Status Protocol -

- -

-NotQuiteSoEasySSLProtocolSocketFactory will trust any server The First Time, and store that server's cert on disk for future accesses. -

-
0.3.11Jun 2008TrustMaterial.setAutoReload( true / false ), and KeyMaterial.setAutoReload( true / false ), -but only if no password, or "changeit" was provided. (Question: should this "reload" tear down all open sockets?). -
0.4.0Jul 2008Non-public code (protected, private, etc) moved into a separate "impl" package where possible.
0.5.0Aug 2008API froven. All future versions must be reverse-compatible with 0.5.0 (except for any parts of 0.5.0 later found to be insecure).
0.7.0Nov 2008JavaDocs written for all public methods and classes.
0.7.5Mar 2009JUnit tests written for all classes.
0.9.0May 2009First BETA release. JUnit tests passing on all targetted platforms: - -
    -
  1. Intel/AMD: (Sun, IBM, BEA) x (Linux, Mac, Windows) x (1.3, 1.4, 5, 6, 7)
  2. -
  3. All of the above with and without BouncyCastle.
  4. -
  5. PowerPC: Mac OS X 10.4, 10.5
  6. -
  7. Linux: Latest GCJ, Kaffe, and Blackdown releases. BouncyCastle added if necessary to get tests to pass.
  8. -
  9. Anyone got an IBM mainframe we can test on?
  10. -
0.9.1 - 0.9.9Aug 2009Bug fixes.
1.0.0Jan 2010Development mostly stops.
-

The problem we're solving with Commons-SSL -is quite small, so I don't see any reason to ever go beyond 1.0.0, except for fixing bugs.

http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/06a2c229/3rdparty/not-yet-commons-ssl/docs/source.html ---------------------------------------------------------------------- diff --git a/3rdparty/not-yet-commons-ssl/docs/source.html b/3rdparty/not-yet-commons-ssl/docs/source.html deleted file mode 100644 index 6c2fc85..0000000 --- a/3rdparty/not-yet-commons-ssl/docs/source.html +++ /dev/null @@ -1,38 +0,0 @@ - - -Not-Yet-Commons-SSL - Source Tree - - - -

not-yet-commons-ssl

- -
-
-

not-yet-commons-ssl Source Code

-
- - - - - http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/06a2c229/3rdparty/not-yet-commons-ssl/docs/ssl.html ---------------------------------------------------------------------- diff --git a/3rdparty/not-yet-commons-ssl/docs/ssl.html b/3rdparty/not-yet-commons-ssl/docs/ssl.html deleted file mode 100644 index 86bfa4d..0000000 --- a/3rdparty/not-yet-commons-ssl/docs/ssl.html +++ /dev/null @@ -1,106 +0,0 @@ - - - - - -Java Examples for Creating SSL/TLS Sockets - - - -

not-yet-commons-ssl

- -
-
-

Code Examples For Creating SSL Sockets

-
-Note: -
SSLClient extends SSLSocketFactory -
SSLServer extends SSLServerSocketFactory -
-
Client Example:
-
-SSLClient client = new SSLClient();
-
-// Let's trust usual "cacerts" that come with Java.  Plus, let's also trust a self-signed cert
-// we know of.  We have some additional certs to trust inside a java keystore file.
-client.addTrustMaterial( TrustMaterial.DEFAULT );
-client.addTrustMaterial( new TrustMaterial( "/path/to/self-signed.pem" ) );
-client.addTrustMaterial( new KeyMaterial( "/path/to/keystore.jks", "changeit".toCharArray() ) );
-
-// To be different, let's allow for expired certificates (not recommended).
-client.setCheckHostname( true );  // default setting is "true" for SSLClient
-client.setCheckExpiry( false );   // default setting is "true" for SSLClient
-client.setCheckCRL( true );       // default setting is "true" for SSLClient
-
-// Let's load a client certificate (max: 1 per SSLClient instance).
-client.setKeyMaterial( new KeyMaterial( "/path/to/client.pfx", "secret".toCharArray() ) );
-SSLSocket s = (SSLSocket) client.createSocket( "www.cucbc.com", 443 );
- -
Server Example (OpenSSL/Apache Style)
-// Compatible with the private key / certificate chain created from following the Apache2
-// TLS FAQ: "How do I create a self-signed SSL Certificate for testing purposes?"
-// http://httpd.apache.org/docs/2.2/ssl/ssl_faq.html#selfcert
-
-SSLServer server = new SSLServer();
-
-// Server needs some key material.  We'll use an OpenSSL/PKCS8 style key (possibly encrypted).
-String certificateChain = "/path/to/this/server.crt";
-String privateKey = "/path/to/this/server.key";
-char[] password = "changeit".toCharArray();
-KeyMaterial km = new KeyMaterial( certificateChain, privateKey, password ); 
-
-server.setKeyMaterial( km );
-
-// These settings have to do with how we'll treat client certificates that are presented
-// to us.  If the client doesn't present any client certificate, then these are ignored.
-server.setCheckHostname( false ); // default setting is "false" for SSLServer
-server.setCheckExpiry( true );    // default setting is "true" for SSLServer
-server.setCheckCRL( true );       // default setting is "true" for SSLServer
-
-// This server trusts all client certificates presented (usually people won't present
-// client certs, but if they do, we'll give them a socket at the very least).
-server.addTrustMaterial( TrustMaterial.TRUST_ALL );
-SSLServerSocket ss = (SSLServerSocket) server.createServerSocket( 7443 );
-SSLSocket socket = (SSLSocket) ss.accept();
- -
Server Example (Traditional Java "KeyStore" Style)
-
-SSLServer server = new SSLServer();
-
-// Server needs some key material.   We'll use a Java Keystore (.jks) or Netscape
-// PKCS12 (.pfx or .p12) file.  Commons-ssl automatically detects the type.
-String pathToKeyMaterial = "/path/to/.keystore";
-char[] password = "changeit".toCharArray();
-KeyMaterial km = new KeyMaterial( pathToKeyMaterial, password ); 
-
-server.setKeyMaterial( km );
-
-// This server trusts all client certificates presented (usually people won't present
-// client certs, but if they do, we'll give them a socket at the very least).
-server.addTrustMaterial( TrustMaterial.TRUST_ALL );
-SSLServerSocket ss = (SSLServerSocket) server.createServerSocket( 7443 );
-SSLSocket socket = (SSLSocket) ss.accept();
- - -
- - -
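Review bot: the removed client and server examples show configurations that should not be copied, namely server.addTrustMaterial( TrustMaterial.TRUST_ALL ) on both servers and client.setCheckExpiry( false ) on the client, so losing them is no regression. What is lost is the only description of the non-obvious parts of the API: the OpenSSL-style KeyMaterial( certificateChain, privateKey, password ) constructor, and the stated defaults (hostname checking on for SSLClient and off for SSLServer; expiry and CRL checking on for both). If SSLClient and SSLServer stay under 3rdparty, carry those defaults into the class Javadoc so the secure-by-default behaviour remains visible once this page is gone.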