The path you requested is not available. Future versions will definitely break the current API in a non-reverse compatible way. After commons-ssl-0.5.0, though, we
-plan on always being reverse compatible with ourselves.
- Not-Yet-Commons-SSL currently has NO affiliation with the Apache Software Foundation (apache.org), but we're hoping
-to start Incubation one day.
- Future versions will definitely break the current API in a non-reverse compatible way. After commons-ssl-0.5.0, though, we
-plan on always being reverse compatible with ourselves.
- Implementation note:
-To reduce memory consumption all CRL's are saved to disk using
- Support added for certificates with wildcards in the CN field
-(e.g. *.credential.com).
-Java already had this, to be fair. We broke it
-by accident!
-not-yet-commons-ssl
-
-
-
-404 - Page Not Found
-
-
-
-Current Version (September 23rd, 2014):
-Full source: not-yet-commons-ssl-0.3.16.zip 5.1MB Alpha MD5:
-Binary only: not-yet-commons-ssl-0.3.16.jar 267KB Alpha MD5:
-Previous Version (September 8th, 2014):
-Full source: not-yet-commons-ssl-0.3.15.zip 5.1MB Alpha MD5: f62d7f7f890ac03a0210d1be7571b21e
-Binary only: not-yet-commons-ssl-0.3.15.jar 267KB Alpha MD5: cebc58b8367c253688426043fdf08221
-All Previous Versions (use "svn export"):
- /svn/not-yet-commons-ssl/tags/
Warning:
- All versions (to date) of not-yet-commons-ssl should be considered to be of "Alpha" quality!
-This code probably contains bugs. This code may have security issues.
-
-
-
-
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/docs/TrustExample.java
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/docs/TrustExample.java b/3rdparty/not-yet-commons-ssl/docs/TrustExample.java
deleted file mode 100644
index c4561de..0000000
--- a/3rdparty/not-yet-commons-ssl/docs/TrustExample.java
+++ /dev/null
@@ -1,114 +0,0 @@
-
-import org.apache.commons.httpclient.HttpClient;
-import org.apache.commons.httpclient.methods.GetMethod;
-import org.apache.commons.httpclient.protocol.Protocol;
-import org.apache.commons.ssl.HttpSecureProtocol;
-import org.apache.commons.ssl.TrustMaterial;
-
-import javax.net.ssl.SSLHandshakeException;
-import java.net.URL;
-
-/**
- *
- * Example of trusting certs to answer a question Sudip Shrestha posed on the
- * httpclient-user@jakarta.apache.org mailing list, Fri 5/5/2006.
- *
- * @author Julius Davies
- * @since May 5, 2006
- */
-public class TrustExample {
-
-/*
-Microsoft IE trusts usertrust.com CA certs by default, but Java doesn't, so we need
-to tell Java to.
-
-Cert is good until 2019 !
-
-openssl x509 -in cert.pem -noout -text
-=======================================
-
-Serial Number:
- 44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
-Signature Algorithm: sha1WithRSAEncryption
-Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
-Validity
- Not Before: Jul 9 18:10:42 1999 GMT
- Not After : Jul 9 18:19:22 2019 GMT
-Subject: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
-
-X509v3 extensions:
- X509v3 Key Usage:
- Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
- X509v3 Basic Constraints: critical
- CA:TRUE
- X509v3 Subject Key Identifier:
- A1:72:5F:26:1B:28:98:43:95:5D:07:37:D5:85:96:9D:4B:D2:C3:45
- X509v3 CRL Distribution Points:
- URI:http://crl.usertrust.com/UTN-USERFirst-Hardware.crl
-
- X509v3 Extended Key Usage:
- TLS Web Server Authentication, IPSec End System, IPSec Tunnel, IPSec User
-
-*/
- private static byte[] pemCert = (
- "-----BEGIN CERTIFICATE-----\n" +
- "MIIEdDCCA1ygAwIBAgIQRL4Mi1AAJLQR0zYq/mUK/TANBgkqhkiG9w0BAQUFADCB\n" +
- "lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug\n" +
- "Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho\n" +
- "dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt\n" +
- "SGFyZHdhcmUwHhcNOTkwNzA5MTgxMDQyWhcNMTkwNzA5MTgxOTIyWjCBlzELMAkG\n" +
- "A1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEe\n" +
- "MBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExhodHRwOi8v\n" +
- "d3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3QtSGFyZHdh\n" +
- "cmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx98M4P7Sof885glFn\n" +
- "0G2f0v9Y8+efK+wNiVSZuTiZFvfgIXlIwrthdBKWHTxqctU8EGc6Oe0rE81m65UJ\n" +
- "M6Rsl7HoxuzBdXmcRl6Nq9Bq/bkqVRcQVLMZ8Jr28bFdtqdt++BxF2uiiPsA3/4a\n" +
- "MXcMmgF6sTLjKwEHOG7DpV4jvEWbe1DByTCP2+UretNb+zNAHqDVmBe8i4fDidNd\n" +
- "oI6yqqr2jmmIBsX6iSHzCJ1pLgkzmykNRg+MzEk0sGlRvfkGzWitZky8PqxhvQqI\n" +
- "DsjfPe58BEydCl5rkdbux+0ojatNh4lz0G6k0B4WixThdkQDf2Os5M1JnMWS9Ksy\n" +
- "oUhbAgMBAAGjgbkwgbYwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYD\n" +
- "VR0OBBYEFKFyXyYbKJhDlV0HN9WFlp1L0sNFMEQGA1UdHwQ9MDswOaA3oDWGM2h0\n" +
- "dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VVE4tVVNFUkZpcnN0LUhhcmR3YXJlLmNy\n" +
- "bDAxBgNVHSUEKjAoBggrBgEFBQcDAQYIKwYBBQUHAwUGCCsGAQUFBwMGBggrBgEF\n" +
- "BQcDBzANBgkqhkiG9w0BAQUFAAOCAQEARxkP3nTGmZev/K0oXnWO6y1n7k57K9cM\n" +
- "//bey1WiCuFMVGWTYGufEpytXoMs61quwOQt9ABjHbjAbPLPSbtNk28Gpgoiskli\n" +
- "CE7/yMgUsogWXecB5BKV5UU0s4tpvc+0hY91UZ59Ojg6FEgSxvunOxqNDYJAB+gE\n" +
- "CJChicsZUN/KHAG8HQQZexB2lzvukJDKxA4fFm517zP4029bHpbj4HR3dHuKom4t\n" +
- "3XbWOTCC8KucUvIqx69JXn7HaOWCgchqJ/kniCrVWFCVH/A7HFe7fRQ5YiuayZSS\n" +
- "KqMiDP+JJn1fIytH1xUdqWqeUQ0qUZ6B+dQ7XnASfxAynB67nfhmqA==\n" +
- "-----END CERTIFICATE-----\n" ).getBytes();
-
- public static void main( String[] args ) throws Exception
- {
- HttpSecureProtocol f = new HttpSecureProtocol();
-
- // might as well trust the usual suspects:
- f.addTrustMaterial(TrustMaterial.CACERTS);
-
- // here's where we start trusting usertrust.com's CA:
- f.addTrustMaterial(new TrustMaterial( pemCert ));
-
- Protocol trustHttps = new Protocol("https", f, 443);
- Protocol.registerProtocol("https", trustHttps);
-
- HttpClient client = new HttpClient();
- GetMethod httpget = new GetMethod("https://www.usertrust.com/");
- client.executeMethod(httpget);
- String s = httpget.getStatusLine().toString();
- System.out.println( "HTTPClient: " + s );
-
- // Notice that Java still can't access it. Only HTTPClient knows
- // to trust the cert!
- URL u = new URL( "https://www.usertrust.com/" );
- try
- {
- // This will throw an SSLHandshakeException
- u.openStream();
- }
- catch ( SSLHandshakeException she )
- {
- System.out.println( "Java: " + she );
- }
- }
-
-}
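Review bot: nothing in this hunk shows whether other files still link to docs/TrustExample.java, so please confirm that no remaining page or build step references it before the delete lands. Removing the example is otherwise sensible: the embedded pemCert is a sha1WithRSAEncryption root with "Not After : Jul 9 18:19:22 2019 GMT", and the call Protocol.registerProtocol("https", trustHttps) is a static registration that affects every HttpClient caller in the JVM rather than one client, so neither should be carried into a replacement example.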
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/docs/TrustExample.java.html
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/docs/TrustExample.java.html b/3rdparty/not-yet-commons-ssl/docs/TrustExample.java.html
deleted file mode 100644
index ec2752d..0000000
--- a/3rdparty/not-yet-commons-ssl/docs/TrustExample.java.html
+++ /dev/null
@@ -1,131 +0,0 @@
-
-
-
-
-
-
-1
-2 import org.apache.commons.httpclient.HttpClient;
-3 import org.apache.commons.httpclient.methods.GetMethod;
-4 import org.apache.commons.httpclient.protocol.Protocol;
-5 import org.apache.commons.ssl.HttpSecureProtocol;
-6 import org.apache.commons.ssl.TrustMaterial;
-7
-8 import javax.net.ssl.SSLHandshakeException;
-9 import java.net.URL;
-10
-11 /**
-12 *
-13 * Example of trusting certs to answer a question Sudip Shrestha posed on the
-14 * httpclient-user@jakarta.apache.org mailing list, Fri 5/5/2006.
-15 *
-16 * @author Julius Davies
-17 * @since May 5, 2006
-18 */
-19 public class TrustExample {
-20
-21 /*
-22 Microsoft IE trusts usertrust.com CA certs by default, but Java doesn't, so we need
-23 to tell Java to.
-24
-25 Cert is good until 2019 !
-26
-27 openssl x509 -in cert.pem -noout -text
-28 =======================================
-29
-30 Serial Number:
-31 44:be:0c:8b:50:00:24:b4:11:d3:36:2a:fe:65:0a:fd
-32 Signature Algorithm: sha1WithRSAEncryption
-33 Issuer: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
-34 Validity
-35 Not Before: Jul 9 18:10:42 1999 GMT
-36 Not After : Jul 9 18:19:22 2019 GMT
-37 Subject: C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Hardware
-38
-39 X509v3 extensions:
-40 X509v3 Key Usage:
-41 Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
-42 X509v3 Basic Constraints: critical
-43 CA:TRUE
-44 X509v3 Subject Key Identifier:
-45 A1:72:5F:26:1B:28:98:43:95:5D:07:37:D5:85:96:9D:4B:D2:C3:45
-46 X509v3 CRL Distribution Points:
-47 URI:http://crl.usertrust.com/UTN-USERFirst-Hardware.crl
-48
-49 X509v3 Extended Key Usage:
-50 TLS Web Server Authentication, IPSec End System, IPSec Tunnel, IPSec User
-51
-52 */
-53 private static byte[] pemCert = (
-54 "-----BEGIN CERTIFICATE-----\n" +
-55 "MIIEdDCCA1ygAwIBAgIQRL4Mi1AAJLQR0zYq/mUK/TANBgkqhkiG9w0BAQUFADCB\n" +
-56 "lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug\n" +
-57 "Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho\n" +
-58 "dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt\n" +
-59 "SGFyZHdhcmUwHhcNOTkwNzA5MTgxMDQyWhcNMTkwNzA5MTgxOTIyWjCBlzELMAkG\n" +
-60 "A1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2UgQ2l0eTEe\n" +
-61 "MBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExhodHRwOi8v\n" +
-62 "d3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3QtSGFyZHdh\n" +
-63 "cmUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCx98M4P7Sof885glFn\n" +
-64 "0G2f0v9Y8+efK+wNiVSZuTiZFvfgIXlIwrthdBKWHTxqctU8EGc6Oe0rE81m65UJ\n" +
-65 "M6Rsl7HoxuzBdXmcRl6Nq9Bq/bkqVRcQVLMZ8Jr28bFdtqdt++BxF2uiiPsA3/4a\n" +
-66 "MXcMmgF6sTLjKwEHOG7DpV4jvEWbe1DByTCP2+UretNb+zNAHqDVmBe8i4fDidNd\n" +
-67 "oI6yqqr2jmmIBsX6iSHzCJ1pLgkzmykNRg+MzEk0sGlRvfkGzWitZky8PqxhvQqI\n" +
-68 "DsjfPe58BEydCl5rkdbux+0ojatNh4lz0G6k0B4WixThdkQDf2Os5M1JnMWS9Ksy\n" +
-69 "oUhbAgMBAAGjgbkwgbYwCwYDVR0PBAQDAgHGMA8GA1UdEwEB/wQFMAMBAf8wHQYD\n" +
-70 "VR0OBBYEFKFyXyYbKJhDlV0HN9WFlp1L0sNFMEQGA1UdHwQ9MDswOaA3oDWGM2h0\n" +
-71 "dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9VVE4tVVNFUkZpcnN0LUhhcmR3YXJlLmNy\n" +
-72 "bDAxBgNVHSUEKjAoBggrBgEFBQcDAQYIKwYBBQUHAwUGCCsGAQUFBwMGBggrBgEF\n" +
-73 "BQcDBzANBgkqhkiG9w0BAQUFAAOCAQEARxkP3nTGmZev/K0oXnWO6y1n7k57K9cM\n" +
-74 "//bey1WiCuFMVGWTYGufEpytXoMs61quwOQt9ABjHbjAbPLPSbtNk28Gpgoiskli\n" +
-75 "CE7/yMgUsogWXecB5BKV5UU0s4tpvc+0hY91UZ59Ojg6FEgSxvunOxqNDYJAB+gE\n" +
-76 "CJChicsZUN/KHAG8HQQZexB2lzvukJDKxA4fFm517zP4029bHpbj4HR3dHuKom4t\n" +
-77 "3XbWOTCC8KucUvIqx69JXn7HaOWCgchqJ/kniCrVWFCVH/A7HFe7fRQ5YiuayZSS\n" +
-78 "KqMiDP+JJn1fIytH1xUdqWqeUQ0qUZ6B+dQ7XnASfxAynB67nfhmqA==\n" +
-79 "-----END CERTIFICATE-----\n" ).getBytes();
-80
-81 public static void main( String[] args ) throws Exception
-82 {
-83 HttpSecureProtocol f = new HttpSecureProtocol();
-84
-85 // might as well trust the usual suspects:
-86 f.addTrustMaterial(TrustMaterial.CACERTS);
-87
-88 // here's where we start trusting usertrust.com's CA:
-89 f.addTrustMaterial(new TrustMaterial( pemCert ));
-90
-91 Protocol trustHttps = new Protocol("https", f, 443);
-92 Protocol.registerProtocol("https", trustHttps);
-93
-94 HttpClient client = new HttpClient();
-95 GetMethod httpget = new GetMethod("https://www.usertrust.com/");
-96 client.executeMethod(httpget);
-97 String s = httpget.getStatusLine().toString();
-98 System.out.println( "HTTPClient: " + s );
-99
-100 // Notice that Java still can't access it. Only HTTPClient knows
-101 // to trust the cert!
-102 URL u = new URL( "https://www.usertrust.com/" );
-103 try
-104 {
-105 // This will throw an SSLHandshakeException
-106 u.openStream();
-107 }
-108 catch ( SSLHandshakeException she )
-109 {
-110 System.out.println( "Java: " + she );
-111 }
-112 }
-113
-114 }
-115
-
-
\ No newline at end of file
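Review bot: this file is a line-numbered HTML rendering of the TrustExample.java deleted just above (its lines 2 to 114 repeat the same imports, certificate and main method), so the two deletions belong in the same commit as they are here. If the HTML was produced by a docs generation step, that step should be removed or updated as well so the file is not regenerated.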
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/docs/about.html
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/docs/about.html b/3rdparty/not-yet-commons-ssl/docs/about.html
deleted file mode 100644
index 5ef231e..0000000
--- a/3rdparty/not-yet-commons-ssl/docs/about.html
+++ /dev/null
@@ -1,73 +0,0 @@
-
-
-
-
-
-not-yet-commons-ssl
-
-
-
-About Not-Yet-Commons-SSL
-
-5 Design Goals:
-
-
-
-
-
\ No newline at end of file
http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/docs/download.html
----------------------------------------------------------------------
diff --git a/3rdparty/not-yet-commons-ssl/docs/download.html b/3rdparty/not-yet-commons-ssl/docs/download.html
deleted file mode 100644
index 5e8a8cb..0000000
--- a/3rdparty/not-yet-commons-ssl/docs/download.html
+++ /dev/null
@@ -1,263 +0,0 @@
-
-
-$JAVA_HOME/jre/lib/security/cacerts
-file, and you can invoke Java with -Djavax.net.ssl.keyStore=/path/to/keystore
. Both of
-these approaches are great at first, but they don't scale well. Do you really want to pollute every
-SSL socket in your JVM (HTTP, LDAP, JDBC, RMI, etc...) with those system-wide changes? Commons-SSL let's you
-control the SSL options you need in an natural way for each SSLSocketFactory, and those options
-won't bleed into the rest of your system.
-
openssl pkcs12
).any comments or whitespace up here are ignored
-
------BEGIN TYPE-----
-[...base64....]
------END TYPE-----
-
-any comments or whitespace down here are also ignored
not-yet-commons-ssl
-
-
-
-Download Not-Yet-Commons-SSL!
-
-
-
- Current Version (September 23rd, 2014):
- Full source: not-yet-commons-ssl-0.3.16.zip 5.1MB Alpha MD5:
- Binary only: not-yet-commons-ssl-0.3.16.jar 267KB Alpha MD5: cebc58b8367c253688426043fdf08221
- Previous Version (September 8th, 2014):
- Full source: not-yet-commons-ssl-0.3.15.zip 5.1MB Alpha MD5: f62d7f7f890ac03a0210d1be7571b21e
- Binary only: not-yet-commons-ssl-0.3.15.jar 267KB Alpha MD5: cebc58b8367c253688426043fdf08221
- All Previous Versions (use "svn export"):
- /svn/not-yet-commons-ssl/tags/
Warning:
- All versions of not-yet-commons-ssl should be considered to be of "Alpha" quality!
-This code probably contains bugs. This code may have security issues.
-
-Changelog for not-yet-commons-ssl-0.3.16:
-
-
-
-Changelog for not-yet-commons-ssl-0.3.15:
-
-
-Changelog for not-yet-commons-ssl-0.3.13:
-
-
-Changelog for not-yet-commons-ssl-0.3.12:
-
-
-Changelog for not-yet-commons-ssl-0.3.11:
-
-
-
-Features as of not-yet-commons-ssl-0.3.10:
-
-
-
-
-Features as of not-yet-commons-ssl-0.3.9:
-
-
-openssl enc -K [key] -iv [IV]
.
-Features as of not-yet-commons-ssl-0.3.8:
-
-
-
-Features as of not-yet-commons-ssl-0.3.7:
-
-
-
-SSLClient client = new SSLClient();
-client.addAllowedName( "www.cucbc.com" );
-Socket s = client.createSocket( "cucbc.com", 443 );
-
-
-This technique is also useful if you don't want to use DNS, and want to
-connect using the IP address.
-
-SSLClient server = new SSLServer();
-server.useTomcatSSLMaterial();
-
-
-java.lang.RuntimeException: Export restriction: this JSSE implementation is non-pluggable.
- at com.sun.net.ssl.internal.ssl.SSLSocketFactoryImpl.checkCreate(DashoA6275)
- at sun.net.www.protocol.https.HttpsClient.afterConnect(DashoA6275)
- at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(DashoA6275)
- at sun.net.www.protocol.http.HttpURLConnection.getOutputStream(HttpURLConnection.java:560)
- at sun.net.www.protocol.https.HttpsURLConnectionImpl.getOutputStream(DashoA6275)
-
-Silly Java - I'm still using your JSSE implementation, I'm just wrapping it!
-
-
-Features as of not-yet-commons-ssl-0.3.4:
-
-
"javax.net.ssl.keyStore"
and "javax.net.ssl.trustStore"
ssl.setCheckCRL( true/false )
Note: CRL is an abbreviation for "Certificate Revocation List"true
by default. If you're using SSLClient, then the remote
-server's certificate chain is checked. If you're using SSLServer, CRL checking is ignored unless
-client certificates are presented. Commons-SSL tries to perform the CRL check against each certificate in
-the chain, but we're not sure if we always know the entire chain.
-File.createTempFile()
and File.deleteOnExit()
.
-CRL's are re-downloaded every 24 hours. To reduce disk IO
-the "pass/fail" result of a CRL check for a given X.509 Certificate is cached using the 20 byte SHA1 hash of the
-certificate as the key. The cached "pass" result is discarded every 24 hours. The cached "fail" result is retained
-until the JVM restarts.
-ssl.setCheckExpiry( true/false )
ssl.setCheckHostname( true/false )
-s: CN=*.credential.com, OU=Domain Control Validated - RapidSSL(R), OU=See www.rapidssl.com/cps (c)05,
- OU=businessprofile.geotrust.com/get.jsp?GT27402892, O=*.credential.com, C=CA
-i: CN=Equifax Secure Global eBusiness CA-1, O=Equifax Secure Inc., C=US
-
-
KeyStoreBuilder
"- -java -cp commons-ssl-0.3.4.jar org.apache.commons.ssl.KeyStoreBuilder -
not-yet-commons-ssl-0.3.16 released! (September 23rd, 2014)
-Requires Java 1.5.x or higher. - -
Please see our ssl page for code examples on how to use this library.
- -Design Goals: | -about.html | -
---|---|
Code Examples: | -SSL/TLS | PKCS #8 | PBE | -
Join Mailing List: | -http://lists.juliusdavies.ca/listinfo.cgi/not-yet-commons-ssl-juliusdavies.ca/ | -
Mailing List Archives: | -http://lists.juliusdavies.ca/pipermail/not-yet-commons-ssl-juliusdavies.ca/ | -
Downloads: | -http://juliusdavies.ca/commons-ssl/download.html | -
Checkout From Subversion: | -svn co http://juliusdavies.ca/svn/not-yet-commons-ssl/trunk not-yet-commons-ssl |
-
-
Browse Subversion (via viewvc): | -http://juliusdavies.ca/svn/not-yet-commons-ssl/viewvc.cgi/not-yet-commons-ssl/ | -
License (Apache 2.0): | -LICENSE.txt | - -
We're calling this library "Not-Yet-Commons-SSL" since we have the intention of one day -becoming an official Apache project. Not-Yet-Commons-SSL was originally developed by -Credit Union Central of British Columbia. -The webpages, releases, and code here on juliusdavies.ca have no relationship to -the Apache Software Foundation, but all code is licensed under ASL 2.0. -
-The ASN.1 parsing code - -comes directly from BouncyCastle (bouncycastle.org). Our only modification to this -code was an accidental "reformat" to bring it inline with our code style. Also, in two places, we switched the BC code -to use our Hex.java -for encoding/decoding instead of their own. -The PKCS12 key derivation function (for some PKCS8 version 1.5 encrypted keys) also comes from BouncyCastle. -Presumably they got it from RSA's PKCS12 specification -(ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-12/pkcs-12v1.pdf). -BouncyCastle maintains copyright over all the code used, but allows us to reuse and redistribute -(the BouncyCastle license is compatible with ASL 2.0). We are very thankful for their excellent code. -
- -Not-Yet-Commons-SSL would never have happened without Oleg Kalnichevski's excellent -"contrib" -example in the HttpComponents SVN repository. -His -AuthSSLProtocolSocketFactory.java - -and -AuthSSLX509TrustManager.java -examples -were the seeds for all of this. Evil Comrade Oleg's Javadocs on those classes were also extremely helpful. We -only one day hope that we can write Javadocs like that (hopefully by 0.7.0!). -
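Review bot: the pages removed in this part of the patch are the only visible description of the library's certificate-checking switches, ssl.setCheckCRL( true/false ), ssl.setCheckExpiry( true/false ) and ssl.setCheckHostname( true/false ), and of the warning that all versions should be considered "Alpha" quality and may have security issues. If the library code itself stays under 3rdparty/not-yet-commons-ssl after this commit, suggest leaving a short README that keeps that warning and points to the upstream documentation (the removed text gives http://juliusdavies.ca/commons-ssl/download.html) rather than dropping the docs without a trace.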
- - http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/docs/openssl/compare.txt ---------------------------------------------------------------------- diff --git a/3rdparty/not-yet-commons-ssl/docs/openssl/compare.txt b/3rdparty/not-yet-commons-ssl/docs/openssl/compare.txt deleted file mode 100644 index 40c469d..0000000 --- a/3rdparty/not-yet-commons-ssl/docs/openssl/compare.txt +++ /dev/null @@ -1,28 +0,0 @@ - -Performance of org.apache.commons.ssl.OpenSSL.decrypt() - -Decrypting the same 946MB Base64 DES-3 encrypted file. - - -OpenSSL 0.9.7l 28 Sep 2006 --------------------- -real 1m40.578s -user 1m34.223s -sys 0m04.039s - - -not-yet-commons-ssl-0.3.10 -(22% slower than OpenSSL!) --------------------- -real 2m03.270s -user 1m56.959s -sys 0m03.605s - - -not-yet-commons-ssl-0.3.9 -(3,000% slower than OpenSSL!) --------------------- -real 50m47.424s -user 18m47.687s -sys 31m30.298s - http://git-wip-us.apache.org/repos/asf/directory-kerberos/blob/bc5c276e/3rdparty/not-yet-commons-ssl/docs/openssl/profile.3.10 ---------------------------------------------------------------------- diff --git a/3rdparty/not-yet-commons-ssl/docs/openssl/profile.3.10 b/3rdparty/not-yet-commons-ssl/docs/openssl/profile.3.10 deleted file mode 100644 index d52bd7d..0000000 --- a/3rdparty/not-yet-commons-ssl/docs/openssl/profile.3.10 +++ /dev/null 
@@ -1,72 +0,0 @@ -Flat profile of 140.04 secs (12528 total ticks): main - - Interpreted + native Method - 0.7% 0 + 90 java.io.FileOutputStream.writeBytes - 0.4% 0 + 56 java.io.FileInputStream.readBytes - 0.2% 0 + 24 java.lang.System.arraycopy - 0.0% 5 + 0 org.apache.commons.ssl.ComboInputStream.read - 0.0% 4 + 0 com.sun.crypto.provider.SunJCE_h.a - 0.0% 3 + 0 javax.crypto.CipherInputStream.available - 0.0% 2 + 0 com.sun.crypto.provider.SunJCE_h.a - 0.0% 2 + 0 org.apache.commons.ssl.Base64.decodeBase64 - 0.0% 0 + 2 java.io.FileInputStream.read - 0.0% 2 + 0 java.io.PrintStream.write - 0.0% 0 + 2 java.lang.String.intern - 0.0% 2 + 0 com.sun.crypto.provider.SunJCE_e.a - 0.0% 1 + 0 java.math.BigInteger.addOne - 0.0% 1 + 0 java.util.HashMap.getEntry - 0.0% 1 + 0 java.lang.String.Not-Yet-Commons-SSL has an implementation of PBE ("password based encryption") that is 100% -compatible with OpenSSL's command-line "enc" utility. PBE is a form of symmetric encryption where -the same key or password is used to encrypt and decrypt the file. -
-
-We are also compatible with openssl enc -K [key] -iv [IV]
, where the key and IV are provided explicitly,
-instead of being derived from a password. Look for encrypt()/decrypt() methods that take
-byte[] key, byte[] iv
-instead of char[] password.
-
-
Please visit the Quick-FAQ if you are having problems.
- - -PBE code example (DES-3):*
-
-char[] password = {'c','h','a','n','g','e','i','t'};
-byte[] data = "Hello World!".getBytes();
-
-// Encrypt!
-byte[] encrypted = OpenSSL.encrypt("des3", password, data);
-System.out.println("ENCRYPTED: [" + new String(encrypted) + "]");
-
-// Decrypt results of previous!
-data = OpenSSL.decrypt("des3", password, encrypted);
-System.out.println("DECRYPTED: [" + new String(data) + "]");
-
-
-OUTPUT:
-=======================
-ENCRYPTED: [U2FsdGVkX19qplb9qVDVVEYxH8wjJDGpMS+F4/2pS2c=]
-DECRYPTED: [Hello World!]
-
-* - This code example is not quite right.
-
-Some notes: -
openssl enc -K [key] -iv [IV]
" where key and iv
- are explicitly provided, rather than being derived from a password. The [key] and [IV] should be specified
- in either raw binary, or hexidecimal (4 bits per character). This isn't really PBE anymore, but it's a
- common use case.Here's a list of supported OpenSSL ciphers. The purple ones require the BouncyCastle JCE. -The red ones (desx, desx-cbc) probably require RSA's BSAFE JCE, -and have not been tested. -
--aes-128-cbc aes-128-cfb -aes-128-cfb8 aes-128-ecb aes-128-ofb -aes-192-cbc aes-192-cfb -aes-192-cfb8 aes-192-ecb aes-192-ofb -aes-256-cbc aes-256-cfb -aes-256-cfb8 aes-256-ecb aes-256-ofb -aes128 aes192 aes256 -bf bf-cbc bf-cfb -bf-ecb bf-ofb blowfish -camellia-128-cbc camellia-128-cfb -camellia-128-cfb8 camellia-128-ecb camellia-128-ofb -camellia-192-cbc camellia-192-cfb -camellia-192-cfb8 camellia-192-ecb camellia-192-ofb -camellia-256-cbc camellia-256-cfb -camellia-256-cfb8 camellia-256-ecb camellia-256-ofb -camellia128 camellia192 camellia256 -cast cast-cbc cast5-cbc -cast5-cfb cast5-ecb cast5-ofb -des des-cbc des-cfb - des-cfb8 des-ecb -des-ede des-ede-cbc des-ede-cfb -des-ede-ofb des-ede3 des-ede3-cbc -des-ede3-cfb des-ede3-ofb des-ofb -des3 desx desx-cbc -idea idea-cbc idea-cfb -idea-ecb idea-ofb rc2 -rc2-40-cbc rc2-64-cbc rc2-cbc -rc2-cfb rc2-ecb rc2-ofb -rc4 rc4-40 rc5 -rc5-cbc rc5-cfb rc5-ecb -rc5-ofb -- -
Here are some additional ciphers supported by BouncyCastle, but not by OpenSSL:
--cast6 -gost (aka: gost28147) -rc6 -seed -serpent -skipjack -tea -twofish -xtea -- -
-Other Downloads --You can use DES-3 (168 bit keys) without -installing the extra policy files. -
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6 -
-boolean useBase64 = true; -boolean useSalt = false; // Omitting the salt is bad for security! -byte[] result = OpenSSL.encrypt(alg, pwd, data, useBase64, useSalt); --
PBE example (DES-3): - -char[] password = {'c','h','a','n','g','e','i','t'}; -byte[] data = "Hello World!".getBytes("UTF-8"); - -// Encrypt! -byte[] encrypted = OpenSSL.encrypt("des3", password, data); -System.out.println("ENCRYPTED: [" + new String(encrypted, "UTF-8") + "]"); - -// Decrypt results of previous! -data = OpenSSL.decrypt("des3", password, encrypted); -System.out.println("DECRYPTED: [" + new String(data, "UTF-8") + "]"); - -OUTPUT: -====================== -ENCRYPTED: [U2FsdGVkX19qplb9qVDVVEYxH8wjJDGpMS+F4/2pS2c=] -DECRYPTED: [Hello World!] --
"org.apache.commons.ssl.Ping" contains a main method to help you diagnose SSL issues. -It's modeled on OpenSSL's very handy "s_client" utility. We've been very careful to -make sure "org.apache.commons.ssl.Ping" can execute without any additional jar files -on the classpath (except if using Java 1.3 - then you'll need jsse.jar).
- -"Ping" Utility Attempts "HEAD / HTTP/1.1" Request -This utility is very handy because it can get you the server's public -certificate even if your client certificate is bad (so even though the SSL -handshake fails). And unlike "openssl s_client", this utility can bind -against any IP address available. - -Usage: java -jar not-yet-commons-ssl-0.3.13.jar [options] -Version: 0.3.13 Compiled: [PDT:2014-05-08/14:15:16.000] -Options: (*=required) -* -t --target [hostname[:port]] default port=443 - -b --bind [hostname[:port]] default port=0 "ANY" - -r --proxy [hostname[:port]] default port=80 - -tm --trust-cert [path to trust material] {pem, der, crt, jks} - -km --client-cert [path to client's private key] {jks, pkcs12, pkcs8} - -cc --cert-chain [path to client's cert chain for pkcs8/OpenSSL key] - -p --password [client cert password] - -h --host-header [http-host-header] in case -t is an IP address - -u --path [path for GET/HEAD request] default=/ - -m --method [http method to use] default=HEAD - -Example: - -java -jar commons-ssl.jar -t host.com:443 -c ./client.pfx -p `cat ./pass.txt`
TODO:
Apparently Java 6.0 includes support for grabbing passwords from
-standard-in without echoing the typed characters. Would be nice to use that feature when it's
-available, instead of requiring the password to be specified as a command-line argument.
java -cp not-yet-commons-ssl-0.3.13.jar org.apache.commons.ssl.KeyStoreBuilder
KeyStoreBuilder converts PKCS12 and PKCS8 to Java "Keystore", and vice versa. -KeyStoreBuilder: creates '[alias].jks' (Java Key Store) - -topk8 mode: creates '[alias].pem' (x509 chain + unencrypted pkcs8) -[alias] will be set to the first CN value of the X509 certificate. -------------------------------------------------------------------- -Usage1: [password] [file:pkcs12] -Usage2: [password] [file:private-key] [file:certificate-chain] -Usage3: -topk8 [password] [file:jks] -------------------------------------------------------------------- -[private-key] can be openssl format, or pkcs8. -[password] decrypts [private-key], and also encrypts outputted JKS file. -All files can be PEM or DER.
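Review bot: two usage caveats disappear with the PBE and Ping pages and are worth checking against any callers in this repository: the PBE page's "boolean useSalt = false; // Omitting the salt is bad for security!" for OpenSSL.encrypt(alg, pwd, data, useBase64, useSalt), and the Ping TODO noting that the password is required as a command-line argument (-p --password). If code here calls OpenSSL.encrypt with useSalt set to false, or scripts invoke Ping or KeyStoreBuilder with a password argument, note that in the commit or a follow-up so the caveats are not lost along with the docs.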