hc-httpclient-users mailing list archives

From "Lalit Sahoo" <lali...@sonata-software.com>
Subject RE: Certificate Based Client Authentication
Date Thu, 08 Mar 2007 15:35:41 GMT
Hi Julius,

Thanks for the response!

You have advised me to do it this way:

URL keystore = new URL( "file:///path/to/keystore.jks" );
URL truststore = new URL( "file:///path/to/truststore.jks" );
String key_pwd = "secret";
String trust_pwd = "changeit";

AuthSSLProtocolSocketFactory sf;
sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore, trust_pwd );


Suppose I don't want to authenticate the server; then I should use it as below:


AuthSSLProtocolSocketFactory sf;
sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, null, null );

But I am getting an SSL handshake error.

Could you please help?

Regards,
Lalit

-----Original Message-----
From: Julius Davies [mailto:juliusdavies@gmail.com] 
Sent: Thursday, March 08, 2007 8:57 PM
To: HttpClient User Discussion
Subject: Re: Certificate Based Client Authentication

Hi, Lalit,

Consider downloading "not-yet-commons-ssl-0.3.7.jar"  from here:

http://juliusdavies.ca/commons-ssl/download.html

With "not-yet-commons-ssl-0.3.7.jar" on your classpath, you can do this:

------------------------------------------------------
char[] pwd = "secret".toCharArray();
KeyMaterial km = new KeyMaterial( "/path/to/client_cert.p12", pwd );
TrustMaterial tm = new TrustMaterial( "/path/to/server_cert.pem" );

HttpSecureProtocol sf = new HttpSecureProtocol();
sf.setKeyMaterial( km );
sf.addTrustMaterial( tm );
		
// Alternatively, if you want to disable Java's standard "cacerts", you
// can use setTrustMaterial() instead of addTrustMaterial():
// sf.setTrustMaterial( tm );
				
ProtocolSocketFactory psf = sf;
Protocol specialHttps = new Protocol("https-special", psf, 443);
Protocol.registerProtocol("https-special", specialHttps);

// From this point on, HttpClient will use the client cert specified
// for all URL's of the form "https-special://".
------------------------------------------------------

If you don't have the server's X509 certificate on hand, you can
download the certificate straight from the server by using the
"not-yet-commons-ssl" Ping utility, documented here:

http://juliusdavies.ca/commons-ssl/utilities.html

However, be aware that acquiring and trusting a certificate in this
way is not secure, since someone could impersonate the server in that
one moment.  It's better to acquire the server certificate
"out-of-band" through the mail or encrypted zip file or something like
that.

If you must acquire the certificate using the "Ping" utility, at the
very least call the server's administrator and verify the fingerprint
of the certificate you downloaded!

* * *

The rest of this email explains how to do things without
"not-yet-commons-ssl-0.3.7".

It's possible to do what you're doing without
"not-yet-commons-ssl-0.3.7.jar", and just using the contrib
AuthSSLProtocolSocketFactory alone.  If you want to do things that
way, create a special "TrustStore" JKS file and import the server's
certificate into it like so:

------------------------------------------------------
keytool -import -file x509.pem -keystore my_new_truststore.jks
------------------------------------------------------

The "x509.pem" file should look like this, but with several lines of
base64 - not just those two lines I've put in this example.

-----BEGIN CERTIFICATE-----
MIIGADCCA+gCCQDyLXt3uNXa9TANBgkqhkiG9w0BAQUFADCBwTELMAkGA1UEBhMC
Q0ExGTAXBgNVBAgTEEJyaXRpc2ggQ29sdW1iaWExEjAQBgNVBAcTCVZhbmNvdXZl
-----END CERTIFICATE-----

Keytool is a bit picky and might get upset if the PEM file contains
ANYTHING before or after the "BEGIN" and "END" lines, including
whitespace.  Make sure there are no extra line-feeds or carriage
returns before and after the "BEGIN" and "END".

Once you have both the "keystore" and "truststore" ready (both are
java keystore files), you can do this:

------------------------------------------------------
URL keystore = new URL( "file:///path/to/keystore.jks" );
URL truststore = new URL( "file:///path/to/truststore.jks" );
String key_pwd = "secret";
String trust_pwd = "changeit";		

AuthSSLProtocolSocketFactory sf;
sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore, trust_pwd );
------------------------------------------------------

If your client certificate is in PKCS12 format (e.g. *.pfx or *.p12)
after exporting from a browser, you can use the KeyStoreBuilder
utility in "not-yet-commons-ssl-0.3.7" to convert it to "Java
Keystore" format on the command line.  The original
AuthSSLProtocolSocketFactory in HttpClient's "contrib" cannot deal
with PKCS12.

java -cp not-yet-commons-ssl-0.3.7.jar org.apache.commons.ssl.KeyStoreBuilder


Good luck!


yours,

Julius


On 3/8/07, Roland Weber <ROLWEBER@de.ibm.com> wrote:
> Hello Lalit,
>
> Julius Davies has written some detailed mails about SSL in the last months.
> You may have to search the developer list as well as the user list.
>
> best regards,
>   Roland
>
>
>


-- 
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org
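Added example (mine; not code from this thread, from HttpClient or from not-yet-commons-ssl): the same client-cert setup built directly on JSSE and plugged into HttpClient 3.x through SecureProtocolSocketFactory, the way Julius's snippet registers a special protocol, plus the check his warning asks for: the truststore is refused unless its certificate's SHA-256 fingerprint matches the value the server's administrator gave you out-of-band. On the null-truststore variant in the question: as I read the contrib AuthSSLProtocolSocketFactory, a null truststore URL just means no custom trust managers are built, and SSLContext.init() with null trust managers falls back to the JVM's default cacerts. That is not "don't authenticate the server", so a self-signed or private-CA server certificate still fails the handshake. Note also that keytool -import prints the certificate's fingerprints and asks "Trust this certificate?" before adding it; that prompt is the moment to compare against the admin's value. All paths, passwords, the host name and the EXPECTED_FINGERPRINT placeholder below are assumptions.

```java
import java.io.*;
import java.net.*;
import java.security.*;
import java.security.cert.Certificate;
import java.util.*;
import javax.net.ssl.*;
import org.apache.commons.httpclient.ConnectTimeoutException;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;

/** Client-cert HTTPS for HttpClient 3.x on plain JSSE, with the server cert pinned by fingerprint. */
public class PinnedClientCertSocketFactory implements SecureProtocolSocketFactory {

    // Placeholder (assumption): the SHA-256 fingerprint the server's administrator gave you out-of-band.
    static final String EXPECTED_FINGERPRINT = "<sha256 fingerprint verified with the server admin>";

    private final SSLSocketFactory delegate;

    public PinnedClientCertSocketFactory(SSLContext ctx) {
        this.delegate = ctx.getSocketFactory();
    }

    /** Load a keystore; type is "PKCS12" for *.p12/*.pfx, "JKS" for files written by keytool. */
    static KeyStore load(String path, String type, char[] pwd) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try { ks.load(in, pwd); } finally { in.close(); }
        return ks;
    }

    /** SHA-256 over the DER encoding, printed the way keytool and openssl print it: AB:CD:... */
    static String sha256Fingerprint(Certificate cert) throws GeneralSecurityException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < d.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", d[i]));
        }
        return sb.toString();
    }

    /** Refuse the truststore unless every entry matches a fingerprint verified out-of-band. */
    static void requirePinned(KeyStore truststore, Set<String> expected) throws GeneralSecurityException {
        for (Enumeration<String> e = truststore.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            String fp = sha256Fingerprint(truststore.getCertificate(alias));
            if (!expected.contains(fp)) {
                throw new GeneralSecurityException("truststore entry '" + alias + "' has unexpected fingerprint " + fp);
            }
        }
    }

    /** Key managers present the client cert; trust managers decide which servers are accepted. */
    static SSLContext buildContext(KeyStore keystore, char[] keyPwd, KeyStore truststore) throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keystore, keyPwd);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(truststore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // Passing null instead of tmf.getTrustManagers() here selects the JVM default cacerts, not "no check".
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    // The four methods HttpClient 3.x calls on a SecureProtocolSocketFactory; all delegate to JSSE.
    public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort) throws IOException {
        return delegate.createSocket(host, port, localAddr, localPort);
    }
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort,
                               HttpConnectionParams params) throws IOException {
        Socket s = delegate.createSocket();   // unconnected, so HttpClient's connect timeout can be applied
        s.bind(new InetSocketAddress(localAddr, localPort));
        try {
            s.connect(new InetSocketAddress(host, port), params == null ? 0 : params.getConnectionTimeout());
        } catch (SocketTimeoutException ex) {
            throw new ConnectTimeoutException("connect to " + host + ":" + port + " timed out", ex);
        }
        return s;
    }
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
        return delegate.createSocket(socket, host, port, autoClose);
    }

    public static void main(String[] args) throws Exception {
        char[] keyPwd = "secret".toCharArray();
        KeyStore keystore = load("/path/to/client_cert.p12", "PKCS12", keyPwd);
        KeyStore truststore = load("/path/to/my_new_truststore.jks", "JKS", "changeit".toCharArray());
        requirePinned(truststore, Collections.singleton(EXPECTED_FINGERPRINT));   // fails closed on a wrong cert
        ProtocolSocketFactory psf = new PinnedClientCertSocketFactory(buildContext(keystore, keyPwd, truststore));
        Protocol.registerProtocol("https-special", new Protocol("https-special", psf, 443));
        GetMethod get = new GetMethod("https-special://server.example/secure/");   // host is a placeholder
        try { System.out.println(new HttpClient().executeMethod(get)); } finally { get.releaseConnection(); }
    }
}
```

The fingerprint check runs before the SSLContext is even built, so a truststore populated from a cert that was grabbed off the wire in "that one moment" Julius describes is rejected unless its fingerprint is the one you confirmed with the administrator. The cast to ProtocolSocketFactory is there for the same reason as in Julius's snippet: Protocol has an overload taking SecureProtocolSocketFactory that is deprecated in 3.x.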

