From: "Julius Davies"
To: "HttpClient User Discussion"
Subject: Re: Certificate Based Client Authentication
Date: Thu, 8 Mar 2007 07:27:26 -0800
Message-ID: <598ad5b50703080727j49d11912mac823125c23967c7@mail.gmail.com>

Hi, Lalit,

Consider downloading "not-yet-commons-ssl-0.3.7.jar" from here:

http://juliusdavies.ca/commons-ssl/download.html

With "not-yet-commons-ssl-0.3.7.jar" on your classpath, you can do this:

------------------------------------------------------
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.ssl.HttpSecureProtocol;
import org.apache.commons.ssl.KeyMaterial;
import org.apache.commons.ssl.TrustMaterial;

// The KeyMaterial and TrustMaterial constructors throw
// GeneralSecurityException and IOException, so run this from a method
// that declares or handles them.
char[] pwd = "secret".toCharArray();

// Client certificate plus private key (PKCS12 file) used to authenticate us.
KeyMaterial km = new KeyMaterial( "/path/to/client_cert.p12", pwd );
// The server's certificate (PEM) that we are willing to trust.
TrustMaterial tm = new TrustMaterial( "/path/to/server_cert.pem" );

HttpSecureProtocol sf = new HttpSecureProtocol();
sf.setKeyMaterial( km );
sf.addTrustMaterial( tm );

// Alternatively, if you want to disable Java's standard "cacerts", you
// can use setTrustMaterial() instead of addTrustMaterial():
// sf.setTrustMaterial( tm );

ProtocolSocketFactory psf = sf;
Protocol specialHttps = new Protocol("https-special", psf, 443);
Protocol.registerProtocol("https-special", specialHttps);

// From this point on, HttpClient will use the client cert specified
// for all URLs of the form "https-special://".
------------------------------------------------------

If you don't have the server's X509 certificate on hand, you can download
the certificate straight from the server by using the "not-yet-commons-ssl"
Ping utility, documented here:

http://juliusdavies.ca/commons-ssl/utilities.html

However, be aware that acquiring and trusting a certificate in this way is
not secure, since someone could impersonate the server in that one moment.
It's better to acquire the server certificate "out-of-band" through the
mail or encrypted zip file or something like that. If you must acquire the
certificate using the "Ping" utility, at the very least call the server's
administrator and verify the fingerprint of the certificate you downloaded!

* * *

The rest of this email explains how to do things without
"not-yet-commons-ssl-0.3.7".

It's possible to do what you're doing without "not-yet-commons-ssl-0.3.7.jar",
and just using the contrib AuthSSLProtocolSocketFactory alone. If you want
to do things that way, create a special "TrustStore" JKS file and import the
server's certificate into it like so:

------------------------------------------------------
keytool -import -file x509.pem -keystore my_new_truststore.jks
------------------------------------------------------

The "x509.pem" file should look like this, but with several lines of
base64 - not just those two lines I've put in this example.

-----BEGIN CERTIFICATE-----
MIIGADCCA+gCCQDyLXt3uNXa9TANBgkqhkiG9w0BAQUFADCBwTELMAkGA1UEBhMC
Q0ExGTAXBgNVBAgTEEJyaXRpc2ggQ29sdW1iaWExEjAQBgNVBAcTCVZhbmNvdXZl
-----END CERTIFICATE-----

Keytool is a bit picky and might get upset if the PEM file contains
ANYTHING before or after the "BEGIN" and "END" lines, including whitespace.
Make sure there are no extra line-feeds or carriage returns before and
after the "BEGIN" and "END".
Once you have both the "keystore" and "truststore" ready (both are Java
keystore files), you can do this:

------------------------------------------------------
import java.net.URL;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;

// new URL(...) throws MalformedURLException; declare or handle it.
URL keystore = new URL( "file:///path/to/keystore.jks" );
URL truststore = new URL( "file:///path/to/truststore.jks" );
String key_pwd = "secret";
String trust_pwd = "changeit";

// keystore holds your client certificate and private key (JKS only);
// truststore holds the server certificate imported with keytool above.
AuthSSLProtocolSocketFactory sf;
sf = new AuthSSLProtocolSocketFactory( keystore, key_pwd, truststore, trust_pwd );
------------------------------------------------------

If your client certificate is in PKCS12 format (e.g. *.pfx or *.p12) after
exporting from a browser, you can use the KeyStoreBuilder utility in
"not-yet-commons-ssl-0.3.7" to convert it to "Java Keystore" format on the
command line. The original AuthSSLProtocolSocketFactory in HttpClient's
"contrib" cannot deal with PKCS12.

java -cp not-yet-commons-ssl-0.3.7.jar org.apache.commons.ssl.KeyStoreBuilder

Good luck!

yours,

Julius

On 3/8/07, Roland Weber wrote:
> Hello Lalit,
>
> Julius Davies has written some detailed mails about SSL in the last months.
> You may have to search the developer list as well as the user list.
>
> best regards,
>   Roland
>
>

--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
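As an added example (not from Julius's mail and not part of not-yet-commons-ssl or HttpClient), here is a JDK-only equivalent of the keytool import above that also enforces the fingerprint check he recommends: the downloaded PEM certificate is written into a JKS truststore only if its SHA-256 fingerprint matches the value confirmed out-of-band. The file paths, the "server" alias and the expected fingerprint are placeholders.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class PinnedTrustStore {

    // Render a digest the way keytool prints fingerprints: "AB:CD:EF:...".
    static String fingerprint(X509Certificate cert, String algorithm) throws Exception {
        byte[] digest = MessageDigest.getInstance(algorithm).digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i] & 0xff));
        }
        return sb.toString();
    }

    // Read the PEM certificate, compare its SHA-256 fingerprint with the value
    // confirmed out-of-band (e.g. by phoning the server's administrator), and
    // only then write a JKS truststore holding that single certificate.
    static void buildTrustStore(String pemPath, String expectedSha256,
                                String jksPath, char[] jksPassword) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(pemPath)) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(in);
        }
        String actual = fingerprint(cert, "SHA-256");
        if (!actual.equalsIgnoreCase(expectedSha256)) {
            throw new SecurityException("fingerprint mismatch for " + pemPath
                    + ": expected " + expectedSha256 + " but file has " + actual);
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                 // start from an empty keystore
        ks.setCertificateEntry("server", cert);
        try (FileOutputStream out = new FileOutputStream(jksPath)) {
            ks.store(out, jksPassword);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder values: substitute your own paths and the fingerprint you verified.
        buildTrustStore("/path/to/x509.pem",
                "<SHA-256 fingerprint confirmed with the server administrator>",
                "/path/to/my_new_truststore.jks", "changeit".toCharArray());
    }
}
```

The resulting file is the truststore.jks that the AuthSSLProtocolSocketFactory snippet above loads, so a certificate whose fingerprint was never confirmed can never end up being trusted by the client.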