Writing a client-server application that uses SSL / TLS in Java without being able to use keytool


What I'm planning: writing a client-server application that uses an SSL (TLS) connection to exchange data.

As the client is downloadable, I can not guarantee access to a keystore, so I'm looking for a way to import certificates at runtime.

What I need:

  • a way to import the server's public key/certificate into the client application
  • a way to import the server's private key/certificate into the server application

What I have found out so far:

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Load the server's public certificate (PEM), exported from the HTTPS website
CertificateFactory cf = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) cf.generateCertificate(new FileInputStream("c:\\certificate.crt"));

// Load the PKCS12 key generated by openssl out of server.crt and server.key (private)
// (if the private key is stored in the PKCS file this is not a solution, as I need to ship the application)
KeyStore ks = KeyStore.getInstance("PKCS12");
ks.load(new FileInputStream("c:\\certificate.pkcs"), "password".toCharArray());
ks.setCertificateEntry("alias", cert);

TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
tmf.init(ks);

KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(ks, "password".toCharArray());

// Create the SSLContext used to establish the secure connection
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
```

This does not work for me; I'm getting the error:

java.security.KeyStoreException: TrustedCertEntry not supported
    at ks.setCertificateEntry("alias", cert);

Also, I think PKCS12 is used to store private keys, which is not what I want.

I'm new to Java and I'm stuck on this problem now.

thanks in advance,

kazuo

Sun's implementation of PKCS#12 does not allow you to store trusted certificates if they are not part of the chain of a private key.
If you need to use PKCS#12 you have to switch to a different provider, e.g. Bouncy Castle supports this.
If you do not have a requirement on the keystore type you can switch to JKS, Java's keystore, which allows you to set trusted certificates (i.e. ones that are not part of a private key entry).
JKS can use the default provider, i.e. Sun.

Update:
Your code would have to change as follows:

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;

// Assumed: the keystore password used for the temporary store
char[] password = "password".toCharArray();

// Create a temp keystore holding the server certificate
KeyStore ksTemp = KeyStore.getInstance("JKS");
ksTemp.load(null, null); // initialize an empty keystore
ksTemp.setCertificateEntry("alias", cert);
ByteArrayOutputStream bout = new ByteArrayOutputStream();
// Save the temp keystore (the original snippet wrote ks.store here, which is the PKCS12 store; it must be the temp store)
ksTemp.store(bout, password);

// Now create the keystore to be used by JSSE
KeyStore store = KeyStore.getInstance("JKS");
store.load(new ByteArrayInputStream(bout.toByteArray()), password);
```

Now use the keystore `store` in your code; it has the server's trusted certificate and not the private key.
In the comments in your code I noticed that you have a PKCS12 created using openssl?
If you have a p12 you can not use a "JKS" KeyManager.
You have to use PKCS12 and load the PKCS12 for use in the KMF.
You have to use 2 types in your app.
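The following is an added example (not code from the question or the answer above) that puts the answer's two-keystore approach into one runnable class: the client builds an in-memory JKS trust store from the PEM certificate, the server loads its private key from the openssl PKCS12 file, and each side gets its own SSLContext. Two points the thread does not spell out are included: a keystore initialized with `load(null, null)` can be handed to `TrustManagerFactory` directly, so the `store()`/`load()` round trip through a byte array is not required; and a trust manager only validates the certificate, not the peer's name, so the client enables endpoint identification before the handshake. File paths, the `server` alias, and the command-line argument handling in `main` are assumptions for the demonstration.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/** Builds client and server TLS contexts at runtime, without keytool. */
public final class RuntimeTlsContexts {

    /** Client side: a JKS trust store holding only the shipped server certificate (PEM). */
    public static SSLContext clientContext(Path serverCertPem) throws GeneralSecurityException, IOException {
        X509Certificate serverCert;
        try (InputStream in = Files.newInputStream(serverCertPem)) {
            serverCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        // load(null, null) yields an empty, initialized keystore that JSSE can use as-is.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        trustStore.load(null, null);
        trustStore.setCertificateEntry("server", serverCert); // alias "server" is an assumption

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: server authentication only
        return ctx;
    }

    /** Server side: private key plus certificate chain from the PKCS12 file produced by openssl. */
    public static SSLContext serverContext(Path p12File, char[] password) throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(p12File)) {
            keyStore.load(in, password);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // default trust managers; clients are not authenticated here
        return ctx;
    }

    /** Connects and verifies the hostname against the certificate, which the trust manager alone does not do. */
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // match host against the certificate's SAN/CN
        socket.setSSLParameters(params);
        socket.startHandshake();
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Assumed invocation: java RuntimeTlsContexts server.crt server.p12 <password> <host> <port>
        if (args.length != 5) {
            System.err.println("usage: RuntimeTlsContexts <server.crt> <server.p12> <password> <host> <port>");
            return;
        }
        char[] password = args[2].toCharArray();
        int port = Integer.parseInt(args[4]);

        SSLContext serverCtx = serverContext(Paths.get(args[1]), password);
        Arrays.fill(password, '\0'); // the key manager has what it needs; scrub the password
        SSLServerSocket listener = (SSLServerSocket) serverCtx.getServerSocketFactory().createServerSocket(port);
        new Thread(() -> {
            try (SSLSocket s = (SSLSocket) listener.accept()) {
                s.getOutputStream().write("hello over TLS\n".getBytes(StandardCharsets.UTF_8));
            } catch (IOException e) {
                e.printStackTrace();
            }
        }).start();

        SSLContext clientCtx = clientContext(Paths.get(args[0]));
        try (SSLSocket s = connect(clientCtx, args[3], port);
             BufferedReader r = new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8))) {
            System.out.println(r.readLine());
        }
    }
}
```

Because the trust store contains only the leaf certificate, the client effectively pins that one certificate: rotating the server certificate means shipping a new client, which is the trade-off of not relying on a CA. Taking the PKCS12 password from the command line is for the demonstration only; in a real deployment it would come from a protected configuration source.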

