Thanks for your replies!  I haven't bit the maven bullet yet.  Right
now I've got the binary jar, and the full-source zip hosted directly
off "http://juliusdavies.ca/commons-ssl/".

http://juliusdavies.ca/commons-ssl/not-yet-commons-ssl-0.3.7.zip
http://juliusdavies.ca/commons-ssl/not-yet-commons-ssl-0.3.7.jar

To compile "not-yet-commons-ssl" depends on:

log4j
httpclient-3.0

I'm storing both of these jar files in the "zip" download for easy
building.  To build:

------------------------------------------
unzip not-yet-commons-ssl-0.3.7.zip
cd not-yet-commons-ssl-0.3.7
ant
------------------------------------------

At runtime "not-yet-commons-ssl" has no dependencies.


In fact we have two requirements that this seems to meet:

1) easily using different certs on different connections

I tried to make loading client certs as easy as possible by supporting
all the formats.  Take a look at this page:
http://juliusdavies.ca/commons-ssl/pkcs8.html

Here's an example loading all the different client cert formats:

// Java Keystore
KeyMaterial km = new KeyMaterial( "my.keystore", pwd );


// PKCS12 (Microsoft .pfx or Netscape .p12)
KeyMaterial km = new KeyMaterial( "my.pfx", pwd );


// OpenSSL key + chain all in one:
// http://juliusdavies.ca/commons-ssl/samples/pkcs12/pkcs12_client_cert.pem
KeyMaterial km = new KeyMaterial( "rsa_key_and_chain.pem", pwd );


Notice how the consumer never has to specify the type.  It's the same
constructor every time - String, char[] - and yet it figures
everything out.  If the provided arguments are meant to become a
private key and associated certificate chain, not-yet-commons-ssl will
figure it out.

More formats!  (Doesn't actually matter which argument is private-key
and which is cert-chain, but I thought I might as well pretend it
matters to help keep users from going insane.)


// OpenSSL private-key PEM and cert-chain PEM
// http://juliusdavies.ca/commons-ssl/samples/rsa/openssl_rsa_des3_cbc.pem
//
// Or instead of OpenSSL 'traditional' format, you can do PKCS8 in PEM:
// http://juliusdavies.ca/commons-ssl/samples/rsa/pkcs8v2_rsa_des3.pem
//
// Don't forget the cert-chain that goes with the private key:
// http://juliusdavies.ca/commons-ssl/samples/x509/certificate_chain.pem
KeyMaterial km = new KeyMaterial( "rsa_key.pem", "x509chain.pem", pwd );


// OpenSSL DER instead of PEM
// (Warning: the DER links are ugly binary files that confuse browsers).
// http://juliusdavies.ca/commons-ssl/samples/rsa/pkcs8v2_rsa_des3.der
// http://juliusdavies.ca/commons-ssl/samples/x509/certificate.der
KeyMaterial km = new KeyMaterial( "pkcs8_rsa_key.der", "x509chain.der", pwd );


// OpenSSL DER and PEM!  :-)
// http://juliusdavies.ca/commons-ssl/samples/rsa/pkcs8v2_rsa_des3.der
// http://juliusdavies.ca/commons-ssl/samples/x509/certificate.pem
KeyMaterial km = new KeyMaterial( "pkcs8_rsa_key.der", "x509chain.pem", pwd );


// OpenSSL PEM and DER!  (Okay, just making noise on your mailing list - sorry!)
// http://juliusdavies.ca/commons-ssl/samples/rsa/pkcs8v2_rsa_des3.pem
// http://juliusdavies.ca/commons-ssl/samples/x509/certificate.der



SSLClient client = new SSLClient();
client.setKeyMaterial( km );


That's for the client's private key + certificate.  But what server
certificates should the client trust?  You can quickly disable the
standard "cacerts" for even better security!

client.setTrustMaterial( new TrustMaterial( "/path/to/cert.pem" ) );

Or you can trust everything (very insecure):

client.setTrustMaterial( TrustMaterial.TRUST_ALL );

I think the flexibility of this library suits it well for web-services
where the SSL can range from extremely insecure (dev environments) to
extremely secure (mutual auth with standard "cacerts" disabled and CRL
checking enabled).

We'll probably have the OCSP working in a month or two, as well.


2) working on any recent JDK, not just 1.5

I probably have to always support Java 1.3 due to requirements where I
work.  But the library switches to the Java 1.4 JSSE packages
(javax.net.ssl.*) if they are available.


yours,

Julius


On 2/25/07, Asankha C. Perera <[EMAIL PROTECTED]> wrote:

Hi Julius

I am not subscribed to jakarta-general but am in the apache incubator group
already, and would be glad to help you get into incubation if we can.
Synapse would like to be able to perform hostname verification and mutual
auth when it's possible with the NIO SSL module on which we are based now. Do
you place your alpha JARs into a Maven repo by any chance?

asankha



--
yours,

Julius Davies
416-652-0183
http://juliusdavies.ca/
http://juliusdavies.ca/commons-ssl/
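Added example, not code from not-yet-commons-ssl or from the mail above: the kind of byte-level sniffing a single "figures it out" KeyMaterial constructor has to do to tell JKS, PKCS12, PEM and DER apart (and, within DER, a certificate from a plain or encrypted PKCS#8 key). It works from the content rather than the file name, and it reports when a private key is sitting on disk with no password, which is the thing worth checking before you ship a dev keystore to production. All sample inputs are constructed toy ASN.1/PEM shapes with dummy payloads, not real keys or certificates; the function and field names are this example's own.

```python
"""Sniff the container of key/cert material from its bytes, the way a single
"figure it out" constructor must. Added example (not commons-ssl code); the
sample inputs are constructed toy structures, not real keys or certificates."""
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
JKS_MAGIC = b"\xfe\xed\xfe\xed"      # first four bytes of every Java KeyStore file


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits = count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the content octets of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        out.append((tag, inner))
    return out


def sniff(data):
    """Return {'container', 'contents', 'key_encrypted'} for raw key/cert bytes.
    key_encrypted is False when a private key is stored in the clear, True when
    it is password-protected, None when no key is present or it was not checked."""
    if data.startswith(JKS_MAGIC):            # JKS: magic, then version 1 or 2
        version = int.from_bytes(data[4:8], "big")
        return {"container": "JKS v%d" % version, "contents": ["keystore"], "key_encrypted": True}

    blocks = PEM_BLOCK.findall(data)
    if blocks:                                # one file may hold key + whole chain
        contents, encrypted = [], None
        for label, body in blocks:
            label = label.decode()
            if label == "CERTIFICATE":
                contents.append("certificate")
            elif label == "ENCRYPTED PRIVATE KEY":     # PKCS#8 EncryptedPrivateKeyInfo
                contents.append("pkcs8-key"); encrypted = True
            elif label == "PRIVATE KEY":               # PKCS#8 PrivateKeyInfo, in the clear
                contents.append("pkcs8-key"); encrypted = False
            elif label.endswith(" PRIVATE KEY"):       # OpenSSL "traditional" RSA/DSA/EC key
                contents.append("openssl-key")
                encrypted = b"Proc-Type: 4,ENCRYPTED" in body
            else:
                contents.append(label.lower())
        return {"container": "PEM", "contents": contents, "key_encrypted": encrypted}

    if len(data) < 2 or data[0] != 0x30:
        raise ValueError("not JKS, PEM or a DER SEQUENCE")
    tag, body, end = der_tlv(data)
    if end != len(data):
        raise ValueError("trailing bytes after DER SEQUENCE")
    kids = der_children(body)
    first_tag, first_val = kids[0]
    if first_tag == 0x02 and first_val == b"\x03":     # PFX ::= SEQUENCE { version 3, ... }
        return {"container": "PKCS12", "contents": ["keystore"], "key_encrypted": None}
    if first_tag == 0x02 and first_val in (b"\x00", b"\x01"):  # PrivateKeyInfo version
        return {"container": "DER", "contents": ["pkcs8-key"], "key_encrypted": False}
    if first_tag == 0x30 and len(kids) > 1:
        second_tag = kids[1][0]
        if second_tag == 0x04:   # SEQUENCE { AlgorithmIdentifier, OCTET STRING } = EncryptedPrivateKeyInfo
            return {"container": "DER", "contents": ["pkcs8-key"], "key_encrypted": True}
        if second_tag == 0x30:   # SEQUENCE { tbsCertificate, signatureAlgorithm, BIT STRING } = X.509
            return {"container": "DER", "contents": ["certificate"], "key_encrypted": None}
    raise ValueError("unrecognised DER structure")


# --- constructed toy inputs (correct outer shapes only; payload bytes are dummies) ---
def tlv(tag, content):
    """Encode one DER TLV for the samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

OID = tlv(0x06, b"\x2a\x03\x04")
SAMPLES = {
    "pkcs12.pfx": tlv(0x30, tlv(0x02, b"\x03") + tlv(0x30, OID)),
    "pkcs8_plain.der": tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, OID) + tlv(0x04, b"\x00" * 200)),
    "pkcs8_enc.der": tlv(0x30, tlv(0x30, OID + tlv(0x04, b"salt")) + tlv(0x04, b"\xff" * 16)),
    "cert.der": tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01"))
                      + tlv(0x30, OID) + tlv(0x03, b"\x00\xaa")),
    "rsa_des3.pem": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                     b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nQUJD\n-----END RSA PRIVATE KEY-----\n"),
    "key_and_chain.pem": (b"-----BEGIN PRIVATE KEY-----\nQUJD\n-----END PRIVATE KEY-----\n"
                          b"-----BEGIN CERTIFICATE-----\nQUJD\n-----END CERTIFICATE-----\n"),
    "my.keystore": JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 8,
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = sniff(raw)
        flag = "  <-- private key stored in the clear" if r["key_encrypted"] is False else ""
        print("%-18s %-8s %s%s" % (name, r["container"], ",".join(r["contents"]), flag))
```

The DER branch deliberately reads only the outer SEQUENCE and the tags of its first two children: that is enough to separate the four structures the mail lists without decoding any key material, so the sniffer can run on untrusted files before anything is handed to a key parser. PKCS#12 is reported with `key_encrypted` left as None because whether its SafeBags are encrypted is only known after parsing them with the password.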
