net.sf.basedb.util.ssl
Class SSLUtil

java.lang.Object
  net.sf.basedb.util.ssl.SSLUtil

public class SSLUtil
extends Object

Utility class for working with SSL connections.

Since:

2.16

Author:

Nicklas

Last modified

$Date: 2010-06-16 14:28:36 +0200 (Wed, 16 Jun 2010) $

Field Summary

private static KeyManager[]	defaultKeyManagers
private static org.apache.http.conn.ssl.SSLSocketFactory	defaultSocketFactory
private static TrustManager[]	defaultTrustManagers

Constructor Summary

SSLUtil()

Method Summary

private static KeyManager[]	createKeyManagers(KeyStore keyStore, String password, String provider, String algorithm)
static KeyStore	createKeyStore(InputStream store, String password, String type, String provider) Create a key-store from the given input stream
private static TrustManager[]	createTrustManagers(KeyStore keyStore, String provider, String algorithm)
static Certificate	getCertificate(InputStream cert, String type, String provider) Get the certificate that is found in the given input stream.
private static KeyManager[]	getDefaultKeyManagers() Get the default keys manages as configured in the base.config file by ssl.keystore.* settings.
private static TrustManager[]	getDefaultTrustManagers() Get the default trust manages as configured in the base.config file by ssl.truststore.* settings.
static org.apache.http.conn.ssl.SSLSocketFactory	getSSLSocketFactory() Get a SSL Socket Factory object that is used to create SSL sockets.
static org.apache.http.conn.ssl.SSLSocketFactory	getSSLSocketFactory(byte[] serverCertificate, byte[] clientCertificate, String clientCertificatePassword) Create a SSL socket factory that optionally uses the given trusted server certificate and client certificate.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

defaultKeyManagers

private static KeyManager[] defaultKeyManagers

defaultTrustManagers

private static TrustManager[] defaultTrustManagers

defaultSocketFactory

private static org.apache.http.conn.ssl.SSLSocketFactory defaultSocketFactory

Constructor Detail

SSLUtil

public SSLUtil()

Method Detail

getSSLSocketFactory

public static org.apache.http.conn.ssl.SSLSocketFactory getSSLSocketFactory()

Get a SSL Socket Factory object that is used to create SSL sockets. Typical usage is:

URL u = ... // A https url
URLConnection conn = u.openConnection();
if (conn instanceof HttpsURLConnection)
{
  ((HttpsURLConnection)conn).setSSLSocketFactory(SSLUtil.getSSLSocketFactory());
}

Unless a key-store and/or trust-store has been configured this method returns a default socket factory provided by HttpsURLConnection.getDefaultSSLSocketFactory().

A key-store is used to store personal certificates that are used for authentication with the server. A key-store can be setup with the following configuration options in base.config.

• ssl.keystore.file: The full path to a file containing certificate keys.
• ssl.keystore.password: The password that is required to unlock the certificates. All certificates must use the same password.
• ssl.keystore.type (optional): The type of the keystore. The default value is 'JKS'.
• ssl.keystore.provider (optional): The cryptographic provider implementation to use. If not specified the list of registered providers is searched.
• ssl.keystore.algorithm (optional): The encryption algorithm used in the keystore. If not specified, 'SunX509' is used.

A trust-store is used to store public certificates of of servers that are trusted. The default trust-store uses the certificates that are shipped with the java runtime in $JAVA_HOME/jre/lib/security/cacerts. A trust-store can be setup with the following configuration options in base.config.

• ssl.truststore.file: The full path to a file containing the certificates.
• ssl.truststore.password: The password that is required to unlock the certificates. All certificates must use the same password.
• ssl.truststore.type (optional): The type of the keystore. The default value is 'JKS'.
• ssl.truststore.provider (optional): The cryptographic provider implementation to use. If not specified the list of registered providers is searched.
• ssl.truststore.algorithm (optional): The encryption algorithm used in the keystore. If not specified, 'PKIX' is used.

For more information about algorithms, keystore types, etc. see Java Secure Socket Extension Reference Guide

Returns:

A SSL socket factory

getSSLSocketFactory

public static org.apache.http.conn.ssl.SSLSocketFactory getSSLSocketFactory(byte[] serverCertificate,
                                                                            byte[] clientCertificate,
                                                                            String clientCertificatePassword)

Create a SSL socket factory that optionally uses the given trusted server certificate and client certificate. If both parameters are null then the socket factory from getSSLSocketFactory() is returned.

Parameters:

serverCertificate - The trusted server certificate data or null to use the default trusted certificates (see getSSLSocketFactory(). The data must represent a X.509 certificate in binary or base64-encoded DER format

clientCertificate - The client certificate to use for authorization with the server or null to use the default certificates. The data must represent a PKCS #12 cretificate in binary form

clientCertificatePassword - A password used to unlock the client certificate

Returns:

A socket factory

getDefaultTrustManagers

private static TrustManager[] getDefaultTrustManagers()
                                               throws KeyStoreException,
                                                      NoSuchAlgorithmException,
                                                      CertificateException,
                                                      NoSuchProviderException,
                                                      IOException

Get the default trust manages as configured in the base.config file by ssl.truststore.* settings.

Returns:

An array with trust managers or null if no trust-store file has been configured

Throws:

KeyStoreException

NoSuchAlgorithmException

CertificateException

NoSuchProviderException

IOException

getDefaultKeyManagers

private static KeyManager[] getDefaultKeyManagers()
                                           throws UnrecoverableKeyException,
                                                  KeyStoreException,
                                                  NoSuchAlgorithmException,
                                                  CertificateException,
                                                  NoSuchProviderException,
                                                  IOException

Get the default keys manages as configured in the base.config file by ssl.keystore.* settings.

Returns:

An array with key managers or null if no key-store file has been configured

Throws:

UnrecoverableKeyException

KeyStoreException

NoSuchAlgorithmException

CertificateException

NoSuchProviderException

IOException

createKeyStore

public static KeyStore createKeyStore(InputStream store,
                                      String password,
                                      String type,
                                      String provider)
                               throws KeyStoreException,
                                      NoSuchProviderException,
                                      NoSuchAlgorithmException,
                                      CertificateException,
                                      IOException

Create a key-store from the given input stream

Parameters:

store - The stream with key-store data

password - The password to unlock the keystore

Returns:

A KeyStore object

Throws:

KeyStoreException

NoSuchProviderException

NoSuchAlgorithmException

CertificateException

IOException

getCertificate

public static Certificate getCertificate(InputStream cert,
                                         String type,
                                         String provider)
                                  throws CertificateException,
                                         NoSuchProviderException

Get the certificate that is found in the given input stream.

Parameters:

cert - The stream with the certificate information

type - The type of the certificate, usually "X.509"

Returns:

A Certificate object (can usually be subclassed to X509Certificate

Throws:

CertificateException

NoSuchProviderException

createKeyManagers

private static KeyManager[] createKeyManagers(KeyStore keyStore,
                                              String password,
                                              String provider,
                                              String algorithm)
                                       throws KeyStoreException,
                                              NoSuchAlgorithmException,
                                              CertificateException,
                                              IOException,
                                              UnrecoverableKeyException,
                                              NoSuchProviderException

Throws:

KeyStoreException

NoSuchAlgorithmException

CertificateException

IOException

UnrecoverableKeyException

NoSuchProviderException

createTrustManagers

private static TrustManager[] createTrustManagers(KeyStore keyStore,
                                                  String provider,
                                                  String algorithm)
                                           throws KeyStoreException,
                                                  NoSuchAlgorithmException,
                                                  CertificateException,
                                                  IOException,
                                                  NoSuchProviderException

Throws:

KeyStoreException

NoSuchAlgorithmException

CertificateException

IOException

NoSuchProviderException