--- /dev/null
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd">\r
+<html><head>\r
+<meta content="HTML Tidy for Solaris (vers 1st April 2003), see www.w3.org" name="generator">\r
+<link rel="stylesheet" type="text/css" href="../style/doc.css"><title>Configuring SSL in Jigsaw</title></head>\r
+\r
+<body>\r
+<div class="icons-w3c"><a href="http://www.w3.org/"><img src="/Icons/w3c_home" alt="W3C logo" border="0" height="48" width="72"></a></div>\r
+<div class="icons-jigsaw"><a href="http://www.w3.org/Jigsaw/"><img src="/Icons/jigsaw" alt="Jigsaw" border="0" height="49" width="212"></a></div>\r
+<div class="title">\r
+<h1 class="title">Jigsaw<br>\r
+<span class="subtitle">SSL configuration</span></h1>\r
+<hr align="left" noshade="noshade" width="70%">\r
+<a href="http://www.w3.org/Jigsaw/Overview.html">Jigsaw Home</a> /\r
+<a href="http://www.w3.org/Jigsaw/Doc/Overview.html">Documentation\r
+Overview</a></div>\r
+<div class="body">\r
+<p>In the first part of the tutorial, SSL is being configured for\r
+<b>server authentication</b>.<br>\r
+In the second part, the SSL configuration is extended for also\r
+providing <b>client authentication</b>.</p>\r
+<p>SSL configuration is a two-step process. First the SSL\r
+certificates need to be created, and then the jigsaw server needs\r
+to be configured.</p>\r
+<p><font color="red">Make sure that jdk 1.4.x or higher is being\r
+used.<br>\r
+When using jdk 1.2.x or 1.3.x, the JSSE jars must be available in\r
+the class path.<br>\r
+Optional client authentication or generic trust stores require at\r
+least jdk 1.5.x.</font></p>\r
+<p>We are going to be using the SSL implementation from Sun. Mainly\r
+the keytool\r
+(http://java.sun.com/j2se/1.4/docs/tooldocs/solaris/keytool.html)\r
+is used to configure the SSL certificates. If keytool is not in\r
+your default PATH, you can find it in the "bin" directory of your\r
+JDK installation.</p>\r
+<ol>\r
+<li>Create a directory under jigsaw for the <b>key store</b>\r
+keeping the server certificate, which is presented to accessing\r
+clients</li>\r
+<li>Run the jdk's keytool to first generate the self signed server\r
+certificate.<br>\r
+ In addition, the public/private key pair is generated during this\r
+process.Example:<br>\r
+ \r
+<div class="box"><code>keytool -genkey -alias troi.example.com\r
+-keypass example -keystore\r
+/opt/jigsaw/dev/Jigsaw/keystore/troi.keystore -keyalg\r
+RSA</code></div></li>\r
+<li>Run the keytool again to make a certificate request. This is\r
+what is sent to verisign or our own certificate authority. You can\r
+skip this if you want to sign it yourself.<!-- Example:</br>\r
+ <div class="box"><code>keytool -certreq -alias troi.example.com -keypass example -keystore\r
+ /opt/jigsaw/dev/Jigsaw/keystore/troi.keystore</code></div>\r
+-->\r
+Example - specifying the output is put into a file:<br>\r
+ \r
+<div class="box"><code>keytool -certreq -alias troi.example.com\r
+-keypass example -keystore\r
+/opt/jigsaw/dev/Jigsaw/keystore/troi.keystore -file\r
+troi.csr</code></div>\r
+It will output something like: \r
+<div class="box">\r
+<pre> -----BEGIN NEW CERTIFICATE REQUEST-----\r
+ MIICgTCCAj4CAQAwezELMAkGA1UEBhMCVVMxETAPBgAAAAgTCElsbGlub2lzMRYwFAYDVQQHEw1E\r
+ b3duZXJzIEdyb3ZlMRAwDgYDVQQKEwdQZXJzZWNvMRkwFwYDVQQLExBCdXNpbmVzcyBTeXN0ZW1z\r
+ MRQwEgYDVQQDEwtCcmlhbiBMYWlyZDCCAbgwggEsBgcqhkjOOAQBMIIBHwKBgQD9f1OBHXUSKVLf\r
+ Spwu7OTn9hG3UjzvRADDHj+AtlEmaUVdQCJR+1k9jVj6v8X1ujD2y5tVbNeBO4AdNG/yZmC3a5lQ\r
+ paSfn+gEexAiwk+7qdf+t8Yb+DtX58aophUPBPuD9tPFHsMCNVQTWhaRMvZ1864rYdcq7/IiAxmd\r
+ 0UgBxwIVAJdgUI8VIwvMspK5gqLrhAvwWBz1AoGBAPfhoIXWmz3ey7yrXDa4V7l5lK+7+jrqgvlX\r
+ TAs9B4JnUVlXjrrUWU/mcQcQgYC0SRZxI+hMKBYTt88JMozIpuE8FnqLVHyNKOCjrh4rs6Z1kW6j\r
+ fwv6ITVi8ftiegEkO8yk8b6oUZCJqIPf4VrlnwaSi2ZegHtVJWQBTDv+z0kqA4GFAAKBgQDc5Ki4\r
+ 7dX93se92yzYjxJIi99R9EZYHu4sNUH9obMQYO7o5u/3AOkxzqHLx60wWbf9JoCAlMe8q2i28NNC\r
+ hjsN6LN7V0fgA05k/CzM9pMxbgeA0dqwQrtroWkJnFyzzFLrxjv7Rrh5RDGV/+ZeR72ZpHwy1GOj\r
+ yDB2Dz+NE98sgKAAMAsGByqGSM44BAMFAAMwADAtAhRumfMg6P1KJmstMYga74KxaPLBfgIVAIwB\r
+ bVanNqQb898bqHBkRybHIFqW\r
+ -----END NEW CERTIFICATE REQUEST-----\r
+</pre></div>\r
+<p>Now we will import the response from the certificate\r
+authority.</p>\r
+<div class="box"><code>keytool -import -alias sis.example.com\r
+-keystore sis.keystore -file sis.cer -keyalg RSA\r
+-trustcacerts</code></div>\r
+<p>and skip the next point (related to self-signature)</p></li>\r
+<li>If you want to self-sign the certificate, you may proceed like\r
+this:Example:<br>\r
+ \r
+<div class="box"><code>keytool -selfcert -alias troi.example.com\r
+-keystore /opt/jigsaw/dev/Jigsaw/keystore/troi.keystore -keyalg\r
+RSA</code></div></li>\r
+<li>Create a new configuration file called https-XXXXX.props where\r
+the XXXXX is the outside service (ex: enter.example.com). You can\r
+copy the default http- server.props to get started</li>\r
+<li>Edit the https-XXXXX.props file and add the following entries: \r
+<div class="box">\r
+<pre> # Points to the key store (cf. 4. above, don't forget to put the full path to the keystore)\r
+ org.w3c.jigsaw.ssl.keystore.path=\r
+ # Supplies the password for accessing the key store ...\r
+ org.w3c.jigsaw.ssl.keystore.password=\r
+ # Finally, the socket client factory has to be set to the SSL factory ...\r
+ org.w3c.jigsaw.<b>http</b>.ClientFactory=org.w3c.jigsaw.<b>https</b>.socket.SSLSocketClientFactory\r
+</pre></div>\r
+<p>Of course you may change the default port to use the default one\r
+for SSL: 443 (or any other you like and which is not yet used)</p>\r
+<p>You should also change the propfile value to match the name of\r
+your configuration file.</p></li>\r
+<li>Edit the server.props to use the new configuration file and add\r
+the following when creating the new server configurationExample -\r
+note the piece in bold. That lets jigsaw know, which listener\r
+daemon to start:<br>\r
+ \r
+<div class="box">\r
+<pre>org.w3c.jigsaw.daemon.handlers=https-server|...\r
+https-server.org.w3c.jigsaw.daemon.class=org.w3c.jigsaw.<b>https.httpsd</b>\r
+</pre></div></li></ol>\r
+<p>This should cover the setup requirements. You should be able to\r
+start jigsaw and see something like the following when the start up\r
+occurs:</p>\r
+<div class="box"><code>Jigsaw[2.2.4]: serving at\r
+https://troi:8002/</code></div>\r
+<p>You can also use the secure protocol for webdav, in which case\r
+the daemon class must be set to</p>\r
+<div class="box">\r
+<code>org.w3c.jigsaw.<b>webdavs.webdavsd</b></code></div>\r
+<p><font color="blue">Server authentication enables a client to\r
+verify in a secure way, which server she or he is talking\r
+to.</font></p>\r
+<i>The SUN provider uses the proprietary JKS default key store\r
+type. When using a suitable security provider, e.g. bouncy castle,\r
+the standard PKCS#12 key store type is available as an option. The\r
+SUN provider also offers PKCS#12 in jdk 1.5.x.<br>\r
+<br>\r
+In addition, jdk 1.5.x supplies the PKCS#11 key store type for\r
+accessing suitable hardware tokens, e.g. the eToken physical store\r
+or other smartcard types. Hardware tokens provide a stronger level\r
+of security by effectively preventing the private key from being\r
+copied or stolen: <b>The private key never leaves the\r
+token</b>.<br>\r
+<br>\r
+With the current Jigsaw https implementation, you can use any of\r
+the above at your choice.</i><br>\r
+<br>\r
+ Note:<br>\r
+For using <font color="red">hardware tokens</font> to store your\r
+server certificate, you must install the PKCS#11 driver software\r
+for your token and add the SUN PKCS#11 provider bridge to the\r
+security configuration file of your java runtime environment\r
+($JAVA_HOME/lib/security/java.security). \r
+<div class="box">\r
+<pre>security.provider.7=sun.security.pkcs11.SunPKCS11 ${java.home}/lib/pkcs11.properties\r
+</pre></div>\r
+The specified provider configuration file\r
+($JAVA_HOME/lib/pkcs11.properties) must contain a reference to the\r
+PKCS#11 driver of your token. The file content might look like this\r
+(sample for eToken on a Windows system): \r
+<div class="box">\r
+<pre>name = eToken\r
+library = /WINDOWS/SYSTEM32/eTpkcs11.dll\r
+</pre></div>\r
+After these prerequisites (cf. the JDK PKCS#11 guide for further\r
+details), you can adapt your Jigsaw ssl properties, i.e. you must\r
+set your key store type to PKCS#11 and the password to the pin of\r
+your token. The path to the key store must remain undefined, i.e.\r
+null or blank.<br>\r
+ \r
+<div class="box">\r
+<pre>org.w3c.jigsaw.ssl.keystore.type=<b>pkcs11</b>\r
+org.w3c.jigsaw.ssl.keystore.password=myPin1234\r
+</pre></div>\r
+<p>Jigsaw also provides for <font color="blue">client\r
+authentication</font>, which addresses the other way around: It\r
+<font color="blue">enables a server (and a web application) to\r
+verify in a secure way, which client accesses the server.</font>\r
+Although, client authentication is rarely used in the web, it is a\r
+powerful infrastructure for building secure web applications with\r
+distributed user management.</p>\r
+<p>For clients to be verified, they must present a certificate,\r
+which can be checked by the server using public key\r
+infrastructure.<br>\r
+In order to do so, the server needs an additional <b>trust\r
+store</b> for also keeping track of the CA certificates used to\r
+sign client certificates.</p>\r
+<p>Extending the SSL configuration for also verifying clients is a\r
+two-step process again. First the trust store has to be populated\r
+with CA certificates (at least one, the so-called "trust anchor"),\r
+and then the jigsaw server needs to be configured.</p>\r
+<p>You can obtain a client certificate from an authority like\r
+verisign and store it in your browser for being presented to the\r
+server during the SSL handshake. In this case, you also need to\r
+import the authority's certificate used to sign yours into the\r
+server's trust store. The latter task can be performed using\r
+keytool again.</p>\r
+<p>If you prefer acting as your own CA, keytool and the SUN JCE\r
+implementation are not sufficient, because they currently do not\r
+provide for signing certificates other than your own. However, you\r
+can download a free JCE extension from <a href="http://www.bouncycastle.org/">bouncy castle</a>, which also\r
+provides for certificate signing features. You can modify the\r
+following sample code for playing CA:</p>\r
+<p>Make sure that the bouncy castle bcprov-jdk14-121.jar file is in\r
+your JRE/lib/ext directory.</p>\r
+<div class="box">\r
+<pre>/**\r
+ * Copyright (c) 2004 Thomas.Kopp@dialogika.de\r
+ * All rights reserved.\r
+ *\r
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND\r
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\r
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\r
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE\r
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\r
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS\r
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\r
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\r
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\r
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\r
+ * SUCH DAMAGE.\r
+ */\r
+import java.io.*;\r
+import java.util.*;\r
+\r
+import java.security.Security;\r
+import java.security.KeyStore;\r
+import java.security.PrivateKey;\r
+import java.security.cert.*;\r
+\r
+import org.bouncycastle.jce.*;\r
+import org.bouncycastle.jce.provider.*;\r
+import org.bouncycastle.asn1.x509.*;\r
+\r
+/**\r
+ * Sample signing utility developped for simplified interoperability with keytool.\r
+ *\r
+ * It assumes that the CA has a self-signed certificate with alias "ca" in the "ca.db" JKS type keystore.\r
+ * In addition, it assumes that a self-signed client certificate with alias "foo" resides in\r
+ * the "bar.db" JKS type keystore. The CA-signed version gets stored with alias "foo" again in \r
+ * the "bar.p12" PKCS12 type keystore, so that it can easily be imported by web browsers.\r
+ *\r
+ * The ca uses the "manager" password for accessing its own store and the "example"\r
+ * password for accessing the client stores and certificates.\r
+ */ \r
+public class signtool {\r
+\r
+ static {\r
+ // add the bouncy castle provider\r
+ Security.addProvider(new BouncyCastleProvider());\r
+ }\r
+ \r
+ public static void main(String[] args) {\r
+ try {\r
+ // The issuer certificate access\r
+ KeyStore ksca = KeyStore.getInstance("JKS");\r
+ ksca.load(new FileInputStream("ca.db"), "manager".toCharArray());\r
+ X509Certificate cacert = (X509Certificate)ksca.getCertificate("ca");\r
+ PrivateKey caprivate = (PrivateKey)ksca.getKey("ca", "manager".toCharArray());\r
+\r
+ // The subject certificate access\r
+ KeyStore ksbar = KeyStore.getInstance("JKS");\r
+ ksbar.load(new FileInputStream("bar.db"), "example".toCharArray());\r
+ X509Certificate foocert = (X509Certificate)ksbar.getCertificate("foo");\r
+ PrivateKey fooprivate = (PrivateKey)ksbar.getKey("foo", "example".toCharArray());\r
+\r
+ // The certificate chain building process\r
+ X509V3CertificateGenerator engine = new X509V3CertificateGenerator();\r
+ engine.setSerialNumber(foocert.getSerialNumber());\r
+ engine.setSignatureAlgorithm(foocert.getSigAlgName());\r
+ engine.setNotBefore(foocert.getNotBefore());\r
+ engine.setNotAfter(foocert.getNotAfter());\r
+ engine.setPublicKey(foocert.getPublicKey());\r
+ engine.setSubjectDN(new X509Name(true, foocert.getSubjectX500Principal().getName()));\r
+ engine.setIssuerDN(new X509Name(true, cacert.getSubjectX500Principal().getName()));\r
+ \r
+ // ... and a little signature ...\r
+ X509Certificate foosigned = engine.generateX509Certificate(caprivate);\r
+ \r
+ X509Certificate[] signedchain = new X509Certificate[] { foosigned, cacert };\r
+ \r
+ // The signed certificate update\r
+ KeyStore ksbarca = KeyStore.getInstance("PKCS12", "BC");\r
+ ksbarca.load(null, null); // for initializing the keystore\r
+ ksbarca.setKeyEntry("foo", fooprivate, "example".toCharArray(), signedchain);\r
+ ksbarca.store(new FileOutputStream("bar.p12"), "example".toCharArray());\r
+ \r
+ System.out.println(Arrays.asList(signedchain));\r
+ }\r
+ catch (Exception ex) {\r
+ ex.printStackTrace();\r
+ }\r
+ }\r
+}\r
+</pre></div>\r
+<p>Now, being able to set up a server-side trust store keeping a CA\r
+certificate and to import a CA-signed certificate into your\r
+browser's certificate store, we can complete the client\r
+authentication configuration.</p>\r
+<ol>\r
+<li>Create a key store (named "trust store") with keytool\r
+containing your self-signed or a true, imported CA certificate.\r
+(cf. previous section for details)</li>\r
+<li>Create a key store with keytool containing your own self-signed\r
+client certificate.</li>\r
+<li>Either sign your own client certificate with your own CA\r
+certificate as explained above or let it sign by a true CA.</li>\r
+<li>Import the signed client certificate into your browser's\r
+certificate store.<br>\r
+<br>\r
+ Note: Browsers normally require the PKCS#12 key store type for\r
+import.</li>\r
+<li style="list-style-type: none; list-style-image: none; list-style-position: outside;"><br></li>\r
+<li>Edit the https-XXXXX.props file and add the following entries: \r
+<div class="box">\r
+<pre> # Points to the trust store (cf. 1. above, don't forget to put the full path to the truststore)\r
+ org.w3c.jigsaw.ssl.truststore.path=\r
+ # Supplies the password for accessing the trust store ...\r
+ org.w3c.jigsaw.ssl.truststore.password=\r
+ # Optionally, you can decide, whether to force clients (right side set to: true) to authenticate or \r
+ # also admit a client without successful authentication (right side set to: false), which is the default\r
+ org.w3c.jigsaw.ssl.must.authenticate=\r
+</pre></div></li></ol>\r
+<p>This should cover the setup requirements. When starting and\r
+accessing a server url, you should (after server certificate\r
+presentation) be asked to type your browser's certificate store\r
+password, because the server wants to check your client\r
+certificate. If this is successful or the\r
+<code>org.w3c.jigsaw.ssl.must.authenticate</code> option is set to\r
+<code>false</code> you are allowed to continue.</p>\r
+<p>Note, client certificates and other SSL characteristics are also\r
+transparent to a servlet via the <code>getAuthType</code>,\r
+<code>getRemoteUser</code>, <code>getUserPrincipal</code> methods\r
+and the following request attributes of the servlet api:</p>\r
+<div class="box">\r
+<pre> javax.servlet.request.cipher_suite\r
+ javax.servlet.request.key_size\r
+ javax.servlet.request.X509Certificate\r
+ \r
+</pre></div>\r
+<p><br></p>\r
+<i>Finally, Jigsaw offers a <b>generic key store</b> feature, which\r
+provides for bridging to the Java Certification Path API in order\r
+to use PKIX standards for validating client certificates. The\r
+feature is provided by using the key manager or trust manager\r
+factory initialization with the\r
+<code>javax.net.ssl.ManagerFactoryParameters</code> parameter when\r
+the generic key or trust store flag is set to\r
+<code>true</code>.<br>\r
+<br>\r
+In this case, the ManagerFactoryParameters implementation must be\r
+supplied to Jigsaw as an arbitray Java class in the class path,\r
+with its class name being configured as the\r
+<code>org.w3c.jigsaw.ssl.truststore.type</code> property and with\r
+the class implementing the following method:</i> \r
+<div class="box">\r
+<pre>public static ManagerFactoryParameters getInstance(String path, String password)\r
+ throws InvalidAlgorithmParameterException;\r
+</pre></div>\r
+<i>The path and password parameters of the method are taken from\r
+the respective properties of the Jigsaw key or trust store\r
+configuration.</i><br>\r
+<br>\r
+ The following example shows how to use Jigsaw <font color="red">PKIX client certificate validation</font>.<br>\r
+ \r
+<ol>\r
+<li>Configure a generic trust store for the\r
+<code>foo.MyStore</code> implementation class.\r
+<div class="box">\r
+<pre>org.w3c.jigsaw.ssl.truststore.generic=true\r
+org.w3c.jigsaw.ssl.truststore.type=foo.MyStore\r
+org.w3c.jigsaw.ssl.truststore.path=...\r
+org.w3c.jigsaw.ssl.truststore.password=...\r
+</pre></div></li>\r
+<li>Make the <code>foo.MyStore</code> class available in the class\r
+path. The corresponding Java source might look like this: \r
+<div class="box">\r
+<pre>/**\r
+ * Copyright (c) 2004 Thomas.Kopp@dialogika.de\r
+ * All rights reserved.\r
+ *\r
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND\r
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE\r
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE\r
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE\r
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL\r
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS\r
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)\r
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT\r
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY\r
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF\r
+ * SUCH DAMAGE.\r
+ */\r
+package foo;\r
+\r
+import java.io.BufferedInputStream;\r
+import java.io.FileInputStream;\r
+\r
+import java.lang.reflect.Constructor;\r
+\r
+import java.util.ArrayList;\r
+import java.util.Collection;\r
+import java.util.Enumeration;\r
+import java.util.Iterator;\r
+import java.util.StringTokenizer;\r
+\r
+import java.security.InvalidAlgorithmParameterException;\r
+import java.security.KeyStore;\r
+import java.security.KeyStoreException;\r
+\r
+import java.security.cert.Certificate;\r
+import java.security.cert.CertPathParameters;\r
+import java.security.cert.CertStore;\r
+import java.security.cert.CollectionCertStoreParameters;\r
+import java.security.cert.PKIXBuilderParameters;\r
+import java.security.cert.X509CertSelector;\r
+\r
+import javax.net.ssl.ManagerFactoryParameters;\r
+\r
+/**\r
+ * This class delegates trust store features to the jce certpath api.\r
+ * It compiles under JDK 1.4.x, but requires at least JDK 1.5.x at runtime.\r
+ *\r
+ * In this example, a simple collection only is used for storing trust material.\r
+ * For a more realistic scenario, you might choose to regularily refresh \r
+ * the collection from an underlying relational database or to use an\r
+ * LDAP certificate store instead. Refreshing could be performed by \r
+ * implementing the MyStore class as a Runnable and using a periodically \r
+ * running background thread that updates the collection.\r
+ */ \r
+public class MyStore {\r
+ \r
+ public static PKIXBuilderParameters getParameters(String path, String password) \r
+ throws InvalidAlgorithmParameterException {\r
+ try {\r
+ // path contains a list of ordinary key store paths with \r
+ // identical passwords and with the first list element being \r
+ // the trust anchor \r
+ StringTokenizer list = new StringTokenizer(path, java.io.File.pathSeparator);\r
+ \r
+ // get a keystore with the CA trust anchor\r
+ KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());\r
+ ks.load(new BufferedInputStream(new FileInputStream(list.nextToken())), \r
+ (null != password) ? password.toCharArray() : new char[0]);\r
+ \r
+ // wrap it as a PKIX builder parameters instance\r
+ PKIXBuilderParameters pkix = \r
+ new PKIXBuilderParameters(ks, new X509CertSelector());\r
+\r
+ // set additional attributes, e.g no revocation list checking for simplicity.\r
+ // Otherwise certores will have to be added using the addCertStore method for\r
+ // adding additional certificate and crl material\r
+ pkix.setRevocationEnabled(false);\r
+\r
+ // the list of additional signer certificates for populating the trust store\r
+ Collection untrusted = new ArrayList();\r
+ while (list.hasMoreTokens()) {\r
+ KeyStore ks2 = KeyStore.getInstance(KeyStore.getDefaultType());\r
+ ks2.load(new BufferedInputStream(new FileInputStream(list.nextToken())), \r
+ (null != password) ? password.toCharArray() : new char[0]);\r
+ Enumeration keys = ks2.aliases();\r
+ while (keys.hasMoreElements()) {\r
+ String alias = keys.nextElement().toString();\r
+ Certificate cert = ks2.getCertificate(alias);\r
+ if (cert != null) {\r
+ untrusted.add(cert);\r
+ }\r
+ }\r
+ }\r
+ \r
+ // create an untrusted collection store and add it\r
+ CollectionCertStoreParameters params = \r
+ new CollectionCertStoreParameters(untrusted);\r
+ CertStore store = CertStore.getInstance("Collection", params);\r
+ pkix.addCertStore(store);\r
+ \r
+ return pkix;\r
+ }\r
+ catch (Exception ex) {\r
+ InvalidAlgorithmParameterException sub = \r
+ new InvalidAlgorithmParameterException(ex.toString());\r
+ sub.initCause(ex);\r
+ throw sub;\r
+ }\r
+ }\r
+ \r
+ public static ManagerFactoryParameters getInstance(String path, String password) \r
+ throws InvalidAlgorithmParameterException {\r
+ try {\r
+ PKIXBuilderParameters pkix = getParameters(path, password);\r
+ \r
+ // wrap the certification path resolution bundle \r
+ // as a suitable trust manager wrapper instance\r
+ Class wrapper = Class.forName("javax.net.ssl.CertPathTrustManagerParameters");\r
+ Constructor c = wrapper.getConstructors()[0];\r
+ ManagerFactoryParameters mfp = \r
+ (ManagerFactoryParameters)c.newInstance(new Object[] {pkix});\r
+ return mfp;\r
+ }\r
+ catch (InvalidAlgorithmParameterException ex) {\r
+ throw ex;\r
+ }\r
+ catch (Exception ex) {\r
+ InvalidAlgorithmParameterException sub = \r
+ new InvalidAlgorithmParameterException(ex.toString());\r
+ sub.initCause(ex);\r
+ throw sub;\r
+ }\r
+ }\r
+}\r
+</pre></div></li></ol></div>\r
+<!-- body -->\r
+<div class="footer">\r
+<hr noshade="noshade">\r
+<a href="mailto:jigsaw@w3.org">Jigsaw Team</a><br>\r
+ <span class="mini">$Id: ssl.html,v 1.11 2004/02/10 14:36:22 ylafon\r
+Exp $</span> \r
+<p class="policyfooter"><font size="-1"><a href="http://www.w3.org/Consortium/Legal/ipr-notice.html#Copyright">Copyright</a>\r
+© 2003 <a href="http://www.w3.org/">W3C</a> (<a href="http://www.lcs.mit.edu/">MIT</a>, <a href="http://www.ercim.org/">ERCIM</a>, <a href="http://www.keio.ac.jp/">Keio</a> ), All Rights Reserved. W3C\r
+<a href="http://www.w3.org/Consortium/Legal/ipr-notice.html#Legal%20Disclaimer">\r
+liability,</a> <a href="http://www.w3.org/Consortium/Legal/ipr-notice.html#W3C%20Trademarks">\r
+trademark</a> , <a href="http://www.w3.org/Consortium/Legal/copyright-documents.html">document\r
+use</a> and <a href="http://www.w3.org/Consortium/Legal/copyright-software.html">software\r
+licensing</a> rules apply. Your interactions with this site are in\r
+accordance with our <a href="http://www.w3.org/Consortium/Legal/privacy-statement.html#Public">public</a>\r
+and <a href="http://www.w3.org/Consortium/Legal/privacy-statement.html#Members">\r
+Member</a> privacy statements.</font></p></div>\r
+</body></html>
\ No newline at end of file
projects / Benchmarks_CSolver.git / blobdiff