Hi folks
I've been wrestling with certificate management in Java (as relates to
PgJDBC) for a while as part of an app I'm working on, and have settled
on a solution I'm happy with. It's general enough that it'll be very
useful to other people here, so I've split it out into a separate library.
It's intended for use with PgJDBC as an alternate sslfactory= in the
jdbc url/Properties to simplify use of client certificates. Certs may be
specified using the sslfactoryarg url parameter / Properties key.
This provider is not Pg- or JDBC-specific and doesn't depend on either,
though. You can use it anywhere you use SSL/TLS with client certs and
want PKCS#12 support.
It's really just an SSLSocketFactory that uses PKCS#12 files to provide
certificate trust as well as user public and private keys for client
certificate authentication. It verifies that the server being connected
to has a certificate trust path to one of the CA certificates in the
PKCS#12 file. If asked by the server, it will authenticate the client
end against the server using the PKCS#12 file's client cert details.
It is completely independent of the Java `cacerts' trust list, any .jks
files installed, etc. Feeding it your own certificate source requires
implementing a one-method interface that returns an InputStream.
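To make the mechanism described above concrete, here is an added example of such a factory (it is not the pkcs12provider code and the class and interface names are assumptions): an SSLSocketFactory that takes both its trust anchors and its client key pair from one PKCS#12 file, never touching the JVM's cacerts. PgJDBC instantiates an sslfactory= class through a constructor that receives the sslfactoryarg String; the "path:password" layout of that String is an assumption made for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example, not code from the pkcs12provider project. Trust anchors and the
 * client key pair both come from a single PKCS#12 file; cacerts is never consulted.
 */
public class Pkcs12SocketFactory extends SSLSocketFactory {

    /** The one-method certificate source the post describes (name assumed). */
    public interface Pkcs12Source {
        InputStream open() throws IOException;
    }

    private final SSLSocketFactory delegate;

    /** Constructor shape PgJDBC uses for sslfactory=; "path:password" layout is assumed. */
    public Pkcs12SocketFactory(String sslfactoryarg) throws IOException, GeneralSecurityException {
        int sep = sslfactoryarg.lastIndexOf(':');
        if (sep < 0) {
            throw new IllegalArgumentException("sslfactoryarg must look like <p12-path>:<password>");
        }
        final String path = sslfactoryarg.substring(0, sep);
        this.delegate = build(() -> new FileInputStream(path),
                              sslfactoryarg.substring(sep + 1).toCharArray());
    }

    /** Any other source of PKCS#12 bytes (resource, vault, database column, ...). */
    public Pkcs12SocketFactory(Pkcs12Source source, char[] password)
            throws IOException, GeneralSecurityException {
        this.delegate = build(source, password);
    }

    private static SSLSocketFactory build(Pkcs12Source source, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        try (InputStream in = source.open()) {
            p12.load(in, password);
        }

        // Client side: the key entry and its chain answer the server's CertificateRequest.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(p12, password);

        // Server side: copy only trustedCertEntry items into a fresh in-memory store.
        // OpenJDK's PKIX TrustManagerFactory also anchors on the leaf cert of key
        // entries if handed the whole file, which is broader than "trust these CAs".
        KeyStore anchors = KeyStore.getInstance("PKCS12");
        anchors.load(null, null);
        for (Enumeration<String> aliases = p12.aliases(); aliases.hasMoreElements();) {
            String alias = aliases.nextElement();
            if (p12.isCertificateEntry(alias)) {
                anchors.setCertificateEntry(alias, p12.getCertificate(alias));
            }
        }
        if (anchors.size() == 0) {
            throw new GeneralSecurityException("PKCS#12 file holds no trusted CA certificates");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(anchors);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    /** A valid trust path does not bind the cert to the host we dialled; ask JSSE
     *  to check the server name against the peer host the socket was created with. */
    private static Socket withHostnameCheck(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters params = ssl.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            ssl.setSSLParameters(params);
        }
        return s;
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose) throws IOException {
        return withHostnameCheck(delegate.createSocket(s, host, port, autoClose)); // form PgJDBC uses
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(String host, int port, InetAddress lh, int lp) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port, lh, lp));
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return withHostnameCheck(delegate.createSocket(host, port));
    }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress la, int lp) throws IOException {
        return withHostnameCheck(delegate.createSocket(addr, port, la, lp));
    }
}
```

With the layout assumed here, the driver would be pointed at it with `sslfactory=Pkcs12SocketFactory` and `sslfactoryarg=/path/client.p12:secret` in the URL or, better for the password, in the Properties object. Two points worth checking in any factory of this kind: that the trust store handed to the TrustManagerFactory contains only the CA entries (the loop above does that), and that something, either the factory or the driver's own sslmode handling, verifies the server name, since chain validation on its own accepts any certificate the CA has issued.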
You can grab it from github if you want to have a play. I'm interested
in improving the interface, and would be happy to accept changes to add
an additional trusted cert list (.der / .pem file).
There's a demo in the `demo' package.
BE WARNED: This code is NOT well tested, and I am fairly new to the Java
SSL APIs. This thing might trust 'goatse.cx' for all I know. Be very
careful.
Grab code here:
git://github.com/ringerc/pkcs12provider.git
--
Craig Ringer