Hi, I am using HttpClient (2.0RC3) to make HTTP requests over SSL. At first I specified the keystore with the trusted certificates by the system properties javax.net.ssl.trustStore=/path/to/keystorefile and javax.net.ssl.trustStorePassword=password The performance was good in this case but I wanted to manage the keystore(s) in the java code. So I used the EasySSLProtocolSocketFactory and EasyX509TrustManager classes from the contrib directory and adjusted them to my needs. The functionality is alright but the time cost is very much higher than with the system property method. I added debug messages at various positions to see where the time is lost and I found that between the end of the checkServerTrusted method in EasyX509TrustManager and the end of the method executeMethod in HttpClient the highest amount of time gets lost. I donīt know what is happening between these two points. Any hints?
Stephan // EasyX509TrustManager.java /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 2002-2003 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Commons", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */ package stephan.httpclient.tutorial; import java.security.KeyStore; import java.security.KeyStoreException; import java.security.NoSuchAlgorithmException; import java.security.cert.Certificate; import java.security.cert.CertificateException; import java.security.cert.X509Certificate; import java.util.Enumeration; import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; import javax.net.ssl.X509TrustManager; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; /** * <p> * EasyX509TrustManager unlike default [EMAIL PROTECTED] X509TrustManager} accepts * self-signed certificates. * </p> * <p> * This trust manager SHOULD NOT be used for productive systems * due to security reasons, unless it is a concious decision and * you are perfectly aware of security implications of accepting * self-signed certificates * </p> * * @author <a href="mailto:[EMAIL PROTECTED]">Adrian Sutton</a> * @author <a href="mailto:[EMAIL PROTECTED]">Oleg Kalnichevski</a> * * DISCLAIMER: HttpClient developers DO NOT actively support this component. * The component is provided as a reference material, which may be inappropriate * to be used without additional customization. */ public class EasyX509TrustManager implements X509TrustManager { private KeyStore keystore; private X509TrustManager standardTrustManager = null; /** Log object for this class. */ private static final Log LOG = LogFactory.getLog(EasyX509TrustManager.class); /** * Constructor for EasyX509TrustManager. */ public EasyX509TrustManager(KeyStore keystore) throws NoSuchAlgorithmException, KeyStoreException { super(); TrustManagerFactory factory = TrustManagerFactory.getInstance("SunX509"); LOG.debug("factory init start"); factory.init(keystore); LOG.debug("factory init finished"); this.keystore = keystore; TrustManager[] trustmanagers = factory.getTrustManagers(); if (trustmanagers.length == 0) { throw new NoSuchAlgorithmException("SunX509 trust manager not supported"); } this.standardTrustManager = (X509TrustManager)trustmanagers[0]; } /** * @see com.sun.net.ssl.X509TrustManager#getAcceptedIssuers() */ public X509Certificate[] getAcceptedIssuers() { return this.standardTrustManager.getAcceptedIssuers(); } /* (non-Javadoc) * @see javax.net.ssl.X509TrustManager#checkClientTrusted(java.security.cert.X509Certificate[], java.lang.String) */ public void checkClientTrusted(X509Certificate[] certificates, String authType) throws CertificateException { this.standardTrustManager.checkClientTrusted(certificates, authType); } /* (non-Javadoc) * @see javax.net.ssl.X509TrustManager#checkServerTrusted(java.security.cert.X509Certificate[], java.lang.String) */ public void checkServerTrusted(X509Certificate[] certificates, String authType) throws CertificateException { if ((certificates != null) && LOG.isDebugEnabled()) { LOG.debug("Server certificate chain:"); for (int i = 0; i < certificates.length; i++) { LOG.debug("X509Certificate[" + i + "]=" + certificates[i]); } } // print out the content of the truststore try { Enumeration aliases = keystore.aliases(); int number = 0; while(aliases.hasMoreElements()) { number++; LOG.debug("number "+ (number)); String alias = (String) aliases.nextElement(); Certificate[] trustedCertificates = keystore.getCertificateChain(alias); Certificate trustedCertificate = keystore.getCertificate(alias); if(trustedCertificate != null) { LOG.debug("Trusted Certificate= "+trustedCertificate); } } LOG.debug("number of certificates in keystore: "+number); } catch (KeyStoreException e1) { LOG.debug(e1.getMessage()); e1.printStackTrace(); } this.standardTrustManager.checkServerTrusted(certificates, authType); LOG.debug("Certificate is valid."); } } // EasySSLProtocolSocketFactory.java /* * ==================================================================== * * The Apache Software License, Version 1.1 * * Copyright (c) 2002-2003 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, if * any, must include the following acknowlegement: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowlegement may appear in the software itself, * if and wherever such third-party acknowlegements normally appear. * * 4. The names "The Jakarta Project", "Commons", and "Apache Software * Foundation" must not be used to endorse or promote products derived * from this software without prior written permission. For written * permission, please contact [EMAIL PROTECTED] * * 5. Products derived from this software may not be called "Apache" * nor may "Apache" appear in their names without prior written * permission of the Apache Group. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * <http://www.apache.org/>. * * [Additional notices, if required by prior licensing conditions] * */ package stephan.httpclient.tutorial; import java.io.File; import java.io.FileInputStream; import java.io.FileOutputStream; import java.io.IOException; import java.net.InetAddress; import java.net.Socket; import java.net.UnknownHostException; import java.security.KeyStore; import java.security.cert.Certificate; import java.util.Enumeration; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; import javax.net.ssl.TrustManager; import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; /** * <p> * EasySSLProtocolSocketFactory can be used to creats SSL [EMAIL PROTECTED] Socket}s * that accept self-signed certificates. * </p> * <p> * This socket factory SHOULD NOT be used for productive systems * due to security reasons, unless it is a concious decision and * you are perfectly aware of security implications of accepting * self-signed certificates * </p> * * @author <a href="mailto:[EMAIL PROTECTED]">Oleg Kalnichevski</a> * * DISCLAIMER: HttpClient developers DO NOT actively support this component. * The component is provided as a reference material, which may be inappropriate * to be used without additional customization. */ public class EasySSLProtocolSocketFactory implements SecureProtocolSocketFactory { /** Log object for this class. */ private static final Log LOG = LogFactory.getLog(EasySSLProtocolSocketFactory.class); private static TrustManager trustManagers[]; /** * Constructor for EasySSLProtocolSocketFactory. * * Code sample: * * <blockquote> * Protocol easyhttps = new Protocol( * "https", new EasySSLProtocolSocketFactory(), 443); * * HttpClient client = new HttpClient(); * client.getHostConfiguration().setHost("localhost", 443, easyhttps); * </blockquote> */ public EasySSLProtocolSocketFactory() { super(); LOG.info("Constructor of EasySSLProtocolSocketFactory"); try { // number of keystores to use int keyStoreNumber = 4; // filename and password of keystores String[] keyStoreFileNames = new String[keyStoreNumber]; String[] keyStorePasswd = new String[keyStoreNumber]; keyStoreFileNames[0] = "C:/SSL/opensslbin/openssl/keystore"; keyStorePasswd[0] = "..."; keyStoreFileNames[1] = "C:/SSL/opensslbin/openssl/keystoreapphoneserver"; keyStorePasswd[1] = "..."; keyStoreFileNames[2] = "C:/SSL/opensslbin/openssl/thawtekeystore"; keyStorePasswd[2] = "..."; keyStoreFileNames[3] = "C:/SSL/opensslbin/openssl/verisign-website-keystore"; keyStorePasswd[3] = "..."; KeyStore tempKeyStore; File tempFile; FileInputStream tempFileIn; // the data of all keystores will be stored in overallKeyStore KeyStore overallKeyStore = KeyStore.getInstance("JKS"); overallKeyStore.load(null, null); int aliasNumbers = 0; // go through the list of keystores for(int i = 0; i < keyStoreFileNames.length; i++) { // open keystore tempKeyStore = KeyStore.getInstance("JKS"); tempFile = new File(keyStoreFileNames[i]); tempFileIn = new FileInputStream(tempFile); tempKeyStore.load(tempFileIn, keyStorePasswd[i].toCharArray()); tempFileIn.close(); // get entry Enumeration aliases = tempKeyStore.aliases(); while(aliases.hasMoreElements()) { aliasNumbers++; String alias = (String) aliases.nextElement(); Certificate cert = tempKeyStore.getCertificate(alias); if(cert != null) { // write entry into overallKeyStore overallKeyStore.setCertificateEntry(new Integer(aliasNumbers).toString(), cert); } } } File fileOut = new File("C:/SSL/opensslbin/openssl/overallkeystore"); FileOutputStream fileOutStream = new FileOutputStream(fileOut); overallKeyStore.store(fileOutStream, "...".toCharArray()); fileOutStream.close(); trustManagers = new TrustManager[1]; trustManagers[0] = new EasyX509TrustManager(overallKeyStore); LOG.info("Constructor ready"); } catch (Exception e) { LOG.error(e.getMessage(), e); throw new RuntimeException(e.toString()); } } private static SSLSocketFactory getEasySSLSocketFactory() { SSLContext context = null; try { LOG.debug("getEasySSLSocketFactory start"); context = SSLContext.getInstance("SSL"); context.init(null, trustManagers, null); LOG.debug("getEasySSLSocketFactory ready"); } catch (Exception e) { LOG.error(e.getMessage(), e); throw new RuntimeException(e.toString()); } return context.getSocketFactory(); } /** * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int,java.net.InetAddress,int) */ public Socket createSocket( String host, int port, InetAddress clientHost, int clientPort) throws IOException, UnknownHostException { Socket socket = getEasySSLSocketFactory().createSocket( host, port, clientHost, clientPort ); return socket; } /** * @see SecureProtocolSocketFactory#createSocket(java.lang.String,int) */ public Socket createSocket(String host, int port) throws IOException, UnknownHostException { return getEasySSLSocketFactory().createSocket( host, port ); } /** * @see SecureProtocolSocketFactory#createSocket(java.net.Socket,java.lang.String,int,boolean) */ public Socket createSocket( Socket socket, String host, int port, boolean autoClose) throws IOException, UnknownHostException { return getEasySSLSocketFactory().createSocket( socket, host, port, autoClose ); } } --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
