OK, to help you out, here is a complete copy-and-paste example:
package foo.bar;
|
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.X509TrustManager;

import com.ehsbe.commons.common.Misc;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import sun.security.validator.Validator;
|
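/**
 * Trust manager backed by a local CA bundle ({@code ca-bundle.crt}), looked up
 * on the class path next to this class via {@code Misc.getResourcePath(this)}.
 * Peer chains are validated with the JDK's PKIX {@link Validator} against
 * exactly those bundled issuers and nothing else.
 * <p>
 * Fails closed: if the bundle cannot be found or parsed, the issuer list stays
 * empty and every {@code check*Trusted} call throws
 * {@link CertificateException}; {@link #getAcceptedIssuers()} then returns an
 * empty array instead of failing with a NullPointerException.
 * <p>
 * NOTE(review): {@code sun.security.validator.Validator} is a JDK-internal
 * API, not part of the supported platform API, and newer JDKs do not export
 * that package by default. The supported way to get equivalent validation is
 * a {@code KeyStore} filled with the issuers, handed to a
 * {@code TrustManagerFactory}.
 *
 * @author Jens Elkner
 * @version $Revision$
 */
public class CaHandler
    implements X509TrustManager
{
    private static final Logger log = LoggerFactory
        .getLogger(CaHandler.class);
    /** Resource name of the bundle (PEM or DER, any number of certificates). */
    private static final String BUNDLE_NAME = "ca-bundle.crt";
    /** Singleton; written and read only under the class lock in {@link #getInstance()}. */
    private static X509TrustManager manager;
    /** Trusted issuers. Never null: stays empty when the bundle could not be loaded. */
    private final List<X509Certificate> issuers = new ArrayList<X509Certificate>();
    private Validator valServer;
    private Validator valClient;

    /**
     * Loads the bundle. A load failure is logged and leaves {@link #issuers}
     * empty, so this instance rejects every chain rather than failing later
     * with a NullPointerException.
     */
    private CaHandler() {
        try {
            init();
        } catch (CertificateException e) {
            logInitFailure(e);
        } catch (IOException e) {
            logInitFailure(e);
        }
    }

    /** Logs a failed bundle load: message at warn level, stack trace at debug level. */
    private void logInitFailure(Exception e) {
        log.warn(BUNDLE_NAME + " not loaded, no issuer will be trusted: "
            + e.getLocalizedMessage());
        if (log.isDebugEnabled()) {
            log.debug("init()", e);
        }
    }

    /**
     * Reads every X.509 certificate of the bundle into {@link #issuers}.
     *
     * @throws IOException if the bundle resource is missing or unreadable
     * @throws CertificateException if the bundle cannot be parsed or holds no
     *         X.509 certificate at all
     */
    private void init() throws CertificateException, IOException {
        ClassLoader cl = Thread.currentThread().getContextClassLoader();
        InputStream in =
            cl.getResourceAsStream(Misc.getResourcePath(this) + BUNDLE_NAME);
        if (in == null) {
            throw new IOException("Certificate bundle not found");
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            // generateCertificates() consumes the whole bundle up to EOF.
            // The former "while (available() > 0)" loop could stop early:
            // available() is only an estimate and may return 0 before EOF,
            // silently dropping the remaining issuers.
            Collection<? extends Certificate> certs =
                cf.generateCertificates(new BufferedInputStream(in));
            for (Certificate cert : certs) {
                if (cert instanceof X509Certificate) {
                    issuers.add((X509Certificate) cert);
                }
            }
            if (issuers.isEmpty()) {
                throw new CertificateException(
                    "Certificate bundle holds no X.509 certificate");
            }
        } finally {
            try {
                in.close();
            } catch (IOException ignored) {
                // best effort: the certificates are already parsed, nothing to recover
            }
        }
    }

    /**
     * Get the singleton, which handles local certs.
     * @return always the same instance.
     */
    public static synchronized X509TrustManager getInstance() {
        if (manager == null) {
            manager = new CaHandler();
        }
        return manager;
    }

    /**
     * Rejects what no validator should see: an absent or empty chain, or an
     * empty trust set (bundle load failed). Both become a
     * {@link CertificateException} so the handshake fails closed.
     *
     * @param chain the peer's certificate chain as handed in by JSSE
     * @throws CertificateException if the chain is null/empty or no issuer is loaded
     */
    private void precheck(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("null or zero-length certificate chain");
        }
        if (issuers.isEmpty()) {
            throw new CertificateException(
                "no trusted issuer available (" + BUNDLE_NAME + " not loaded)");
        }
    }

    /**
     * {@inheritDoc}
     * @throws CertificateException if {@code chain} is null or empty, if no
     *         issuer could be loaded, or if the chain does not validate
     *         against the bundled issuers
     */
    public void checkClientTrusted(X509Certificate[] chain, String authType)
        throws CertificateException
    {
        precheck(chain);
        if (valClient == null) {
            // NOTE(review): built lazily without a lock; a racing duplicate
            // build uses identical arguments and looks harmless - confirm.
            valClient = Validator.getInstance(Validator.TYPE_PKIX,
                Validator.VAR_TLS_CLIENT, issuers);
        }
        valClient.validate(chain, null, authType);
    }

    /**
     * {@inheritDoc}
     * @throws CertificateException if {@code chain} is null or empty, if no
     *         issuer could be loaded, or if the chain does not validate
     *         against the bundled issuers
     */
    public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException
    {
        precheck(chain);
        if (valServer == null) {
            // NOTE(review): same lazy, unlocked build as for valClient - confirm.
            valServer = Validator.getInstance(Validator.TYPE_PKIX,
                Validator.VAR_TLS_SERVER, issuers);
        }
        valServer.validate(chain, null, authType);
    }

    /**
     * {@inheritDoc}
     * @return a fresh copy of the bundled issuers; empty (never null) if the
     *         bundle could not be loaded
     */
    public X509Certificate[] getAcceptedIssuers() {
        return issuers.toArray(new X509Certificate[issuers.size()]);
    }
}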
and somewhere else something like this should work:
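private static SSLContext ctx;
// ...
ctx = SSLContext.getInstance("TLS");
// SSLContext.init() takes TrustManager[] (and KeyManager[]), not a single
// manager: passing CaHandler.getInstance() directly does not compile.
ctx.init(null, new TrustManager[] { CaHandler.getInstance() }, null);
// ...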
If you want to trust the default certs (i.e. the ones shipped with the JDK) as well, you
might wrap the default trust manager into CaHandler. To get the default one, use:
...
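// Look up the default algorithm (PKIX on the Sun/Oracle JDK) without pinning
// a provider, so this also works on JVMs that do not ship "SunJSSE".
TrustManagerFactory factory =
    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// A null KeyStore makes the factory load the JVM's default trust store
// (javax.net.ssl.trustStore if set, else the JRE's cacerts). Everything in
// that store becomes trusted, which is the intent here.
KeyStore ks = null;
factory.init(ks);
for (TrustManager tm : factory.getTrustManagers()) {
    if (tm instanceof X509TrustManager) {
        origTrustManager = (X509TrustManager) tm;
        break;
    }
}
if (origTrustManager == null) {
    throw new UnsupportedOperationException(
        "no X509TrustManager found for " + factory.getAlgorithm());
}
// ...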
With a few small adaptations you should be able to use it wherever you want ...