ftp ssl cert

Discussion in 'Java' started by bcr666, Aug 26, 2010.

  1. bcr666

    bcr666 Guest

    I need to write a ftp/ssl program (done actually) but I need to secure
    it, and I was provided 2 files from the destination (keycert.txt &
    trusted.txt).

    The keycert.txt has the following in it:
    -----BEGIN ENCRYPTED PRIVATE KEY-----
    MII ...snip...
    -----END ENCRYPTED PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    MII ...snip...
    -----END CERTIFICATE-----

    The trusted.txt has the following in it:
    -----BEGIN CERTIFICATE-----
    MII ...snip...
    -----END CERTIFICATE-----=

    Notice the MII in the certificate/key areas. I suspect that it is RSA.
    I guess I'm supposed to import these into a keystore then use

    .....
    // ftps is assumed to be an org.apache.commons.net.ftp.FTPSClient (inferred from the
    // setKeyManager/setTrustManager/setControlEncoding calls; the post does not say)
    KeyManager keyManager = null;
    TrustManager trustManager = null;
    try {
        keyManager = getKeyManagers()[0];      // first X509KeyManager built from the keystore
        trustManager = getTrustManagers()[0];  // first X509TrustManager built from the keystore
    }
    catch (Exception ex) {
        ex.printStackTrace();                  // note: both stay null and the connection below is attempted anyway
    }

    ftps.setControlEncoding("UTF-8");

    ftps.setKeyManager(keyManager);
    ftps.setTrustManager(trustManager);
    .....
    Can someone tell me if I'm on the right track, and how to import the
    files into a keystore?
    bcr666, Aug 26, 2010
    #1

  2. bcr666 wrote:

    > I need to write a ftp/ssl program (done actually) but I need to secure
    > it, and I was provided 2 files from the destination (keycert.txt &
    > trusted.txt).
    >
    > The keycert.txt has the following in it:
    > -----BEGIN ENCRYPTED PRIVATE KEY-----
    > MII ...snip...
    > -----END ENCRYPTED PRIVATE KEY-----
    > -----BEGIN CERTIFICATE-----
    > MII ...snip...
    > -----END CERTIFICATE-----
    >
    > The trusted.txt has the following in it:
    > -----BEGIN CERTIFICATE-----
    > MII ...snip...
    > -----END CERTIFICATE-----=


    This is the so-called PEM format; the text between the
    markers is base64-coded DER-encoded data.

    > Notice the MII in the certificate/key areas. I suspect that it is RSA.


    It can also be Diffie-Hellman or EC keys; that is one of the pieces of
    information in the DER-encoded data.

    > I guess I'm supposed to import these into a keystore
    > then use
    >
    > .....
    > KeyManager keyManager = null;
    > TrustManager trustManager = null;
    > try {
    > keyManager = getKeyManagers()[0];
    > trustManager = getTrustManagers()[0];
    > }
    > catch (Exception ex) {
    > ex.printStackTrace();
    > }
    >
    > ftps.setControlEncoding("UTF-8");
    >
    > ftps.setKeyManager(keyManager);
    > ftps.setTrustManager(trustManager);


    looks OK to me without knowing what happens at getKeyManagers
    and getTrustManagers.

    > Can someone tell me if I'm on the right track,


    Looks OK.

    > and how to import the
    > files into a keystore?


    If you use BouncyCastle:

    Security.addProvider(new BouncyCastleProvider());  // PEMReader asks the JCE for provider "BC" by name
    PEMReader reader = new PEMReader(new FileReader("keycert.txt"),  // takes a Reader, not an InputStream
        new PasswordFinder() { public char[] getPassword() { return passphrase; } });  // the ENCRYPTED PRIVATE KEY block needs it; passphrase assumed defined elsewhere
    PrivateKey key = (PrivateKey) reader.readObject();
    X509Certificate cert = (X509Certificate) reader.readObject();  // java.security.cert.X509Certificate
    reader.close();

    It's possible that the reader returns a KeyPair instead of the
    private key instance but that should be easy to find out.


    Regards, Lothar
    --
    Lothar Kimmeringer E-Mail:
    PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

    Always remember: The answer is forty-two, there can only be wrong
    questions!
    Lothar Kimmeringer, Aug 26, 2010
    #2

  3. bcr666

    bcr666 Guest

    Here are the methods that you requested.

    // Both methods load the same JKS file; KEYSTORE_FILE_NAME and KEYSTORE_PASS are constants defined elsewhere in the class.
    private static KeyManager[] getKeyManagers() throws
            KeyStoreException, NoSuchAlgorithmException, CertificateException,
            IOException, UnrecoverableKeyException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream(KEYSTORE_FILE_NAME)) {
            ks.load(fis, KEYSTORE_PASS.toCharArray());      // store password; the stream is closed afterwards
        }

        // a KeyManagerFactory (kmf, not tmf): it presents our key and certificate to the server
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, KEYSTORE_PASS.toCharArray());         // key password (same as the store password here)

        return kmf.getKeyManagers();
    }

    private static TrustManager[] getTrustManagers() throws
            KeyStoreException, NoSuchAlgorithmException, CertificateException,
            IOException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream fis = new FileInputStream(KEYSTORE_FILE_NAME)) {
            ks.load(fis, KEYSTORE_PASS.toCharArray());
        }

        // TrustManagerFactory has its own default algorithm ("PKIX"); KeyManagerFactory's
        // default ("SunX509") is the key-manager algorithm and does not belong here
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                      // certificate entries in ks become the trust anchors

        return tmf.getTrustManagers();
    }

    If I use the code you gave me how do I use the X509Certificate to
    secure the connection?

    > looks OK to me without knowing what happens at getKeyManagers
    > and getTrustManagers.
    >
    > > and how to import the
    > > files into a keystore?

    >
    > If you use BouncyCastle:
    >
    > PEMReader reader = new PEMReader(new FileInputStream("keycert.txt"));
    > PrivateKey key = (PrivateKey) reader.readObject();
    > X509Certificate cert = (X509Certificate) reader.readObject();
    >
    > It's possible that the reader returns a KeyPair instead of the
    > private key instance but that should be easy to find out.
    bcr666, Aug 26, 2010
    #3
  4. Tom Anderson

    Tom Anderson Guest

    On Thu, 26 Aug 2010, bcr666 wrote:

    > I need to write a ftp/ssl program (done actually) but I need to secure
    > it, and I was provided 2 files from the destination (keycert.txt &
    > trusted.txt).
    >
    > The keycert.txt has the following in it:
    > -----BEGIN ENCRYPTED PRIVATE KEY-----
    > MII ...snip...
    > -----END ENCRYPTED PRIVATE KEY-----
    > -----BEGIN CERTIFICATE-----
    > MII ...snip...
    > -----END CERTIFICATE-----
    >
    > The trusted.txt has the following in it:
    > -----BEGIN CERTIFICATE-----
    > MII ...snip...
    > -----END CERTIFICATE-----=
    >
    > Notice the MII in the certificate/key areas. I suspect that it is RSA.


    The OpenSSL command-line tools will let you verify this, inspect the
    contents, convert them into other formats, and so on and so forth. It's a
    very useful package to have if you're doing crypto stuff. For instance:

    openssl x509 -text -noout -inform PEM -in trusted.txt

    Will tell you all about the certificate, if it is indeed PEM.

    > I guess I'm supposed to import these into a keystore then use
    >
    > .....
    > KeyManager keyManager = null;
    > TrustManager trustManager = null;
    > try {
    > keyManager = getKeyManagers()[0];
    > trustManager = getTrustManagers()[0];
    > }
    > catch (Exception ex) {
    > ex.printStackTrace();
    > }
    >
    > ftps.setControlEncoding("UTF-8");
    >
    > ftps.setKeyManager(keyManager);
    > ftps.setTrustManager(trustManager);
    > .....
    > Can someone tell me if I'm on the right track, and how to import the
    > files into a keystore?


    The JDK's keytool will do this. Something like:

    keytool -importcert -alias trusted -file trusted.txt -keystore truststore.jks

    For the private key, keytool will import from anything it considers a
    keystore. Your file looks like it's PKCS#8, which I don't think keytool
    supports (although you could try). You could use OpenSSL to convert it to
    PKCS#12 (I think?), which I think keytool can import.

    To be honest, I find this whole business of cryptographic file formats and
    key management operations completely baffling, so this could all be
    nonsense.

    tom

    --
    I'd get more sense out of a crossed line with the Krankies
    Tom Anderson, Aug 26, 2010
    #4
  5. bcr666 wrote:

    > Here are the methods that you requested.
    >
    > private static KeyManager[] getKeyManagers() throws
    > KeyStoreException, NoSuchAlgorithmException, CertificateException,
    > FileNotFoundException, IOException, UnrecoverableKeyException {
    > KeyStore ks = KeyStore.getInstance("JKS");
    >
    > ks.load(new FileInputStream(KEYSTORE_FILE_NAME),
    > KEYSTORE_PASS.toCharArray());
    >
    > KeyManagerFactory tmf =
    > KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    > tmf.init(ks, KEYSTORE_PASS.toCharArray());
    >
    > return tmf.getKeyManagers();
    > }
    >
    > private static TrustManager[] getTrustManagers() throws
    > KeyStoreException, NoSuchAlgorithmException, CertificateException,
    > FileNotFoundException, IOException, UnrecoverableKeyException {
    > KeyStore ks = KeyStore.getInstance("JKS");
    > ks.load(new FileInputStream(KEYSTORE_FILE_NAME),
    > KEYSTORE_PASS.toCharArray());
    >
    > TrustManagerFactory tmf =
    > TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    > tmf.init(ks);
    >
    > return tmf.getTrustManagers();
    > }


    IMHO you should create the KeyStore once and pass it as a parameter
    to the two methods.

    > If I use the code you gave me how do I use the X509Certificate to
    > secure the connection?


    The code I gave you allows you to read in the certificate and key.
    After that you can add the certificate and the key to the
    keystore. The Keystore is then used by the FtpsServer. How it
    uses it is implementation dependent. E.g. the SSLSocket
    and SSLServerSocket classes just load all available keys
    and certificates that are marked to be used as TLS Client
    and TLS Server. They then use the first fitting key (which
    depends on the result of the SSL handshake).

    If you want a specific key to be used instead of the first
    fitting one, you have to write your own implementation of
    KeyManager and TrustManager (which is not very hard, they
    only consist of four methods each AFAIR).


    Regards, Lothar
    --
    Lothar Kimmeringer E-Mail:
    PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

    Always remember: The answer is forty-two, there can only be wrong
    questions!
    Lothar Kimmeringer, Aug 26, 2010
    #5
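    One way to do what Lothar's two answers above describe (read keycert.txt and trusted.txt, put the key and certificates into a KeyStore, and get KeyManagers and TrustManagers out of it), as an added example that is not part of the thread and not BouncyCastle's own code. It uses BouncyCastle's PEMParser, which replaced the PEMReader quoted above in later releases, so the bcprov and bcpkix jars are assumed to be on the classpath. The class name, the "client" and "trusted-N" aliases and the PEM_PASSPHRASE environment variable are choices made here; the thread specifies none of them. Unlike the JKS-on-disk approach in the second post, both stores live in memory, and the trust store is deliberately kept apart from the identity store.

```java
import java.io.FileReader;
import java.io.Reader;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;
import org.bouncycastle.openssl.jcajce.JceOpenSSLPKCS8DecryptorProviderBuilder;
import org.bouncycastle.pkcs.PKCS8EncryptedPrivateKeyInfo;

/** Turns keycert.txt and trusted.txt into an in-memory identity store and a separate trust store. */
public final class PemKeyStores {
    static {   // register BouncyCastle with the JCE once; whatever asks for provider "BC" by name fails otherwise
        if (Security.getProvider("BC") == null) Security.addProvider(new BouncyCastleProvider());
    }

    /** What one PEM file yields: at most one private key, plus the certificates in file order. */
    public static final class PemContents {
        public PrivateKey key;
        public final List<X509Certificate> certs = new ArrayList<>();
    }

    /** Walks every BEGIN/END block. The parser hands back different types depending on the block label:
     *  encrypted PKCS#8 (this thread's keycert.txt), plain PKCS#8, or an OpenSSL "RSA PRIVATE KEY" pair. */
    public static PemContents read(Reader in, char[] passphrase) throws Exception {
        PemContents out = new PemContents();
        JcaPEMKeyConverter keys = new JcaPEMKeyConverter().setProvider("BC");
        JcaX509CertificateConverter certs = new JcaX509CertificateConverter().setProvider("BC");
        try (PEMParser parser = new PEMParser(in)) {
            for (Object o = parser.readObject(); o != null; o = parser.readObject()) {
                if (o instanceof PKCS8EncryptedPrivateKeyInfo) {            // "ENCRYPTED PRIVATE KEY"
                    PrivateKeyInfo clear = ((PKCS8EncryptedPrivateKeyInfo) o).decryptPrivateKeyInfo(
                            new JceOpenSSLPKCS8DecryptorProviderBuilder().setProvider("BC").build(passphrase));
                    out.key = keys.getPrivateKey(clear);
                } else if (o instanceof PrivateKeyInfo) {                    // "PRIVATE KEY"
                    out.key = keys.getPrivateKey((PrivateKeyInfo) o);
                } else if (o instanceof PEMKeyPair) {                        // "RSA PRIVATE KEY": a pair, keep the private half
                    out.key = keys.getKeyPair((PEMKeyPair) o).getPrivate();
                } else if (o instanceof X509CertificateHolder) {             // "CERTIFICATE"
                    out.certs.add(certs.getCertificate((X509CertificateHolder) o));
                } else {
                    throw new IllegalArgumentException("unexpected PEM block: " + o.getClass().getName());
                }
            }
        }
        return out;
    }

    /** Identity store: the client key with its certificate chain under one alias; in memory only. */
    public static KeyStore identityStore(PemContents id, char[] keyPass) throws Exception {
        if (id.key == null || id.certs.isEmpty()) {
            throw new IllegalArgumentException("keycert.txt must contain a private key and its certificate");
        }
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);                                 // null stream: start empty, nothing read from disk
        ks.setKeyEntry("client", id.key, keyPass, id.certs.toArray(new Certificate[0]));
        return ks;
    }

    /** Trust store holding only trusted.txt. Kept apart from the identity store because the PKIX trust
     *  manager also anchors on the leaf certificate of every key entry in the store it is initialised with. */
    public static KeyStore trustStore(PemContents trusted) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);
        for (int i = 0; i < trusted.certs.size(); i++) ts.setCertificateEntry("trusted-" + i, trusted.certs.get(i));
        return ts;
    }

    public static void main(String[] args) throws Exception {
        String env = System.getenv("PEM_PASSPHRASE");         // assumption: the passphrase arrives via the environment
        if (env == null) throw new IllegalStateException("set PEM_PASSPHRASE to the keycert.txt passphrase");
        char[] pass = env.toCharArray();
        PemContents id = read(new FileReader("keycert.txt"), pass);
        PemContents trusted = read(new FileReader("trusted.txt"), pass);   // no key inside; passphrase unused
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identityStore(id, pass), pass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore(trusted));
        KeyManager[] km = kmf.getKeyManagers();               // what ftps.setKeyManager(...) wants
        TrustManager[] tm = tmf.getTrustManagers();           // what ftps.setTrustManager(...) wants
        System.out.println("key algorithm: " + id.key.getAlgorithm()      // the "MII" prefix alone does not say
                + ", client cert: " + id.certs.get(0).getSubjectX500Principal()
                + ", trust anchors: " + trusted.certs.size() + ", managers: " + km.length + "/" + tm.length);
    }
}
```

    key.getAlgorithm() settles the "is it RSA?" question from the first post: "MII" in base64 is just the DER bytes 0x30 0x82, a SEQUENCE with a two-byte length, and says nothing about the algorithm. Lines outside the BEGIN/END markers, such as the stray "=" after the last marker in trusted.txt, are skipped by the parser. If a file keytool can inspect is wanted, identityStore(id, pass).store(new FileOutputStream("client.p12"), pass) writes a PKCS#12 store, which is the route Tom Anderson's post points at; the passphrase should come from wherever the deployment keeps secrets rather than from a hard-coded constant.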
  6. bcr666

    bcr666 Guest

    OK, so it sounds like you are suggesting creating a KeyStore in memory. I
    was thinking of creating a keystore file with something like keytool
    that would reside in the application directory and the application
    would pick it up with those methods I included in the second post.
    bcr666, Aug 26, 2010
    #6
  7. bcr666

    bcr666 Guest

    On Aug 26, 2:30 pm, Lothar Kimmeringer <>
    wrote:
    > If you use BouncyCastle:
    >
    > PEMReader reader = new PEMReader(new FileInputStream("keycert.txt"));
    > PrivateKey key = (PrivateKey) reader.readObject();
    > X509Certificate cert = (X509Certificate) reader.readObject();


    I get a:

    org.bouncycastle.openssl.PEMException: problem parsing cert:
    java.security.NoSuchProviderException: no such provider: BC
    at org.bouncycastle.openssl.PEMReader.readCertificate(Unknown Source)
    at org.bouncycastle.openssl.PEMReader.readObject(Unknown Source)
    at com.kable.newsstand.KeyStoreTest.<init>(KeyStoreTest.java:15)
    at com.kable.newsstand.KeyStoreTest.main(KeyStoreTest.java:26)
    Caused by: java.security.NoSuchProviderException: no such provider: BC
    at java.security.Security.getEngineClassName(Unknown Source)
    at java.security.Security.getImpl(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at java.security.cert.CertificateFactory.getInstance(Unknown Source)

    at the PrivateKey line. And of course I can't find any documentation
    on this exception on BouncyCastle.org.

    Code:

    import org.bouncycastle.openssl.PEMReader;
    import java.security.PrivateKey;
    import java.security.cert.X509Certificate;   // not javax.security.cert: PEMReader returns the java.security.cert type
    import java.io.*;

    public class KeyStoreTest {
        public KeyStoreTest() {
            // nothing in this class registers the BouncyCastle provider with java.security.Security
            try {
                PEMReader reader = new PEMReader(new FileReader("keycert.txt"));
                PrivateKey key = (PrivateKey) reader.readObject();
                X509Certificate cert = (X509Certificate) reader.readObject();
                reader.close();
                reader = null;
            }
            catch (Exception ex) {
                ex.printStackTrace();
            }
        }

        public static void main(String[] args) {
            new KeyStoreTest();   // the trace above shows main calling this constructor
        }
    }
    bcr666, Aug 30, 2010
    #7
  8. Daniel Pitts

    Daniel Pitts Guest

    On 8/26/2010 8:10 AM, bcr666 wrote:
    > I need to write a ftp/ssl program (done actually) but I need to secure
    > it, and I was provided 2 files from the destination (keycert.txt&
    > trusted.txt).

    Just curious why scp, ssh, and/or sftp are not valid implementations for
    your use-case.


    --
    Daniel Pitts' Tech Blog: <http://virtualinfinity.net/wordpress/>
    Daniel Pitts, Aug 30, 2010
    #8
  9. bcr666 wrote:

    > On Aug 26, 2:30 pm, Lothar Kimmeringer <>
    > wrote:
    >> If you use BouncyCastle:
    >>
    >> PEMReader reader = new PEMReader(new FileInputStream("keycert.txt"));
    >> PrivateKey key = (PrivateKey) reader.readObject();
    >> X509Certificate cert = (X509Certificate) reader.readObject();

    >
    > I get a:
    >
    > org.bouncycastle.openssl.PEMException: problem parsing cert:
    > java.security.NoSuchProviderException: no such provider: BC


    Have you added the provider jar of BouncyCastle to your
    Classpath?

    > Caused by: java.security.NoSuchProviderException: no such provider: BC
    > at java.security.Security.getEngineClassName(Unknown Source)
    > at java.security.Security.getImpl(Unknown Source)
    >
    > at the PrivateKey line. And of course I can't find any documentation
    > on this exception on BouncyCastle.org.


    It's an exception of the JCE (part of Java), not of BouncyCastle,
    so no wonder.


    Regards, Lothar
    --
    Lothar Kimmeringer E-Mail:
    PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

    Always remember: The answer is forty-two, there can only be wrong
    questions!
    Lothar Kimmeringer, Sep 2, 2010
    #9
  10. Daniel Pitts wrote:

    > On 8/26/2010 8:10 AM, bcr666 wrote:
    >> I need to write a ftp/ssl program (done actually) but I need to secure
    >> it, and I was provided 2 files from the destination (keycert.txt&
    >> trusted.txt).

    > Just curious why scp, ssh, and/or sftp are not valid implementation for
    > your use-case.


    FTP over TLS is called FTPS and comes in two flavors: implicit and
    explicit. Implementation is quite easy, by just "wrapping" an
    SSLSocket around the plain sockets being used before. You don't
    need to change your ftp implementation very much, but it adds a
    lot of new problems to the ones that already exist concerning
    firewall rules.


    Regards, Lothar
    --
    Lothar Kimmeringer E-Mail:
    PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

    Always remember: The answer is forty-two, there can only be wrong
    questions!
    Lothar Kimmeringer, Sep 2, 2010
    #10
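    The explicit/implicit distinction Lothar describes, as an added example that is not part of the thread: in explicit mode the client speaks plain FTP, sends AUTH TLS and then wraps the very same socket in an SSLSocket; in implicit mode the socket is wrapped before the first byte. PBSZ 0 and PROT P then move the data connections under TLS as well, which is what takes away the firewall's view of the PASV exchange. Assumptions made here: the SSLContext is one initialised with the KeyManagers and TrustManagers built earlier in the thread (SSLContext.getDefault() stands in for it in main), the host and port come from the command line, and the server accepts LIST over a passive data connection. The class and method names are this example's own.

```java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.io.OutputStreamWriter;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

/** FTPS control channel, explicit (AUTH TLS, RFC 4217) or implicit, plus one TLS-protected PASV transfer. */
public final class FtpsChannel {
    private static final Pattern PASV_REPLY = Pattern.compile("\\((\\d+),(\\d+),(\\d+),(\\d+),(\\d+),(\\d+)\\)");
    private final SSLContext ctx;
    private final String host;
    private BufferedReader in;
    private OutputStreamWriter out;
    public FtpsChannel(SSLContext ctx, String host) { this.ctx = ctx; this.host = host; }

    /** Plain TCP first; in explicit mode the same connection is wrapped in TLS once the server answers 234. */
    public void connect(int port, boolean implicit) throws IOException {
        Socket s = new Socket(host, port);
        s.setSoTimeout(60_000);                          // never hang forever on a silent peer
        if (implicit) {                                  // TLS from the first byte, conventionally port 990
            attach(wrap(s, port));
            expect("greeting", 220);
        } else {
            attach(s);
            expect("greeting", 220);
            send("AUTH TLS");                            // request the upgrade on the clear control channel
            expect("AUTH TLS", 234);                     // the server now waits for our ClientHello
            attach(wrap(s, port));                       // same TCP connection, now inside TLS
        }
        send("PBSZ 0"); expect("PBSZ", 200);             // RFC 4217: PBSZ must precede PROT
        send("PROT P"); expect("PROT", 200);             // data connections are to be TLS as well
    }

    /** LIST over a PASV data connection; the data-channel handshake happens after the transfer command. */
    public List<String> list() throws IOException {
        send("PASV");
        Matcher m = PASV_REPLY.matcher(expect("PASV", 227));
        if (!m.find()) throw new IOException("unparsable PASV reply");
        int dataPort = Integer.parseInt(m.group(5)) * 256 + Integer.parseInt(m.group(6));
        // connect to the control-channel host, not the advertised address: a NATed server often reports
        // a private IP, and with PROT P no firewall helper can rewrite the PASV reply any more
        Socket data = new Socket(host, dataPort);
        send("LIST");
        expect("LIST", 125, 150);
        List<String> lines = new ArrayList<>();
        try (SSLSocket tls = wrap(data, dataPort);
             BufferedReader r = new BufferedReader(new InputStreamReader(tls.getInputStream(), StandardCharsets.UTF_8))) {
            for (String l = r.readLine(); l != null; l = r.readLine()) lines.add(l);
        }
        expect("LIST completion", 226);
        return lines;
    }

    public void quit() throws IOException { send("QUIT"); expect("QUIT", 221); }

    private SSLSocket wrap(Socket s, int port) throws IOException {
        SSLSocket tls = (SSLSocket) ctx.getSocketFactory().createSocket(s, host, port, true);
        SSLParameters p = tls.getSSLParameters();
        p.setEndpointIdentificationAlgorithm("HTTPS");   // hostname check; a TrustManager alone never does this
        tls.setSSLParameters(p);
        tls.startHandshake();                            // our key/cert is presented here if the server asks
        return tls;
    }

    private void attach(Socket s) throws IOException {
        in = new BufferedReader(new InputStreamReader(s.getInputStream(), StandardCharsets.UTF_8));
        out = new OutputStreamWriter(s.getOutputStream(), StandardCharsets.UTF_8);
    }
    private void send(String cmd) throws IOException { out.write(cmd + "\r\n"); out.flush(); }

    /** Reads one reply ("123-" first lines continue until a "123 " line) and checks its code. */
    private String expect(String what, int... ok) throws IOException {
        String first = in.readLine();
        if (first == null || first.length() < 4) throw new IOException(what + ": connection closed or short reply");
        StringBuilder sb = new StringBuilder(first);
        if (first.charAt(3) == '-') {
            String last = first.substring(0, 3) + " ";
            for (String l = in.readLine(); l != null; l = in.readLine()) {
                sb.append('\n').append(l);
                if (l.startsWith(last)) break;
            }
        }
        int code = Integer.parseInt(first.substring(0, 3));
        if (Arrays.stream(ok).noneMatch(c -> c == code)) throw new IOException(what + ": expected " + Arrays.toString(ok) + ", got " + sb);
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // assumption: args = host [port] [implicit]; SSLContext.getDefault() stands in for one initialised
        // with the KeyManagers and TrustManagers discussed earlier in the thread
        FtpsChannel c = new FtpsChannel(SSLContext.getDefault(), args[0]);
        c.connect(args.length > 1 ? Integer.parseInt(args[1]) : 21, args.length > 2 && Boolean.parseBoolean(args[2]));
        for (String line : c.list()) System.out.println(line);
        c.quit();
    }
}
```

    Two caveats a bare SSLSocket does not cover for you: setEndpointIdentificationAlgorithm("HTTPS") is what makes JSSE compare the certificate's names with the host you connected to (a TrustManager only validates the chain), and several servers, vsftpd with its default require_ssl_reuse=YES among them, insist that the data connection resume the control connection's TLS session, which JSSE gives you no direct way to force; against such a server use Commons Net's FTPSClient or have that option relaxed. The firewall problem Lothar mentions is visible in list(): once the control channel is encrypted nothing in between can read or rewrite the PASV reply, so the server's passive port range has to be opened explicitly.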