commons-ssl



Ping

"org.apache.commons.ssl.Ping" contains a main method to help you diagnose SSL issues. It's modeled on OpenSSL's very handy "s_client" utility. We've been very careful to make sure "org.apache.commons.ssl.Ping" can execute without any additional jar files on the classpath (except if using Java 1.3 - then you'll need jsse.jar).

"Ping" Utility Attempts "HEAD / HTTP/1.1" Request
This utility is very handy because it can get you the server's public
certificate even if your client certificate is bad (so even though the SSL
handshake fails).  And unlike "openssl s_client", this utility can bind
against any IP address available.

$Name: commons-ssl-0_3_8 $ compiled=[EST:2007-02-22/10:12:26.000]
Usage:  java -jar not-yet-commons-ssl-0.3.7.jar [options]
Options:   (*=required)
*  -t  --target           [hostname[:port]]             default port=443
   -b  --bind             [hostname[:port]]             default port=0 "ANY"
   -r  --proxy            [hostname[:port]]             default port=80
   -tm --trust-cert       [path to trust material]  *.{pem, der, crt, jks}
   -km --client-cert      [path to client's private key]  *.{jks, pkcs12, pkcs8}
   -cc --cert-chain       [path to client's cert chain if using pkcs8/OpenSSL key]
   -p  --password         [client cert password]

Example:

java -jar commons-ssl.jar -t cucbc.com:443 -km ./client.pfx -p `cat ./pass.txt`

TODO:
Apparently Java 6.0 supports reading passwords from standard input without echoing the typed characters. It would be nice to use that feature when it's available, instead of requiring the password to be specified as a command-line argument, where other local users can see it in the process list.


KeyStoreBuilder

java -cp commons-ssl-0.3.7.jar org.apache.commons.ssl.KeyStoreBuilder

KeyStoreBuilder converts PKCS12 and PKCS8 to Java "Keystore", and vice versa.

KeyStoreBuilder:  creates '[alias].jks' (Java Key Store)
    -topk8 mode:  creates '[alias].pem' (x509 chain + unencrypted pkcs8)
[alias] will be set to the first CN value of the X509 certificate.
-------------------------------------------------------------------
Usage1: [password] [file:pkcs12]
Usage2: [password] [file:private-key] [file:certificate-chain]
Usage3: -topk8 [password] [file:jks]
-------------------------------------------------------------------
[private-key] can be openssl format, or pkcs8.
[password] decrypts [private-key], and also encrypts outputted JKS file.
All files can be PEM or DER.


Warning:  -topk8 outputs the private key UNENCRYPTED! Cut and paste the private key into a separate file, and then use "openssl rsa" or "openssl dsa" to encrypt it with a password.
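
The warning above leaves a plaintext private key on disk until it is split out and encrypted by hand. The shell functions below are an added example, not part of commons-ssl: they separate the key from the certificate chain and report whether a PEM file still holds an unencrypted private key. The function names, file names and dummy PEM content are constructed for illustration.

```shell
#!/bin/sh
# Added example; function and file names are hypothetical.

# Print "unencrypted", "encrypted" or "none" for the private key(s) in PEM file $1.
pem_key_status() {
  awk '
    /^-----BEGIN ENCRYPTED PRIVATE KEY-----/ { enc = 1 }      # encrypted PKCS8
    /^-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----/ { hdr = 0 }
    /^Proc-Type: 4,ENCRYPTED/ { hdr = 1 }                     # OpenSSL-format encryption header
    /^-----END (RSA |DSA |EC )?PRIVATE KEY-----/ { if (hdr) enc = 1; else plain = 1 }
    END { print (plain ? "unencrypted" : (enc ? "encrypted" : "none")) }
  ' "$1"
}

# Copy private key block(s) from $1 into $2 (created mode 600), all other lines into $3.
split_pem() {
  ( umask 077; : > "$2" ) || return 1
  : > "$3" || return 1
  awk -v key="$2" -v chain="$3" '
    /^-----BEGIN .*PRIVATE KEY-----/ { inkey = 1 }
    { print >> (inkey ? key : chain) }
    /^-----END .*PRIVATE KEY-----/ { inkey = 0 }
  ' "$1"
}

# Constructed stand-in for a -topk8 output file (dummy base64, not a real key).
make_sample() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQgU0FNUExFIENFUlQ=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
Q09OU1RSVUNURUQgU0FNUExFIEtFWQ==
-----END PRIVATE KEY-----
EOF
}

demo() {
  d=$(mktemp -d) || return 1
  make_sample "$d/alias.pem"
  split_pem "$d/alias.pem" "$d/alias.key" "$d/alias.chain.pem"
  for f in alias.pem alias.key alias.chain.pem; do
    echo "$f: $(pem_key_status "$d/$f")"
  done
  # Next, per the warning: encrypt alias.key with "openssl rsa" or "openssl dsa",
  # confirm pem_key_status reports "encrypted", then delete alias.pem and alias.key.
  rm -rf "$d"
}
demo
```

Running pem_key_status over the working directory after the conversion is a quick way to confirm that no plaintext key was left behind.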