
#1 Dynamic SSL certificate creation based on a single Paros CA

Status: open
Owner: nobody
Labels: None
Priority: 5
Updated: 2008-08-28
Created: 2008-08-28
Private: No

Intro:
----------

I've hacked some code against cvs-head, which handles
SSL certificates better. It uses a so-called Paros CA
certificate and creates and signs new SSL certificates
on the fly when an SSL connection is created.
In other words, it's an in-memory, instantly reacting
Certificate Authority.

So you only have to import the Paros CA certificate into
your trusted certificates in your browser settings and
voilà, you'll never be blamed with an invalid
certificate again (to be honest, not until 2035 ;-) ).

Technical information:
---------------------------
The patch was created with Eclipse and contains a
binary file (JKS, Java Key Store). This binary file
is probably not handled by standard CVS patch tools,
so I highly propose using Eclipse for applying
the patch.

The patch was built on top of CVS HEAD 2008-08-28.

I raised the minimum Java version requirement
to 1.5. Java 1.4.x is no longer supported,
so you also need at least JDK 1.5.x.
Tested with Sun JDK 1.5.16 (win32).

You will additionally need to download and include the
Bouncy Castle Crypto library, for example
"bcprov-jdk15-140.jar".
You don't need the Java unrestricted security
policy. I developed the code so that the unrestricted
crypto strength patch from Sun is not needed.

Regards
Martin
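The in-memory issuing CA described above, as an added illustration that is not the patch's own code: it uses today's Bouncy Castle X.509 builder API (bcprov plus bcpkix, Java 7 or later) rather than the 2008 one, and the keystore path, alias, password and the one-year validity are assumptions.

```java
import java.io.FileInputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.concurrent.ConcurrentHashMap;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.*;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** In-memory issuing CA: loads the CA key pair from a JKS file and mints one leaf per host. */
public class DynamicCertFactory {
    private final X509Certificate caCert;
    private final PrivateKey caKey;          // never leaves this process
    private final KeyPairGenerator keyGen;
    private final ConcurrentHashMap<String, KeyStore.PrivateKeyEntry> cache = new ConcurrentHashMap<>();

    // path, alias and password are assumptions; the patch keeps its own in SslCertificateService.java
    public DynamicCertFactory(String jksPath, char[] storePass, String alias) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) { ks.load(in, storePass); }
        caCert = (X509Certificate) ks.getCertificate(alias);
        caKey = (PrivateKey) ks.getKey(alias, storePass);
        keyGen = KeyPairGenerator.getInstance("RSA");
        keyGen.initialize(2048);
    }

    /** Returns the cached key+chain for host, or signs a fresh leaf with the CA key. */
    public KeyStore.PrivateKeyEntry identityFor(String host) throws Exception {
        KeyStore.PrivateKeyEntry cached = cache.get(host);
        if (cached != null) return cached;
        KeyPair leaf = keyGen.generateKeyPair();
        Date notBefore = new Date(System.currentTimeMillis() - 86_400_000L);   // one day back for clock skew
        Date notAfter = new Date(notBefore.getTime() + 365L * 86_400_000L);   // one year, not "until 2035"
        BigInteger serial = new BigInteger(64, new SecureRandom()).setBit(63); // random, positive, unique
        JcaX509v3CertificateBuilder b = new JcaX509v3CertificateBuilder(
                caCert, serial, notBefore, notAfter, new X500Name("CN=" + host), leaf.getPublic());
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false)); // leaf may not issue
        b.addExtension(Extension.subjectAlternativeName, false,
                new GeneralNames(new GeneralName(GeneralName.dNSName, host)));          // clients match SAN, not CN
        X509Certificate cert = new JcaX509CertificateConverter().getCertificate(
                b.build(new JcaContentSignerBuilder("SHA256withRSA").build(caKey)));
        cert.verify(caCert.getPublicKey());  // sanity check: the signature really links to the Paros CA
        cache.putIfAbsent(host, new KeyStore.PrivateKeyEntry(leaf.getPrivate(), new X509Certificate[] {cert, caCert}));
        return cache.get(host);
    }
}
```

The returned entry can be placed into an in-memory KeyStore and handed to a KeyManagerFactory to build the per-host SSLContext; current browsers check the hostname against the SAN extension, so a leaf carrying only a CN is rejected even when the CA is trusted.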

Discussion

  • Martin W. Kirst - 2008-08-28

    patch in unified diff format, created with Eclipse

  • Martin W. Kirst - 2009-02-08

    File Added: root-ca-junit-test.patch

  • Martin W. Kirst - 2009-02-08

    JUnit4 test case for dynamic SSL cert creation

  • Martin W. Kirst - 2009-02-08

    I've added a JUnit4 test case for dynamic SSL certificate creation.
    To get it running, you need to have the Paros source running as a
    project inside Eclipse. When applying the patch you will get a new
    folder "tests". You have to add this "tests" folder as an additional
    source folder within the project's (build) properties.
    Of course, you need to have JUnit4 in your classpath.
    And last but most important, download BouncyCastle crypto provider
    and put it into your project's library dependencies.
    Simply google for it. Most likely the name looks like "bcprov-jdk15-140.jar".

    After all you can right click with your mouse and say "Run As" -> "Junit Test".

    When it runs, it will load the root-ca JKS file and will create
    two different certificates for one domain.

    So you can 1st test your project's setup and 2nd your paros-ca file.

  • Martin W. Kirst - 2011-02-13

    In case you have trouble applying the 'paros-ca' file, follow these instructions.
    1.) apply the patch regularly but exclude 'paros-ca'
    2.) add bcprov-jdk15-145.jar to the project's class path
    3.) download and run an additional tool called 'Portecle'
    3.1) create a new key pair and fill in all requested values by using your fantasy ;-)
    3.2) use the alias name 'paros-ca' for the key pair
    3.3) export the public key of this paros-ca cert (recommended format: CER)
    3.4) import the public key as a trusted root CA in your browser or HTTP client (hint: don't choose automatic store selection, but rather manual selection)
    3.5) save the key pair as a JKS file, using the password used in the source file SslCertificateService.java, and store it as a file called 'paros-ca' in $project/src/resource/paros-ca
    4.) when running, make sure all files from the resource folder are accessible via the classpath (hint: use Eclipse's launch configuration and use the working directory "${workspace_loc:parosng/output}")

    Hopefully that helps ;-)
