ftp ssl cert


bcr666

I need to write a ftp/ssl program (done actually) but I need to secure
it, and I was provided 2 files from the destination (keycert.txt &
trusted.txt).

The keycert.txt has the following in it:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MII ...snip...
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MII ...snip...
-----END CERTIFICATE-----

The trusted.txt has the following in it:
-----BEGIN CERTIFICATE-----
MII ...snip...
-----END CERTIFICATE-----=

Notice the MII in the certificate/key areas. I suspect that it is RSA.
I guess I'm supposed to import these into a keystore then use

.....
KeyManager keyManager = null;
TrustManager trustManager = null;
try {
    keyManager = getKeyManagers()[0];
    trustManager = getTrustManagers()[0];
}
catch (Exception ex) {
    ex.printStackTrace();
}

ftps.setControlEncoding("UTF-8");

ftps.setKeyManager(keyManager);
ftps.setTrustManager(trustManager);
.....
Can someone tell me if I'm on the right track, and how to import the
files into a keystore?
 

Lothar Kimmeringer

bcr666 said:
> I need to write a ftp/ssl program (done actually) but I need to secure
> it, and I was provided 2 files from the destination (keycert.txt &
> trusted.txt).
>
> The keycert.txt has the following in it:
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MII ...snip...
> -----END ENCRYPTED PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> MII ...snip...
> -----END CERTIFICATE-----
>
> The trusted.txt has the following in it:
> -----BEGIN CERTIFICATE-----
> MII ...snip...
> -----END CERTIFICATE-----=

This is the so-called PEM format; the text between the
markers is base64-coded DER-encoded data.

> Notice the MII in the certificate/key areas. I suspect that it is RSA.

It can also be Diffie-Hellman or EC keys; that is one of the pieces of
information in the DER-encoded data.

> I guess I'm supposed to import these into a keystore
> then use
>
> .....
> KeyManager keyManager = null;
> TrustManager trustManager = null;
> try {
> keyManager = getKeyManagers()[0];
> trustManager = getTrustManagers()[0];
> }
> catch (Exception ex) {
> ex.printStackTrace();
> }
>
> ftps.setControlEncoding("UTF-8");
>
> ftps.setKeyManager(keyManager);
> ftps.setTrustManager(trustManager);

Looks OK to me without knowing what happens in getKeyManagers
and getTrustManagers.

> Can someone tell me if I'm on the right track,

Looks OK.

> and how to import the
> files into a keystore?

If you use BouncyCastle:

// PEMReader takes a java.io.Reader, not an InputStream; for an
// ENCRYPTED PRIVATE KEY block use the PEMReader(Reader, PasswordFinder)
// constructor so the reader can decrypt it
PEMReader reader = new PEMReader(new FileReader("keycert.txt"));
PrivateKey key = (PrivateKey) reader.readObject();
X509Certificate cert = (X509Certificate) reader.readObject();

It's possible that the reader returns a KeyPair instead of the
private key instance but that should be easy to find out.


Regards, Lothar
--
Lothar Kimmeringer E-Mail: (e-mail address removed)
PGP-encrypted mails preferred (Key-ID: 0x8BC3CD81)

Always remember: The answer is forty-two, there can only be wrong
questions!
 

bcr666

Here are the methods that you requested.

private static KeyManager[] getKeyManagers() throws
        KeyStoreException, NoSuchAlgorithmException, CertificateException,
        IOException, UnrecoverableKeyException {
    KeyStore ks = KeyStore.getInstance("JKS");

    // try-with-resources closes the stream even if load() throws
    try (InputStream in = new FileInputStream(KEYSTORE_FILE_NAME)) {
        ks.load(in, KEYSTORE_PASS.toCharArray());
    }

    KeyManagerFactory kmf =
        KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, KEYSTORE_PASS.toCharArray());

    return kmf.getKeyManagers();
}

private static TrustManager[] getTrustManagers() throws
        KeyStoreException, NoSuchAlgorithmException, CertificateException,
        IOException {
    KeyStore ks = KeyStore.getInstance("JKS");
    try (InputStream in = new FileInputStream(KEYSTORE_FILE_NAME)) {
        ks.load(in, KEYSTORE_PASS.toCharArray());
    }

    // ask the TrustManagerFactory for its own default algorithm (PKIX),
    // not the KeyManagerFactory's
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);

    return tmf.getTrustManagers();
}

If I use the code you gave me how do I use the X509Certificate to
secure the connection?
 

Tom Anderson

bcr666 said:
> I need to write a ftp/ssl program (done actually) but I need to secure
> it, and I was provided 2 files from the destination (keycert.txt &
> trusted.txt).
>
> The keycert.txt has the following in it:
> -----BEGIN ENCRYPTED PRIVATE KEY-----
> MII ...snip...
> -----END ENCRYPTED PRIVATE KEY-----
> -----BEGIN CERTIFICATE-----
> MII ...snip...
> -----END CERTIFICATE-----
>
> The trusted.txt has the following in it:
> -----BEGIN CERTIFICATE-----
> MII ...snip...
> -----END CERTIFICATE-----=
>
> Notice the MII in the certificate/key areas. I suspect that it is RSA.

The OpenSSL command-line tools will let you verify this, inspect the
contents, convert them into other formats, and so on and so forth. It's a
very useful package to have if you're doing crypto stuff. For instance:

openssl x509 -text -inform PEM -in trusted.txt

Will tell you all about the certificate, if it is indeed PEM.

> I guess I'm supposed to import these into a keystore then use
>
> .....
> KeyManager keyManager = null;
> TrustManager trustManager = null;
> try {
> keyManager = getKeyManagers()[0];
> trustManager = getTrustManagers()[0];
> }
> catch (Exception ex) {
> ex.printStackTrace();
> }
>
> ftps.setControlEncoding("UTF-8");
>
> ftps.setKeyManager(keyManager);
> ftps.setTrustManager(trustManager);
> .....
> Can someone tell me if I'm on the right track, and how to import the
> files into a keystore?

The JDK's keytool will do this. Something like:

keytool -importcert -file trusted.txt

For the private key, keytool will import from anything it considers a
keystore. Your file looks like it's PKCS#8, which i don't think keytool
supports (although you could try). You could use OpenSSL to convert it to
PKCS#12 (i think?), which i think keytool can import.

To be honest, i find this whole business of cryptographic file formats and
key management operations completely baffling, so this could all be
nonsense.

tom
 

Lothar Kimmeringer

bcr666 said:
> Here are the methods that you requested.
>
> private static KeyManager[] getKeyManagers() throws
> KeyStoreException, NoSuchAlgorithmException, CertificateException,
> FileNotFoundException, IOException, UnrecoverableKeyException {
> KeyStore ks = KeyStore.getInstance("JKS");
>
> ks.load(new FileInputStream(KEYSTORE_FILE_NAME),
> KEYSTORE_PASS.toCharArray());
>
> KeyManagerFactory tmf =
> KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> tmf.init(ks, KEYSTORE_PASS.toCharArray());
>
> return tmf.getKeyManagers();
> }
>
> private static TrustManager[] getTrustManagers() throws
> KeyStoreException, NoSuchAlgorithmException, CertificateException,
> FileNotFoundException, IOException, UnrecoverableKeyException {
> KeyStore ks = KeyStore.getInstance("JKS");
> ks.load(new FileInputStream(KEYSTORE_FILE_NAME),
> KEYSTORE_PASS.toCharArray());
>
> TrustManagerFactory tmf =
> TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
> tmf.init(ks);
>
> return tmf.getTrustManagers();
> }

IMHO you should create the KeyStore once and pass it as a parameter
to the two methods.

> If I use the code you gave me how do I use the X509Certificate to
> secure the connection?

The code I gave you allows you to read in the certificate and key.
After that you can add the certificate and the key to the
keystore. The Keystore is then used by the FtpsServer. How it
uses it is implementation dependent. E.g. the SSLSocket
and SSLServerSocket classes just load all available keys
and certificates that are marked to be used as TLS Client
and TLS Server. The first fitting key (which depends on the
result of the SSL handshake) will then be used.

If you want a specific key to be used instead of the first
fitting one, you have to write your own implementation of
KeyManager and TrustManager (which is not very hard, they
only consist of four methods each AFAIR).


Regards, Lothar
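Added example (mine, not code from any poster in this thread): a JDK-only loader that does what the thread is circling around, reading keycert.txt and trusted.txt into one in-memory KeyStore without BouncyCastle, which sidesteps the "no such provider: BC" problem and fits Lothar's advice to build the store once and hand it to both factory methods. The class name, the aliases "client" and "ftps-server", and the RSA-then-EC guess for the key algorithm are my assumptions.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.*;
import java.util.Base64;
import java.util.regex.*;
import javax.crypto.EncryptedPrivateKeyInfo;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public final class PemKeyStoreLoader {
    // One PEM block: label in group 1, base64 body in group 2 (stray "=" after END is ignored).
    private static final Pattern PEM =
        Pattern.compile("-----BEGIN ([A-Z ]+)-----([^-]+)-----END \\1-----");
    static byte[] derBlock(String pem, String label) {
        Matcher m = PEM.matcher(pem);
        while (m.find()) {
            if (m.group(1).equals(label)) return Base64.getMimeDecoder().decode(m.group(2));
        }
        throw new IllegalArgumentException("no " + label + " block in input");
    }
    /** Decrypts a PKCS#8 ENCRYPTED PRIVATE KEY; the label does not name the algorithm, so try RSA, then EC. */
    static PrivateKey decryptPkcs8(byte[] der, char[] password) throws GeneralSecurityException, IOException {
        EncryptedPrivateKeyInfo epki = new EncryptedPrivateKeyInfo(der);
        // JDK SecretKeyFactory knows the PKCS#5 v1.5 PBE names; PBES2/AES-wrapped keys may need BouncyCastle.
        SecretKeyFactory skf = SecretKeyFactory.getInstance(epki.getAlgName());
        PKCS8EncodedKeySpec spec = epki.getKeySpec(skf.generateSecret(new PBEKeySpec(password)));
        for (String alg : new String[] {"RSA", "EC"}) {
            try { return KeyFactory.getInstance(alg).generatePrivate(spec); }
            catch (InvalidKeySpecException wrongAlgorithm) { /* try the next one */ }
        }
        throw new InvalidKeySpecException("private key is neither RSA nor EC");
    }
    /** One in-memory KeyStore: our key with its certificate as chain, plus the peer's trusted cert. */
    static KeyStore load(Path keyCertFile, Path trustedFile, char[] password) throws Exception {
        String keyCert = new String(Files.readAllBytes(keyCertFile), "US-ASCII");
        String trusted = new String(Files.readAllBytes(trustedFile), "US-ASCII");
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate ourCert = cf.generateCertificate(new ByteArrayInputStream(derBlock(keyCert, "CERTIFICATE")));
        Certificate peerCert = cf.generateCertificate(new ByteArrayInputStream(derBlock(trusted, "CERTIFICATE")));
        PrivateKey key = decryptPkcs8(derBlock(keyCert, "ENCRYPTED PRIVATE KEY"), password);
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);                                    // fresh empty store, built once
        ks.setKeyEntry("client", key, password, new Certificate[] {ourCert});
        ks.setCertificateEntry("ftps-server", peerCert);        // what the TrustManager will accept
        return ks;                                              // feed both factory methods from it
    }
}
```

The returned KeyStore goes to KeyManagerFactory.init(ks, password) and TrustManagerFactory.init(ks) in place of the file-based load. If SecretKeyFactory rejects the key's PBE algorithm name, the key is PBES2-wrapped and needs either BouncyCastle or re-wrapping with a PKCS#5 v1.5 scheme ("openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES").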
 

bcr666

OK, so it sounds like you are suggesting creating a KeyStore in memory. I
was thinking of creating a keystore file with something like keytool
that would reside in the application directory, and the application
would pick it up with those methods I included in the second post.
 

bcr666

Lothar Kimmeringer said:
> If you use BouncyCastle:
>
> PEMReader reader = new PEMReader(new FileInputStream("keycert.txt"));
> PrivateKey key = (PrivateKey) reader.readObject();
> X509Certificate cert = (X509Certificate) reader.readObject();

I get a:

org.bouncycastle.openssl.PEMException: problem parsing cert:
java.security.NoSuchProviderException: no such provider: BC
at org.bouncycastle.openssl.PEMReader.readCertificate(Unknown Source)
at org.bouncycastle.openssl.PEMReader.readObject(Unknown Source)
at com.kable.newsstand.KeyStoreTest.<init>(KeyStoreTest.java:15)
at com.kable.newsstand.KeyStoreTest.main(KeyStoreTest.java:26)
Caused by: java.security.NoSuchProviderException: no such provider: BC
at java.security.Security.getEngineClassName(Unknown Source)
at java.security.Security.getImpl(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at java.security.cert.CertificateFactory.getInstance(Unknown Source)

at the PrivateKey line. And of course I can't find any documentation
on this exception on BouncyCastle.org.

Code:

import org.bouncycastle.openssl.PEMReader;
import java.security.PrivateKey;
import java.security.cert.X509Certificate; // PEMReader returns java.security.cert.X509Certificate, not the javax.security.cert one
import java.io.*;

public class KeyStoreTest {
    public KeyStoreTest() {
        try {
            // No Security.addProvider(new BouncyCastleProvider()) precedes this, so the
            // CertificateFactory.getInstance("X.509", "BC") call inside readObject() cannot find "BC".
            PEMReader reader = new PEMReader(new FileReader("keycert.txt"));
            PrivateKey key = (PrivateKey) reader.readObject();
            X509Certificate cert = (X509Certificate) reader.readObject();
            reader.close();
            reader = null;
        }
        catch (Exception ex) {
            ex.printStackTrace();
        }
    }

    public static void main(String[] args) {
        new KeyStoreTest();
    }
}
 

Daniel Pitts

bcr666 said:
> I need to write a ftp/ssl program (done actually) but I need to secure
> it, and I was provided 2 files from the destination (keycert.txt &
> trusted.txt).

Just curious why scp, ssh, and/or sftp are not valid implementations for
your use-case.
 

Lothar Kimmeringer

bcr666 said:
> I get a:
>
> org.bouncycastle.openssl.PEMException: problem parsing cert:
> java.security.NoSuchProviderException: no such provider: BC

Have you added the provider jar of BouncyCastle to your
Classpath?

> Caused by: java.security.NoSuchProviderException: no such provider: BC
> at java.security.Security.getEngineClassName(Unknown Source)
> at java.security.Security.getImpl(Unknown Source)
>
> at the PrivateKey line. And of course I can't find any documentation
> on this exception on BouncyCastle.org.

It's an exception of the JCE (part of Java), not of BouncyCastle,
so no wonder.


Regards, Lothar
 

Lothar Kimmeringer

Daniel said:
> Just curious why scp, ssh, and/or sftp are not valid implementation for
> your use-case.

FTP over TLS is called FTPS with two flavors: implicit and
explicit. Implementation is quite easy by just "wrapping" an
SSLSocket around the plain sockets being used before. You don't
need to change your ftp implementation very much, but it adds a
lot of new problems to the ones that already exist concerning
firewall rules.


Regards, Lothar
 
