How to set up HTTPS communication between a server and a client in Java using a self-signed certificate
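#!/usr/bin/env bash
# Build a server keystore holding a self-signed key pair, then copy the two
# Let's Encrypt chain roots out of the JDK's own cacerts into it so the same
# file can also serve as a trust store.
set -euo pipefail

keystore_file=${keystore_file:-my-keystore.jks}
# Demo-only default; override from the environment instead of editing the script.
# Exported so keytool can read it via the ":env" modifier below, which keeps the
# password out of `ps` output and shell history (a bare -storepass does not).
export keystore_password=${keystore_password:-changeit}
# Certificate lifetime in days (the original hard-coded 7000, roughly 19 years).
validity_days=${validity_days:-7000}

# JDK 8 keeps cacerts under jre/lib/security; JDK 9+ keeps it under lib/security.
cacerts="$JAVA_HOME/jre/lib/security/cacerts"
[ -f "$cacerts" ] || cacerts="$JAVA_HOME/lib/security/cacerts"

# Make the key algorithm explicit: older keytool releases default to DSA, which
# modern TLS stacks will not negotiate. If clients verify the hostname, also add
# an `-ext SAN=dns:<your-host>` (placeholder) so the name matches.
keytool -genkeypair -alias my-app -keyalg RSA -keysize 2048 \
  -keystore "$keystore_file" -keypass:env keystore_password -storepass:env keystore_password \
  -dname "cn=my-app, ou=main, o=sof-tech.pl, l=Warszawa, st=Warszawa, c=pl" \
  -validity "$validity_days"

# Export the two Let's Encrypt chain roots from the JDK trust store
# ("changeit" is the well-known default password of the shipped cacerts file)...
keytool -exportcert -alias 'letsencryptisrgx1 [jdk]' -file letsencrypt.der -keystore "$cacerts" -storepass changeit
keytool -exportcert -alias 'identrustdstx3 [jdk]' -file identrustdstx3.der -keystore "$cacerts" -storepass changeit

# ...and import them into our keystore as trusted certificate entries.
# -noprompt keeps the script non-interactive.
keytool -importcert -trustcacerts -noprompt -file letsencrypt.der -alias 'letsencryptisrgx1 [jdk]' \
  -keystore "$keystore_file" -storepass:env keystore_password
keytool -importcert -trustcacerts -noprompt -file identrustdstx3.der -alias 'identrustdstx3 [jdk]' \
  -keystore "$keystore_file" -storepass:env keystore_password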
import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;
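/**
 * Demonstrates how to build a custom trust store for outgoing HTTPS connections:
 * the JDK's default {@code cacerts} plus one extra root certificate loaded from
 * the classpath, installed as the process-wide default {@link SSLContext}.
 *
 * <p>The static initializer runs once, when the class is first used; if it fails
 * the JVM reports an {@link ExceptionInInitializerError} wrapping the real cause.
 */
public class SSLExample {

    /** Set to {@code true} to print every trust anchor after the extra root is added. */
    private static final boolean PRINT_TRUST_ANCHORS = false;

    /**
     * Classpath resource (DER-encoded X.509) holding the extra root certificate.
     * NOTE(review): DST Root CA X3 has since expired (September 2021); confirm it is
     * still the anchor you actually need before shipping this.
     */
    private static final String EXTRA_ROOT_RESOURCE = "DSTRootCAX3.der";

    /** Alias under which the extra root is stored in the in-memory trust store. */
    private static final String EXTRA_ROOT_ALIAS = "DSTRootCAX3";

    /** Well-known default password of the JDK-shipped {@code cacerts} file. */
    private static final char[] CACERTS_PASSWORD = "changeit".toCharArray();

    // BEGIN ------- ADDME
    static {
        try {
            KeyStore trustStore = loadDefaultCacerts();
            addExtraRoot(trustStore);
            if (PRINT_TRUST_ANCHORS) {
                printTrustAnchors(trustStore);
            }
            installAsDefault(trustStore);
        } catch (IOException | GeneralSecurityException e) {
            // Surfaces as ExceptionInInitializerError; keep the original cause attached.
            throw new IllegalStateException("Failed to build custom trust store", e);
        }
    }
    // END ---------- ADDME

    /**
     * Loads the JDK's own {@code cacerts} trust store into a fresh in-memory KeyStore.
     *
     * <p>{@code java.home} points at the JRE directory on JDK 8 and at the JDK root on
     * JDK 9+, so {@code lib/security/cacerts} resolves on both.
     *
     * @return a mutable KeyStore pre-populated with the JDK's trust anchors
     * @throws IOException if the file cannot be read
     * @throws GeneralSecurityException if the store type, algorithm or certificates are rejected
     */
    private static KeyStore loadDefaultCacerts() throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        Path ksPath = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        // try-with-resources: the stream was previously opened and never closed.
        try (InputStream in = Files.newInputStream(ksPath)) {
            keyStore.load(in, CACERTS_PASSWORD);
        }
        return keyStore;
    }

    /**
     * Parses the DER-encoded root from the classpath and adds it as a trusted entry.
     *
     * @param keyStore the store to extend
     * @throws IOException if the resource is missing or unreadable
     * @throws GeneralSecurityException if the certificate cannot be parsed or stored
     */
    private static void addExtraRoot(KeyStore keyStore) throws IOException, GeneralSecurityException {
        InputStream raw = SSLExample.class.getResourceAsStream(EXTRA_ROOT_RESOURCE);
        if (raw == null) {
            // Without this check a missing resource surfaced as a bare NullPointerException.
            throw new IOException("Classpath resource not found: " + EXTRA_ROOT_RESOURCE);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream caInput = new BufferedInputStream(raw)) {
            X509Certificate crt = (X509Certificate) cf.generateCertificate(caInput);
            // getSubjectX500Principal() replaces the deprecated getSubjectDN().
            System.out.println("Added Cert for " + crt.getSubjectX500Principal());
            keyStore.setCertificateEntry(EXTRA_ROOT_ALIAS, crt);
        }
    }

    /**
     * Prints the subject of every trust anchor currently in the store (diagnostic only).
     *
     * @param keyStore the store to inspect
     * @throws GeneralSecurityException if the store cannot be turned into PKIX parameters
     */
    private static void printTrustAnchors(KeyStore keyStore) throws GeneralSecurityException {
        System.out.println("Truststore now trusting: ");
        PKIXParameters params = new PKIXParameters(keyStore);
        params.getTrustAnchors().stream()
                .map(TrustAnchor::getTrustedCert)
                .map(X509Certificate::getSubjectX500Principal)
                .forEach(System.out::println);
        System.out.println();
    }

    /**
     * Builds a TrustManager from the store and makes it the JVM-wide default, so any TLS
     * client that relies on the default {@link SSLContext} validates against it.
     * Key managers are left {@code null}: this example configures client-side trust only.
     *
     * @param keyStore the trust store to install
     * @throws GeneralSecurityException if the TrustManagerFactory or SSLContext cannot be set up
     */
    private static void installAsDefault(KeyStore keyStore) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, tmf.getTrustManagers(), null);
        SSLContext.setDefault(sslContext);
    }

    /**
     * Connects to a handful of hosts whose certificate chains exercise different trust
     * cases and prints either the response headers or an "Untrusted" line for each.
     *
     * @param args ignored
     * @throws IOException if a connection fails for a reason other than a TLS handshake rejection
     */
    public static void main(String[] args) throws IOException {
        // signed by default trusted CAs.
        testUrl(new URL("https://google.com"));
        testUrl(new URL("https://www.thawte.com"));
        // signed by letsencrypt
        testUrl(new URL("https://helloworld.letsencrypt.org"));
        // signed by LE's cross-sign CA
        testUrl(new URL("https://letsencrypt.org"));
        // expired
        testUrl(new URL("https://tv.eurosport.com/"));
        // self-signed
        testUrl(new URL("https://www.pcwebshop.co.uk/"));
    }

    /**
     * Opens {@code url} with the JVM-default trust settings and prints its response
     * headers, or "Untrusted" when the TLS handshake is rejected.
     *
     * @param url the endpoint to probe
     * @throws IOException on any connection failure other than a TLS handshake rejection
     */
    static void testUrl(URL url) throws IOException {
        URLConnection connection = url.openConnection();
        try {
            connection.connect();
            System.out.println("Headers of " + url + " => " + connection.getHeaderFields());
        } catch (SSLHandshakeException e) {
            // Typically the peer's chain was rejected by the installed TrustManager.
            System.out.println("Untrusted: " + url);
        } finally {
            // URLConnection has no close(); release the underlying HTTP connection explicitly.
            if (connection instanceof HttpURLConnection) {
                ((HttpURLConnection) connection).disconnect();
            }
        }
    }
}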