Thursday, July 6, 2017

Hosting Secure Servlets: Registering Servlets

This post is part of a series about the worlds of Java and SSL.  I hope to do 1 post a day on this topic. The resulting posts will become the basis for another section of a talk that I am scheduled to give on August 10 at the Boulder/Denver Cybersecurity Meetup.

The code that registers servlets:

    HandlerCollection handlerCollection = new HandlerCollection(true); // true: handlers may be added while the server is running
    handlerCollection.addHandler(resourceHandler);  // resourceHandler: a ResourceHandler for static content, built earlier
    handlerCollection.addHandler(servletHandler);   // servletHandler: the ServletHandler that the servlets are added to below

    jetty.setHandler(handlerCollection);

Then to add servlets:

    servletHandler.addServletWithMapping(, );       // arguments: the servlet class and the URL path spec it is mapped to

Jetty says that a handler can be "mutable at runtime" but I haven't had too much luck with that.
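A complete embedded-Jetty host that ties the outline together (servlet registration plus the HTTPS connector), written as an added example rather than code from the post. It assumes Jetty 9.4 (9.4.12 or later, where SslContextFactory.Server exists) and a keystore file and password that are placeholders; the servlet is constructed for the demo.

```java
import java.io.IOException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.server.handler.HandlerCollection;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class SecureServletHost {
    // Constructed demo servlet; not from the post.
    public static class HelloServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.getWriter().println("hello, secure=" + req.isSecure());
        }
    }
    public static void main(String[] args) throws Exception {
        Server jetty = new Server();
        // The SSL side. Keystore path and password are placeholders (assumption); the keystore
        // holds the server key plus the certificate the CA signed for its CSR.
        SslContextFactory.Server ssl = new SslContextFactory.Server();
        ssl.setKeyStorePath("server-keystore.jks");
        ssl.setKeyStorePassword("changeit");
        ssl.setIncludeProtocols("TLSv1.2");            // no SSLv3/TLS 1.0/1.1 on the wire
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.addCustomizer(new SecureRequestCustomizer()); // makes req.isSecure() true, exposes TLS details
        ServerConnector connector = new ServerConnector(jetty,
                new SslConnectionFactory(ssl, "http/1.1"), new HttpConnectionFactory(httpsConfig));
        connector.setPort(8443);
        jetty.addConnector(connector);                 // only an HTTPS connector: nothing listens in the clear
        // Servlet registration: a ServletContextHandler owns its ServletHandler, so the
        // servlet and its mapping are declared in one place.
        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        context.addServlet(HelloServlet.class, "/hello");
        HandlerCollection handlers = new HandlerCollection(true); // mutable while running
        handlers.addHandler(context);
        jetty.setHandler(handlers);
        jetty.start();
        jetty.join();
    }
}
```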

Tuesday, July 4, 2017

Hosting Secure Servlets: What's in this Section?

How to Host Secure Web Services
  • Using Jetty
  • Define Jetty's properties
  • Register the servlets
  • Register the SSL handler
  • Start Jetty
I was going to do this in one slide, but realized that there was too much material, so I made it into its own section.

Monday, July 3, 2017

Java and SSL: Signing a CSR with Java

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v3CertificateBuilder;
import org.bouncycastle.crypto.params.AsymmetricKeyParameter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import sun.security.x509.X500Name;  // JDK-internal X500Name (has getName()); converted to BC's X500Name below

public static X509Certificate sign(PrivateKey caPrivate, PublicKey signeePublic,
                                   X500Name issuer, Date notValidBefore, Date notValidAfter, BigInteger serialNumber,
                                   X500Name subject)
        throws InvalidKeyException, NoSuchAlgorithmException,
        NoSuchProviderException, SignatureException, IOException,
        OperatorCreationException, CertificateException {

    // Algorithm for the CA's signature over the certificate. SHA1withRSA is what this post uses;
    // current clients reject SHA-1 certificate signatures, so use "SHA256withRSA" for anything real.
    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder()
            .find("SHA1withRSA");
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder()
            .find(sigAlgId);

    // The CA's JCA private key as a BC lightweight-API key parameter.
    AsymmetricKeyParameter caKeyParam = PrivateKeyFactory.createKey(caPrivate.getEncoded());
    // The public key that goes into the certificate (the one from the CSR).
    SubjectPublicKeyInfo keyInfo = SubjectPublicKeyInfo.getInstance(signeePublic.getEncoded());

    // Convert the JDK-internal names into BC's X500Name.
    org.bouncycastle.asn1.x500.X500Name bcIssuer = new org.bouncycastle.asn1.x500.X500Name(issuer.getName());
    org.bouncycastle.asn1.x500.X500Name bcSubject = new org.bouncycastle.asn1.x500.X500Name(subject.getName());
    X509v3CertificateBuilder certBuilder = new X509v3CertificateBuilder(bcIssuer, serialNumber,
            notValidBefore, notValidAfter, bcSubject, keyInfo);

    ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId)
            .build(caKeyParam);

    X509CertificateHolder holder = certBuilder.build(sigGen);

    // Turn the BC holder into a JCA X509Certificate. holder.getEncoded() is already DER, so the
    // X509CertificateStructure round-trip (removed from current BC releases) is not needed.
    // The "BC" provider must have been registered first: Security.addProvider(new BouncyCastleProvider()).
    CertificateFactory cf = CertificateFactory.getInstance("X.509", "BC");
    try (InputStream is1 = new ByteArrayInputStream(holder.getEncoded())) {
        return (X509Certificate) cf.generateCertificate(is1);
    }
}


This is complex...and it really shouldn't be.  But at least there is a way to do this in Java.
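The same task done the way a small CA would actually do it, as an added example that is not the post's code: it takes the PKCS#10 request itself (rather than a bare public key), checks the request's own signature before issuing, and adds the extensions a leaf certificate needs. It assumes Bouncy Castle's bcpkix "Jca" builders, a CA certificate and private key already loaded, and that the caller picks a unique serial number.

```java
import java.math.BigInteger;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Date;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509ExtensionUtils;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequest;

public class CsrSigner {
    /** Issues an end-entity certificate for a DER-encoded PKCS#10 CSR, signed with the CA key. */
    public static X509Certificate sign(byte[] csrDer, X509Certificate caCert, PrivateKey caKey,
                                       BigInteger serial, int validDays) throws Exception {
        JcaPKCS10CertificationRequest csr = new JcaPKCS10CertificationRequest(csrDer);
        // Proof of possession: the CSR is self-signed with the requester's private key. A CA that
        // skips this check will certify a public key whose private half the requester may not hold.
        if (!csr.isSignatureValid(new JcaContentVerifierProviderBuilder().build(csr.getPublicKey()))) {
            throw new SecurityException("CSR signature does not verify under its own public key");
        }
        Date notBefore = new Date();
        Date notAfter = new Date(notBefore.getTime() + validDays * 86_400_000L);
        // Issuer name comes from the CA certificate; subject and key come from the CSR.
        JcaX509v3CertificateBuilder builder = new JcaX509v3CertificateBuilder(
                caCert, serial, notBefore, notAfter, csr.getSubject(), csr.getPublicKey());
        // End-entity profile: cA=false so the leaf cannot itself act as an issuer, key usage
        // limited to what TLS needs, and key identifiers so chain building is unambiguous.
        JcaX509ExtensionUtils utils = new JcaX509ExtensionUtils();
        builder.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        builder.addExtension(Extension.keyUsage, true,
                new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment));
        builder.addExtension(Extension.subjectKeyIdentifier, false,
                utils.createSubjectKeyIdentifier(csr.getPublicKey()));
        builder.addExtension(Extension.authorityKeyIdentifier, false,
                utils.createAuthorityKeyIdentifier(caCert));
        // SHA-256 rather than the SHA-1 used in the post; SHA-1 signatures are rejected by current clients.
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(caKey);
        X509CertificateHolder holder = builder.build(signer);
        return new JcaX509CertificateConverter().getCertificate(holder);
    }
}
```

Any extensions the requester asked for in the CSR are deliberately ignored here; a CA should decide the extension set from its own policy rather than copy them from the request.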

Sunday, July 2, 2017

Java and SSL: Signing a CSR with OpenSSL

Signing a CSR with OpenSSL

openssl x509 -req -CA ca-certificate.pem.txt -CAkey ca-key.pem.txt -in private.csr \
    -out private.cer -days 365 -CAcreateserial

Java doesn't make creating CAs or signing part of keytool. This is very strange. Creating CAs and signing CSRs seem like fundamental abilities that users would want. The fact that they are left out is another indication of how primitive SSL is with Java.

Java and SSL: How to sign a CSR

How to Sign a CSR

  • What this does
A signed CSR is a certificate. This is basically just a public key, together with a hash code that has been encrypted (that is, signed) with the private key of the signer.

Friday, June 30, 2017

Java and SSL: Creating a Certificate Signing Request from Java

Creating a CSR from Java:

// X500Name here is sun.security.x509.X500Name and PKCS10 is sun.security.pkcs10.PKCS10:
// JDK-internal classes, not public API.
X500Name x500Name = new X500Name(distinguishedName);   // the subject DN of the request

String signatureAlgorithmName = "SHA1WithRSA";         // the post's choice; SHA256WithRSA for anything current
Signature signature = Signature.getInstance(signatureAlgorithmName);
signature.initSign(getPrivateKey());                   // getPrivateKey()/getPublicKey(): the requester's key pair

PKCS10 pkcs10 = new PKCS10(getPublicKey());
pkcs10.encodeAndSign(x500Name, signature);            // self-signs the request: proof of possession of the private key

return pkcs10;

This was relatively easy to find out how to do.  The one snag I hit was around the "encodeAndSign" method, which at first I thought needed an instance of X500Signer.  It seems that support was dropped for X500Signer as of JDK1.7.  It turned out that X500Signer is not needed, and that it just needs an instance of X500Name.
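The same request built with Bouncy Castle's public API instead of the sun.security.* classes (which are not exported from java.base on JDK 9 and later), as an added example that is not the post's code. It goes one step further than the post by asking for a subjectAltName in the request, which is what TLS clients match the host name against; the key pair and names are constructed for the demo.

```java
import java.io.StringWriter;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.ExtensionsGenerator;
import org.bouncycastle.asn1.x509.GeneralName;
import org.bouncycastle.asn1.x509.GeneralNames;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

public class CsrBuilder {
    /** Builds a PKCS#10 request for dn, requesting the given DNS names as subjectAltName. */
    public static PKCS10CertificationRequest buildCsr(KeyPair kp, String dn, String... dnsNames) throws Exception {
        PKCS10CertificationRequestBuilder b =
                new JcaPKCS10CertificationRequestBuilder(new X500Name(dn), kp.getPublic());
        // Requested extensions travel in the pkcs-9 extensionRequest attribute of the CSR.
        GeneralName[] names = new GeneralName[dnsNames.length];
        for (int i = 0; i < dnsNames.length; i++) {
            names[i] = new GeneralName(GeneralName.dNSName, dnsNames[i]);
        }
        ExtensionsGenerator ext = new ExtensionsGenerator();
        ext.addExtension(Extension.subjectAlternativeName, false, new GeneralNames(names));
        b.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest, ext.generate());
        // The request is signed with the requester's own private key (proof of possession).
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(kp.getPrivate());
        return b.build(signer);
    }

    /** PEM form, which is what "openssl x509 -req -in ..." expects. */
    public static String toPem(PKCS10CertificationRequest csr) throws Exception {
        StringWriter sw = new StringWriter();
        try (JcaPEMWriter w = new JcaPEMWriter(sw)) {
            w.writeObject(csr);
        }
        return sw.toString();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        // Constructed demo names; .test is reserved for exactly this purpose.
        System.out.print(toPem(buildCsr(gen.generateKeyPair(),
                "CN=example.test,O=Example", "example.test", "www.example.test")));
    }
}
```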

Wednesday, June 28, 2017

Java and SSL: Creating a Certificate Signing Request with Keytool

Creating a Certificate Signing Request with Keytool

keytool -certreq -keystore temp -storepass whatever -file temp.csr