Обсуждение: SSL - Providing client certificates


SSL - Providing client certificates


http://jdbc.postgresql.org/documentation/83/ssl-factory.html states :

"Specifically it would be nice to be able to provide client certificates to be validated by the server."

http://jdbc.postgresql.org/documentation/83/ssl-client.html refers to validating the server's identity only, using javax.net.ssl.trustStore JVM-wide setting.

However, if we set javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword, the SSL connection is established and the client certificate is verified.

This seems contradictory with the documntation, or I am missing something.

I would be happy to read your comments.

Thank you.

Re: SSL - Providing client certificates

Kris Jurka

On Fri, 20 Feb 2009, Saleem EDAH-TALLY wrote:

> However, if we set javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword,
> the SSL connection is established and the client certificate is verified.

When the code was first written, this wasn't tested and it was just
assumed that it wouldn't work.  Recently we got a report that it did work,
but the documentation was not updated.

What I don't understand is how it selects the certificate to send.  If you
have multiple keys in your keystore, how do you indicate which one to use?

Kris Jurka

Re: SSL - Providing client certificates

Guillaume Cottenceau
Kris Jurka <books 'at' ejurka.com> writes:

> On Fri, 20 Feb 2009, Saleem EDAH-TALLY wrote:
>> However, if we set javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword,
>> the SSL connection is established and the client certificate is verified.
> When the code was first written, this wasn't tested and it was just
> assumed that it wouldn't work.  Recently we got a report that it did
> work, but the documentation was not updated.
> What I don't understand is how it selects the certificate to send.  If
> you have multiple keys in your keystore, how do you indicate which one
> to use?

My quite limited understanding of the behaviour of SSL client
authentication may potentially help a little:

You initially send a certificate signing request to the
admin/owner of the server (signed with your private key); when
you receive the certificate reply (signed with their private
key), you can build a chain of trust between you and the server,
your keystore will look like:

Entry type: PrivateKeyEntry
Certificate chain length: 2

Owner: <you>
Issuer: <server>

Owner: <server>
Issuer: <server>

Then at the SSL handshake time, first the server presents his
certificate, second it asks for a client certificate, at that
time you are able to present the certificate belonging to the
chain of trust containing the server certificate on top.

Guillaume Cottenceau

Re: SSL - Providing client certificates

Regarding Kris Jurka's question :

> > What I don't understand is how it selects the certificate to send. If
> > you have multiple keys in your keystore, how do you indicate which one
> > to use?

http://java.sun.com/javase/6/docs/api/javax/net/ssl/SSLContext.html#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], java.security.SecureRandom)


Only the first instance of a particular key and/or trust manager implementation type in the array is used...

Hence it's not necessary to overload a keystore or a truststore.

And who knows how the entries in the keystore are sorted an presented to SSLContext.init. My guess they are sorted in ascending order of the aliases, but it's just a guess.

As an add-on to this thread, the following class allows to build a SSLSocketFactory that is not JVM wide but specific to a connection. It can be passed as sslfactory, and a label passed as sslfactoryarg.
It may be adapted and included in the jdbc-driver if found useful.

public class SSLBoth extends javax.net.ssl.SSLSocketFactory{
private String ksFile = null;
private String ksType = null;
private String ksPwd = null;
private String tsFile = null;
private String tsType = null;
private String tsPwd = null;
private javax.net.ssl.SSLSocketFactory ssf = null;

public SSLBoth(String label) {
javax.net.ssl.KeyManagerFactory kmf = makeKMF();
javax.net.ssl.TrustManagerFactory tmf = makeTMF();
javax.net.ssl.SSLContext sslc = makeSSLContext(kmf.getKeyManagers(), tmf.getTrustManagers());
ssf = sslc.getSocketFactory();

private void setParams(String label) {
ksFile = System.getProperty("KEYSTORE_FILE_" + label);
ksType = System.getProperty("KEYSTORE_TYPE_" + label);
ksPwd = System.getProperty("KEYSTORE_PWD_" + label);
tsFile = System.getProperty("TRUSTSTORE_FILE_" + label);
tsType = System.getProperty("TRUSTSTORE_TYPE_" + label);
tsPwd = System.getProperty("TRUSTSTORE_PWD_" + label);
private javax.net.ssl.KeyManagerFactory makeKMF() {
java.security.KeyStore ks = loadKeyStore(ksFile, ksType, ksPwd);
if (ks != null) {
try {
javax.net.ssl.KeyManagerFactory kmf = javax.net.ssl.KeyManagerFactory.getInstance(javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, ksPwd.toCharArray());
return kmf;
} catch (java.security.KeyStoreException ex) {
} catch (java.security.UnrecoverableKeyException ex) {
} catch (java.security.NoSuchAlgorithmException ex) {
return null;
private javax.net.ssl.TrustManagerFactory makeTMF() {
java.security.KeyStore ts = loadKeyStore(tsFile, tsType, tsPwd);
if (ts != null) {
try {
javax.net.ssl.TrustManagerFactory tmf = javax.net.ssl.TrustManagerFactory.getInstance(javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm());
return tmf;
} catch (java.security.KeyStoreException ex) {
} catch (java.security.NoSuchAlgorithmException ex) {
return null;
private javax.net.ssl.SSLContext makeSSLContext(javax.net.ssl.KeyManager[] km, javax.net.ssl.TrustManager[] tm) {
try {
javax.net.ssl.SSLContext sslc = javax.net.ssl.SSLContext.getInstance("TLS");
sslc.init(km, tm, new java.security.SecureRandom());
return sslc;
} catch (java.security.KeyManagementException ex) {
} catch (java.security.NoSuchAlgorithmException ex) {
return null;
public static java.security.KeyStore loadKeyStore(String ksPath, String type, String pwd) {
try {
java.security.KeyStore ks = java.security.KeyStore.getInstance(type);
java.io.FileInputStream fis = new java.io.FileInputStream(ksPath);
ks.load(fis, pwd.toCharArray());
return ks;

catch (java.security.KeyStoreException ex) {
catch (java.io.FileNotFoundException ex) {
catch (java.io.IOException ex) {
catch (java.security.NoSuchAlgorithmException ex) {
catch (java.security.cert.CertificateException ex) {
return null;

public String[] getDefaultCipherSuites() {
return ssf.getDefaultCipherSuites();

public String[] getSupportedCipherSuites() {
return ssf.getSupportedCipherSuites();

public java.net.Socket createSocket(java.net.Socket arg0, String arg1, int arg2, boolean arg3) throws java.io.IOException {
return ssf.createSocket(arg0, arg1, arg2, arg3);

public java.net.Socket createSocket(String arg0, int arg1) throws java.io.IOException, java.net.UnknownHostException {
return ssf.createSocket(arg0, arg1);

public java.net.Socket createSocket(String arg0, int arg1, java.net.InetAddress arg2, int arg3) throws java.io.IOException, java.net.UnknownHostException {
return ssf.createSocket(arg0, arg1, arg2, arg3);

public java.net.Socket createSocket(java.net.InetAddress arg0, int arg1) throws java.io.IOException {
return ssf.createSocket(arg0, arg1);

public java.net.Socket createSocket(java.net.InetAddress arg0, int arg1, java.net.InetAddress arg2, int arg3) throws java.io.IOException {
return ssf.createSocket(arg0, arg1, arg2, arg3);

