How do I do TLS with BouncyCastle?

by

This is a very basic example, with server-only authentication and self-signed cert. The code is based on BC 1.49, mostly leightweight API:

ServerSocket serverSocket = new ServerSocket(SERVER_PORT);
final KeyPair keyPair = ...
final Certificate bcCert = new Certificate(new org.spongycastle.asn1.x509.Certificate[] {
    new X509V3CertificateStrategy().selfSignedCertificateHolder(keyPair).toASN1Structure()}); 
while (true) {
    Socket socket = serverSocket.accept();
    TlsServerProtocol tlsServerProtocol = new TlsServerProtocol(
    socket.getInputStream(), socket.getOutputStream(), secureRandom);
    tlsServerProtocol.accept(new DefaultTlsServer() {
        protected TlsSignerCredentials getRSASignerCredentials() throws IOException {
            return tlsSignerCredentials(context);
        }               
    });      
    new PrintStream(tlsServerProtocol.getOutputStream()).println("Hello TLS");
}

where

private TlsSignerCredentials tlsSignerCredentials(TlsContext context) throws IOException {
    return new DefaultTlsSignerCredentials(context, bcCert,
            PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded()));                
}

This is the client code:

Socket socket = new Socket(<server IP>, SERVER_PORT);
TlsClientProtocol tlsClientProtocol = new TlsClientProtocol(    
    socket.getInputStream(), socket.getOutputStream());
tlsClientProtocol.connect(new DefaultTlsClient() {          
    public TlsAuthentication getAuthentication() throws IOException {
        return new ServerOnlyTlsAuthentication() {                  
            public void notifyServerCertificate(Certificate serverCertificate) throws IOException {
                validateCertificate(serverCertificate);
            }
        };
    }
});
String message = new BufferedReader(
    new InputStreamReader(tlsClientProtocol.getInputStream())).readLine();

You need to use the input and output stream from tlsClient/ServerProtocol to read and write encrypted data (e.g. tlsClientProtocol.getInputStream()). Otherwise, if you used e.g. socket.getOutputStream(), you would just write unencrypted data.

How to implement validateCertificate? I am using self-signed certificates. This means I just look them up in the key-store without any certificate chains. This is how I create the key store:

KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null, password);
X509Certificate certificate = ...;
keyStore.setCertificateEntry(alias, certificate);

And this is the validation:

private void validateCertificate(org.spongycastle.crypto.tls.Certificate cert) throws IOException, CertificateException, KeyStoreException {
    byte[] encoded = cert.getCertificateList()[0].getEncoded();
    java.security.cert.Certificate jsCert = 
        CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(encoded));
    String alias = keyStore.getCertificateAlias(jsCert);
    if(alias == null) {
        throw new IllegalArgumentException("Unknown cert " + jsCert);
    }
}

What is rather confusing, are the three different Certificate classes. You have to convert between them as shown above.

More Related Contents:

  1. Self signed X509 Certificate with Bouncy Castle in Java
  2. Trusting all certificates using HttpClient over HTTPS
  3. why doesn’t java send the client certificate during SSL handshake?
  4. Getting RSA private key from PEM BASE64 Encoded private key file
  5. How to fix the “java.security.cert.CertificateException: No subject alternative names present” error?
  6. How to extract CN from X509Certificate in Java?
  7. How to programmatically set the SSLContext of a JAX-WS client?
  8. Read RSA private key of format PKCS1 in JAVA
  9. How to ignore PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException?
  10. How to convert certificate from PEM to JKS?
  11. PKIX path building failed in Java application
  12. Wrong version of keystore on android call
  13. Using HTTPS with REST in Java
  14. TLS 1.2 + Java 1.6 + BouncyCastle
  15. Can we load multiple Certificates & Keys in a Key Store?
  16. Resolving javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed Error?
  17. Java SSLHandshakeException “no cipher suites in common”
  18. How to use TLS 1.2 in Java 6
  19. Importing the private-key/public-certificate pair in the Java KeyStore [duplicate]
  20. HTTPS GET (SSL) with Android and self-signed server certificate
  21. SQL Server JDBC Error on Java 8: The driver could not establish a secure connection to SQL Server by using Secure Sockets Layer (SSL) encryption
  22. HttpGet with HTTPS : SSLPeerUnverifiedException
  23. Why does Java’s SSLSocket send a version 2 client hello?
  24. SSLHandshakeException while connecting to a https site
  25. SSLHandShakeException No Appropriate Protocol
  26. Properly closing SSLSocket
  27. SSL Connection Reset
  28. How can I know if the request to the servlet was executed using HTTP or HTTPS?
  29. Maven: resource binary changes file size after build
  30. Ignore self-signed ssl cert using Jersey Client [duplicate]

Leave a Comment