

Java Q&A 
by Cliff Berg

Listing One
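static final int MyServerPortNo = 1000;
SSLParams params = new SSLParams();

// Cipher suites this client will accept when negotiating with an SSL
// server. Note that we are saying we have RSA support.
// NOTE(review): SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA is a 40-bit "export"
// suite. If negotiation settles on it the session has very little
// confidentiality; drop it from this list unless interoperability with a
// server that offers nothing stronger is genuinely required.
short cs[] = { SSLParams.SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA,
               SSLParams.SSL_RSA_WITH_3DES_EDE_CBC_SHA };
params.setClientCipherSuites(cs);

// Do the following five lines if client authentication is required
// by the server. The chain is the client certificate followed by the
// CA certificate that issued it.
SSLCertificate cert = new SSLCertificate();
cert.certificateList = new Vector();
cert.certificateList.addElement(new X509(new File("client-cert.der")));
cert.certificateList.addElement(new X509(new File("ca-cert.der")));
// NOTE(review): the passphrase protecting the private key is a hard-coded
// literal here for illustration; in a real application obtain it at run
// time from a protected source rather than embedding it in the class file.
cert.privateKey = new RSAPrivateKeyPKCS8("password",
		new File("encrypted-client-key.der"));
params.setClientCert(cert);

SSLSocket s = new SSLSocket("myserverhost.com", MyServerPortNo, params);
// Note: the above checks the validity of all certificates up to the
// root certificate.
// NOTE(review): nothing in this listing compares the server certificate's
// subject with "myserverhost.com" - confirm whether SSLSocket performs that
// check; if it does not, any certificate chaining to a trusted root would
// be accepted for this host, and the subject should be checked explicitly
// before the connection is used.

// Get the certificate chain presented by the server
SSLCertificate schain = s.getServerCert();

// Neither cipher suite offered above is anonymous, so a missing server
// chain is an error: without it the peer has not been authenticated at all.
// (The original listing skipped the checks below and continued when the
// chain was absent; abort instead, as Listing Two does for a missing
// client certificate.)
if (schain == null)
	throw new Exception("Server presented no certificate chain");

// Check if the root CA of the server cert chain is valid.
// (Listing Two spells the corresponding method rootCAValid(); confirm
// against the API which spelling is correct.)
if (! schain.rootCAvalid())
	throw new Exception("Invalid CA certificate");
	// (usually, abort when this exception occurs)

// Here we get information about the root certificate; in an
// actual application, you would likely make this information
// available only upon user request.

// Get the actual root certificate from the server certificate chain
X509 ca = schain.rootCA();
System.out.println("CA=" + ca.getIssuer().toString());

// Get the CA's public key
System.out.println("CA public key=" +
	ca.getPublicKey().toString());

// Wrap the socket streams for text I/O.
// NOTE(review): InputStreamReader without an explicit charset uses the
// platform default; name the charset the protocol expects if the data is
// text.
PrintWriter os = new PrintWriter(s.getOutputStream());
BufferedReader is = new BufferedReader(
	new InputStreamReader(s.getInputStream()));

// ...start reading and writing on connection...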




Listing Two
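SSLParams params = new SSLParams();

// Construct a server certificate chain: the server certificate followed
// by the CA certificate that issued it.
SSLCertificate cert = new SSLCertificate();
cert.certificateList = new Vector();
cert.certificateList.addElement(new X509(new File("server-cert.der")));
cert.certificateList.addElement(new X509(new File("ca-cert.der")));
// NOTE(review): the passphrase protecting the private key is a hard-coded
// literal here for illustration; in a real application obtain it at run
// time from a protected source rather than embedding it in the class file.
cert.privateKey = new RSAPrivateKeyPKCS8("password",
		new File("encrypted-server-key.der"));
params.setServerCert(cert);

// Turn on client authentication - the client will have to present a
// client certificate. Requesting one is optional at configuration time;
// the checks after accept() below make it mandatory for this server.
params.setRequestClientCert(true);

// Create a server socket to listen for connection requests.
// (MyServerPortNo is the constant defined in Listing One.)
SSLServerSocket ss = new SSLServerSocket(MyServerPortNo, params);

// Start listening (this and all the following code would normally
// be in a loop that allocates a thread to service each incoming
// connection)
SSLSocket s = (SSLSocket)ss.accept();

// Fetch the client's chain once and reuse it for both checks.
SSLCertificate clientChain = s.getClientCert();

if (clientChain == null)
	throw new Exception("Client has no certificate!");

// rootCAValid() establishes that the chain ends in a CA we trust, i.e.
// that the certificate was issued by that CA. It says nothing about
// whether this particular client is permitted to use the service;
// an application that authorizes per client should also inspect the
// certificate's subject before serving the connection.
if (! clientChain.rootCAValid())
	throw new Exception("Invalid CA certificate!");

// Wrap the socket streams for text I/O.
// NOTE(review): InputStreamReader without an explicit charset uses the
// platform default; name the charset the protocol expects if the data is
// text.
PrintWriter os = new PrintWriter(s.getOutputStream());
BufferedReader is = new BufferedReader(
	new InputStreamReader(s.getInputStream()));

//...start reading and writing on connection...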


