# HELP java programmers



## Anjali (Sep 24, 2004)

Hi,
I am trying to access a https site programmatically using SSL over Sockets.
The server requires client authentication. I have the certificate that is needed for client authentication. However I am not able to access the site through my program. I have gone through the JSSE docs site and am trying to do the same.
My certificate is in p12 format. After a lot of search and changes now I am completely confused as to how to use the keystore ,whther it should be jks or pkcs12 and then what to do with truststore.
I am adding the code that i have written but am sure is wrong. Can someone point in my code where I am going wrong and what has to be done.


import java.net.*;
import java.io.*;
import javax.net.ssl.*;

/*
 * This example demostrates how to use a SSLSocket as client to
 * send a HTTP request and get response from an HTTPS server.
 * It assumes that the client is not behind a firewall
 */

public class SSLSocketClient {

    public static void main(String[] args) throws Exception {
     try {
         SSLSocketFactory factory =
          (SSLSocketFactory)SSLSocketFactory.getDefault();
         SSLSocket socket =
          (SSLSocket)factory.createSocket("www.TransUnionNetAccess.com", 3019);

         /*
          * send http request
          *
          * Before any application data is sent or received, the
          * SSL socket will do SSL handshaking first to set up
          * the security attributes.
          *
          * SSL handshaking can be initiated by either flushing data
          * down the pipe, or by starting the handshaking by hand.
          *
          * Handshaking is started manually in this example because
          * PrintWriter catches all IOExceptions (including
          * SSLExceptions), sets an internal error flag, and then
          * returns without rethrowing the exception.
          *
          * Unfortunately, this means any error messages are lost,
          * which caused lots of confusion for others using this
          * code.  The only way to tell there was an error is to call
          * PrintWriter.checkError().
          */
         socket.startHandshake();

         PrintWriter out = new PrintWriter(
                      new BufferedWriter(
                      new OutputStreamWriter(
                           socket.getOutputStream())));

         out.println("GET / HTTP/1.0");
         out.println();
         out.flush();

         /*
          * Make sure there were no surprises
          */
         if (out.checkError())
          System.out.println(
              "SSLSocketClient:  java.io.PrintWriter error");

         /* read response */
         BufferedReader in = new BufferedReader(
                        new InputStreamReader(
                        socket.getInputStream()));

         String inputLine;
         while ((inputLine = in.readLine()) != null)
          System.out.println(inputLine);

         in.close();
         out.close();
         socket.close();

     } catch (Exception e) {
         e.printStackTrace();
     }
    }
}


----------



## #/bin/sh (Sep 24, 2004)

let me know,
what error are you getting?


----------



## Anjali (Sep 24, 2004)

java.io.IOException: Could not parse certificate: java.io.IOException: DerInputsream.getLength() :LengthTag = 109, too big.
 at SSLSocketClientWithClientAuth.main(SSLSocketClientWithClientAuth.java: 137>

The thing is that I am tryin something from the cacerts file which I guess is wrong. This is the default truststore and I have imported my Keystore into this file.
But I am sure this is wrong.
Can you point me to what to do with my .p12 file. I mean to convert it into which format and then what to import and export with the keytool.
I am new in SSL certificates and so have no idea of what to do.


----------



## Anjali (Sep 24, 2004)

To give you a more detailed idea  : 
My certificate is in p12 format. Its not in X>509 format. So using keytool I havent been able to create a truststore for this certificate.
I am getting the error saying the certificate is not X.509.
So since I dont have a truststore I am not able to load it in my SSLcontext.
I guess I need to figure this problem out first.


----------



## #/bin/sh (Sep 24, 2004)

I'm not sure which JDK you are using, but keytool does support alternate formats in JDK 1.4 and later.

keytool provides an option for specifying the keystore 'type' at the point of creation. So, for example, to create a new jssecacerts keystore in PKCS12 format, use:

del jssecacerts (in the current directory)
keytool -import -file %CERT_FILE_NAME% -keystore jssecacerts -storetype pkcs12 -storepass changeit

... and keytool will create a new 'jssecacerts' file in the current directory. You can then copy this file to %JRE%/lib/security where it will be checked by JSSE when searching for keystores.

use keytool -list to see your imported certificate. Check for an existing jssecacerts before copying the new one over.

See also: *java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html
*www.alphaworks.ibm.com/tech/keyman


You might also look into Apache Jakarta HTTPClient as it provides a nice means of doing SSL without all that socket messiness.


----------



## Anjali (Sep 27, 2004)

Thanks for your reply.
But the thing is that my J2sdk is 1.4.2.
I am not able to get the keytool command. The error is : 

keytool error: java.lang.Exception: Input not an X.509 certificate

The cert File Name was with extension .p12.
Can you tell me what can be done about it.


----------



## #/bin/sh (Sep 27, 2004)

I have JDK1.4.2_04 installed. On my system, keytool is located at C:\j2sdk1.4.2_04\bin\keytool.exe

.p12 extension tells me that it is a PKCS12 certificate. the -storetype flag to keytool will let you specify the kind of certificates you are importing.

Run:  
keytool -import -file %CERT_FILENAME% -keystore %KEYSTORE__FILENAME% -storetype pkcs12 -storepass changeit

Where the values in %% are the actual paths to files on your system.


----------



## Anjali (Sep 27, 2004)

I perfectly understand about the p12 thing now.
My version is JDK1.4.2_05. The keytool is the location you specified.
But still the command doesn't work.
U:\My Documents\SSLCertificate>keytool -import -file TUNA+Prod+Client+Cert.p12 -keystore truse -storetype pkcs12 -storepass PANGALACTIC
keytool error: java.lang.Exception: Input not an X.509 certificate
Where 'truse' is a Keystore which will be created ,I suppose. Before running this command there is no file named truse.
Can you tell me if I am anywhere wrong in this line.
All your help is highly appreciated.


----------



## #/bin/sh (Sep 27, 2004)

Are you completely sure the certificate is a pkcs12? Where did it come from? If from your local browser, consider re-exporting it and paying careful attention to the options.


----------



## #/bin/sh (Sep 27, 2004)

Also, you can use keytool -printcert to examine the certificates before importing them.


----------



## #/bin/sh (Sep 27, 2004)

I forgot to say: Your keytool command looks ok.

Try to export the certificate in X.509  format and then run the import.


----------

