Skip site navigation (1) Skip section navigation (2)

Re: Support for cert auth in JDBC

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Marc-André Laverdière <marc-andre(at)atc(dot)tcs(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Support for cert auth in JDBC
Date: 2011-05-19 05:58:31
Message-ID: 4DD4B187.6080002@postnewspapers.com.au (view raw or flat)
Thread:
Lists: pgsql-jdbc
On 05/18/2011 03:48 PM, Marc-André Laverdière wrote:
> It is true that anyone who knows the right Java APIs can put that
> factory together with little pain. I just think that the average user
> shouldn't have to bother about it.
>
> Also, some use cases do not allow to use the default keystore and trust
> store for everything.

I agree, and I think you're right that the PgJDBC  code should have a 
re-usable class to provide support for these use cases without everyone 
having to code their own.

I've taken your code and re-worked it a bit to:

- Use the PgJDBC WrappedFactory rather than re-implementing an
   effectively identical one;

- Separate the basic construction process of the SSLSocketFactory
   from its configuration, providing an abstract superclass that does
   the construction via a few simple method calls, so someone who needs
   different configuration sources/methods can re-use the code;

- Provided a concrete subclass of the above that gets its configuration
   from system properties and uses the superclass methods to construct
   the factory. This class has the same functionality as what you posted
   originally plus a few additional configuration options for additional
   use cases like non-default KeyStore types (pkcs12 etc); and

- Added more extensive JavaDoc

It's also possible to pass your own KeyStore and/or TrustStore instances 
directly if your app has to do something funky like manage an in-memory 
KeyStore.

What I haven't done yet is tested it! This is a preview so you can 
comment on it and tell me if you think I've gone completely off the 
rails or not.

The simplest uses of the code remain as simple as they were with your 
original version. You just set some system properties and specify 
SysPropCertAuthFactory as the sslsocketfactory class. More complex use 
cases become possible without having to re-implement the whole lot - in 
particular, if you can't fetch your configuration from system properties 
you can provide alternative mechanisms to look it up without having to 
re-write all the JSSE crap.

So: thanks VERY much for posting this code. My original demos weren't 
flexible enough to be included in PgJDBC, and by posting this you really 
helped motivate me to try to turn your code and my original demoes into 
something that _was_.

What do you think? Note that you'll need PgJDBC on your classpath to 
complile this now, because it uses org.postgresql.ssl.WrappedFactory  .

--
Craig Ringer

Attachment: SysPropCertAuthFactory.java
Description: text/plain (5.6 KB)
Attachment: AbstractCertAuthFactory.java
Description: text/plain (7.3 KB)

In response to

Responses

pgsql-jdbc by date

Next:From: Marc-André LaverdièreDate: 2011-05-19 06:14:13
Subject: Re: Support for cert auth in JDBC
Previous:From: Craig RingerDate: 2011-05-19 05:46:57
Subject: Re: Support for cert auth in JDBC

Privacy Policy | About PostgreSQL
Copyright © 1996-2014 The PostgreSQL Global Development Group