Re: Support for cert auth in JDBC

From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: Marc-André Laverdière <marc-andre(at)atc(dot)tcs(dot)com>
Cc: pgsql-jdbc(at)postgresql(dot)org
Subject: Re: Support for cert auth in JDBC
Date: 2011-05-18 07:02:20
Message-ID: 4DD36EFC.6070707@postnewspapers.com.au
Lists: pgsql-jdbc

On 18/05/2011 2:06 PM, Marc-André Laverdière wrote:
> Hello,
>
> This implementation allows specifying which keystore and which
> truststore to load. This allows certificate authentication in the
> application easily.

It's already pretty easy. You can:

- Load your keys in the standard keystore;
- Populate a new JCEKS-format keystore with your cert and key and use
the javax.net.ssl.trustStore etc system properties on the cmdline or via
System.setProperty() to use that store instead of the default store;
- Provide your own javax.net.ssl.SSLSocketFactory that wraps the default
implementation with any additional behavior you need.

PgJDBC could use some documentation/examples for the latter option, but
it shouldn't need any changes to the PgJDBC code.

> The Java SSL API is not very well known to the JDBC driver developers
> and we would be interested in any interesting and generally useful
> extensions that you have implemented using this mechanism. Specifically
> it would be nice to be able to provide client certificates to be
> validated by the server.
> </quote>
>
> What I'm talking about is this factory referred to in the last paragraph.

OK, so you've just written an easy-to-use canned SSLSocketFactory that
loads client certificates from an application-configurable
keystore/truststore?

I did this in my app to allow it to use a PKCS#12 format X.509
certificate directly and it was a pretty low-pain procedure. It'd be
nice to have more general purpose examples in the PgJDBC sources,
though. Maybe I should dig out the examples I posted to this mailing
list a while ago and submit them, too?

I'm not one of the PgJDBC developers, but I'd be happy to have a look at
what you've done and see if I can be of any help, provide useful
feedback, etc.

It'd probably be best if you published your work as a patch ("diff")
against PgJDBC CVS HEAD, posting the patch to this mailing list so
people can look at it and try it. Make sure the email you send the patch
in clearly explains the reason for any change to the existing PgJDBC
code, and if you do change the core PgJDBC code make sure it passes any
tests and that it compiles under the oldest supported JDK.

--
Craig Ringer

Tech-related writing at http://soapyfrogs.blogspot.com/
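
A sketch of the third option in the list above (a custom SSLSocketFactory that loads a PKCS#12 client certificate and wraps the default implementation), added here as an example; it is not code from this message or from PgJDBC. The class name and the `example.pg.*` system property names are hypothetical.

```java
import java.io.*;
import java.net.*;
import java.security.*;
import javax.net.ssl.*;

/** Added example: client-certificate SSLSocketFactory for PgJDBC's sslfactory parameter. */
public class ClientCertSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    // The example.pg.* property names are hypothetical; use your own configuration source.
    public ClientCertSocketFactory() throws GeneralSecurityException, IOException {
        char[] keyPass = System.getProperty("example.pg.keyStorePassword", "").toCharArray();
        char[] trustPass = System.getProperty("example.pg.trustStorePassword", "").toCharArray();

        // Client certificate and private key, read directly from a PKCS#12 file.
        KeyStore keys = load("PKCS12", System.getProperty("example.pg.keyStore"), keyPass);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keys, keyPass);

        // CA certificates used to validate the server; server validation stays enabled.
        KeyStore trust = load(KeyStore.getDefaultType(), System.getProperty("example.pg.trustStore"), trustPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    private static KeyStore load(String type, String path, char[] pass)
            throws GeneralSecurityException, IOException {
        if (path == null) throw new IOException("store path property not set");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, pass); }
        return ks;
    }

    // Everything else is forwarded to the factory built from the SSLContext above.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket() throws IOException { return delegate.createSocket(); }
    @Override public Socket createSocket(Socket s, String h, int p, boolean autoClose) throws IOException { return delegate.createSocket(s, h, p, autoClose); }
    @Override public Socket createSocket(String h, int p) throws IOException { return delegate.createSocket(h, p); }
    @Override public Socket createSocket(String h, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(h, p, la, lp); }
    @Override public Socket createSocket(InetAddress a, int p) throws IOException { return delegate.createSocket(a, p); }
    @Override public Socket createSocket(InetAddress a, int p, InetAddress la, int lp) throws IOException { return delegate.createSocket(a, p, la, lp); }
}
```

With the class on the classpath, it is selected through the driver's `ssl=true` and `sslfactory=ClientCertSocketFactory` connection parameters. The factory validates the server's certificate chain against the truststore but performs no hostname check of its own.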
