not-yet-commons-ssl



About Not-Yet-Commons-SSL

5 Design Goals:

  1. Make SSL and Java Easier. Ever wanted to work with self-signed certificates in your Java application in a secure fashion? Ever wanted to use more than one client certificate in a single running JVM? You can edit your $JAVA_HOME/jre/lib/security/cacerts file, and you can invoke Java with -Djavax.net.ssl.keyStore=/path/to/keystore. Both of these approaches are great at first, but they don't scale well. Do you really want to pollute every SSL socket in your JVM (HTTP, LDAP, JDBC, RMI, etc.) with those system-wide changes? Commons-SSL lets you control the SSL options you need in a natural way for each SSLSocketFactory, and those options won't bleed into the rest of your system.
  2. Improve Security. CRL checking is turned on by default. We hope to add support for OCSP soon! It's obnoxious to have to download CRL files around 500KB each from Thawte and Verisign every 24 hours. OCSP improves on that.
  3. Improve Flexibility. Checking hostnames, expirations, CRLs, and many other options can be enabled/disabled for each SSLSocketFactory created.
  4. Support more file formats, and support these formats more robustly.
  5. Automatically detect the type of KeyMaterial or TrustMaterial. The consumer does not need to know whether the keystore is PKCS12 or JKS. They just need to know the password to decrypt the private key.
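
The per-factory isolation from goal 1 and the format fallback from goal 5, sketched as an added example using only standard JSSE classes. This is not Commons-SSL's own API or code; the class and method names (PerFactoryTrust, loadAnyType, factoryTrusting) are hypothetical, and the keystore and password are constructed sample input.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class PerFactoryTrust {
    // Try each keystore format in turn; the caller supplies only bytes and a password.
    static KeyStore loadAnyType(byte[] data, char[] password) throws Exception {
        Exception last = null;
        for (String type : new String[] {"PKCS12", "JKS"}) {
            try {
                KeyStore ks = KeyStore.getInstance(type);
                ks.load(new ByteArrayInputStream(data), password);
                return ks;
            } catch (Exception e) {
                last = e; // wrong format or wrong password; try the next type
            }
        }
        throw last;
    }

    // Build a socket factory whose trust decisions come only from the given keystore.
    static SSLSocketFactory factoryTrusting(KeyStore trust) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "changeit".toCharArray(); // constructed sample password
        // Constructed sample input: an empty PKCS12 trust store serialized in memory.
        KeyStore empty = KeyStore.getInstance("PKCS12");
        empty.load(null, pw);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        empty.store(out, pw);

        SSLSocketFactory isolated = factoryTrusting(loadAnyType(out.toByteArray(), pw));
        SSLSocketFactory jvmDefault = (SSLSocketFactory) SSLSocketFactory.getDefault();
        // Separate objects: cacerts and the javax.net.ssl.* system properties were never touched.
        System.out.println("isolated != default: " + (isolated != jvmDefault));
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
    }
}
```

With the empty sample store the isolated factory trusts no certificate at all, while the JVM default factory keeps using cacerts; in real use the keystore bytes would hold the self-signed certificate that only this one factory should accept.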