Have I mentioned recently how much of a pain java crypto can be?

About Kevin Sonney

Kevin Sonney - who, contrary to popular opinion was NOT raised by wolves - grew up in central North Carolina. He fell into the technology field by accident in 1991, when he gave up the wild and crazy lifestyle of an on-air AM radio DJ to become a mundane technical support monkey. The technology industry has never really recovered from this. Kevin has worked for such names as IBM, Red Hat, webslingerZ, and Lulu Technologies (we won't mention the ones that didn't survive the experience). He currently works as a Linux Administrator for Apptio. In his spare time he rescues stray animals and plays video games with his two sons. His wife, we're sad to say, helps him get past the really hard bits. Kevin is still not very mundane, he just got better at hiding it.

4 Responses to 473

  1. flavor says:

    Preach on, brother!

    FWIW, we’re converting our java-ssl from std. jsse package to itissl so we can get native speed ssl without having to continue to use stunnel. I like stunnel and all, but it’s just got a little too many flaky issues when handling real-world short-lived connections to hundreds of clients. It’s better than it used to be, but our checkers still have to restart it around once a day or so. Not horrible, but the weak link of our software chain in stability.


  2. alchemist says:

    For me it’s worse. I’ve got to do a public/private key sig, and then verify it later.

    Making the keys is easy. But I can’t actually use the keyfiles once they’ve been generated. Everything from ClassCastExceptions to invalid object signatures.


  3. flavor says:

    OK, I’ll be the first to admit to being pretty lost in this arena, but when I needed to get our RSA pair that we were using under Apache loaded into a keystore (KeyStores are much easier to deal with in my experience, fwiw), I had to

    1) convert the public server.key to a PKCS#8 format, using the “openssl” tool
    2) use the server.key.pkcs8 generated and the private server.crt to create a keystore with a “tomcat” entry with the two together.

    Importing either one separately was easy enough with keytool, but doing them coupled as one entry was not, so on advice from #java on efnet I whipped up a simple piece of code that would do that (the openssl invocation in step 1 is in a comment in the source), available at http://www.sublogic.com/Import.java

    Again, I’m still pretty lost, so this is probably useless for you, but here’s hoping it can help in some way :)

  4. alchemist says:

    Nah, the idea is:
    – generate DSA keypair
    – embed one in JAR file (I may actually use the META-INF for this long-term)
    – generate signature for license file with non-distributed private key
    – verify signature in license at every program start with embedded public key

    Which was mostly cool, except the guy who wrote the keygen routines (not me) goofed up and actually saved the public key to the private key file. Which caused me no end of pain, but the debugging of which got me to bone up on Java Crypto somewhat.

    Oh, and the O’Reilly tiger book rules.
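
The sign-once, verify-at-every-start scheme alchemist describes, as an added example (not code from the post or from either commenter). It keeps the two key files as constructed in-memory byte arrays and decodes each with the key spec that matches its role, so the keygen mixup from the comment (public key written into the private-key file) fails at load time with a clear message instead of as a ClassCastException or a bad signature later.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;

public class LicenseSig {
    // In-memory stand-ins for the two key files (constructed here, not read from disk):
    // the public key ships in the JAR, the private key never leaves the vendor.
    static byte[] publicKeyFile, privateKeyFile;
    static void generateKeys() throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("DSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        publicKeyFile = kp.getPublic().getEncoded();   // X.509 SubjectPublicKeyInfo encoding
        privateKeyFile = kp.getPrivate().getEncoded(); // PKCS#8 PrivateKeyInfo encoding
    }
    // Decode with the spec for the file's role: a public key saved into the private-key
    // file does not parse as PKCS#8, so the mistake surfaces here, at load time.
    static PrivateKey loadPrivate(byte[] bytes) throws GeneralSecurityException {
        try {
            return KeyFactory.getInstance("DSA").generatePrivate(new PKCS8EncodedKeySpec(bytes));
        } catch (InvalidKeySpecException e) {
            throw new GeneralSecurityException("private key file is not a PKCS#8 DSA private key", e);
        }
    }
    static PublicKey loadPublic(byte[] bytes) throws GeneralSecurityException {
        return KeyFactory.getInstance("DSA").generatePublic(new X509EncodedKeySpec(bytes));
    }
    static byte[] sign(byte[] license, PrivateKey priv) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withDSA"); // vendor side, at release time
        s.initSign(priv);
        s.update(license);
        return s.sign();
    }
    static boolean verify(byte[] license, byte[] sig, PublicKey pub) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withDSA"); // program start, embedded public key
        s.initVerify(pub);
        s.update(license);
        return s.verify(sig);
    }
    public static void main(String[] args) throws GeneralSecurityException {
        generateKeys();
        byte[] license = "licensee=example;expires=2030-01-01".getBytes(StandardCharsets.UTF_8);
        byte[] sig = sign(license, loadPrivate(privateKeyFile));
        System.out.println("license valid: " + verify(license, sig, loadPublic(publicKeyFile)));
        try { loadPrivate(publicKeyFile); } catch (GeneralSecurityException e) { System.out.println(e.getMessage()); }
    }
}
```

The final line reproduces the mixup on purpose: feeding the public-key bytes to loadPrivate is rejected immediately, which is the check a startup verifier wants before it ever reaches Signature.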
