Add support for SASL EXTERNAL: PKI (Client SSL Cert) Support

Description

Add support for Public Key Infrastructure (PKI). This is accomplished via SASL EXTERNAL with the client providing an SSL Certificate to the server. Support should include certificates via external files (in PEM or DER format), in the Java Keystore, or via PKCS#11 tokens.

Environment

All possible

Activity


Florian Schmaus February 12, 2015 at 8:25 AM

Support for SASL EXTERNAL was added in Smack 4.1. Basically connect without a password/auth token set. See c682091a47f8638b6ab404341c9bf69ef22c2010 and 7e4e3699a17d84950717b8b6df9e93f2215d35ac

Christopher Oezbek July 30, 2009 at 2:07 AM

John Pontious January 3, 2008 at 11:40 PM

I have been attempting to get the client side certificates working with Openfire and Smack. Last night I pulled down the Smack source from SVN and started taking a peek.

I think I found a bug, and a fix:

In XMPPConnection.proceedTLSReceived(), around line 1343, I moved the ks.load to happen after the callback handler is set up.

//orig: pcb has not been created yet when pcb.getPassword() is called here
//ks.load(new FileInputStream(configuration.getKeystorePath()), pcb.getPassword());
//pcb = new PasswordCallback("Keystore Password: ",false);
//callbackHandler.handle(new Callback[]{pcb});

//new: ask the handler for the password first, then load the keystore with it
pcb = new PasswordCallback("Keystore Password: ",false);
callbackHandler.handle(new Callback[]{pcb});
ks.load(new FileInputStream(configuration.getKeystorePath()), pcb.getPassword());

I am running OpenFire 3.4.1 with xmpp.client.cert.policy=needed, and I was able to connect to the server with a client cert. I did a little testing, and things seemed to work, at least as far as connection and a join().

conn.isUsingTLS() reported true
conn.isSecure() reported true

I have not looked at the handling of other keystore types in this method, only the default jks.
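An added example (my own, not code from the Smack project or from the commenter) showing the corrected ordering carried through to a usable result: ask the CallbackHandler for the keystore password, only then load the keystore, and build an SSLContext whose key manager presents the client certificate during the TLS handshake. The class and method names are hypothetical. It assumes that for JKS/PKCS12 the private-key password equals the store password, and that when the type is PKCS11 a PKCS#11 provider is already registered with the JVM, so no file is opened and the password is the token PIN. PEM/DER files from the description would first be imported into a PKCS12 store with keytool or openssl; that step is not shown.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

/** Hypothetical helper (not Smack code): an SSLContext that presents a client certificate. */
public final class ClientCertSslContext {

    /** Reads the keystore password from the terminal; any CallbackHandler would do here. */
    public static final class ConsoleCallbackHandler implements CallbackHandler {
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            Console console = System.console();
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback) || console == null) {
                    throw new UnsupportedCallbackException(cb, "need a PasswordCallback and a console");
                }
                PasswordCallback pcb = (PasswordCallback) cb;
                pcb.setPassword(console.readPassword("%s", pcb.getPrompt()));
            }
        }
    }

    /** Step 1: run the callback. Only after this is there a PasswordCallback to read from. */
    static char[] askPassword(CallbackHandler handler, String prompt)
            throws IOException, UnsupportedCallbackException {
        PasswordCallback pcb = new PasswordCallback(prompt, false);
        handler.handle(new Callback[] { pcb });
        char[] password = pcb.getPassword();   // getPassword() returns a copy
        pcb.clearPassword();                   // scrub the copy held by the callback
        return password == null ? new char[0] : password;
    }

    /**
     * type is "JKS", "PKCS12" or "PKCS11"; path is ignored for PKCS11 (assumption: a
     * PKCS#11 provider is already registered, and the password is the token PIN).
     */
    public static SSLContext build(String type, String path, CallbackHandler handler)
            throws IOException, GeneralSecurityException, UnsupportedCallbackException {
        char[] password = askPassword(handler, "Keystore Password: ");
        try {
            // Step 2: load the keystore with the password obtained above.
            KeyStore identity = KeyStore.getInstance(type);
            if ("PKCS11".equalsIgnoreCase(type)) {
                identity.load(null, password);
            } else {
                try (InputStream in = new FileInputStream(path)) {
                    identity.load(in, password);
                }
            }
            // The key manager is what makes the handshake send the client certificate.
            KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(identity, password);   // assumption: key password == store password

            // Server verification is unchanged: the JVM's default trust store is used.
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init((KeyStore) null);

            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
            return ctx;
        } finally {
            Arrays.fill(password, '\0');   // do not keep the password in the heap longer than needed
        }
    }

    public static void main(String[] args) throws Exception {
        // usage: java ClientCertSslContext JKS /path/to/client.jks   (or: PKCS11)
        String path = args.length > 1 ? args[1] : null;
        SSLContext ctx = build(args[0], path, new ConsoleCallbackHandler());
        System.out.println("client-auth SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

The resulting SSLContext is what the XMPP connection would be configured with; leaving the username and password unset then lets the library pick SASL EXTERNAL, as the later comment on this issue describes. To my knowledge Smack 4.x exposes this as setCustomSSLContext on the connection configuration builder, but confirm against the version in use. The reason the password is scrubbed in a finally block is that both the callback and this helper would otherwise retain a plaintext copy for the lifetime of the connection object.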

Fixed

Created November 12, 2007 at 5:01 AM
Updated June 3, 2015 at 12:14 PM
Resolved June 3, 2015 at 12:14 PM