How does one augment the default TrustManager for HTTPS Connections

I'm implementing HTTPS communication and I would like to programmatically add trusted root certificates. Ideally, I would like to be able to get the default trust manager and do something like:

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509TrustManager;

public class AugmentingTrustManager implements X509TrustManager
{
    // the JSSE default trust manager, obtained from TrustManagerFactory
    private final X509TrustManager _defaultTrustManager;
    // my own list of trusted root certificates (may be null)
    private final X509Certificate[] _myTrustedCerts;

    public AugmentingTrustManager( X509TrustManager defaultTrustManager, X509Certificate[] myTrustedCerts )
    {
        _defaultTrustManager = defaultTrustManager;
        _myTrustedCerts = myTrustedCerts;
    }

    public void checkClientTrusted( X509Certificate[] chain, String authType ) throws CertificateException
    {
        _defaultTrustManager.checkClientTrusted( chain, authType );
    }

    public void checkServerTrusted( X509Certificate[] chain, String authType ) throws CertificateException
    {
        _defaultTrustManager.checkServerTrusted( chain, authType );
    }

    public X509Certificate[] getAcceptedIssuers()
    {
        if( _myTrustedCerts != null ){
            return _myTrustedCerts;
        }
        return _defaultTrustManager.getAcceptedIssuers();
    }
}

I want the certificates authenticated as normal but with my list of trusted root certificates.

Thanks,

Philippe Bertrand

[1369 byte] By [Philippe.Bertrabda] at [2007-11-27 6:53:37]
# 1
See the Javadoc / Guide to Features / Security / JSSE Reference Guide
ejpa at 2007-7-12 18:28:25
# 2
I found the code for TrustManagerFactory but how do I know what algorithm to ask for? I think "PKIX" will do, but then it says I have to init() the trust manager with a key store - so where do I get it?

Thanks,

Philippe
Philippe.Bertrabda at 2007-7-12 18:28:25
# 3
Then you don't need your own trust manager at all, what you really need is your own trust store containing the list of root certificates you are prepared to accept.
ejpa at 2007-7-12 18:28:25
# 4

In reading all the sections on the security stuff, my confusion comes from the fact that there seem to be multiple key stores: the key store that comes with the KeyManager and the one that initializes the TrustManagerFactory (referred to as the trust store).

So if I don't need a TrustManager at all, how do I specify the list of root certificates?

Will the following do or is there a simpler way?

import java.io.FileInputStream;
import java.net.URLConnection;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// conn is an already opened HTTPS URLConnection; password is the key store password
static void useMyRootCertificates( URLConnection conn, char[] password ) throws Exception
{
    // load the key store holding the root certificates
    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
    FileInputStream fis = new FileInputStream("keyStoreName");
    try {
        ks.load(fis, password);
    } finally {
        fis.close();
    }

    // build a PKIX trust manager from that key store
    TrustManagerFactory tmf = TrustManagerFactory.getInstance( "PKIX", "SunJSSE" );
    tmf.init( ks );

    // no KeyManagers (no client certificate), only the trust managers
    SSLContext sc = SSLContext.getInstance("SSLv3");
    sc.init(null, tmf.getTrustManagers(), null);

    SSLSocketFactory _socketFactory = sc.getSocketFactory();
    ((HttpsURLConnection)conn).setSSLSocketFactory( _socketFactory );
}

Thanks,

Philippe

Philippe.Bertrabda at 2007-7-12 18:28:25
# 5

There are two keystores:

(a) a 'KeyStore' that is the source of private keys and signed certificates. The server needs one of these; the client only needs one if the server is in useClientMode or has set needClientAuth=true.

(b) a 'truststore' that is the source of trusted CA certificates against which incoming certificates are checked. The truststore needs to contain exactly the root certificates you are prepared to trust.

They are both in the same format and they are both administered with the 'keytool' tool.

That's it. You don't need to build your own TrustManager implementation. Just build your truststore and set javax.net.ssl.trustStore to its location. No other code required.

ejpa at 2007-7-12 18:28:25
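The following is an added example, not code from either poster, that puts answers #3 and #5 into practice for the original question: it starts from the JDK's own root bundle, adds the extra roots from a PEM file as trusted-certificate entries, builds a PKIX TrustManagerFactory from the result, and either wires the SSLContext into an HttpsURLConnection or saves the store so it can be supplied with -Djavax.net.ssl.trustStore. The cacerts location, its "changeit" password, the file name my-roots.pem and the output path are assumptions for the demonstration.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Trust store = JDK default roots + our own roots, used the "truststore, not TrustManager" way. */
public class AugmentedTrustStore
{
    // Assumption: the JDK's CA bundle is at $JAVA_HOME/lib/security/cacerts with the
    // conventional password "changeit"; adjust both for your installation.
    static KeyStore loadDefaultRoots() throws Exception
    {
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(cacerts)) {
            ts.load(in, "changeit".toCharArray());
        }
        return ts;
    }

    // Adds every certificate in a PEM file as a trusted-certificate entry.
    // Only entries added with setCertificateEntry act as PKIX trust anchors;
    // a private-key entry (the KeyManager's kind of entry) would not.
    static int addRootsFromPem(KeyStore ts, Path pemFile) throws Exception
    {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        int added = 0;
        try (InputStream in = Files.newInputStream(pemFile)) {
            for (Certificate c : cf.generateCertificates(in)) {
                // aliases must be unique within the store: file name plus running index
                String alias = pemFile.getFileName() + "-" + added;
                ts.setCertificateEntry(alias, (X509Certificate) c);
                added++;
            }
        }
        return added;
    }

    // The PKIX factory reads the trust anchors out of the store; no custom TrustManager needed.
    static X509TrustManager trustManagerFor(KeyStore ts) throws Exception
    {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("PKIX factory returned no X509TrustManager");
    }

    // Persists the store so it can be used without code, via
    // -Djavax.net.ssl.trustStore=<path> -Djavax.net.ssl.trustStorePassword=<password>
    static void save(KeyStore ts, Path out, char[] password) throws Exception
    {
        try (OutputStream os = Files.newOutputStream(out)) {
            ts.store(os, password);
        }
    }

    public static void main(String[] args) throws Exception
    {
        Path myRoots = Paths.get(args.length > 0 ? args[0] : "my-roots.pem"); // assumed PEM file
        KeyStore ts = loadDefaultRoots();
        int before = trustManagerFor(ts).getAcceptedIssuers().length;
        int added = addRootsFromPem(ts, myRoots);
        int after = trustManagerFor(ts).getAcceptedIssuers().length;
        System.out.println("default roots: " + before + ", added: " + added + ", total: " + after);

        // Code path: one SSLContext, no KeyManager (no client certificate), our trust manager.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { trustManagerFor(ts) }, null);
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://example.invalid/").openConnection(); // placeholder host
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // For the whole JVM: HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        // No-code path: write the store out and point javax.net.ssl.trustStore at it.
        save(ts, Paths.get("augmented-truststore.jks"), "changeit".toCharArray()); // assumed output path
    }
}
```

The same store can be produced without Java at all, which is what answer #5 means by "administered with keytool": copy cacerts, then run keytool -importcert -alias my-root -file my-root.pem -keystore augmented-truststore.jks -storepass changeit for each root, and start the client with the two javax.net.ssl.trustStore properties shown in the comment. Note that loading only your own roots into the store (without the cacerts copy) replaces the default trust, which is the right choice when the client should speak only to servers issued under those roots.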