Dynamically changing the truststore (keystore)
Can anyone please tell me a way to dynamically change the current truststore that Java is using?
What I need to do is:
1. Execute an HTTP GET command.
2. Check the truststore for any valid certificates.
3. If the truststore doesn't have the valid certificate, obtain it from the end server and store it in the truststore.
4. Re-execute the HTTP GET command. Have to make sure that the truststore used is the newly updated truststore.
I am able to do steps 1-3 successfully.
But I am not able to re-execute the HTTP command successfully, as it still only obtains certificates from the old truststore, not the newly updated one.
System.setProperty("javax.net.ssl.trustStore", keyStore);
System.setProperty("javax.net.ssl.trustStorePassword", PW);
does not work. Please help.
By sridanua at 2007-11-27 9:29:09

> 3. If the truststore doesn't have the valid certificate, obtain it from the end server and store it in the truststore.
Why? Are you/is your manager aware that this is insecure?
ejpa at 2007-7-12 22:36:35

The thing is I'm connecting to a few specific sites. And I need my application to run on a continuous basis (say for a few years in a row). So during that time the end sites may change their certificates every few months or so. So that's where the problem is. BTW - thanks for the reply.
Fine but it's still insecure to accept a certificate dynamically unless you surround that process with another security regime which is at least as strong as what it is replacing. You may as well not use HTTPS at all.
ejpa at 2007-7-12 22:36:35

That may be true. But right now I'm more concerned with making it happen. Can you please tell me a way to do it?
That is true. I could tell you how to do it if I could recommend the approach, but I can't. How many years are we talking about? CA certificates are good for 30 years. If your server certificates are signed by a CA known to 'cacerts' you have no problem. And if they aren't you shouldn't be deploying the application for years on end anyway.
ejpa at 2007-7-12 22:36:35

Yes. But it's not just about adding new certificates for existing sites.
For example, during the course of its use, my application may be required to connect to some new sites to which I don't have the certificates for. So then my application needs to add the new certificates and continue on functioning.
> new sites to which I don't have the certificates for
You don't need the certificates. You only need them to be issued by a trusted issuer. And if they weren't, you shouldn't trust them. I suggest you investigate this aspect of the problem much more closely.
ejpa at 2007-7-12 22:36:35

It's like this.
Say for example I start off my application by adding a certificate issued by 'A'. Then when my application is used to connect to all sites that have been provided certificates by A, it works fine.
But if and when I need to connect to a site to which the certificates have been issued by 'B', then I need to add those as well. But since pointing to the trustStore via a property file doesn't work, my application will fail, even though I have added the necessary certificates.
Once again this proves you need to do more research. All the trusted CAs are validated by a very small set of root certificates which are already present in the 'cacerts' file issued with every JDK and JRE.
ejpa at 2007-7-12 22:36:35

Yes, I know that. But it seems that cacerts doesn't contain all the necessary certificates. And that is why I need to create my application the way I have described. I assure you if it could be done any other way I would have. But I have no alternative. Please help.
> Yes I know that. But it seems that cacerts doesn't
> contain all the necessary certificates. And that is
> why I need to create my application the way I have
> described.
I'm sorry but this does not make sense. If you are just going to download any certificates regardless of who they belong to (and you seem to be asking for this) then you are in effect allowing your application to connect to any site. Based on this you should not be checking the certificate from the site - you should just use SSL to provide a secure private connection between you and whoever happens to be at the other end of the connection.
>
> I assure you if it could be done any other way I
> would have. But I have no alternative. Please help.
You have no alternative but to create an insecure system?
I don't know how to perform what you are asking though I can make an educated guess at an approach but I won't publish it.
It's like this. The people who use my application use it to connect to a few secure sites. Since some of these sites have not been created yet, they need to make sure that my application will be able to handle all such sites without manual intervention.
I believe that they don't connect to insecure sites, only trusted ones. But it may be a case where they connect to one secure site when the application is deployed and connect to another in a few years' time. At which point the problem MAY occur.
> It's like this. The people who use my application use it to connect to a few secure sites. Since some of these sites have not been created yet, they need to make sure that my application will be able to handle all such sites without manual intervention.
>
> I believe that they don't connect to insecure sites, only trusted ones. But it may be a case where they connect to one secure site when the application is deployed and connect to another in a few years' time. At which point the problem MAY occur.
Again this does not make sense! How is your application going to know [the] 'only trusted ones' without manual intervention? Can any Joe Bloggs say to your program "I am a trusted site" and your program would answer "OK, I trust you, so give me your certificate and, by the way, if I don't know the Certificate Authority on your certificate then please tell me who it is so I can add it to my trust store"?
Really secure!
OK, OK. I realize that my application may not be a secure one. And I'm afraid I cannot go into the details of it. And my application doesn't need to know if it is a trusted site or not.
The people who are using it will ONLY connect to their selected few trusted sites. This has nothing to do with my application trusting/not trusting.
I see that my explanation of the problem seems to be confusing, so can someone just please tell me a way to dynamically point to a new trustStore during runtime?
I've seen many posts on many sites that claim it can be done. But no one seems to know how exactly it can be done.
> And I'm afraid I cannot go into the details of it.
I'm sorry but I can't help. You seem to be bucking Kerckhoffs's principle - http://en.wikipedia.org/wiki/Kerckhoffs'_principle .
> But no one seems to know how exactly it can be done.
On the contrary. Nobody is willing to tell you how it's done because it's not an appropriate answer to your problem, if indeed the problem really exists.
ejpa at 2007-7-21 23:02:40
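The mechanical reason the poster's `System.setProperty` approach fails is that the default `SSLContext` reads `javax.net.ssl.trustStore` only once, when it is first initialised, so later property changes are ignored. The following is an added example, not code from the thread or from either participant, showing how to load a truststore file at runtime and attach it to an `HttpsURLConnection` through an explicit `SSLContext`. It keeps the part of the design ejpa objects to out of the picture: the application never imports anything it fetched from the peer; a handshake against an unknown issuer fails closed, and only a CA certificate added to the file out of band by an operator (for example with `keytool -importcert`) becomes trusted on the next reload. The truststore path, password and target URL are placeholders, and the code assumes Java 7 or later for try-with-resources.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the thread): point an HTTPS connection at a truststore
 * loaded at runtime, instead of relying on javax.net.ssl.trustStore, which the
 * default SSLContext reads only once when it is first initialised.
 */
public final class RuntimeTrustStore {

    // Placeholder values for illustration; substitute the application's own.
    private static final String TRUSTSTORE_PATH = "/path/to/app-truststore.jks";
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();
    private static final String TARGET = "https://example.invalid/";

    /** Loads the truststore file and wraps it in a fresh SSLContext. */
    public static SSLSocketFactory socketFactoryFor(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // null key managers: no client auth
        return ctx.getSocketFactory();
    }

    /** Issues a GET with the given trust configuration and returns the HTTP status. */
    public static int get(String url, SSLSocketFactory factory) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(factory); // applies to this connection only
        conn.setRequestMethod("GET");
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        SSLSocketFactory before = socketFactoryFor(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD);
        try {
            System.out.println("status: " + get(TARGET, before));
        } catch (SSLHandshakeException e) {
            // The server's chain does not lead to a CA in the store. Fail closed and
            // report it; nothing fetched from the peer is written into the store.
            System.out.println("peer not trusted by current store: " + e.getMessage());
        }

        // After an operator has added a CA certificate to the file out of band
        // (e.g. keytool -importcert), rebuild the factory; the new store takes
        // effect on the next connection without restarting the JVM.
        SSLSocketFactory after = socketFactoryFor(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD);
        System.out.println("status after reload: " + get(TARGET, after));
    }
}
```

Because the factory is set per connection, nothing else in the JVM that still uses the default context is affected, and the set of trusted issuers remains whatever is in the file under the operator's control rather than whatever the remote end presents.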
