Menu
I've been using custom keystore in my program by specifying javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword. My truststore contains self-signed certificates. Now I want to make some https request(say to https://google.com) and use default jre system trusstore that contains information about different CAs. To make http requests I use OkHttp library. Its client has an option to specify SslSocketFactory, but to get it I need to initialise SSLContext for default jre truststore. How can I do that?
UPDATE: The code I went with is
KeyStore keyStore = KeyStore.getInstance("JKS");
// load default jvm keystore
keyStore.load(new FileInputStream(
System.getProperties()
.getProperty("java.home") + File.separator
+ "lib" + File.separator + "security" + File.separator
+ "cacerts"), "changeit".toCharArray());
TrustManagerFactory tmf = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("TLS");
ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
520
2 Answers. Show activity on this post. In Java, according to the JSSE Reference Guide, there is no default for the keystore , the default for the truststore is "jssecacerts, if it exists.
SSLContext is an engine class for an implementation of a secure socket protocol. An instance of this class acts as a factory for SSL socket factories and SSL engines. An SSLContext holds all of the state information shared across all objects created under that context.
Truststore. The truststore is a file that contains the root certificates for Certificate Authorities (CA) that issue certificates such as GoDaddy, Verisign, Network Solutions, and others. The truststore comes bundled with the JDK/JRE and is located in $JAVA_HOME/lib/security/cacerts .
The javax.net.ssl.* system properties will affect the default SSLContext, the one used by SSLSocketFactory.getDefault() and the one returned by SSLContext.getDefault(), if you haven't used SSLContext.setDefault(...) using a custom context, that is.
If you want to keep the ability to use the default truststore for some connections (not not the ones where you use these self-signed certs), you shouldn't use those properties. Instead you should make the other connections use an SSLContext built for those self-signed certs. (You can't really get the default trust store with certainty otherwise, at least not without using the private API in the JRE.)
Since the library you're using allows you to specify an SSLSocketFactory, build one from your custom SSLContext when you want to use it. (You can also build one from the default SSLContext for the other cases if needed, although that's often implied, if that library resets its settings between connections.)
158
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
