Get SSLContext for default system truststore in Java (JSSE)

I've been using a custom keystore in my program by specifying javax.net.ssl.keyStore, javax.net.ssl.keyStorePassword, javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword. My truststore contains self-signed certificates. Now I want to make some https request (say to https://google.com) and use the default JRE system truststore that contains information about different CAs. To make http requests I use the OkHttp library. Its client has an option to specify SslSocketFactory, but to get it I need to initialise SSLContext for the default JRE truststore. How can I do that?

UPDATE: The code I went with is:

    import java.io.File;
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.SecureRandom;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;

    KeyStore keyStore = KeyStore.getInstance("JKS");

    // load the JRE's bundled truststore ($JAVA_HOME/lib/security/cacerts);
    // "changeit" is the password the JDK ships that file with
    String cacerts = System.getProperty("java.home") + File.separator
            + "lib" + File.separator + "security" + File.separator + "cacerts";
    try (InputStream in = new FileInputStream(cacerts)) { // close the stream when done
        keyStore.load(in, "changeit".toCharArray());
    }

    TrustManagerFactory tmf = TrustManagerFactory.getInstance(
            TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(keyStore);

    // no client key material (null KeyManagers); trust only what is in cacerts
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(null, tmf.getTrustManagers(), new SecureRandom());
vkolodrevskiy asked May 29 '15 00:05



1 Answer

The javax.net.ssl.* system properties will affect the default SSLContext, the one used by SSLSocketFactory.getDefault() and the one returned by SSLContext.getDefault(), if you haven't used SSLContext.setDefault(...) using a custom context, that is.

If you want to keep the ability to use the default truststore for some connections (not the ones where you use these self-signed certs), you shouldn't use those properties. Instead you should make the other connections use an SSLContext built for those self-signed certs. (You can't really get the default trust store with certainty otherwise, at least not without using the private API in the JRE.)

Since the library you're using allows you to specify an SSLSocketFactory, build one from your custom SSLContext when you want to use it. (You can also build one from the default SSLContext for the other cases if needed, although that's often implied, if that library resets its settings between connections.)

Bruno answered Oct 27 '22 22:10
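The two-client arrangement the answer describes, as an added example that is not code from the question or the answer: a dedicated SSLContext and X509TrustManager built from the self-signed truststore are handed to one OkHttp client, while a plain client keeps the JRE default truststore because the javax.net.ssl.* properties are never set. It assumes the OkHttp 3.x/4.x Builder API (sslSocketFactory(factory, trustManager)); the truststore file name and password are placeholders.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

public final class TwoTrustStores {

    /** Trust manager backed only by the certificates in the given truststore file. */
    static X509TrustManager trustManagerFor(Path trustStore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // JKS or PKCS12
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager for " + trustStore);
    }

    /** Client that accepts only the self-signed certificates in our own truststore. */
    static OkHttpClient internalClient(Path trustStore, char[] password) throws Exception {
        X509TrustManager tm = trustManagerFor(trustStore, password);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null); // null SecureRandom = provider default
        return new OkHttpClient.Builder().sslSocketFactory(ctx.getSocketFactory(), tm).build();
    }

    /** Client for public hosts: with no javax.net.ssl.trustStore property set, OkHttp
     *  falls back to the JRE default truststore (jssecacerts or cacerts) on its own. */
    static OkHttpClient publicClient() {
        return new OkHttpClient();
    }

    public static void main(String[] args) throws Exception {
        // placeholder truststore path and password (assumption, not from the page)
        OkHttpClient internal = internalClient(Paths.get("internal-truststore.jks"),
                "changeit".toCharArray());
        Request req = new Request.Builder().url("https://google.com").build();
        try (Response r = publicClient().newCall(req).execute()) {
            System.out.println("public host via JRE truststore: HTTP " + r.code());
        }
        // internal.newCall(...) is used only for hosts presenting the self-signed certs
    }
}
```

Each client keeps its own trust decision, so adding the self-signed certificates never widens what the public-host client will accept.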