How do I load truststore from classpath with Apache CXF?

I'm using Apache CXF (v2.7.3) to call a SOAP service over HTTPS. I can load the truststore from a file but not from the classpath - I get an "Invalid keystore format" error.

I have this config in my cfx.xml file:

<http:conduit name="*.http-conduit">
  <http:tlsClientParameters>
    <sec:trustManagers>
      <!-- For some reason, when I use the resource field, I get an "Invalid keystore format" exception -->
      <sec:keyStore type="JKS" password="MYPASSWORD"
                    resource="truststore.jks" />

      <!-- THIS WORKS FINE:  <sec:keyStore type="JKS" password="MYPASSWORD"
                    file="/fullPathToMyTrustStore/truststore.jks" /> -->
    </sec:trustManagers>
  </http:tlsClientParameters>
</http:conduit>

I can load the trust store from a file, but not from the classpath. I can tell from the exception that the truststore.jks file is being found, but it is invalid. This is the stack trace of the exception thrown:

Caused by: java.io.IOException: Invalid keystore format
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:633)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
at org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils.getKeyStore(TLSParameterJaxBUtils.java:142)
at org.apache.cxf.configuration.jsse.TLSParameterJaxBUtils.getTrustManagers(TLSParameterJaxBUtils.java:292)
at org.apache.cxf.configuration.jsse.TLSClientParametersConfig.createTLSClientParametersFromType(TLSClientParametersConfig.java:114)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:149)
Kevin asked Oct 22 '22 13:10


1 Answer

I had exactly the same problem and blamed CXF at the beginning, but actually the certificates were invalid on the classpath. The first thing to check is that the file in the jar is the same as in the project structure (before packing into the jar).

Here are possible suspects to blame and possible solutions:

1) If you are using Maven, then the filtering process may corrupt binaries (my case)

Solution: exclude certificates from the Maven filtering process, e.g.:

<resources>
  <resource>
    <directory>src/main/resources</directory>
    <filtering>true</filtering>
    <includes>
      <include>**/*</include>
    </includes>
    <excludes>
      <exclude>**/*.jks</exclude>
    </excludes>
  </resource>
  <resource>
    <directory>src/main/resources</directory>
    <filtering>false</filtering>
    <includes>
      <include>**/*.jks</include>
    </includes>
  </resource>
</resources>

2) If you are using maven-assembly-plugin for building your distribution, it may corrupt binaries:

Solution: http://jira.codehaus.org/browse/MASSEMBLY-412

Igar Sushko answered Oct 31 '22 18:10
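
The check the answer recommends (the file in the jar equals the file in the project), as an added example that is not part of the original answer: a Python script that compares the keystore entry inside a jar with its source file and tests for the JKS magic bytes 0xFEEDFEED. The helper names, the constructed stand-in keystore bytes and the modelling of filtering damage as a lossy UTF-8 text round trip are assumptions made for the demonstration.

```python
import hashlib
import tempfile
import zipfile
from pathlib import Path

JKS_MAGIC = bytes.fromhex("feedfeed")  # first four bytes of every JKS file


def check_packaged_keystore(jar_path, entry, source_path):
    """Compare a keystore entry inside a jar with its source file."""
    source = Path(source_path).read_bytes()
    with zipfile.ZipFile(jar_path) as jar:
        packaged = jar.read(entry)
    return {
        "magic_ok": packaged[:4] == JKS_MAGIC,
        "identical": hashlib.sha256(packaged).digest()
        == hashlib.sha256(source).digest(),
        "source_size": len(source),
        "packaged_size": len(packaged),
    }


def build_jar(jar_path, entry, data):
    """Write a one-entry jar (a jar is a zip archive)."""
    with zipfile.ZipFile(jar_path, "w") as jar:
        jar.writestr(entry, data)


def demo():
    # Constructed stand-in for a JKS file: magic, version 2, zero entries, filler.
    original = JKS_MAGIC + bytes([0, 0, 0, 2, 0, 0, 0, 0]) + bytes(range(128, 160))
    # Assumption: filtering damage is modelled as a lossy UTF-8 text round trip.
    filtered = original.decode("utf-8", errors="replace").encode("utf-8")
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "truststore.jks")
        src.write_bytes(original)
        good, bad = Path(tmp, "good.jar"), Path(tmp, "bad.jar")
        build_jar(good, "truststore.jks", original)
        build_jar(bad, "truststore.jks", filtered)
        return (
            check_packaged_keystore(good, "truststore.jks", src),
            check_packaged_keystore(bad, "truststore.jks", src),
        )


if __name__ == "__main__":
    for name, result in zip(("unfiltered", "filtered"), demo()):
        print(name, result)
```

Run against a real build, `check_packaged_keystore` takes the built jar, the entry name used in the `resource` attribute and the path under src/main/resources; a failed `magic_ok` or `identical` means the build step changed the file before CXF ever read it.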