Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to find current truststore on disk programatically?

Is there any function which tells me what's the current truststore being used in my program. On windows, the default trust store is at JAVA_HOME\lib\security\cacerts.

However, the default can be changed in a variety of ways.

  • Using -Djavax.net.ssl.keyStore in the command line

  • Using Keystore class.

  • If the program is running on an App Server under which the application runs may set the store path through it's panel.

  • If the program is running on Tomcat, then Tomcat settings may change the truststore.

and many other ways.

Is there a programmatic way by which I can find out the disk path of the truststore which is currently active?

like image 494
user93353 Avatar asked Dec 01 '12 07:12

user93353


People also ask

How do you find a truststore?

The truststore is a file that contains the root certificates for Certificate Authorities (CA) that issue certificates such as GoDaddy, Verisign, Network Solutions, and others. The truststore comes bundled with the JDK/JRE and is located in $JAVA_HOME/lib/security/cacerts .

How do I get a certificate from truststore?

To Create the Keystore and Trust StoreExport the certificate to a file. The certificate is stored in the file that you specified. Import the certificate into a new trust store. The trust store is created.

What is the default truststore?

In Java, according to the JSSE Reference Guide, there is no default for the keystore , the default for the truststore is "jssecacerts, if it exists. Otherwise, cacerts".

Is JKS keystore or truststore?

A Java Keystore (JKS) is a common keystore type that is used for Java environments because it is easier to set up. JKSs use files with a . jks extension that are stored in the zFS file system. The JKS is referenced by the keyStore element in the server.


1 Answers

Generally speaking, you can't (this is quite similar to this question).

In the JSSE API, trusting a certificate isn't actually determined by a trust store, but by a TrustManager. Whilst it's often initialised with a keystore (the truststore), this is not necessary. In addition, the keystores themselves don't have to be files. There is nothing in the default trust manager API that lets you check where and how a potential trust store was used.

There isn't even anything in the SSLSocket that lets you get back to its SSLSocketFactory, and nothing there that lets you get back to its originating SSLContext, and nothing there that lets you get the trust managers.

Which truststore/trust manager is currently active also depends very much on the application. Nothing tells you in general that the connections an application is making are using the default SSLContext, which can be initialised by the javax.net.ssl.* system properties. Applications are free to initialise their own SSLContexts to create their sockets (this is what Tomcat do for its connectors when you specify certain values).

Since Java 6, the default (current) SSLContext can also be changed globally (via SSLContext.setDefault(...).

You can find what's being used by default from the JSSE Reference Guide. The rest will depend on the documentation of each application. Using -Djavax.net.debug=SSL,trustmanager may help if you need, but this isn't API access.

(By the way, -Djavax.net.ssl.keyStore will set up the keystore for the default key manager, not the trust store.)

like image 161
Bruno Avatar answered Oct 13 '22 17:10

Bruno