Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Java SSL connect, add server cert to keystore programmatically

Tags:

java

ssl

I am connecting an SSL client to my SSL server. When the client fails to verify a certificate due to the root not existing in the client's key store, I need the option to add that certificate to the local key store in code and continue. There are examples for always accepting all certificates, but I want the user to verify the cert and add it to local key store without leaving the application.

SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault(); SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("localhost", 23467); try{     sslsocket.startHandshake(); } catch (IOException e) {     //here I want to get the peer's certificate, conditionally add to local key store, then reauthenticate successfully } 

There is a whole lot of stuff about custom SocketFactory, TrustManager, SSLContext, etc and I don't really understand how they all fit together or which would be the shortest path to my goal.

like image 632
iratepr Avatar asked Jul 19 '11 23:07

iratepr


People also ask

How add self signed certificate to keystore?

Open a terminal and change directory to the jre/bin directory. The default installation location is /opt/tivoli/tsm/jre/bin. Make a backup copy of the Java cacerts file by running the following command: cp ../lib/security/cacerts ../lib/security/cacerts. original .

How do I import a self signed certificate into Java keystore?

Copy the file JAVA_HOME\lib\security\cacerts to another folder. Click OK for the warning about the trust path. Click OK when it displays the details about the certificate. Click Yes to accept the certificate as trusted.


1 Answers

You could implement this using a X509TrustManager.

Obtain an SSLContext with

SSLContext ctx = SSLContext.getInstance("TLS"); 

Then initialize it with your custom X509TrustManager by using SSLContext#init. The SecureRandom and the KeyManager[] may be null. The latter is only useful if you perform client authentication, if in your scenario only the server needs to authenticate you don't need to set it.

From this SSLContext, get your SSLSocketFactory using SSLContext#getSocketFactory and proceed as planned.

As concerns your X509TrustManager implementation, it could look like this:

TrustManager tm = new X509TrustManager() {     public void checkClientTrusted(X509Certificate[] chain,                     String authType)                     throws CertificateException {         //do nothing, you're the client     }      public X509Certificate[] getAcceptedIssuers() {         //also only relevant for servers     }      public void checkServerTrusted(X509Certificate[] chain,                     String authType)                     throws CertificateException {         /* chain[chain.length -1] is the candidate for the          * root certificate.           * Look it up to see whether it's in your list.          * If not, ask the user for permission to add it.          * If not granted, reject.          * Validate the chain using CertPathValidator and           * your list of trusted roots.          */     } }; 

Edit:

Ryan was right, I forgot to explain how to add the new root to the existing ones. Let's assume your current KeyStore of trusted roots was derived from cacerts (the 'Java default trust store' that comes with your JDK, located under jre/lib/security). I assume you loaded that key store (it's in JKS format) with KeyStore#load(InputStream, char[]).

KeyStore ks = KeyStore.getInstance("JKS"); FileInputStream in = new FileInputStream("<path to cacerts""); ks.load(in, "changeit".toCharArray); 

The default password to cacerts is "changeit" if you haven't, well, changed it.

Then you may add addtional trusted roots using KeyStore#setEntry. You can omit the ProtectionParameter (i.e. null), the KeyStore.Entry would be a TrustedCertificateEntry that takes the new root as parameter to its constructor.

KeyStore.Entry newEntry = new KeyStore.TrustedCertificateEntry(newRoot); ks.setEntry("someAlias", newEntry, null); 

If you'd like to persist the altered trust store at some point, you may achieve this with KeyStore#store(OutputStream, char[].

like image 172
emboss Avatar answered Sep 24 '22 09:09

emboss