I am trying to understand which TrustStrategy to adopt for the method loadTrustMaterial.
    public SSLContextBuilder loadTrustMaterial(KeyStore truststore,
                                               TrustStrategy trustStrategy)
            throws NoSuchAlgorithmException,
                   KeyStoreException
I found four different examples and I am very curious to know the difference between them, as the description is too brief to understand the differences, usages, advantages and disadvantages.
Here are the four different code examples:
TrustStrategy: It seems that here we are overriding the standard JSSE certificate verification process, but it always returns true, so does it trust invalid certificates too?
    TrustStrategy trustStrategy = new TrustStrategy() {
        @Override
        public boolean isTrusted(X509Certificate[] x509Certificates, String authType) throws CertificateException {
            return true;
        }
    };
    SSLContextBuilder sslContextBuilder = SSLContexts.custom()
            .loadTrustMaterial(trustStore, trustStrategy);
NULL: We are NOT giving any strategy, so what will it do?
    SSLContextBuilder sslContextBuilder = SSLContexts.custom()
            .loadTrustMaterial(trustStore, null);
TrustAllStrategy: It will trust all signed certificates, so is that secure though?
    SSLContextBuilder sslContextBuilder = SSLContexts.custom()
            .loadTrustMaterial(trustStore, new TrustAllStrategy());
TrustSelfSignedStrategy: What is the difference between this and TrustAllStrategy?
    SSLContextBuilder sslContextBuilder = SSLContexts.custom()
            .loadTrustMaterial(trustStore, new TrustSelfSignedStrategy());
Could you help me understand the difference between these four versions of the example, please? Thanks in advance.
The SSL keystore holds a party's own identity: its private key and the matching certificate. The SSL truststore is the repository of certificates that party is willing to trust. On a client it is used to validate the server's certificate chain; on a server it is used to validate client certificates (two-way SSL, also called mutual TLS).
Apache HttpClient Javadoc for TrustStrategy: "A strategy to establish trustworthiness of certificates without consulting the trust manager configured in the actual SSL context. This interface can be used to override the standard JSSE certificate verification process."
Apache HttpClient Javadoc for TrustSelfSignedStrategy (since 4.1): "A trust strategy that accepts self-signed certificates as trusted. Verification of all other certificates is done by the trust manager configured in the SSL context."
A truststore is a file of certificates the application trusts, typically the root certificates of Certificate Authorities (CAs) that issue certificates, such as GoDaddy, VeriSign or Network Solutions. The JDK/JRE ships a default truststore named cacerts; it is located at $JAVA_HOME/lib/security/cacerts (on JDK 8 and earlier, $JAVA_HOME/jre/lib/security/cacerts) and is what JSSE uses when no truststore is configured explicitly.
What is the Chain of Trust? The chain of trust is the sequence of certificates that links a server's certificate, through any intermediate CA certificates, back to a root CA certificate the client already trusts, i.e. one that is in its truststore.
If the certificate is valid and can be chained back to a trusted root, it is trusted. If it cannot, the client (a browser, or here the JSSE trust manager) rejects it or issues a warning. Chain-of-trust errors are usually the result of misconfiguration, for example a server that does not send its intermediate certificate.
Every website or device you connect to over Secure Sockets Layer (SSL) or Transport Layer Security (TLS) presents its own certificate. A CA issues a certificate for a domain name, IP address or e-mail address only after a verification process that confirms the requester controls it.
First of all, trusting all certificates is highly discouraged. Rather, add the certificates to the truststore.
The TrustStrategy is an interface, implemented by some types.
All these methods here are from the Apache HttpClient.
- The first one (overriding the isTrusted method) is more or less equal to the TrustAllStrategy and is just creating a custom instance of a TrustStrategy where you could define your own way to determine whether a certificate is trusted or not.
See the source code of the TrustAllStrategy here:
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;

    public class TrustAllStrategy implements TrustStrategy {
        public static final TrustAllStrategy INSTANCE = new TrustAllStrategy();

        @Override
        public boolean isTrusted(final X509Certificate[] chain, final String authType) throws CertificateException {
            return true; // every chain is accepted, valid or not
        }
    }
Setting the TrustStrategy to null will result in not having any TrustManager:
    public SSLContextBuilder loadTrustMaterial(
            final KeyStore truststore,
            final TrustStrategy trustStrategy) throws NoSuchAlgorithmException, KeyStoreException {
        final TrustManagerFactory tmfactory = TrustManagerFactory.getInstance(
                trustManagerFactoryAlgorithm == null ? TrustManagerFactory.getDefaultAlgorithm()
                        : trustManagerFactoryAlgorithm);
        tmfactory.init(truststore);
        final TrustManager[] tms = tmfactory.getTrustManagers();
        if (tms != null) {
            if (trustStrategy != null) {
                // wrap each X509TrustManager so the strategy is consulted first
                for (int i = 0; i < tms.length; i++) {
                    final TrustManager tm = tms[i];
                    if (tm instanceof X509TrustManager) {
                        tms[i] = new TrustManagerDelegate(
                                (X509TrustManager) tm, trustStrategy);
                    }
                }
            }
            for (final TrustManager tm : tms) {
                this.trustManagers.add(tm);
            }
        }
        return this;
    }
The TrustSelfSignedStrategy works as follows:
    import java.security.cert.CertificateException;
    import java.security.cert.X509Certificate;

    public class TrustSelfSignedStrategy implements TrustStrategy {
        @Override
        public boolean isTrusted(
                final X509Certificate[] chain, final String authType) throws CertificateException {
            return chain.length == 1; // a chain of exactly one certificate is treated as self-signed
        }
    }
A self-signed certificate is issued by the target of the certificate. It is generated by default in many applications and often used for intranet purposes.
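The following is an added example, not code from the question, the answer, or Apache HttpClient itself. It puts the four variants side by side and shows what a defensible custom TrustStrategy looks like: pinning one known certificate by the SHA-256 fingerprint of its DER encoding instead of returning true. It assumes HttpClient 4.5.x (the org.apache.http.ssl.SSLContexts and TrustStrategy types and the TrustAllStrategy class used in the question), Java 8 or later, and that the server's certificate is available as a PEM file whose path is passed as the first program argument (for example exported with `keytool -exportcert -rfc`). The class and method names TrustStrategyDemo, pinnedCertificate, sha256, readPem and emptyTruststore are mine, not HttpClient's.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustAllStrategy;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;

public class TrustStrategyDemo {

    // Custom strategy (hypothetical helper): trust exactly one known certificate,
    // identified by the SHA-256 fingerprint of its DER encoding. For any other
    // chain it returns false, so HttpClient's TrustManagerDelegate falls through
    // to the truststore-backed X509TrustManager, i.e. normal PKIX validation.
    static TrustStrategy pinnedCertificate(final byte[] expectedSha256) {
        return (chain, authType) -> {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("empty certificate chain");
            }
            final byte[] actual = sha256(chain[0].getEncoded());
            return MessageDigest.isEqual(expectedSha256, actual); // constant-time compare
        };
    }

    static byte[] sha256(final byte[] data) throws CertificateException {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);
        }
    }

    // Reads a single PEM/DER encoded X.509 certificate from disk.
    static X509Certificate readPem(final String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // An in-memory truststore with no trust anchors: only what the strategy
    // accepts gets through, everything else is rejected by the trust manager.
    static KeyStore emptyTruststore() throws Exception {
        final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        return ks;
    }

    public static void main(final String[] args) throws Exception {
        // Assumption: args[0] is the server's certificate in PEM form.
        final X509Certificate server = readPem(args[0]);
        final X509Certificate[] chain = { server };
        // Stand-in for the authType string JSSE would pass (e.g. "RSA").
        final String authType = server.getPublicKey().getAlgorithm();

        // 1. Anonymous override returning true and TrustAllStrategy are the same
        //    thing: every chain passes, valid, expired, or forged.
        System.out.println("TrustAllStrategy        : " + TrustAllStrategy.INSTANCE.isTrusted(chain, authType));
        // 2. TrustSelfSignedStrategy accepts ANY single-certificate chain. It does not
        //    check that issuer == subject, nor does it verify the signature.
        System.out.println("TrustSelfSignedStrategy : " + new TrustSelfSignedStrategy().isTrusted(chain, authType));
        // 3. Pinned: true only for this exact certificate, false for any other.
        final TrustStrategy pinned = pinnedCertificate(sha256(server.getEncoded()));
        System.out.println("pinned, matching cert   : " + pinned.isTrusted(chain, authType));
        System.out.println("pinned, wrong fingerprint: " + pinnedCertificate(new byte[32]).isTrusted(chain, authType));

        // Wire the pinned strategy into an HttpClient. Keep hostname verification on:
        // a TrustStrategy only answers "is this chain trusted", not "is it for this host".
        final SSLContext pinnedCtx = SSLContexts.custom()
                .loadTrustMaterial(emptyTruststore(), pinned)
                .build();
        final SSLConnectionSocketFactory sslsf =
                new SSLConnectionSocketFactory(pinnedCtx, new DefaultHostnameVerifier());
        try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(sslsf).build()) {
            System.out.println("pinned client built for protocol " + pinnedCtx.getProtocol());
        }

        // 4. null strategy: the factory's X509TrustManager is used unwrapped, so this
        //    is plain JSSE validation against the given truststore. With the empty
        //    truststore above every server would be rejected; pass a populated one instead.
        final SSLContext strictCtx = SSLContexts.custom()
                .loadTrustMaterial(emptyTruststore(), null)
                .build();
        System.out.println("strict (null strategy) context built: " + strictCtx.getProtocol());
    }
}
```

Two points the verdicts illustrate. HttpClient's TrustManagerDelegate, the wrapper applied in the loadTrustMaterial source above, calls isTrusted first and consults the wrapped X509TrustManager only when the strategy returns false; it passes checkClientTrusted straight through, so a strategy only influences how server certificates are judged. Because of that, a strategy returning true (the anonymous override or TrustAllStrategy) disables server authentication entirely, and TrustSelfSignedStrategy's `chain.length == 1` test is weaker than its name suggests: any single-certificate chain is accepted without its signature being verified, and anyone on the network path can mint one. Pinning a known fingerprint (or, better, adding the certificate to the truststore and passing null) keeps the decision tied to a specific certificate, and hostname verification remains a separate check done by the HostnameVerifier on the SSLConnectionSocketFactory, which is why the example uses DefaultHostnameVerifier rather than a no-op verifier.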