Installing Java SSLContext by default from a resource at runtime

The main components of my question (the context follows the piece of code below):

  • Is the following code a valid alternative to setting up the default Java keystore via -Djavax.net.ssl.keyStore?
  • What effect, in addition to changing the default key and trust material, can this code have on SSL behavior in the affected JVM?
  • Is there a better alternative for setting the default trust / key stores at runtime from a resource?

    import java.security.KeyStore;
    import javax.net.ssl.KeyManagerFactory;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManagerFactory;

    // One JKS file from the classpath is used as both key store and trust store.
    KeyStore ks = KeyStore.getInstance("JKS");
    ks.load(testService.class.getClassLoader().getResourceAsStream("resources/.keystore"),
            "changeit".toCharArray());   // the resource stream is not closed here

    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    kmf.init(ks, "changeit".toCharArray());

    // Install the context as the JVM-wide default.
    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
    SSLContext.setDefault(ctx);

The context surrounding this question is as follows. I am currently developing a CXF client for a web service with mutual certificate authentication. For various reasons, adding the client certificate and key to the default keystore is not a desirable option. Ideally, I was looking for a way to ship the keystore as a resource file in the JAR and set it as the default at runtime, as needed. I also wanted to avoid configuring each client and / or connection object individually, and to keep supporting things like JaxWsDynamicClientFactory (mainly for the sake of completeness).

I searched the Internet and SO for related material and found two related questions (one, two), but none of the proposed solutions was exactly what I was looking for (although I used them as a springboard for developing the code above).

Now I understand that other solutions can be made to work, but I am specifically looking for a solution that meets all of these requirements.

1 answer

Your code will use the same keystore (loaded from the class loader) as both the default keystore and the default trust store. This is effectively equivalent to setting both -Djavax.net.ssl.keyStore* and -Djavax.net.ssl.trustStore* to the same value.

This is great if that is what you want to do. (You might want to close the InputStream after you have loaded the keystore.)

This will affect the entire JVM and everything that uses SSLContext.getDefault(), in particular everything that depends on the standard SSLSocketFactory (URLConnection, etc.).

Since this will be your default trust store, the default trusted certificates from the main CAs will not be in your trust store unless you also explicitly import them into the copy loaded from the classloader.

Presumably, you do not want to trust a lot of new CA certificates (or self-signed certificates). It might be more convenient to keep the keystore and the trust store separate, since your trust store can be shared by most of your clients, and it is usually just a one-time configuration step at the beginning.

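An added example (not from the question or the answer) of the separation the answer recommends: the client identity comes from a keystore resource, trust comes either from a separate trust store resource or, by passing null to TrustManagerFactory.init, from the JVM's default cacerts, the resource streams are closed, and the accepted-issuer count lets you confirm which trust was actually installed. The resource names, store types and passwords are assumptions.

```java
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public final class DefaultSslContextInstaller {

    // Resource names and passwords are assumptions made for this example.
    static final String CLIENT_KEYSTORE = "/client-identity.p12";
    static final String TRUST_STORE = "/service-truststore.jks"; // set to null to keep the JVM cacerts

    /** Loads a keystore from a classpath resource and closes the stream afterwards. */
    static KeyStore loadKeyStore(String resource, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = DefaultSslContextInstaller.class.getResourceAsStream(resource)) {
            if (in == null) throw new IllegalStateException("missing classpath resource " + resource);
            ks.load(in, password);
        }
        return ks;
    }

    /** Trust managers from a dedicated trust store, or from the JVM default store when resource is null. */
    static TrustManager[] trustManagers(String resource, char[] password) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore trust = resource == null ? null : loadKeyStore(resource, "JKS", password);
        tmf.init(trust); // null keeps the built-in CA bundle (cacerts or -Djavax.net.ssl.trustStore)
        return tmf.getTrustManagers();
    }

    /** Counts the issuers the trust managers accept; a very small number means the CA bundle was dropped. */
    static int acceptedIssuerCount(TrustManager[] tms) {
        int n = 0;
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) n += ((X509TrustManager) tm).getAcceptedIssuers().length;
        }
        return n;
    }

    public static void main(String[] args) throws Exception {
        char[] password = "changeit".toCharArray();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(CLIENT_KEYSTORE, "PKCS12", password), password);
        TrustManager[] tms = trustManagers(TRUST_STORE, password);
        System.out.println("accepted issuers: " + acceptedIssuerCount(tms));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tms, null);
        SSLContext.setDefault(ctx); // affects every user of SSLContext.getDefault() in this JVM
    }
}
```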

Source: https://habr.com/ru/post/1389735/
