How can I use different certificates on specific connections

Question

A module I m adding to our large Java application has to converse with another company s SSL-secured website   The problem is that the site uses a self-signed certificate   I have a copy of the certificate to verify that I m not encountering a man-in-the-middle attack  and I need to incorporate this certificate into our code in such a way that the connection to the server will be successful   Here s the basic code   void sendRequest String dataPacket      String urlStr    https   host example com      URL url   new URL urlStr     HttpURLConnection conn    HttpURLConnection url openConnection      conn setMethod  POST      conn setRequestProperty  Content-Length   data length       conn setDoOutput true     OutputStreamWriter o   new OutputStreamWriter conn getOutputStream       o write data     o flush        Without any additional handling in place for the self-signed certificate  this dies at conn getOutputStream   with the following exception   Exception in thread  main  javax net ssl SSLHandshakeException  sun security validator ValidatorException  PKIX path building failed  sun security provider certpath SunCertPathBuilderException  unable to find valid certification path to requested target      Caused by  sun security validator ValidatorException  PKIX path building failed  sun security provider certpath SunCertPathBuilderException  unable to find valid certification path to requested target      Caused by  sun security provider certpath SunCertPathBuilderException  unable to find valid certification path to requested target   Ideally  my code needs to teach Java to accept this one self-signed certificate  for this one spot in the application  and nowhere else   I know that I can import the certificate into the JRE s certificate authority store  and that will allow Java to accept it   That s not an approach I want to take if I can help  it seems very invasive to do on all of our customer s machines for one module they may not use  it would affect all other Java applications using the same JRE  and I don t like that even though the odds of any other Java application ever accessing this site are nil   It s also not a trivial operation  on UNIX I have to obtain access rights to modify the JRE in this way   I ve also seen that I can create a TrustManager instance that does some custom checking   It looks like I might even be able to create a TrustManager that delegates to the real TrustManager in all instances except this one certificate   But it looks like that TrustManager gets installed globally  and I presume would affect all other connections from our application  and that doesn t smell quite right to me  either   What is the preferred  standard  or best way to set up a Java application to accept a self-signed certificate   Can I accomplish all of the goals I have in mind above  or am I going to have to compromise   Is there an option involving files and directories and configuration settings  and little-to-no code

User · Answer

I read through LOTS of places online to solve this thing. This is the code I wrote to make it work:

ByteArrayInputStream derInputStream = new ByteArrayInputStream(app.certificateString.getBytes());
CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
X509Certificate cert = (X509Certificate) certificateFactory.generateCertificate(derInputStream);
String alias = "alias";//cert.getSubjectX500Principal().getName();

KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null);
trustStore.setCertificateEntry(alias, cert);
KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509");
kmf.init(trustStore, null);
KeyManager[] keyManagers = kmf.getKeyManagers();

TrustManagerFactory tmf = TrustManagerFactory.getInstance("X509");
tmf.init(trustStore);
TrustManager[] trustManagers = tmf.getTrustManagers();

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(keyManagers, trustManagers, null);
URL url = new URL(someURL);
conn = (HttpsURLConnection) url.openConnection();
conn.setSSLSocketFactory(sslContext.getSocketFactory());

app.certificateString is a String that contains the Certificate, for example:

static public String certificateString=
        "-----BEGIN CERTIFICATE-----\n" +
        "MIIGQTCCBSmgAwIBAgIHBcg1dAivUzANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UE" +
        "BhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzApBgNVBAsTIlNlY3VyZSBE" +
        ... a bunch of characters...
        "5126sfeEJMRV4Fl2E5W1gDHoOd6V==\n" +
        "-----END CERTIFICATE-----";

I have tested that you can put any characters in the certificate string, if it is self signed, as long as you keep the exact structure above. I obtained the certificate string with my laptop's Terminal command line.

User · Answer

If creating a SSLSocketFactory is not an option  just import the key into the JVM   Retrieve the public key   openssl s client -connect dev-server 443  then create a file dev-server pem that looks like  -----BEGIN CERTIFICATE-----  lklkkkllklklklklllkllklkl lklkkkllklklklklllkllklkl lklkkkllklk     -----END CERTIFICATE-----  Import the key   keytool -import -alias dev-server -keystore  JAVA HOME jre lib security cacerts -file dev-server pem  Password  changeit Restart JVM   Source  How to solve javax net ssl SSLHandshakeException

User · Answer

We copy the JRE s truststore and add our custom certificates to that truststore  then tell the application to use the custom truststore with a system property   This way we leave the default JRE truststore alone   The downside is that when you update the JRE you don t get its new truststore automatically merged with your custom one     You could maybe handle this scenario by having an installer or startup routine that verifies the truststore jdk and checks for a mismatch or automatically updates the truststore   I don t know what happens if you update the truststore while the application is running   This solution isn t 100  elegant or foolproof but it s simple  works  and requires no code

User · Answer

I ve had to do something like this when using commons-httpclient to access an internal https server with a self-signed certificate  Yes  our solution was to create a custom TrustManager that simply passed everything  logging a debug message    This comes down to having our own SSLSocketFactory that creates SSL sockets from our local SSLContext  which is set up to have only our local TrustManager associated with it  You don t need to go near a keystore certstore at all   So this is in our LocalSSLSocketFactory   static       try           SSL CONTEXT   SSLContext getInstance  SSL            SSL CONTEXT init null  new TrustManager     new LocalSSLTrustManager      null         catch  NoSuchAlgorithmException e            throw new RuntimeException  Unable to initialise SSL context   e         catch  KeyManagementException e            throw new RuntimeException  Unable to initialise SSL context   e            public Socket createSocket String host  int port  throws IOException  UnknownHostException       LOG trace  createSocket host   gt      port   gt        new Object     host  new Integer port           return SSL CONTEXT getSocketFactory   createSocket host  port       Along with other methods implementing SecureProtocolSocketFactory  LocalSSLTrustManager is the aforementioned dummy trust manager implementation

User · Answer

Create an SSLSocket factory yourself  and set it on the HttpsURLConnection before connecting       HttpsURLConnection conn    HttpsURLConnection url openConnection    conn setSSLSocketFactory sslFactory   conn setMethod  POST          You ll want to create one SSLSocketFactory and keep it around  Here s a sketch of how to initialize it      Load the keyStore that includes self-signed cert as a  trusted  entry     KeyStore keyStore        TrustManagerFactory tmf      TrustManagerFactory getInstance TrustManagerFactory getDefaultAlgorithm     tmf init keyStore   SSLContext ctx   SSLContext getInstance  TLS    ctx init null  tmf getTrustManagers    null   sslFactory   ctx getSocketFactory      If you need help creating the key store  please comment     Here s an example of loading the key store   KeyStore keyStore   KeyStore getInstance KeyStore getDefaultType     keyStore load trustStore  trustStorePassword   trustStore close      To create the key store with a PEM format certificate  you can write your own code using CertificateFactory  or just import it with keytool from the JDK  keytool won t work for a  key entry   but is just fine for a  trusted entry     keytool -import -file selfsigned pem -alias server -keystore server jks

[java] How can I use different certificates on specific connections?

Examples related to java

Examples related to ssl

Examples related to keystore

Examples related to truststore

Examples related to jsse