[jacorb-developer] SSLServerSocketFactory for reloading of trust keystore when certificate check failed
Nick Cross
jacorb at goots.org
Sun Sep 14 22:42:04 CEST 2014
Could you supply it as a unified diff, ideally as a pull request on
GitHub against git head? Instructions are here:
https://github.com/JacORB/JacORB and http://www.jacorb.org/contrib.html
Do you have any tests for this code please?
Regards
Nick
On 12/09/14 09:38, Radha wrote:
> Hi All,
>
> Please review the code snippet of SSLServerSocketFactory.java below. Here I have implemented an X509TrustManager for reloading keys dynamically when the certificate check fails. Also, please let me know the procedure for getting approval if I have to use the modified source code in my application.
>
> private ServerSocketFactory createServerSocketFactory()
>     throws IOException, java.security.GeneralSecurityException
> {
>     KeyStore key_store =
>         KeyStoreUtil.getKeyStore( keystore_location,
>                                   keystore_passphrase.toCharArray() );
>
>     KeyManagerFactory kmf = KeyManagerFactory.getInstance( "SunX509" );
>     kmf.init( key_store, keystore_passphrase.toCharArray() );
>
>     // If the trust manager cannot be built, let the exception propagate
>     // instead of passing a null array to SSLContext.init, which would
>     // silently fall back to the JDK default trust store.
>     TrustManager[] trustManagers = new TrustManager[] {
>         new ReloadableX509TrustManager( keystore_location, keystore_passphrase )
>     };
>
>     SSLContext ctx = SSLContext.getInstance( "TLS" );
>     ctx.init( kmf.getKeyManagers(),
>               trustManagers,
>               getSecureRandom());
>
>     return ctx.getServerSocketFactory();
> }
>
> class ReloadableX509TrustManager implements X509TrustManager {
>     private volatile X509TrustManager trustManager;
>     private final String keystore_location;
>     private final String passphrase;
>
>     ReloadableX509TrustManager(String keystore_location, String passphrase)
>         throws IOException, java.security.GeneralSecurityException {
>         this.keystore_location = keystore_location;
>         this.passphrase = passphrase;
>         reloadTrustManager();
>     }
>
>     public void checkClientTrusted(X509Certificate[] chain,
>                                    String authType) throws CertificateException {
>         try {
>             trustManager.checkClientTrusted(chain, authType);
>         } catch (CertificateException cx) {
>             // Reload the trust store and check once more. If the chain is
>             // still not trusted, the second call throws and the connection
>             // is rejected; swallowing cx here would accept every client.
>             reloadOrFail(cx);
>             trustManager.checkClientTrusted(chain, authType);
>         }
>     }
>
>     public void checkServerTrusted(X509Certificate[] chain,
>                                    String authType) throws CertificateException {
>         try {
>             trustManager.checkServerTrusted(chain, authType);
>         } catch (CertificateException cx) {
>             // Same fail-closed retry as for client certificates.
>             reloadOrFail(cx);
>             trustManager.checkServerTrusted(chain, authType);
>         }
>     }
>
>     public X509Certificate[] getAcceptedIssuers() {
>         return trustManager.getAcceptedIssuers();
>     }
>
>     // A reload failure is reported as a CertificateException (carrying the
>     // original check failure in its message) so the caller never accepts a
>     // chain just because the trust store could not be re-read.
>     private void reloadOrFail(CertificateException cause) throws CertificateException {
>         try {
>             reloadTrustManager();
>         } catch (Exception e) {
>             if (logger.isErrorEnabled())
>             {
>                 logger.error("Reload of trust manager failed: " + e);
>             }
>             throw new CertificateException(
>                 "trust store reload failed after: " + cause.getMessage(), e);
>         }
>     }
>
>     private synchronized void reloadTrustManager()
>         throws IOException, java.security.GeneralSecurityException {
>
>         // load trust store from specified cert store (or default)
>         KeyStore key_store =
>             KeyStoreUtil.getKeyStore( keystore_location,
>                                       passphrase.toCharArray() );
>         if (key_store == null) {
>             // an uninitialized TrustManagerFactory would throw later anyway;
>             // report the real cause here
>             throw new KeyStoreException(
>                 "trust store " + keystore_location + " could not be loaded");
>         }
>
>         // initialize a new TMF with the trust store we just loaded
>         TrustManagerFactory tmf
>             = TrustManagerFactory.getInstance( "SunX509" );
>         tmf.init(key_store);
>
>         // acquire X509 trust manager from factory
>         for (TrustManager tm : tmf.getTrustManagers()) {
>             if (tm instanceof X509TrustManager) {
>                 trustManager = (X509TrustManager) tm;
>                 return;
>             }
>         }
>
>         throw new NoSuchAlgorithmException(
>             "No X509TrustManager in TrustManagerFactory");
>     }
> }
> }
> _______________________________________________
> jacorb-developer maillist - jacorb-developer at lists.spline.inf.fu-berlin.de
> https://lists.spline.inf.fu-berlin.de/mailman/listinfo/jacorb-developer
>
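An added, stand-alone example of the reload-on-failure idea from the quoted snippet, written for this page and not taken from JacORB or from the poster's code. It assumes Java 8 or later, a PKCS12/JKS trust store on disk whose path is given on the command line, and the passphrase in an environment variable named TRUSTSTORE_PASS (all of these are assumptions of the example). The two points it adds over the snippet are that a rejected chain is re-checked after the reload rather than silently accepted, and that the store is re-read only when its modification time has changed, so a peer presenting bad certificates cannot force a keystore parse on every handshake.

```java
import java.io.*;
import java.nio.file.*;
import java.nio.file.attribute.FileTime;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

/** Added example (not JacORB code): fail-closed, mtime-gated reloading X509TrustManager. */
public final class ReloadingTrustManager implements X509TrustManager {

    /** Functional interface that may throw the checked CertificateException. */
    private interface Check { void run(X509TrustManager tm) throws CertificateException; }

    private final Path trustStore;          // assumed: path supplied by the caller
    private final char[] passphrase;
    private final String storeType;
    private volatile X509TrustManager delegate;
    private volatile FileTime loadedAt;     // mtime of the file the delegate was built from

    public ReloadingTrustManager(Path trustStore, char[] passphrase, String storeType)
            throws IOException, GeneralSecurityException {
        this.trustStore = trustStore;
        this.passphrase = passphrase.clone();
        this.storeType = storeType;
        this.delegate = load();             // a broken store fails at startup, not mid-handshake
    }

    /** Reads the trust store from disk and builds the platform X509TrustManager over it. */
    private X509TrustManager load() throws IOException, GeneralSecurityException {
        FileTime mtime = Files.getLastModifiedTime(trustStore);
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, passphrase);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                loadedAt = mtime;
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    /** Reloads only if the file is newer than the copy in use; returns true if it was replaced. */
    private synchronized boolean reloadIfChanged() throws CertificateException {
        try {
            FileTime now = Files.getLastModifiedTime(trustStore);
            if (loadedAt != null && now.compareTo(loadedAt) <= 0) {
                return false;               // nothing new on disk
            }
            delegate = load();
            return true;
        } catch (IOException | GeneralSecurityException e) {
            // The previous delegate stays in place; the chain that triggered this is rejected.
            throw new CertificateException("trust store reload failed", e);
        }
    }

    /** First verdict; on rejection at most one reload, then a second and final verdict. */
    private void checkWithRetry(Check check) throws CertificateException {
        try {
            check.run(delegate);
        } catch (CertificateException first) {
            if (!reloadIfChanged()) {
                throw first;                // store unchanged: the original rejection stands
            }
            check.run(delegate);            // still untrusted: this throws, handshake fails
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        checkWithRetry(tm -> tm.checkClientTrusted(chain, authType));
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        checkWithRetry(tm -> tm.checkServerTrusted(chain, authType));
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate.getAcceptedIssuers();
    }

    /** Usage (assumed): TRUSTSTORE_PASS=... java ReloadingTrustManager /path/to/truststore.p12 */
    public static void main(String[] args) throws Exception {
        String pass = System.getenv("TRUSTSTORE_PASS");
        if (args.length != 1 || pass == null) {
            System.err.println("usage: TRUSTSTORE_PASS=... java ReloadingTrustManager <truststore>");
            System.exit(2);
        }
        ReloadingTrustManager tm = new ReloadingTrustManager(
                Paths.get(args[0]), pass.toCharArray(), KeyStore.getDefaultType());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { tm }, null);   // server key managers omitted here
        System.out.println(ctx.getProtocol() + " context with "
                + tm.getAcceptedIssuers().length + " trusted issuer(s)");
    }
}
```

The reload is synchronized and gated on the file's modification time, so concurrent handshakes that fail against a stale store trigger one re-read, not one per connection, and a store that fails to parse leaves the last good trust anchors in use while still rejecting the chain that prompted the reload. Replacing a trust store in place should be done with an atomic rename so a handshake never observes a half-written file.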