[jacorb-developer] SSLServerSocketFactory for reloading of trust keystore when certificate check failed
Radha
everrad at yahoo.co.in
Tue Sep 16 16:15:33 CEST 2014
Hi Nick,
Attached code snippet in my previous mail doesn't throw the exception even there is a certificate mismatch. Although I don't have client key in my keystore, SSL communication is going successful. Any idea what could be missing?
thanks,
Radha.
On Monday, 15 September 2014 9:42 PM, Nick Cross <jacorb at goots.org> wrote:
Hi,
Did you try the suggestions from Marcus?
Regards
Nick
On 15/09/14 14:30, Radha wrote:
> Hi Nick,
>
> Thanks for responding. Whenever the client certificate changes, I
> want to keep the new key into keystore. Is there any way to make new
> keys in the keystore effective without restarting the jacrob?
>
> Thanks,
> Radha.
>
>
> On Monday, 15 September 2014 2:13 AM, Nick Cross <jacorb at goots.org> wrote:
>
>
>
> Could you supply it as a unified diff, ideally as a pull request in
> github against git head. Instructions are here
> https://github.com/JacORB/JacORB <https://github.com/JacORB/JacORB>and
> http://www.jacorb.org/contrib.html
>
> Do you have any tests for this code please?
>
> Regards
>
> Nick
>
>
> On 12/09/14 09:38, Radha wrote:
> > Hi All,
> >
> > Please review the below code snippet of
> SSLServerSocketFactory.java. Here, I have implemented X509TrustManager
> for reloading of keys dynamically when certificate check failed. Also,
> let me know the procedure for getting approval if I have to use the
> modified source code in my application,
> >
> > private ServerSocketFactory createServerSocketFactory()
> > throws IOException, java.security.GeneralSecurityException
> > {
> > KeyStore key_store =
> > KeyStoreUtil.getKeyStore( keystore_location,
> >
> keystore_passphrase.toCharArray() );
> >
> > KeyManagerFactory kmf = KeyManagerFactory.getInstance(
> "SunX509" );
> > kmf.init( key_store, keystore_passphrase.toCharArray() );
> >
> > TrustManager[] trustManagers = null;
> >
> > try{
> > trustManagers = new TrustManager[] { new
> ReloadableX509TrustManager(keystore_location,keystore_passphrase) };
> > }catch(Exception e){
> > if (logger.isErrorEnabled())
> > {
> > logger.error("TrustManager object creation failed"+ e);
> > }
> > }
> >
> > SSLContext ctx = SSLContext.getInstance( "TLS" );
> > ctx.init( kmf.getKeyManagers(),
> > trustManagers,
> > getSecureRandom());
> >
> > return ctx.getServerSocketFactory();
> > }
> > class ReloadableX509TrustManager implements X509TrustManager {
> > private X509TrustManager trustManager;
> > private final String keystore_location;
> > private final String passphrase;
> >
> > ReloadableX509TrustManager(String keystore_location, String
> passphrase) throws Exception {
> > this.keystore_location = keystore_location;
> > this.passphrase = passphrase;
> > reloadTrustManager();
> > }
> >
> >
> > public void checkClientTrusted(X509Certificate[] chain,
> > String authType) throws CertificateException {
> >
> > try{
> > trustManager.checkClientTrusted(chain, authType);
> > }catch (CertificateException cx) {
> > try{
> > reloadTrustManager();
> > }catch(Exception e){
> > if (logger.isErrorEnabled())
> > {
> > logger.error("Reload trust Manager failed"+ e);
> > }
> > }
> > }
> > }
> >
> >
> > public void checkServerTrusted(X509Certificate[] chain,
> > String authType) throws CertificateException {
> > try {
> > trustManager.checkServerTrusted(chain, authType);
> > } catch (CertificateException cx) {
> > try{
> > reloadTrustManager();
> > }catch(Exception e){
> > if (logger.isErrorEnabled())
> > {
> > logger.error("Reload trust failed"+ e);
> > }
> > }
> > }
> > }
> >
> >
> >
> > public X509Certificate[] getAcceptedIssuers() {
> > X509Certificate[] issuers
> > = trustManager.getAcceptedIssuers();
> > return issuers;
> > }
> >
> > private void reloadTrustManager() throws Exception {
> >
> > // load keystore from specified cert store (or default)
> > KeyStore key_store =
> > KeyStoreUtil.getKeyStore( keystore_location,
> > passphrase.toCharArray() );
> >
> > // initialize a new TMF with the ts we just loaded
> >
> > TrustManagerFactory tmf
> > = TrustManagerFactory.getInstance(
> > "SunX509");
> > if (key_store != null) {
> > tmf.init(key_store);
> > }
> >
> > // acquire X509 trust manager from factory
> > TrustManager tms[] = tmf.getTrustManagers();
> > for (int i = 0; i < tms.length; i++) {
> > if (tms[i] instanceof X509TrustManager) {
> > trustManager = (X509TrustManager)tms[i];
> > return;
> > }
> > }
> >
> > throw new NoSuchAlgorithmException(
> > "No X509TrustManager in TrustManagerFactory");
>
> > }
> > }
> > }
> > _______________________________________________
> > jacorb-developer maillist -
> jacorb-developer at lists.spline.inf.fu-berlin.de
> <mailto:jacorb-developer at lists.spline.inf.fu-berlin.de>
> > https://lists.spline.inf.fu-berlin.de/mailman/listinfo/jacorb-developer
>
> >
>
>
>
More information about the jacorb-developer
mailing list