[jacorb-developer] SSLServerSocketFactory for reloading of trust keystore when certificate check failed
Nick Cross
jacorb at goots.org
Tue Sep 16 17:39:19 CEST 2014
I have not examined your code snippet in detail as it is not in a format
that makes it easy to try against the current git head.
Have you got a successful communication using the SSL demo without any
changes using the current version / git head?
If you could try and supply a pull request or diff that would help.
Thanks
Nick
On 16/09/14 15:15, Radha wrote:
> Hi Nick,
>
> Attached code snippet in my previous mail doesn't throw the
> exception even there is a certificate mismatch. Although I don't have
> client key in my keystore, SSL communication is going successful. Any
> idea what could be missing?
>
> thanks,
> Radha.
>
>
> On Monday, 15 September 2014 9:42 PM, Nick Cross <jacorb at goots.org> wrote:
>
>
>
> Hi,
>
> Did you try the suggestions from Marcus?
>
> Regards
>
> Nick
>
>
> On 15/09/14 14:30, Radha wrote:
> > Hi Nick,
> >
> > Thanks for responding. Whenever the client certificate changes, I
> > want to keep the new key into keystore. Is there any way to make new
> > keys in the keystore effective without restarting the jacrob?
> >
> > Thanks,
> > Radha.
> >
> >
> > On Monday, 15 September 2014 2:13 AM, Nick Cross <jacorb at goots.org
> <mailto:jacorb at goots.org>> wrote:
> >
> >
> >
> > Could you supply it as a unified diff, ideally as a pull request in
> > github against git head. Instructions are here
> > https://github.com/JacORB/JacORB
> <https://github.com/JacORB/JacORB><https://github.com/JacORB/JacORB>and
> > http://www.jacorb.org/contrib.html
> >
> > Do you have any tests for this code please?
> >
> > Regards
> >
> > Nick
> >
> >
> > On 12/09/14 09:38, Radha wrote:
> > > Hi All,
> > >
> > > Please review the below code snippet of
> > SSLServerSocketFactory.java. Here, I have implemented X509TrustManager
> > for reloading of keys dynamically when certificate check failed. Also,
> > let me know the procedure for getting approval if I have to use the
> > modified source code in my application,
> > >
> > > private ServerSocketFactory createServerSocketFactory()
> > > throws IOException, java.security.GeneralSecurityException
> > > {
> > > KeyStore key_store =
> > > KeyStoreUtil.getKeyStore( keystore_location,
> > >
> > keystore_passphrase.toCharArray() );
> > >
> > > KeyManagerFactory kmf = KeyManagerFactory.getInstance(
> > "SunX509" );
> > > kmf.init( key_store, keystore_passphrase.toCharArray() );
> > >
> > > TrustManager[] trustManagers = null;
> > >
> > > try{
> > > trustManagers = new TrustManager[] { new
> > ReloadableX509TrustManager(keystore_location,keystore_passphrase) };
> > > }catch(Exception e){
> > > if (logger.isErrorEnabled())
> > > {
> > > logger.error("TrustManager object creation
> failed"+ e);
> > > }
> > > }
> > >
> > > SSLContext ctx = SSLContext.getInstance( "TLS" );
> > > ctx.init( kmf.getKeyManagers(),
> > > trustManagers,
> > > getSecureRandom());
> > >
> > > return ctx.getServerSocketFactory();
> > > }
> > > class ReloadableX509TrustManager implements X509TrustManager {
> > > private X509TrustManager trustManager;
> > > private final String keystore_location;
> > > private final String passphrase;
> > >
> > > ReloadableX509TrustManager(String keystore_location, String
> > passphrase) throws Exception {
> > > this.keystore_location = keystore_location;
> > > this.passphrase = passphrase;
> > > reloadTrustManager();
> > > }
> > >
> > >
> > > public void checkClientTrusted(X509Certificate[] chain,
> > > String authType) throws CertificateException {
> > >
> > > try{
> > > trustManager.checkClientTrusted(chain, authType);
> > > }catch (CertificateException cx) {
> > > try{
> > > reloadTrustManager();
> > > }catch(Exception e){
> > > if (logger.isErrorEnabled())
> > > {
> > > logger.error("Reload trust Manager failed"+ e);
> > > }
> > > }
> > > }
> > > }
> > >
> > >
> > > public void checkServerTrusted(X509Certificate[] chain,
> > > String authType) throws CertificateException {
> > > try {
> > > trustManager.checkServerTrusted(chain, authType);
> > > } catch (CertificateException cx) {
> > > try{
> > > reloadTrustManager();
> > > }catch(Exception e){
> > > if (logger.isErrorEnabled())
> > > {
> > > logger.error("Reload trust failed"+ e);
> > > }
> > > }
> > > }
> > > }
> > >
> > >
> > >
> > > public X509Certificate[] getAcceptedIssuers() {
> > > X509Certificate[] issuers
> > > = trustManager.getAcceptedIssuers();
> > > return issuers;
> > > }
> > >
> > > private void reloadTrustManager() throws Exception {
> > >
> > > // load keystore from specified cert store (or default)
> > > KeyStore key_store =
> > > KeyStoreUtil.getKeyStore( keystore_location,
> > > passphrase.toCharArray() );
> > >
> > > // initialize a new TMF with the ts we just loaded
> > >
> > > TrustManagerFactory tmf
> > > = TrustManagerFactory.getInstance(
> > > "SunX509");
> > > if (key_store != null) {
> > > tmf.init(key_store);
> > > }
> > >
> > > // acquire X509 trust manager from factory
> > > TrustManager tms[] = tmf.getTrustManagers();
> > > for (int i = 0; i < tms.length; i++) {
> > > if (tms[i] instanceof X509TrustManager) {
> > > trustManager = (X509TrustManager)tms[i];
> > > return;
> > > }
> > > }
> > >
> > > throw new NoSuchAlgorithmException(
> > > "No X509TrustManager in TrustManagerFactory");
> >
> > > }
> > > }
> > > }
> > > _______________________________________________
> > > jacorb-developer maillist -
> > jacorb-developer at lists.spline.inf.fu-berlin.de
> <mailto:jacorb-developer at lists.spline.inf.fu-berlin.de>
> > <mailto:jacorb-developer at lists.spline.inf.fu-berlin.de
> <mailto:jacorb-developer at lists.spline.inf.fu-berlin.de>>
>
> > >
> https://lists.spline.inf.fu-berlin.de/mailman/listinfo/jacorb-developer
> >
> > >
> >
> >
> >
>
>
>
More information about the jacorb-developer
mailing list