[jacorb-developer] SSLServerSocketFactory for reloading of trust keystore when certificate check failed
Radha
everrad at yahoo.co.in
Fri Sep 12 10:38:45 CEST 2014
Hi All,
Please review the code snippet from SSLServerSocketFactory.java below. I have implemented an X509TrustManager that reloads the trust keystore dynamically when a certificate check fails. Also, let me know the procedure for getting approval if I want to use the modified source code in my application.
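/**
 * Builds the TLS server socket factory from the configured key store.
 *
 * The key manager is loaded from keystore_location / keystore_passphrase; the
 * trust side is a ReloadableX509TrustManager over the same store, so that a
 * peer certificate added to the store after start-up can be picked up without
 * a restart.
 *
 * @return a ServerSocketFactory backed by a TLS SSLContext
 * @throws IOException if the key store cannot be read
 * @throws java.security.GeneralSecurityException if the key material, the
 *         trust manager or the SSLContext cannot be initialised
 */
private ServerSocketFactory createServerSocketFactory()
    throws IOException, java.security.GeneralSecurityException
{
    char[] passphrase = keystore_passphrase.toCharArray();
    KeyStore key_store;
    KeyManagerFactory kmf;
    try {
        key_store = KeyStoreUtil.getKeyStore(keystore_location, passphrase);
        kmf = KeyManagerFactory.getInstance("SunX509");
        kmf.init(key_store, passphrase);
    } finally {
        // Wipe our char[] copy; the original String keystore_passphrase
        // still lives in the enclosing object and is handed to the trust
        // manager below, so this only limits how many copies exist.
        java.util.Arrays.fill(passphrase, '\0');
    }

    TrustManager[] trustManagers;
    try {
        trustManagers = new TrustManager[] {
            new ReloadableX509TrustManager(keystore_location, keystore_passphrase)
        };
    } catch (Exception e) {
        if (logger.isErrorEnabled()) {
            logger.error("TrustManager object creation failed" + e);
        }
        // Fail closed. Leaving trustManagers null and continuing would make
        // SSLContext.init() fall back to the JVM default trust store, i.e.
        // the server would silently trust a completely different set of CAs.
        throw new java.security.GeneralSecurityException(
            "TrustManager object creation failed", e);
    }

    SSLContext ctx = SSLContext.getInstance("TLS");
    ctx.init(kmf.getKeyManagers(), trustManagers, getSecureRandom());
    return ctx.getServerSocketFactory();
}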
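/**
 * X509TrustManager that re-reads its trust store from disk when a certificate
 * check fails, then re-runs the check against the freshly loaded store.
 *
 * A failed check therefore gets exactly one retry against the current file
 * contents. If the certificate is still not trusted, or the store cannot be
 * reloaded, the CertificateException is propagated so the handshake is
 * rejected. NOTE(review): every rejected handshake costs one trust-store read;
 * an unauthenticated peer can force that repeatedly, so a minimum interval
 * between reloads may be wanted on a busy endpoint.
 */
class ReloadableX509TrustManager implements X509TrustManager {
    /**
     * Delegate built from the trust store on disk. volatile because a handshake
     * thread may replace it in reloadTrustManager() while other handshake
     * threads read it; each check reads the field once per use.
     */
    private volatile X509TrustManager trustManager;
    private final String keystore_location;
    private final String passphrase;

    /**
     * Loads the trust store at keystore_location once so the instance is
     * usable immediately.
     *
     * @param keystore_location path of the trust store handed to KeyStoreUtil
     * @param passphrase passphrase for that store
     * @throws Exception if the store cannot be loaded or contains no
     *         X509TrustManager
     */
    ReloadableX509TrustManager(String keystore_location, String passphrase)
        throws Exception
    {
        this.keystore_location = keystore_location;
        this.passphrase = passphrase;
        reloadTrustManager();
    }

    /**
     * Checks a client certificate chain; on failure reloads the trust store and
     * checks once more.
     *
     * @throws CertificateException if the chain is rejected by the reloaded
     *         store as well, or the store could not be reloaded
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
        throws CertificateException
    {
        try {
            trustManager.checkClientTrusted(chain, authType);
        } catch (CertificateException cx) {
            // Retry against the reloaded store; its own exception, if any,
            // is the one the handshake sees.
            reloadAfterFailure(cx).checkClientTrusted(chain, authType);
        }
    }

    /**
     * Checks a server certificate chain; on failure reloads the trust store and
     * checks once more.
     *
     * @throws CertificateException if the chain is rejected by the reloaded
     *         store as well, or the store could not be reloaded
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
        throws CertificateException
    {
        try {
            trustManager.checkServerTrusted(chain, authType);
        } catch (CertificateException cx) {
            reloadAfterFailure(cx).checkServerTrusted(chain, authType);
        }
    }

    /** Returns the accepted issuers of the currently loaded delegate. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return trustManager.getAcceptedIssuers();
    }

    /**
     * Reloads the trust store after a failed check.
     *
     * The original code swallowed the failure after reloading, which accepted
     * every certificate that had just been rejected. Here a reload problem
     * re-throws the original rejection instead, so nothing is trusted by
     * accident.
     *
     * @param original the rejection that triggered the reload
     * @return the freshly loaded delegate the caller must re-run its check on
     * @throws CertificateException the original rejection, when the reload fails
     */
    private X509TrustManager reloadAfterFailure(CertificateException original)
        throws CertificateException
    {
        try {
            reloadTrustManager();
        } catch (Exception e) {
            if (logger.isErrorEnabled()) {
                logger.error("Reload trust Manager failed" + e);
            }
            throw original;
        }
        return trustManager;
    }

    /**
     * Loads the trust store from keystore_location and replaces the delegate.
     *
     * The new delegate is built completely before the single volatile write
     * that publishes it, so concurrent checks see either the old or the new
     * delegate, never a half-initialised one.
     *
     * @throws Exception if the store is unavailable, cannot be loaded, or the
     *         factory yields no X509TrustManager
     */
    private void reloadTrustManager() throws Exception {
        KeyStore trustStore =
            KeyStoreUtil.getKeyStore(keystore_location, passphrase.toCharArray());
        if (trustStore == null) {
            // Refuse to continue rather than initialise the factory with null,
            // which would silently switch to the JVM default trust store.
            throw new java.security.KeyStoreException(
                "trust store could not be loaded from " + keystore_location);
        }

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(trustStore);

        for (TrustManager candidate : tmf.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                trustManager = (X509TrustManager) candidate;
                return;
            }
        }
        throw new NoSuchAlgorithmException(
            "No X509TrustManager in TrustManagerFactory");
    }
}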
}