[jacorb-developer] SSLServerSocketFactory for reloading of trust keystore when certificate check failed

Mon Sep 15 15:30:26 CEST 2014

Hi Nick,

    Thanks for responding.  Whenever the client certificate changes, I want to keep the new key into keystore. Is there any way to make new keys in the keystore effective without restarting the jacrob?

Thanks,
Radha.

On Monday, 15 September 2014 2:13 AM, Nick Cross <jacorb at goots.org> wrote:

Could you supply it as a unified diff, ideally as a pull request in 
github against git head. Instructions are here 
https://github.com/JacORB/JacORB and http://www.jacorb.org/contrib.html

Do you have any tests for this code please?

Regards

Nick

On 12/09/14 09:38, Radha wrote:
> Hi All,
>
>       Please review the below code snippet of SSLServerSocketFactory.java. Here, I have implemented X509TrustManager for reloading of keys dynamically when certificate check failed. Also, let me know the procedure for getting approval if I have to use the modified source code in my application,
>
>    private ServerSocketFactory createServerSocketFactory()
>          throws IOException, java.security.GeneralSecurityException
>      {
>          KeyStore key_store =
>              KeyStoreUtil.getKeyStore( keystore_location,
>                                        keystore_passphrase.toCharArray() );
>
>          KeyManagerFactory kmf = KeyManagerFactory.getInstance( "SunX509" );
>          kmf.init( key_store, keystore_passphrase.toCharArray() );
>
>          TrustManager[] trustManagers = null;
>
>         try{
>          trustManagers = new TrustManager[] { new ReloadableX509TrustManager(keystore_location,keystore_passphrase) };
>          }catch(Exception e){
>           if (logger.isErrorEnabled())
>               {
>                   logger.error("TrustManager object creation failed"+ e);
>               }
>          }
>
>          SSLContext ctx = SSLContext.getInstance( "TLS" );
>          ctx.init( kmf.getKeyManagers(),
>                    trustManagers,
>                    getSecureRandom());
>
>          return ctx.getServerSocketFactory();
>      }
>      class ReloadableX509TrustManager implements X509TrustManager {
>      private X509TrustManager trustManager;
>      private final String keystore_location;
>      private final String passphrase;
>
>      ReloadableX509TrustManager(String keystore_location, String passphrase) throws Exception {
>      this.keystore_location = keystore_location;
>      this.passphrase = passphrase;
>      reloadTrustManager();
>      }
>
>
>      public void checkClientTrusted(X509Certificate[] chain,
>      String authType) throws CertificateException {
>
>      try{
>      trustManager.checkClientTrusted(chain, authType);
>      }catch (CertificateException cx) {
>      try{
>      reloadTrustManager();
>      }catch(Exception e){
>       if (logger.isErrorEnabled())
>                   {
>                       logger.error("Reload trust Manager failed"+ e);
>                   }
>      }
>           }
>        }
>
>
>      public void checkServerTrusted(X509Certificate[] chain,
>      String authType) throws CertificateException {
>      try {
>      trustManager.checkServerTrusted(chain, authType);
>      } catch (CertificateException cx) {
>      try{
>      reloadTrustManager();
>      }catch(Exception e){
>       if (logger.isErrorEnabled())
>                   {
>                       logger.error("Reload trust failed"+ e);
>                   }
>      }
>      }
>      }
>
>
>
>      public X509Certificate[] getAcceptedIssuers() {
>      X509Certificate[] issuers
>      = trustManager.getAcceptedIssuers();
>      return issuers;
>      }
>
>      private void reloadTrustManager() throws Exception {
>
>      // load keystore from specified cert store (or default)
>       KeyStore key_store =
>                   KeyStoreUtil.getKeyStore( keystore_location,
>                                             passphrase.toCharArray() );
>
>      // initialize a new TMF with the ts we just loaded
>
>      TrustManagerFactory tmf
>      = TrustManagerFactory.getInstance(
>          "SunX509");
>       if (key_store != null)  {
>       tmf.init(key_store);
>        }
>
>      // acquire X509 trust manager from factory
>      TrustManager tms[] = tmf.getTrustManagers();
>      for (int i = 0; i < tms.length; i++) {
>      if (tms[i] instanceof X509TrustManager) {
>      trustManager = (X509TrustManager)tms[i];
>      return;
>      }
>             }
>
>      throw new NoSuchAlgorithmException(
>      "No X509TrustManager in TrustManagerFactory");
>           }
>      }
> }
> _______________________________________________
> jacorb-developer maillist  -  jacorb-developer at lists.spline.inf.fu-berlin.de
> https://lists.spline.inf.fu-berlin.de/mailman/listinfo/jacorb-developer

>