[jacorb-developer] SSLServerSocketFactory for reloading of trust keystore when certificate check failed

Radha everrad at yahoo.co.in
Tue Sep 16 16:15:33 CEST 2014


Hi Nick,

     The code snippet attached in my previous mail doesn't throw the exception even when there is a certificate mismatch. Although I don't have the client key in my keystore, the SSL communication succeeds. Any idea what could be missing?

thanks,
Radha.


On Monday, 15 September 2014 9:42 PM, Nick Cross <jacorb at goots.org> wrote:
 



Hi,

Did you try the suggestions from Marcus?

Regards

Nick


On 15/09/14 14:30, Radha wrote:
> Hi Nick,
>
>      Thanks for responding.  Whenever the client certificate changes, I
> want to put the new key into the keystore. Is there any way to make new
> keys in the keystore effective without restarting JacORB?
>
> Thanks,
> Radha.
>
>
> On Monday, 15 September 2014 2:13 AM, Nick Cross <jacorb at goots.org> wrote:
>
>
>
> Could you supply it as a unified diff, ideally as a pull request in
> github against git head. Instructions are here
> https://github.com/JacORB/JacORB and
> http://www.jacorb.org/contrib.html
>
> Do you have any tests for this code please?
>
> Regards
>
> Nick
>
>
> On 12/09/14 09:38, Radha wrote:
>  > Hi All,
>  >
>  >      Please review the below code snippet of
>  > SSLServerSocketFactory.java. Here, I have implemented X509TrustManager
>  > for reloading of keys dynamically when the certificate check fails. Also,
>  > let me know the procedure for getting approval if I have to use the
>  > modified source code in my application.
>  >
>  >     private ServerSocketFactory createServerSocketFactory()
>  >         throws IOException, java.security.GeneralSecurityException
>  >     {
>  >         KeyStore key_store =
>  >             KeyStoreUtil.getKeyStore( keystore_location,
>  >                                       keystore_passphrase.toCharArray() );
>  >
>  >         KeyManagerFactory kmf = KeyManagerFactory.getInstance( "SunX509" );
>  >         kmf.init( key_store, keystore_passphrase.toCharArray() );
>  >
>  >         TrustManager[] trustManagers = null;
>  >
>  >         try {
>  >             trustManagers = new TrustManager[] {
>  >                 new ReloadableX509TrustManager(keystore_location, keystore_passphrase) };
>  >         } catch (Exception e) {
>  >             if (logger.isErrorEnabled())
>  >             {
>  >                 logger.error("TrustManager object creation failed" + e);
>  >             }
>  >         }
>  >
>  >         SSLContext ctx = SSLContext.getInstance( "TLS" );
>  >         ctx.init( kmf.getKeyManagers(),
>  >                   trustManagers,
>  >                   getSecureRandom());
>  >
>  >         return ctx.getServerSocketFactory();
>  >     }
>  >
>  >     class ReloadableX509TrustManager implements X509TrustManager {
>  >         private X509TrustManager trustManager;
>  >         private final String keystore_location;
>  >         private final String passphrase;
>  >
>  >         ReloadableX509TrustManager(String keystore_location, String passphrase)
>  >             throws Exception {
>  >             this.keystore_location = keystore_location;
>  >             this.passphrase = passphrase;
>  >             reloadTrustManager();
>  >         }
>  >
>  >         public void checkClientTrusted(X509Certificate[] chain, String authType)
>  >             throws CertificateException {
>  >             try {
>  >                 trustManager.checkClientTrusted(chain, authType);
>  >             } catch (CertificateException cx) {
>  >                 try {
>  >                     reloadTrustManager();
>  >                 } catch (Exception e) {
>  >                     if (logger.isErrorEnabled())
>  >                     {
>  >                         logger.error("Reload trust Manager failed" + e);
>  >                     }
>  >                 }
>  >             }
>  >         }
>  >
>  >         public void checkServerTrusted(X509Certificate[] chain, String authType)
>  >             throws CertificateException {
>  >             try {
>  >                 trustManager.checkServerTrusted(chain, authType);
>  >             } catch (CertificateException cx) {
>  >                 try {
>  >                     reloadTrustManager();
>  >                 } catch (Exception e) {
>  >                     if (logger.isErrorEnabled())
>  >                     {
>  >                         logger.error("Reload trust failed" + e);
>  >                     }
>  >                 }
>  >             }
>  >         }
>  >
>  >         public X509Certificate[] getAcceptedIssuers() {
>  >             X509Certificate[] issuers = trustManager.getAcceptedIssuers();
>  >             return issuers;
>  >         }
>  >
>  >         private void reloadTrustManager() throws Exception {
>  >
>  >             // load keystore from specified cert store (or default)
>  >             KeyStore key_store =
>  >                 KeyStoreUtil.getKeyStore( keystore_location,
>  >                                           passphrase.toCharArray() );
>  >
>  >             // initialize a new TMF with the ts we just loaded
>  >             TrustManagerFactory tmf = TrustManagerFactory.getInstance( "SunX509" );
>  >             if (key_store != null) {
>  >                 tmf.init(key_store);
>  >             }
>  >
>  >             // acquire X509 trust manager from factory
>  >             TrustManager tms[] = tmf.getTrustManagers();
>  >             for (int i = 0; i < tms.length; i++) {
>  >                 if (tms[i] instanceof X509TrustManager) {
>  >                     trustManager = (X509TrustManager)tms[i];
>  >                     return;
>  >                 }
>  >             }
>  >
>  >             throw new NoSuchAlgorithmException(
>  >                 "No X509TrustManager in TrustManagerFactory");
>  >         }
>  >     }
>  > }

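The behaviour Radha reports (no exception on a certificate mismatch) follows from the catch blocks in the quoted trust manager: they reload the trust store but never rethrow the CertificateException, so the handshake continues with any client chain. The reload-then-retry variant below is an added example, not code from this thread or from JacORB; it keeps the dynamic reload but lets a still-untrusted chain fail the handshake, and it assumes a plain JKS/PKCS12 file path (hypothetical `trustStorePath`) instead of JacORB's KeyStoreUtil:

```java
import java.io.*;
import java.security.*;
import java.security.cert.*;
import javax.net.ssl.*;

public class RetryingReloadableTrustManager implements X509TrustManager {
    private volatile X509TrustManager delegate;
    private final String trustStorePath; // assumed: path of a JKS/PKCS12 trust store file
    private final char[] passphrase;
    public RetryingReloadableTrustManager(String trustStorePath, char[] passphrase)
            throws IOException, GeneralSecurityException {
        this.trustStorePath = trustStorePath;
        this.passphrase = passphrase;
        this.delegate = load();
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        try {
            delegate.checkClientTrusted(chain, authType);
        } catch (CertificateException first) {
            try {
                delegate = load(); // the store on disk may now hold the client's new certificate
            } catch (IOException | GeneralSecurityException e) {
                first.addSuppressed(e);
                throw first; // reload failed: report the original failure, never accept silently
            }
            delegate.checkClientTrusted(chain, authType); // still untrusted: exception propagates
        }
    }
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate.checkServerTrusted(chain, authType);
    }
    @Override
    public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    private X509TrustManager load() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(trustStorePath)) { ks.load(in, passphrase); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new GeneralSecurityException("No X509TrustManager in factory");
    }
}
```

The second checkClientTrusted call after the reload is what makes a genuine mismatch visible to the SSL engine; the same retry pattern can be applied to checkServerTrusted if the server side also needs hot reload.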
