Listing certificates in JVM trust store

没有蜡笔的小新 2021-01-19 01:15

I've defined a custom truststore via system properties:

System.setProperty("javax.net.ssl.trustStore", ...);
System.setProperty("javax.net.ssl.trustStore

1 answer
  •  南笙 (original poster)
    2021-01-19 01:47

    When they're used, JSSE uses these settings to build its default X509TrustManager (overriding the JRE default). However, there's nothing in the JSSE API to gain access to the keystore with which the default trust manager was built since, in the JSSE architecture, the default trust manager need not be built from a keystore in principle.

    If you want to read the content of the trust store passed via the javax.net.ssl.trustStore* properties, you will have to open the file yourself.

    The closest thing you can get hold of will be the default X509TrustManager using the default TrustManagerFactory.

    EDIT:

    For more details, you can look at the implementation in the OpenJDK.

    The logic in sun.security.ssl.DefaultSSLContextImpl (not part of the public API) is to initialise the TrustManagerFactory with a KeyStore obtained from the TrustManagerFactoryImpl (which is not part of the public API either):

    KeyStore ks = TrustManagerFactoryImpl.getCacertsKeyStore("defaultctx");
    TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(ks);
    

    This is consistent with the behaviour of TrustManagerFactory with tmf.init(null). This would also have relied on the default keystore, but that's documented in the public API. Indeed, the implementation (with tmf.init(null)) ends up doing the same, as shown in TrustManagerFactoryImpl (engineInit also calls getCacertsKeyStore when the keystore parameter is null).

    In both cases, the KeyStore variable is not stored in a class member; it's just a local variable that is not accessible after using these initialisation methods.

    The resulting X509TrustManagerImpl does indeed contain the list of trusted certificates, but (a) trustedCerts is a private member and (b) none of this is part of the public API of the JSSE.

    EDIT 2:

    If you want something that is likely to work most of the time, but is not guaranteed to work, this answer should help. Be aware that the default trust store isn't necessarily cacerts.

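The two routes the answer describes, as an added example that is not code from the answerer or from the OpenJDK: route 1 stays inside the public JSSE API (the default TrustManagerFactory initialised with a null KeyStore, then X509TrustManager.getAcceptedIssuers()), route 2 opens the trust store file yourself. The class name ListTrustedCerts, the helper resolveTrustStorePath and the fallback order jssecacerts then cacerts under ${java.home}/lib/security are this example's assumptions about how the defaults are resolved; the special property value "NONE" (hardware-token trust stores) is deliberately not handled.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example: enumerate the certificates the JVM will trust by default. */
public class ListTrustedCerts {

    /**
     * Route 1, public API only. tmf.init((KeyStore) null) tells the default
     * factory to use the javax.net.ssl.trustStore* properties or, failing those,
     * the JRE's own trust store. getAcceptedIssuers() exposes the trusted CAs
     * without touching the private trustedCerts member mentioned in the answer.
     */
    public static List<X509Certificate> fromDefaultTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        List<X509Certificate> certs = new ArrayList<>();
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate c : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    certs.add(c);
                }
            }
        }
        return certs;
    }

    /**
     * Route 2, open the file yourself. Honours trustStoreType and
     * trustStorePassword; a null password is legal for KeyStore.load() and only
     * skips the integrity check. Assumption: KeyStore.getDefaultType() opens both
     * JKS and PKCS12 files, which holds on JDK 8u+ with the default
     * keystore.type.compat=true security property.
     */
    public static List<X509Certificate> fromTrustStoreFile() throws IOException, GeneralSecurityException {
        Path path = resolveTrustStorePath();
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, pw == null ? null : pw.toCharArray());
        }
        List<X509Certificate> certs = new ArrayList<>();
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // Only trusted-certificate entries count; key entries are not trust anchors.
            if (ks.isCertificateEntry(alias)) {
                certs.add((X509Certificate) ks.getCertificate(alias));
            }
        }
        return certs;
    }

    /** Hypothetical helper: mirror the default lookup order (property, jssecacerts, cacerts). */
    static Path resolveTrustStorePath() throws IOException {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return Paths.get(prop);
        }
        Path securityDir = Paths.get(System.getProperty("java.home"), "lib", "security");
        for (String name : new String[] {"jssecacerts", "cacerts"}) {
            Path candidate = securityDir.resolve(name);
            if (Files.isRegularFile(candidate)) {
                return candidate;
            }
        }
        throw new IOException("no default trust store found under " + securityDir);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("== via the default X509TrustManager ==");
        for (X509Certificate c : fromDefaultTrustManager()) {
            System.out.println(c.getSubjectX500Principal() + "  (expires " + c.getNotAfter() + ")");
        }
        System.out.println("== via the trust store file ==");
        for (X509Certificate c : fromTrustStoreFile()) {
            System.out.println(c.getSubjectX500Principal() + "  (expires " + c.getNotAfter() + ")");
        }
    }
}
```

Run it with and without -Djavax.net.ssl.trustStore=/path/to/store to see the two listings agree; where they differ, the default trust manager was not built from the file you think it was, which is exactly the caveat in EDIT 2. Route 1 is the one to prefer in production code, since it tracks whatever the JSSE provider actually trusts rather than a file you guessed at.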