Implementing X509TrustManager - passing on part of the verification to existing verifier
I need to ignore the PKIX path building exception
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed:
-
Instead of implementing
X509TrustManagerto trust any certificate, you can create a trust manager from the specific certificate in question. Load the certificate from a.p12or.jkskeystore or from a.crt-file (you can copy a certificate from the browser into a file, in Chrome by clicking the padlock and selecting Certificate). The code is shorter than implementing your ownX509TrustManager:private static SSLSocketFactory createSSLSocketFactory(File crtFile) throws GeneralSecurityException, IOException { SSLContext sslContext = SSLContext.getInstance("SSL"); // Create a new trust store, use getDefaultType for .jks files or "pkcs12" for .p12 files KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); // You can supply a FileInputStream to a .jks or .p12 file and the keystore password as an alternative to loading the crt file trustStore.load(null, null); // Read the certificate from disk X509Certificate result; try (InputStream input = new FileInputStream(crtFile)) { result = (X509Certificate) CertificateFactory.getInstance("X509").generateCertificate(input); } // Add it to the trust store trustStore.setCertificateEntry(crtFile.getName(), result); // Convert the trust store to trust managers TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(trustStore); TrustManager[] trustManagers = tmf.getTrustManagers(); sslContext.init(null, trustManagers, null); return sslContext.getSocketFactory(); }You can use it by calling
HttpsURLConnection.setSSLSocketFactory(createSSLSocketFactory(crtFile))(you probably want to initialize the socket factory once and reuse it, though).讨论(0) -
You can get hold of the existing default trust manager and wrap it in your own using something like this:
TrustManagerFactory tmf = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); // Using null here initialises the TMF with the default trust store. tmf.init((KeyStore) null); // Get hold of the default trust manager X509TrustManager x509Tm = null; for (TrustManager tm : tmf.getTrustManagers()) { if (tm instanceof X509TrustManager) { x509Tm = (X509TrustManager) tm; break; } } // Wrap it in your own class. final X509TrustManager finalTm = x509Tm; X509TrustManager customTm = new X509TrustManager() { @Override public X509Certificate[] getAcceptedIssuers() { return finalTm.getAcceptedIssuers(); } @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { finalTm.checkServerTrusted(chain, authType); } @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { finalTm.checkClientTrusted(chain, authType); } }; SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(null, new TrustManager[] { customTm }, null); // You don't have to set this as the default context, // it depends on the library you're using. SSLContext.setDefault(sslContext);You can then implement your own logic around
finalTm.checkServerTrusted(chain, authType);.However, you should make sure you're making an exception for the specific certificate you want to ignore.
What you're doing in the following is letting through any certificate with these Issuer DN and Subject DN (which isn't difficult to forge):
if(chain[0].getIssuerDN().getName().equals("MyTrustedServer") && chain[0].getSubjectDN().getName().equals("MyTrustedServer")) return true;You could instead load the
X509Certificateinstance from a known reference and compare the actual value in the chain.In addition,
checkClientTrustedandcheckServerTrustedare not methods that returntrueorfalse, butvoidmethods that will succeed silently by default. If there's something wrong with the certificate you expect, throw aCertificateExceptionexplicitly.讨论(0)
加载中...
- 热议问题