stackoom
  简体   繁体   中英

Setting the default Java SSLContext from a resource at runtime

 原文  2012-01-06 21:37:42       java/ ssl/ jax-ws/ keystore

Question

The basic components of my question are (context follows code snippet)

  1. Is the following code a valid alternative to setting the default Java keystore via the -Djavax.net.ssl.keystore?
  2. What impact, other than changing the default key and trust managers, might this code have on the behavior of SSL within the affected JVM

  3. Is there a better alternative to setting the default trust/key stores, at run-time, from a resource? 

     KeyStore ks = KeyStore.getInstance("JKS"); ks.load(testService.class.getClassLoader().getResourceAsStream("resources/.keystore"), "changeit".toCharArray()); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(ks); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(ks, "changeit".toCharArray()); SSLContext ctx = SSLContext.getInstance("TLS"); ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); SSLContext.setDefault(ctx);

The context surrounding this question is as follows. I am currently developing a CXF client for a web service with mutual certificate authentication. For various reasons, adding the client certificate and key to the default keystore is not a desirable option. Ideally, I was looking for a way include a keystore as a resource file in the JAR, and set it as the default at run-time, as the need arose. I also wanted to avoid configuring each client and/or connection on a per-object basis, and also support the operation of things such as JaxWsDynamicClientFactory (mostly for the sake of "completeness").

I scoured the internet and SO for relevant material and found these ( one , two ) related questions, but none of the solutions offered were exactly what I was looking for (although I did use them as a springboard to develop the code above).

Now, I realize that other solutions could be made to work, but I was/am specifically looking for a solution that would meet all of these requirements.

1 answers

solution1
 5 ACCPTED  2012-01-06 22:13:45

Your code will use the same keystore (loaded from the classloader) as the default key store and the default trust store. That's effectively equivalent to setting both -Djavax.net.ssl.keystore* and -Djavax.net.ssl.truststore* with the same value.

This is fine if that's what you want to do. (You may want to close the InputStream once you've loaded the keystore, though.)

This will affect the entire JVM, and everything that uses SSLContext.getDefault() , in particular everything that relies on the default SSLSocketFactory ( URLConnection and so on).

Since this will be your default trust store, the default trusted CA certificates from the major CAs won't be in your trust store unless you've also explicitly imported them into the copy you load from the classloader.

Presumably, you won't have a large number of new CA (or self-signed) certificates to trust. It might be more convenient to keep the keystore and truststore separated, since your truststore might be common to most of your clients, and it would usually just be a one-off configuration step at the beginning.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Conversion of SSLContext from Java to Kotlin Get SSLContext for default system truststore in Java(JSEE) Java use SSLContext for HttpsURLConnection Extract certificate from SSLContext setting java 18 on my iMac as default version from java 8 Setting the default java compiler Java - Reflection setting value at runtime resource path setting java jar Replace SSLContext default with own implementation and trust manger How do I set up a SSLContext using certificate from Azure KeyVault in Java
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM