Java SSL connect, add server cert to keystore programmatically

by

You could implement this using a X509TrustManager.

Obtain an SSLContext with 

SSLContext ctx = SSLContext.getInstance("TLS");

Then initialize it with your custom X509TrustManager by using SSLContext#init. The SecureRandom and the KeyManager[] may be null. The latter is only useful if you perform client authentication, if in your scenario only the server needs to authenticate you don’t need to set it.

From this SSLContext, get your SSLSocketFactory using SSLContext#getSocketFactory and proceed as planned.

As concerns your X509TrustManager implementation, it could look like this:

TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] chain,
                    String authType)
                    throws CertificateException {
        //do nothing, you're the client
    }

    public X509Certificate[] getAcceptedIssuers() {
        //also only relevant for servers
    }

    public void checkServerTrusted(X509Certificate[] chain,
                    String authType)
                    throws CertificateException {
        /* chain[chain.length -1] is the candidate for the
         * root certificate. 
         * Look it up to see whether it's in your list.
         * If not, ask the user for permission to add it.
         * If not granted, reject.
         * Validate the chain using CertPathValidator and 
         * your list of trusted roots.
         */
    }
};

Edit:

Ryan was right, I forgot to explain how to add the new root to the existing ones. Let’s assume your current KeyStore of trusted roots was derived from cacerts (the ‘Java default trust store’ that comes with your JDK, located under jre/lib/security). I assume you loaded that key store (it’s in JKS format) with KeyStore#load(InputStream, char[]). 

KeyStore ks = KeyStore.getInstance("JKS");
FileInputStream in = new FileInputStream("<path to cacerts"");
ks.load(in, "changeit".toCharArray);

The default password to cacerts is “changeit” if you haven’t, well, changed it.

Then you may add addtional trusted roots using KeyStore#setEntry. You can omit the ProtectionParameter (i.e. null), the KeyStore.Entry would be a TrustedCertificateEntry that takes the new root as parameter to its constructor. 

KeyStore.Entry newEntry = new KeyStore.TrustedCertificateEntry(newRoot);
ks.setEntry("someAlias", newEntry, null);

If you’d like to persist the altered trust store at some point, you may achieve this with KeyStore#store(OutputStream, char[].

More Related Contents:

  1. Trusting all certificates using HttpClient over HTTPS
  2. Https Connection Android
  3. How to import an existing X.509 certificate and private key in Java keystore to use in SSL?
  4. Which Cipher Suites to enable for SSL Socket?
  5. How to fix the “java.security.cert.CertificateException: No subject alternative names present” error?
  6. How to handle invalid SSL certificates with Apache HttpClient? [duplicate]
  7. Ignoring SSL certificate in Apache HttpClient 4.3
  8. How to create a BKS (BouncyCastle) format Java Keystore that contains a client certificate chain
  9. Registering multiple keystores in JVM [duplicate]
  10. java – path to trustStore – set property doesn’t work?
  11. SSL peer shut down incorrectly in Java
  12. How to ignore PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException?
  13. Simple Java HTTPS server
  14. SSLHandshakeException: No subject alternative names present
  15. Disable SSL certificate check in retrofit library
  16. Is it possible to get Java to ignore the “trust store” and just accept whatever SSL certificate it gets?
  17. Is it possible to change plain socket to SSLSocket?
  18. Java: Overriding function to disable SSL certificate check
  19. CertificateException: No name matching ssl.someUrl.de found
  20. Apache HTTPClient SSLPeerUnverifiedException
  21. PKIX path building failed in Java application
  22. Enabling specific SSL protocols with Android WebViewClient
  23. How to override the cipherlist sent to the server by Android when using HttpsURLConnection?
  24. Generate certificates, public and private keys with Java [closed]
  25. javax.net.ssl.SSLException: SSL handshake aborted Connection reset by peer while calling webservice Android
  26. SSLContext initialization
  27. How to make Java 6, which fails SSL connection with “SSL peer shut down incorrectly”, succeed like Java 7?
  28. SNI client-side mystery using Java8
  29. Ignore self-signed ssl cert using Jersey Client [duplicate]
  30. Java HttpsURLConnection and TLS 1.2

Leave a Comment