Registering Multiple Keystores in Jvm

Registering multiple keystores in JVM

After playing with the code I have received from ZZ Coder, sylvarking and Software Monkey, I have found a solution that works:

First, I wrote a X509KeyManager that works combines a custom keystore and a default keystore.

class MultiKeyStoreManager implements X509KeyManager {
private static final Logger logger = Logger.getLogger(MultiKeyStoreManager.class);
private final X509KeyManager jvmKeyManager;
private final X509KeyManager customKeyManager;

public MultiKeyStoreManager(X509KeyManager jvmKeyManager, X509KeyManager customKeyManager ) {
this.jvmKeyManager = jvmKeyManager;
this.customKeyManager = customKeyManager;
}

@Override
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
// try the first key manager
String alias = customKeyManager.chooseClientAlias(keyType, issuers, socket);
if( alias == null ) {
alias = jvmKeyManager.chooseClientAlias(keyType, issuers, socket);
logger.warn("Reverting to JVM CLIENT alias : " + alias);
}

return alias;

}

@Override
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
// try the first key manager
String alias = customKeyManager.chooseServerAlias(keyType, issuers, socket);
if( alias == null ) {
alias = jvmKeyManager.chooseServerAlias(keyType, issuers, socket);
logger.warn("Reverting to JVM Server alias : " + alias);
}
return alias;
}

@Override
public X509Certificate[] getCertificateChain(String alias) {
X509Certificate[] chain = customKeyManager.getCertificateChain(alias);
if( chain == null || chain.length == 0) {
logger.warn("Reverting to JVM Chain : " + alias);
return jvmKeyManager.getCertificateChain(alias);
} else {
return chain;
}
}

@Override
public String[] getClientAliases(String keyType, Principal[] issuers) {
String[] cAliases = customKeyManager.getClientAliases(keyType, issuers);
String[] jAliases = jvmKeyManager.getClientAliases(keyType, issuers);
logger.warn("Supported Client Aliases Custom: " + cAliases.length + " JVM : " + jAliases.length);
return ArrayUtils.join(cAliases,jAliases);
}

@Override
public PrivateKey getPrivateKey(String alias) {
PrivateKey key = customKeyManager.getPrivateKey(alias);
if( key == null ) {
logger.warn("Reverting to JVM Key : " + alias);
return jvmKeyManager.getPrivateKey(alias);
} else {
return key;
}
}

@Override
public String[] getServerAliases(String keyType, Principal[] issuers) {
String[] cAliases = customKeyManager.getServerAliases(keyType, issuers);
String[] jAliases = jvmKeyManager.getServerAliases(keyType, issuers);
logger.warn("Supported Server Aliases Custom: " + cAliases.length + " JVM : " + jAliases.length);
return ArrayUtils.join(cAliases,jAliases);
}

}

Then, you can use this keystore manager when creating an SSL Context or SocketFactory. The code needs some refactoring and tidying up but it works perfectly.

 /**
* Returns an array of KeyManagers, set up to use the required keyStore.
* This method does the bulk of the work of setting up the custom trust managers.
*
* @param props
*
* @return an array of KeyManagers set up accordingly.
*/
private static KeyManager[] getKeyManagers(Properties props) throws IOException, GeneralSecurityException {
// First, get the default KeyManagerFactory.
String alg = KeyManagerFactory.getDefaultAlgorithm();
KeyManagerFactory kmFact = KeyManagerFactory.getInstance(alg);
// Next, set up the KeyStore to use. We need to load the file into
// a KeyStore instance.
FileInputStream fis = new FileInputStream(props.getProperty(SSL_KEYSTORE));
logger.info("Loaded keystore");
KeyStore ks = KeyStore.getInstance("jks");
String keyStorePassword = props.getProperty(SSL_KEYSTORE_PASSWORD);
ks.load(fis, keyStorePassword.toCharArray());
fis.close();
// Now we initialise the KeyManagerFactory with this KeyStore
kmFact.init(ks, keyStorePassword.toCharArray());

// default
KeyManagerFactory dkmFact = KeyManagerFactory.getInstance(alg);
dkmFact.init(null,null);

// Get the first X509KeyManager in the list
X509KeyManager customX509KeyManager = getX509KeyManager(alg, kmFact);
X509KeyManager jvmX509KeyManager = getX509KeyManager(alg, dkmFact);

KeyManager[] km = { new MultiKeyStoreManager(jvmX509KeyManager, customX509KeyManager) };
logger.debug("Number of key managers registered:" + km.length);
return km;
}

/**
* Find a X509 Key Manager compatible with a particular algorithm
* @param algorithm
* @param kmFact
* @return
* @throws NoSuchAlgorithmException
*/
private static X509KeyManager getX509KeyManager(String algorithm, KeyManagerFactory kmFact)
throws NoSuchAlgorithmException {
KeyManager[] keyManagers = kmFact.getKeyManagers();

if (keyManagers == null || keyManagers.length == 0) {
throw new NoSuchAlgorithmException("The default algorithm :" + algorithm + " produced no key managers");
}

X509KeyManager x509KeyManager = null;

for (int i = 0; i < keyManagers.length; i++) {
if (keyManagers[i] instanceof X509KeyManager) {
x509KeyManager = (X509KeyManager) keyManagers[i];
break;
}
}

if (x509KeyManager == null) {
throw new NoSuchAlgorithmException("The default algorithm :"+ algorithm + " did not produce a X509 Key manager");
}
return x509KeyManager;
}

private static void initialiseManager(Properties props) throws IOException, GeneralSecurityException {
// Next construct and initialise a SSLContext with the KeyStore and
// the TrustStore. We use the default SecureRandom.
SSLContext context = SSLContext.getInstance("SSL");
context.init(getKeyManagers(props), getTrustManagers(props), null);
SSLContext.setDefault(context);

}

Let me know if anyone has any question or need any demonstration codes.

How to set different truststore keystore with setProperty

Finally I found the solution:

    KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());

String path1 = ..absolute path of keystore..
path1 = path1.replaceAll("%20", " ");
InputStream trustStore1 = new FileInputStream(path1);
keyStore.load(trustStore1, new String(..keystore password..).toCharArray());
trustStore1.close();

KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
keyManagerFactory.init(keyStore, new String(..keystore password..).toCharArray());

TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
SSLContext ctx = SSLContext.getInstance("SSL");
ctx.init(keyManagerFactory.getKeyManagers(), tmf.getTrustManagers(), null);
HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

It's possibile to change at runtime the keystore simply using the method "init" of object SSLContext. The parameters of this function are KeyManager and TrustManager, initialized like in the script. So, in this way it's possible to simulate System.setProperty.
Thank you to everyone!

Using a custom truststore in java as well as the default one

You could use a similar pattern to what I've mentioned in a previous answer (for a different problem).

Essentially, get hold of the default trust manager, create a second trust manager that uses your own trust store. Wrap them both in a custom trust manager implementation that delegates call to both (falling back on the other when one fails).

TrustManagerFactory tmf = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
// Using null here initialises the TMF with the default trust store.
tmf.init((KeyStore) null);

// Get hold of the default trust manager
X509TrustManager defaultTm = null;
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
defaultTm = (X509TrustManager) tm;
break;
}
}

FileInputStream myKeys = new FileInputStream("truststore.jks");

// Do the same with your trust store this time
// Adapt how you load the keystore to your needs
KeyStore myTrustStore = KeyStore.getInstance(KeyStore.getDefaultType());
myTrustStore.load(myKeys, "password".toCharArray());

myKeys.close();

tmf = TrustManagerFactory
.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(myTrustStore);

// Get hold of the default trust manager
X509TrustManager myTm = null;
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {
myTm = (X509TrustManager) tm;
break;
}
}

// Wrap it in your own class.
final X509TrustManager finalDefaultTm = defaultTm;
final X509TrustManager finalMyTm = myTm;
X509TrustManager customTm = new X509TrustManager() {
@Override
public X509Certificate[] getAcceptedIssuers() {
// If you're planning to use client-cert auth,
// merge results from "defaultTm" and "myTm".
return finalDefaultTm.getAcceptedIssuers();
}

@Override
public void checkServerTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
try {
finalMyTm.checkServerTrusted(chain, authType);
} catch (CertificateException e) {
// This will throw another CertificateException if this fails too.
finalDefaultTm.checkServerTrusted(chain, authType);
}
}

@Override
public void checkClientTrusted(X509Certificate[] chain,
String authType) throws CertificateException {
// If you're planning to use client-cert auth,
// do the same as checking the server.
finalDefaultTm.checkClientTrusted(chain, authType);
}
};

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[] { customTm }, null);

// You don't have to set this as the default context,
// it depends on the library you're using.
SSLContext.setDefault(sslContext);

You don't have to set that context as the default context. How you use it depends on the client library you're using (and where it gets its socket factories from).


This being said, in principle, you'd always have to update the truststore as required anyway. The Java 7 JSSE Reference Guide had an "important note" about this, now downgraded to just a "note" in version 8 of the same guide:

The JDK ships with a limited number of trusted root certificates in
the java-home/lib/security/cacerts file. As documented in keytool
reference pages, it is your responsibility to maintain (that is, add
and remove) the certificates contained in this file if you use this
file as a truststore.

Depending on the certificate configuration of the servers that you
contact, you may need to add additional root certificates. Obtain the
needed specific root certificates from the appropriate vendor.

Add different p12 certificates to jvm

It seems you are doing this to enable mutual certificate authentication as opposed to setting up a simple HTTPS connector.

I would suggest combining the certificates in a single .pfx by exporting them both as plaintext .pem files and concatenating them. This can also be used to manually create certificate chains as well.

  1. Convert PFX to PEM (convert both PFX file):
    openssl pkcs12 -in example.pfx -out example.pem -nodes
  2. Concatenate both PEM files including the BEGIN CERTIFICATE and END CERTIFICATE tags
  3. Convert the combined PEM file back to PFX: openssl pkcs12 -export -in example.pem -out example-concat.pfx

How to add multiple truststore paths to “java.net.ssl.trustStore”?

You can't have multiple paths for javax.net.ssl.trustStore.

The easiest would be to make a local copy of the JRE's cacerts and import the certificates from your other store into it (effectively merging them). (See keytool -importkeystore.)

Otherwise, if you know in advance that all your LDAP connections will use your second keystore (and you also want to be able to use the default truststore for other, non-related connections), you could configure that trust store for that SSLSocketFactory only. I'm not familiar with com.org.ldap.LDAPSocketFactory, but it might have an option to do so. (Otherwise, you could create your custom SSLContext initialised with your second truststore and get an SSLSocketFactory, as described in this answer).

Another, more complicated way, would be to create a custom X509TrustManager that wraps the default trust manager, catches its exceptions and tries again with another trust manager initialised using your second store. It's feasible, but you'd need to make sure it still throws the exception if neither trust managers accept your certificate (otherwise, there would be a security hole). If you're not familiar with the JSSE API (or Java altogether), it's probably not the best option.

In addition, be careful when you use System.setProperty("javax.net.ssl.trustStore", ...) in your code: it is what's read to initialise the default SSLContext, but the default SSLContext is only initialised once, the first time it's required. Setting this system property afterwards would have no effect (unless of course, other classes from other libraries also rely on this value).


It's also not clear what you're trying to achieve with this, since you'll always ever succeed to add a security provider that's already there:

  try 
{
SSLContext se = SSLContext.getInstance("TLS");
Security.addProvider(se.getProvider());
}
catch(NoSuchAlgorithmException e) { }


Related Topics



Leave a reply



Submit