Implementing X509TrustManager - passing on part of

2019-01-23 06:04发布

站内问答 / Java
1862 1 5

I need to ignore the PKIX path building exception

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderExc
ption: unable to find valid certification path to requested target

I know how to do this by writing my own class implementing X509TrustManager where I always return true from isServerTrusted.

However, I don't want to trust all servers & all clients.

  • I want all the default verification to be done for clients as is done currently.
  • For servers, I want to ignore server cert verification only for one particular cert but want to go ahead and verify it as is done currently (for eg. using cacerts store).

How can I achieve something like this - i.e. pass on part of the verification to whatever was the X509TrustFactory object before I replaced it.

i.e. this is what I want to do

public boolean isServerTrusted(X509Certificate[] chain)
{
    if(chain[0].getIssuerDN().getName().equals("MyTrustedServer") && chain[0].getSubjectDN().getName().equals("MyTrustedServer"))
        return true;

    // else I want to do whatever verification is normally done
}

Also I don't want to disturb the existing isClientTrusted verification.

How can I do this?

1条回答
叼着烟拽天下
2楼-- · 2019-01-23 06:27

You can get hold of the existing default trust manager and wrap it in your own using something like this:

TrustManagerFactory tmf = TrustManagerFactory
        .getInstance(TrustManagerFactory.getDefaultAlgorithm());
// Using null here initialises the TMF with the default trust store.
tmf.init((KeyStore) null);

// Get hold of the default trust manager
X509TrustManager x509Tm = null;
for (TrustManager tm : tmf.getTrustManagers()) {
    if (tm instanceof X509TrustManager) {
        x509Tm = (X509TrustManager) tm;
        break;
    }
}

// Wrap it in your own class.
final X509TrustManager finalTm = x509Tm;
X509TrustManager customTm = new X509TrustManager() {
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return finalTm.getAcceptedIssuers();
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain,
            String authType) throws CertificateException {
        finalTm.checkServerTrusted(chain, authType);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain,
            String authType) throws CertificateException {
        finalTm.checkClientTrusted(chain, authType);
    }
};

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, new TrustManager[] { customTm }, null);

// You don't have to set this as the default context,
// it depends on the library you're using.
SSLContext.setDefault(sslContext);

You can then implement your own logic around finalTm.checkServerTrusted(chain, authType);.

However, you should make sure you're making an exception for the specific certificate you want to ignore.

What you're doing in the following is letting through any certificate with these Issuer DN and Subject DN (which isn't difficult to forge):

if(chain[0].getIssuerDN().getName().equals("MyTrustedServer") && chain[0].getSubjectDN().getName().equals("MyTrustedServer"))
    return true;

You could instead load the X509Certificate instance from a known reference and compare the actual value in the chain.

In addition, checkClientTrusted and checkServerTrusted are not methods that return true or false, but void methods that will succeed silently by default. If there's something wrong with the certificate you expect, throw a CertificateException explicitly.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)