I need to ignore the PKIX path building exception
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
I know how to do this by writing my own class implementing X509TrustManager where I always return true from isServerTrusted.
However, I don't want to trust all servers & all clients.
- I want all the default verification to be done for clients as is done currently.
- For servers, I want to ignore server cert verification only for one particular cert but want to go ahead and verify it as is done currently (e.g. using the cacerts store).
How can I achieve something like this - i.e. pass on part of the verification to whatever was the X509TrustFactory object before I replaced it.
i.e. this is what I want to do:

    public boolean isServerTrusted(X509Certificate[] chain)
    {
        if (chain[0].getIssuerDN().getName().equals("MyTrustedServer") && chain[0].getSubjectDN().getName().equals("MyTrustedServer"))
            return true;
        // else I want to do whatever verification is normally done
    }
Also I don't want to disturb the existing isClientTrusted verification.
How can I do this?
You can get hold of the existing default trust manager and wrap it in your own using something like this:
You can then implement your own logic around finalTm.checkServerTrusted(chain, authType). However, you should make sure you're making an exception for the specific certificate you want to ignore.
What you're doing in the following is letting through any certificate with these Issuer DN and Subject DN (which isn't difficult to forge):
You could instead load the X509Certificate instance from a known reference and compare the actual value in the chain. In addition, checkClientTrusted and checkServerTrusted are not methods that return true or false, but void methods that will succeed silently by default. If there's something wrong with the certificate you expect, throw a CertificateException explicitly.
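The wrapping approach the answer describes, as an added example (not the answerer's code, and not the code the question posted): obtain the JVM's default X509TrustManager, delegate client checks and every ordinary server check to it, and short-circuit only when the leaf certificate is byte-for-byte identical to a certificate loaded from a known reference, rather than when its DN strings match. The class name PinnedOrDefaultTrustManager and the PEM file path passed to buildContext are assumptions; the javax.net.ssl APIs used are the standard ones.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical class name: trusts one pinned server certificate directly,
// everything else goes through the JVM's default PKIX validation.
public final class PinnedOrDefaultTrustManager implements X509TrustManager {

    private final X509TrustManager defaultTm;   // the JVM's normal validator (cacerts)
    private final byte[] pinnedEncoded;         // DER bytes of the single cert we accept outright

    public PinnedOrDefaultTrustManager(X509TrustManager defaultTm, X509Certificate pinned)
            throws CertificateException {
        this.defaultTm = defaultTm;
        this.pinnedEncoded = pinned.getEncoded(); // CertificateEncodingException is a CertificateException
    }

    /** Locate the platform default X509TrustManager, i.e. what the JVM uses if nothing is replaced. */
    public static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null KeyStore => cacerts / javax.net.ssl.trustStore
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("No X509TrustManager in the default factory");
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        defaultTm.checkClientTrusted(chain, authType); // client verification left untouched
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("Empty server certificate chain");
        }
        X509Certificate leaf = chain[0];
        // Exact comparison of the encoded certificate, not a DN string match:
        // a self-signed cert with the same Issuer/Subject DN would not pass here.
        if (MessageDigest.isEqual(leaf.getEncoded(), pinnedEncoded)) {
            leaf.checkValidity(); // still reject the pinned cert once it is expired or not yet valid
            return;
        }
        // Any other server: the normal PKIX path validation, which throws on failure
        defaultTm.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return defaultTm.getAcceptedIssuers();
    }

    /** Build an SSLContext that uses the wrapper; pinnedPemPath is an assumed local PEM file. */
    public static SSLContext buildContext(String pinnedPemPath) throws Exception {
        X509Certificate pinned;
        try (InputStream in = new FileInputStream(pinnedPemPath)) {
            pinned = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new PinnedOrDefaultTrustManager(defaultTrustManager(), pinned) }, null);
        return ctx;
    }
}
```

Usage: `SSLContext ctx = PinnedOrDefaultTrustManager.buildContext("/path/to/pinned-server.pem");` and then `ctx.getSocketFactory()` for the connection. The pinned certificate still has to be renewed by hand when it expires, since the validity check is kept deliberately; delegating getAcceptedIssuers to the default manager keeps the list of CAs advertised during client authentication unchanged.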