SSL Trust Provider for Java

I've blogged about Self-signed Server Certificates and how they can cause havoc with client java applications. We'll I put the call out there to provide solutions and a very slick one has arrived!
 

XTrustProvider.java:

/*
 * The contents of this file are subject to the "END USER LICENSE AGREEMENT FOR F5
 * Software Development Kit for iControl"; you may not use this file except in
 * compliance with the License. The License is included in the iControl
 * Software Development Kit.
 *
 * Software distributed under the License is distributed on an "AS IS"
 * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
 * the License for the specific language governing rights and limitations
 * under the License.
 *
 * The Original Code is iControl Code and related documentation
 * distributed by F5.
 *
 * Portions created by F5 are Copyright (C) 1996-2004 F5 Networks
 * Inc. All Rights Reserved.  iControl (TM) is a registered trademark of
 * F5 Networks, Inc.
 *
 * Alternatively, the contents of this file may be used under the terms
 * of the GNU General Public License (the "GPL"), in which case the
 * provisions of GPL are applicable instead of those above.  If you wish
 * to allow use of your version of this file only under the terms of the
 * GPL and not to allow others to use your version of this file under the
 * License, indicate your decision by deleting the provisions above and
 * replace them with the notice and other provisions required by the GPL.
 * If you do not delete the provisions above, a recipient may use your
 * version of this file under either the License or the GPL.
 */
import java.security.AccessController; 
import java.security.InvalidAlgorithmParameterException; 
import java.security.KeyStore; 
import java.security.KeyStoreException; 
import java.security.PrivilegedAction; 
import java.security.Security; 
import java.security.cert.X509Certificate; 
  
import javax.net.ssl.ManagerFactoryParameters; 
import javax.net.ssl.TrustManager; 
import javax.net.ssl.TrustManagerFactorySpi; 
import javax.net.ssl.X509TrustManager; 
  
public final class XTrustProvider extends java.security.Provider
{ 
    private final static String NAME = "XTrustJSSE"; 
    private final static String INFO =
        "XTrust JSSE Provider (implements trust factory with truststore validation disabled)"; 
    private final static double VERSION = 1.0D; 
     
    public XTrustProvider()
   { 
       super(NAME, VERSION, INFO); 
        
       AccessController.doPrivileged(new PrivilegedAction()
      { 
         public Object run()
         { 
                 put("TrustManagerFactory." + TrustManagerFactoryImpl.getAlgorithm(),  
                                               TrustManagerFactoryImpl.class.getName()); 
                 return null; 
             } 
       }); 
    } 
     
    public static void install()
   { 
       if(Security.getProvider(NAME) == null)
      { 
          Security.insertProviderAt(new XTrustProvider(), 2); 
          Security.setProperty("ssl.TrustManagerFactory.algorithm",
              TrustManagerFactoryImpl.getAlgorithm()); 
       } 
    } 
     
    public final static class TrustManagerFactoryImpl extends TrustManagerFactorySpi
   { 
       public TrustManagerFactoryImpl() { } 
       public static String getAlgorithm() { return "XTrust509"; } 
       protected void engineInit(KeyStore keystore) throws KeyStoreException { } 
       protected void engineInit(ManagerFactoryParameters mgrparams)
         throws InvalidAlgorithmParameterException
      { 
          throw new InvalidAlgorithmParameterException(
              XTrustProvider.NAME + " does not use ManagerFactoryParameters"); 
       } 
        
       protected TrustManager[] engineGetTrustManagers()
      { 
            return new TrustManager[] { new X509TrustManager()
         { 
             public X509Certificate[] getAcceptedIssuers() { return null; } 
             public void checkClientTrusted(X509Certificate[] certs, String authType) { } 
             public void checkServerTrusted(X509Certificate[] certs, String authType) { } 
            }}; 
        } 
    } 
 }

Calling Application:

...
XTrustProvider.install();
...

This file is up in CodeShare for those who are cut+paste challenged B-).

Hat tip to Exnihilo for posting this solution!

-Joe

 

[Listening to: Ob-La-Di, Ob-La-Da - The Beatles - The White Album (03:08)]
Published Jul 06, 2005
Version 1.0
devops
iControl
java
security

Was this article helpful?

4 Comments

Sort By
  • Joe_Pruitt's avatar
    Joe_Pruitt
    Mar 06, 2006
    Wish I could help you but I've never used HttpUnit before. This has to be a pretty standard option to hook up a client cert to it's endpoint requests. At least you would think...

     

     

    -Joe
  • Joe_Pruitt's avatar
    Joe_Pruitt
    Nov 08, 2007
    This code is somewhat outdated by the iControl Library for Java available in the Labs section of DevCentral. It encapsulates all of the connection information (including client side ssl management).

     

     

    -Joe
  • Joe_Pruitt's avatar
    Joe_Pruitt
    Dec 17, 2008
    jose, I'm not too sure about what you are referring to when you say "server". Are you referring to the https webserver that you are trying to connect to, or are you referring to some server code that is acting as a https client to another server. If it's the former, then this client side code should be irrelevant to the status of the backend server (that is unless there is already a keepalive connection setup. If it's the later, then I'm not sure I know the answer. I would think that by executing the static install() method in the XTrustProvider class, that it should update the client side trust settings enough to not force you to do a restart but I'm not sure.

     

     

    -Joe
  • Joe_Pruitt's avatar
    Joe_Pruitt
    Sep 03, 2009
    Thanks, glad it worked for you all!

     

     

    @Radim, not sure what to do with Jython. Let us all know if you get it working...

     

     

    -Joe