Login | Register   
Twitter
RSS Feed
Download our iPhone app
TODAY'S HEADLINES  |   ARTICLE ARCHIVE  |   FORUMS  |   TIP BANK
Browse DevX
Sign up for e-mail newsletters from DevX


Tip of the Day
Language: Java
Expertise: Advanced
Dec 5, 2005

Ask Users Before Rejecting X509 Certificate

This tip implements a X509TrustManager that asks clients before it rejects a certificate chain. The keystore used is just an example— you can adapt it for any other keystore:

import java.security.*;
import java.security.cert.*;
import java.net.*;
import javax.net.*;
import javax.net.ssl.*;
import java.io.*;
import java.awt.*;
import java.awt.event.*;

class X509TrustManagerDialog implements ActionListener{

Button accept=new Button("ACCEPT");
Button reject=new Button("REJECT");
Label label1=new Label("A X.509 certificate was rejected to the standard verification...");
Label label2=new Label("Accept / Reject this certificate ?");
Dialog t=null;

public X509TrustManagerDialog()
  {
  t=new Dialog(new Frame());
     
  t.setSize(400,100);
  t.setLocation(50,50);
  t.setModal(true);
  t.setResizable(false);
  t.setLayout(new FlowLayout());
  t.add(label1);t.add(label2);t.add(accept);t.add(reject);
    
  accept.addActionListener(this);
  reject.addActionListener(this);
    
  t.setVisible(true);       
  }
  
public void actionPerformed(ActionEvent e)
    {
    if((e.getActionCommand()).equals("ACCEPT"))
           {
           t.setVisible(false);
           return;
           }
           
    if((e.getActionCommand()).equals("REJECT"))
           System.exit(1);
    }

}

class QueryX509TrustManager implements X509TrustManager{

X509TrustManager X509TM=null;          //default X.509 TrustManager
TrustManagerFactory ClientTMF=null;    //SunX509 factory from SunJSSE provider
KeyStore ClientKS=null;                //keystore SSLCert - just an example
 
TrustManager[] ClientTMs=null;         //all the TrustManagers from SunX509 factory

char[] ClientKeystorePassword="Varonmykey".toCharArray();//SSLCert access password

    //QueryX509TrustManager constructor
    public QueryX509TrustManager(){    
    
    //get an KeyStore object of type JKS (default type)
    try{
       ClientKS=KeyStore.getInstance("JKS");
       }catch(java.security.KeyStoreException e)
        {System.out.println("1: "+e.getMessage());}

    //loading SSLCert keystore
    try{
       ClientKS.load(new FileInputStream("SSLKeystore"),ClientKeystorePassword);
       }catch(java.io.IOException e)
          {System.out.println("2: "+e.getMessage());
       }catch(java.security.NoSuchAlgorithmException e)
          {System.out.println("3: "+e.getMessage());
       }catch(java.security.cert.CertificateException e)
          {System.out.println("4: "+e.getMessage());}
          
    //TrustManagerFactory of SunJSSE
    try{
       ClientTMF=TrustManagerFactory.getInstance("SunX509","SunJSSE");
       }catch(java.security.NoSuchAlgorithmException e)
          {System.out.println("5: "+e.getMessage());
       }catch(java.security.NoSuchProviderException e)
          {System.out.println("6: "+e.getMessage());}

    //call init method for ClientTMF
    try{
       ClientTMF.init(ClientKS);
       }catch(java.security.KeyStoreException e)
          {System.out.println("7: "+e.getMessage());}

    //get all the TrustManagers
    ClientTMs=ClientTMF.getTrustManagers();
    
    //looking for a X509TrustManager instance
    for(int i=0;i<ClientTMs.length;i++)
         {
         if(ClientTMs[i] instanceof X509TrustManager)
             {
             System.out.println("X509TrustManager certificate found...");
             X509TM=(X509TrustManager)ClientTMs[i];
             return;
             }
         }
}

//checkClientTrusted
public void checkClientTrusted(X509Certificate[] chain,String authType)
throws CertificateException{
try{
   System.out.println("Verify-client...");
   X509TM.checkClientTrusted(chain,authType);   
   }catch(CertificateException e)
      {
      System.out.println("I:  "+e.getMessage());
      X509TrustManagerDialog valid=new X509TrustManagerDialog();
      }
}

//checkServerTrusted
public void checkServerTrusted(X509Certificate[] chain,String authType)
throws CertificateException{
try{
   System.out.println("Verify-server...");
   
   //ask the user what to do ?
   X509TM.checkServerTrusted(chain,authType);   
   }catch(CertificateException 
   e)
      {
      System.out.println("II:  "+e.getMessage());
      
      //ask the user what to do ?
      X509TrustManagerDialog valid=new X509TrustManagerDialog();
      }
}

//getAcceptedIssuers
public X509Certificate[] getAcceptedIssuers(){                          
      return X509TM.getAcceptedIssuers();
      }
}    
Leonard Anghel
 
Comment and Contribute

 

 

 

 

 


(Maximum characters: 1200). You have 1200 characters left.

 

 

Sitemap