This tip implements an X509TrustManager that asks the user before it rejects a certificate chain. The keystore used is just an example — you can adapt it for any other keystore:
import java.security.*;
import java.security.cert.*;
import java.net.*;
import javax.net.*;
import javax.net.ssl.*;
import java.io.*;
import java.awt.*;
import java.awt.event.*;
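/**
 * Modal AWT dialog asking the user whether to accept an X.509 certificate
 * chain that the standard verification rejected.
 *
 * <p>The dialog is shown from the constructor and, being modal, the
 * constructor does not return until the user pressed ACCEPT; the dialog and
 * its owner frame are then disposed. REJECT terminates the JVM with exit
 * status 1, and so does closing the window, so that a dismissed prompt is
 * never mistaken for acceptance. After the constructor returns,
 * {@link #isAccepted()} is therefore always true.
 */
class X509TrustManagerDialog implements ActionListener {
    Button accept = new Button("ACCEPT");
    Button reject = new Button("REJECT");
    Label label1 = new Label("A X.509 certificate was rejected to the standard verification");
    Label label2 = new Label("Accept / Reject this certificate ?");
    Dialog t = null;
    // Invisible owner frame of t; disposed together with the dialog.
    private Frame owner = null;
    // Set when the user pressed ACCEPT.
    private boolean accepted = false;

    /** Shows the prompt without any extra detail line. */
    public X509TrustManagerDialog() {
        this(null);
    }

    /**
     * Shows the prompt, optionally with a third line describing why the
     * chain was rejected (for example the CertificateException message).
     *
     * @param detail extra text to display, or null for none
     */
    public X509TrustManagerDialog(String detail) {
        owner = new Frame();
        t = new Dialog(owner);
        t.setSize(400, detail == null ? 100 : 130);
        t.setLocation(50, 50);
        t.setModal(true);
        t.setResizable(false);
        t.setLayout(new FlowLayout());
        t.add(label1);
        if (detail != null) {
            t.add(new Label(detail));
        }
        t.add(label2);
        t.add(accept);
        t.add(reject);
        accept.addActionListener(this);
        reject.addActionListener(this);
        // Closing the window is treated exactly like REJECT.
        t.addWindowListener(new WindowAdapter() {
            public void windowClosing(WindowEvent ev) {
                System.exit(1);
            }
        });
        t.setVisible(true); // blocks until hidden by actionPerformed
    }

    /**
     * Handles the two buttons: ACCEPT closes the dialog and lets the caller
     * continue, REJECT exits the JVM.
     */
    public void actionPerformed(ActionEvent e) {
        String command = e.getActionCommand();
        if ("ACCEPT".equals(command)) {
            accepted = true;
            t.setVisible(false);
            // Release the native window resources instead of only hiding them.
            t.dispose();
            owner.dispose();
        } else if ("REJECT".equals(command)) {
            System.exit(1);
        }
    }

    /** @return true once the user pressed ACCEPT */
    public boolean isAccepted() {
        return accepted;
    }
}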
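/**
 * X509TrustManager that delegates to the SunX509 trust manager built from a
 * JKS keystore and, when that manager rejects a chain, asks the user through
 * X509TrustManagerDialog instead of failing at once.
 *
 * <p>If the user presses ACCEPT the check method returns normally and the
 * chain is treated as trusted for that single check; nothing is remembered
 * for later connections. REJECT ends the process (see
 * X509TrustManagerDialog). Any failure while building the delegate makes the
 * constructor throw IllegalStateException instead of leaving a half
 * initialised manager whose methods would fail with NullPointerException.
 */
class QueryX509TrustManager implements X509TrustManager {
    /** Keystore file used by the no-argument constructor (working directory). */
    static final String DEFAULT_KEYSTORE_FILE = "SSLKeystore";

    X509TrustManager X509TM = null;        // default X.509 TrustManager
    TrustManagerFactory ClientTMF = null;  // SunX509 factory from SunJSSE provider
    KeyStore ClientKS = null;              // keystore SSLCert - just an example
    TrustManager[] ClientTMs = null;       // all the TrustManagers from SunX509 factory
    // SSLCert access password. Hard-coded only because this is an example;
    // a real application reads it from a protected source.
    char[] ClientKeystorePassword = "Varonmykey".toCharArray();

    /** Builds the manager from the example keystore "SSLKeystore" with the example password. */
    public QueryX509TrustManager() {
        this(DEFAULT_KEYSTORE_FILE, null);
    }

    /**
     * Builds the manager from the given JKS keystore.
     *
     * @param keystoreFile path of the JKS keystore holding the trusted certificates
     * @param password     keystore password, or null to use the example password
     * @throws IllegalStateException if the keystore cannot be read, the SunX509
     *                               factory is unavailable, or it yields no
     *                               X509TrustManager; the cause is preserved
     */
    public QueryX509TrustManager(String keystoreFile, char[] password) {
        if (password != null) {
            ClientKeystorePassword = password;
        }
        try {
            // KeyStore of type JKS (the default type)
            ClientKS = KeyStore.getInstance("JKS");
            // load the keystore; the stream is closed whatever load() does
            FileInputStream in = new FileInputStream(keystoreFile);
            try {
                ClientKS.load(in, ClientKeystorePassword);
            } finally {
                in.close();
            }
            // TrustManagerFactory of SunJSSE, initialised with the keystore
            ClientTMF = TrustManagerFactory.getInstance("SunX509", "SunJSSE");
            ClientTMF.init(ClientKS);
        } catch (GeneralSecurityException e) {
            // KeyStoreException, NoSuchAlgorithmException, NoSuchProviderException
            // and CertificateException all derive from this type
            throw new IllegalStateException("cannot build trust manager from " + keystoreFile, e);
        } catch (IOException e) {
            throw new IllegalStateException("cannot load keystore " + keystoreFile, e);
        }
        ClientTMs = ClientTMF.getTrustManagers();
        X509TM = findX509TrustManager(ClientTMs);
        if (X509TM == null) {
            throw new IllegalStateException("no X509TrustManager obtained from " + keystoreFile);
        }
        System.out.println("X509TrustManager certificate found...");
    }

    /** Returns the first X509TrustManager in the array, or null if there is none. */
    private static X509TrustManager findX509TrustManager(TrustManager[] managers) {
        for (int i = 0; i < managers.length; i++) {
            if (managers[i] instanceof X509TrustManager) {
                return (X509TrustManager) managers[i];
            }
        }
        return null;
    }

    /**
     * Checks a client chain with the delegate; on rejection asks the user.
     *
     * @throws CertificateException never directly here - a rejected chain is
     *                              either accepted by the user or the dialog
     *                              exits the JVM
     */
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        System.out.println("Verify-client...");
        try {
            X509TM.checkClientTrusted(chain, authType);
        } catch (CertificateException e) {
            System.out.println("I: " + e.getMessage());
            askUser();
        }
    }

    /**
     * Checks a server chain with the delegate; on rejection asks the user.
     *
     * @throws CertificateException never directly here - a rejected chain is
     *                              either accepted by the user or the dialog
     *                              exits the JVM
     */
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        System.out.println("Verify-server...");
        try {
            X509TM.checkServerTrusted(chain, authType);
        } catch (CertificateException e) {
            System.out.println("II: " + e.getMessage());
            askUser();
        }
    }

    /**
     * Shows the accept/reject dialog for a chain the delegate rejected.
     * Returning from here means the chain is accepted for the current check;
     * the dialog does not return on REJECT, it terminates the JVM.
     */
    private void askUser() {
        new X509TrustManagerDialog();
    }

    /** Trusted issuers of the delegate manager. */
    public X509Certificate[] getAcceptedIssuers() {
        return X509TM.getAcceptedIssuers();
    }
}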