Joe Pruitt - A Software Architect's take on Network Security

posted on Wednesday, July 06, 2005 2:46 PM

I've blogged about Self-signed Server Certificates and how they can cause havoc with client Java applications. Well, I put the call out there to provide solutions, and a very slick one has arrived!

XTrustProvider.java:

/*
 * The contents of this file are subject to the "END USER LICENSE AGREEMENT FOR F5
 * Software Development Kit for iControl"; you may not use this file except in
 * compliance with the License. The License is included in the iControl
 * Software Development Kit.
 *
 * Software distributed under the License is distributed on an "AS IS"
 * basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
 * the License for the specific language governing rights and limitations
 * under the License.
 *
 * The Original Code is iControl Code and related documentation
 * distributed by F5.
 *
 * Portions created by F5 are Copyright (C) 1996-2004 F5 Networks
 * Inc. All Rights Reserved.  iControl (TM) is a registered trademark of
 * F5 Networks, Inc.
 *
 * Alternatively, the contents of this file may be used under the terms
 * of the GNU General Public License (the "GPL"), in which case the
 * provisions of GPL are applicable instead of those above.  If you wish
 * to allow use of your version of this file only under the terms of the
 * GPL and not to allow others to use your version of this file under the
 * License, indicate your decision by deleting the provisions above and
 * replace them with the notice and other provisions required by the GPL.
 * If you do not delete the provisions above, a recipient may use your
 * version of this file under either the License or the GPL.
 */
import java.security.AccessController;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivilegedAction;
import java.security.Security;
import java.security.cert.X509Certificate;

import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactorySpi;
import javax.net.ssl.X509TrustManager;

/**
 * A JSSE provider whose TrustManagerFactory hands out an X509TrustManager
 * that accepts every certificate chain. Once installed, server certificate
 * validation is off for every TLS connection the JVM makes through the
 * default trust manager.
 */
public final class XTrustProvider extends java.security.Provider
{
    private final static String NAME = "XTrustJSSE";
    private final static String INFO =
        "XTrust JSSE Provider (implements trust factory with truststore validation disabled)";
    private final static double VERSION = 1.0D;

    public XTrustProvider()
    {
        super(NAME, VERSION, INFO);

        // Register our factory under the "XTrust509" algorithm name.
        AccessController.doPrivileged(new PrivilegedAction<Void>()
        {
            public Void run()
            {
                put("TrustManagerFactory." + TrustManagerFactoryImpl.getAlgorithm(),
                    TrustManagerFactoryImpl.class.getName());
                return null;
            }
        });
    }

    /**
     * Adds the provider at position 2 and points the JVM's default
     * TrustManagerFactory algorithm at it, so anything that asks for the
     * default trust manager (HttpsURLConnection, SSLContext.getDefault(), ...)
     * gets the trust-all manager from then on.
     */
    public static void install()
    {
        if (Security.getProvider(NAME) == null)
        {
            Security.insertProviderAt(new XTrustProvider(), 2);
            Security.setProperty("ssl.TrustManagerFactory.algorithm",
                TrustManagerFactoryImpl.getAlgorithm());
        }
    }

    public final static class TrustManagerFactoryImpl extends TrustManagerFactorySpi
    {
        public TrustManagerFactoryImpl() { }

        public static String getAlgorithm() { return "XTrust509"; }

        // The keystore is ignored: no truststore is consulted at all.
        protected void engineInit(KeyStore keystore) throws KeyStoreException { }

        protected void engineInit(ManagerFactoryParameters mgrparams)
            throws InvalidAlgorithmParameterException
        {
            throw new InvalidAlgorithmParameterException(
                XTrustProvider.NAME + " does not use ManagerFactoryParameters");
        }

        protected TrustManager[] engineGetTrustManagers()
        {
            return new TrustManager[] { new X509TrustManager()
            {
                // The X509TrustManager contract requires a non-null (possibly
                // empty) array here; returning null can cause a
                // NullPointerException in some JSSE code paths.
                public X509Certificate[] getAcceptedIssuers()
                {
                    return new X509Certificate[0];
                }

                // Both checks accept any chain without inspecting it.
                public void checkClientTrusted(X509Certificate[] certs, String authType) { }
                public void checkServerTrusted(X509Certificate[] certs, String authType) { }
            }};
        }
    }
}

Calling Application:

...
XTrustProvider.install();
...
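If all you need is for one client to talk to one dev box with a self-signed certificate, there is a much narrower fix than switching validation off for the whole JVM. The class below is an added example (mine, not Joe's and not part of the iControl SDK) that trusts exactly that one certificate and nothing else, and only on the connections you hand it; hostname verification and everything else in JSSE stays on. It assumes the dev server's certificate has been exported to a PEM file whose path is the first command-line argument, with the https URL as the second. The class and method names are made up for the example.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the post or from F5): trust a single self-signed
 * server certificate instead of disabling certificate validation JVM-wide.
 *
 * Assumptions: args[0] is a PEM file holding the dev server's certificate,
 * args[1] is an https URL on that server. Names here are hypothetical.
 */
public final class PinnedDevServerTrust {

    /** Build an SSLContext whose only trust anchor is the certificate in pemFile. */
    public static SSLContext contextTrustingOnly(Path pemFile) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Certificate devCert;
        try (InputStream in = Files.newInputStream(pemFile)) {
            devCert = cf.generateCertificate(in);
        }

        // In-memory truststore containing just that one certificate. A
        // self-signed cert placed here is accepted as its own trust anchor.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("dev-server", devCert);

        // Standard PKIX chain validation, anchored on the in-memory store
        // rather than on cacerts, so no other CA is trusted by this context.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: PinnedDevServerTrust <server-cert.pem> <https-url>");
            System.exit(2);
        }
        SSLContext ctx = contextTrustingOnly(Paths.get(args[0]));

        // Scope the trust to this one connection instead of the whole JVM;
        // the default hostname verifier still checks the URL host against
        // the certificate.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode()
                + " from " + conn.getPeerPrincipal());
    }
}
```

The difference from XTrustProvider is what happens when someone other than your dev server answers: with the pinned context the handshake fails, with the trust-all provider it succeeds silently. If a library insists on the JVM default, you can still set this context with SSLContext.setDefault(ctx) before the first connection and keep the single-certificate scope.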

This file is up in CodeShare for those who are cut+paste challenged B-).

Hat tip to Exnihilo for posting this solution!

-Joe

[Listening to: Ob-La-Di, Ob-La-Da - The Beatles - The White Album (03:08)]

Posted In: iControl,

Feedback

3/6/2006 1:01 PM
I am using the fix above with HttpUnit, but the website I have to test also requires client authentication via SSL. I have the certificate for this, but I don't know how to get HttpUnit to use my client cert. Any ideas?
Rob Whitener
3/6/2006 2:31 PM
Wish I could help you but I've never used HttpUnit before. This has to be a pretty standard option to hook up a client cert to its endpoint requests. At least you would think...

-Joe
Joe Pruitt
3/7/2006 11:28 AM
I figured it out, it is pretty simple actually. To use a client certificate, just set the system properties for the keyStore, keyStoreType, and keyStorePassword like this:

System.setProperty("javax.net.ssl.keyStore",
    "C:\\auto\\USF.ATAP.ROB01-1013682586-1-key-and-cert.p12");
System.setProperty("javax.net.ssl.keyStoreType", "PKCS12");
System.setProperty("javax.net.ssl.keyStorePassword", "passw0rd");

Using your own store, password and whatever type your store is. Just in case anyone else runs into this.
Rob Whitener
9/25/2006 5:25 PM
What a great solution. No more "unable to find valid certification path to requested target" errors when testing over HTTPS to our development server. Works with HTMLUnit and HTTPUnit for me.
Adam Buckley
10/24/2006 6:26 PM
It works!!! Thanks!!
Guest
10/26/2006 1:58 PM
Thank you. It worked.
ken
9/3/2007 9:01 AM
Very Good Work, thx
darmowe programy
9/5/2007 11:58 PM
I am trying to use the iControlIntermediary classes for Java. I am just trying to connect to the LB using VirtualNode but I get the "unable to find valid certification path to requested target" error. Do I have to make a keystore?

Sorry if this is a n00b question.. :P
Naman Joshi
9/17/2007 10:38 AM
Saved me from hours of painful work, thanks so much!!!
Wolfgang
10/26/2007 6:56 PM
Me too. Really thanks. Really great job!
Darmowe mp3
11/8/2007 8:30 AM
Guys,

if I want to implement this https on sap J2EE engine, what is the process ?

Thanks
cris
11/8/2007 10:35 AM
This code is somewhat outdated by the iControl Library for Java available in the Labs section of DevCentral. It encapsulates all of the connection information (including client side ssl management).

-Joe
Joe Pruitt
11/10/2007 6:14 AM
Great hint! It works fine with HtmlUnit and WebClient; for whoever wants to know how, this is my code.

final WebClient webClient = new WebClient(
    BrowserVersion.INTERNET_EXPLORER_7_0);
XTrustProvider.install();
URL url = new URL("https://somesite.com");
HtmlPage htmlpage = webClient.getPage(url);
Marcelo Daniel
11/15/2007 3:42 AM
thanks guys works fine for me :) thumbs up
bandur
5/27/2008 8:10 AM
I was searching for a solution to use with Commons HttpClient. Forget about EasySSLProtocolSocketFactory! XTrustProvider IS the way to go!

Many thanks!
Filipe Mateus
11/27/2008 12:02 AM
Great! thx
周贇
12/17/2008 12:45 PM
It works fine; however, if the server is already running and the provider is registered, it won't take effect unless the server is restarted. I'm trying to register the provider dynamically from the source, any ideas?
jose
12/17/2008 1:13 PM
jose, I'm not too sure about what you are referring to when you say "server". Are you referring to the https webserver that you are trying to connect to, or are you referring to some server code that is acting as an https client to another server? If it's the former, then this client side code should be irrelevant to the status of the backend server (that is, unless there is already a keepalive connection set up). If it's the latter, then I'm not sure I know the answer. I would think that by executing the static install() method in the XTrustProvider class, it should update the client side trust settings enough to not force you to do a restart, but I'm not sure.

-Joe
Joe Pruitt
1/13/2009 1:47 AM
Well, I have the problems now as well. I am not a master of SSL, but what I read here does not make too much sense to me.
There is a nice way to make a server authorized, described here: http://blogs.sun.com/andreas/entry/no_more_unable_to_find

This process is done from my side. I am working with Jython. There should be no difference between Java and Jython. Does not matter if I setup full path to cacerts or just path to parent directory. I have setup also the password for it. Nothing works. From what I understood on google links there is really bad error message in SSL libraries in Java.

If there is simple way how to make it work, please let me know. I was thinking about the client but do not know enough consequences where to get the client certificate and so on.

Thanks
Radim
5/22/2009 1:41 PM
This was a great simple solution for my Axis2 applet.
Thanks!
Jack Curtin
9/3/2009 12:09 AM
Perfect solution
Hussein
9/3/2009 9:17 AM
Thanks, glad it worked for you all!

@Radim, not sure what to do with Jython. Let us all know if you get it working...

-Joe
Joe
11/11/2009 3:05 AM
Having self signed certificates on development machines can cause problems when HTTPUnit testing, you can get the following error:

uk.ac.warwick.stresstest.SingleSignOnException: jav...
Has Beans
1/21/2010 2:31 AM
Works just fine! Thanks a lot :-)
hans
3/29/2010 4:39 AM
I know this sounds hokey, but have you looked at the populated myFolder
string variable to see what the translated path actually is, and whether it
is valid? You could do a Trace write of this and turn on page tracing
temporarily to see it.....
sites de paris virtuels
5/20/2010 4:15 AM
Thanks for the post. But I have a similar implementation running in the IBM J9 JVM.
I don't have control over SSLSocket creation [it comes from third party code]. But I need that SSL handshake process to use the custom trust manager I have implemented. As specified in this post, I have set up the below things.
But still my trust manager implementation does not get invoked.

Security.insertProviderAt(new XTrustProvider(), 2);
Security.setProperty("ssl.TrustManagerFactory.algorithm",
TrustManagerFactoryImpl.getAlgorithm());


Any suggestions would be of great help
ViswaSiva
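jose and ViswaSiva above both ran into the same underlying question: did install() actually take effect for the code that is opening the socket? The probe below is an added example (mine as editor, not from the post or from F5) that answers it from inside the JVM. It needs nothing but the standard JSSE API: it asks the default TrustManagerFactory for its trust manager and feeds it an empty certificate chain. The JDK's PKIX manager refuses that with an exception, while the trust-all manager from XTrustProvider accepts it. The same check is a cheap startup or CI guard for any build that might accidentally ship with the provider installed. Class and method names are made up for the example.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the post or from F5): report whether the JVM's
 * default trust manager has been replaced by one that accepts any chain,
 * which is what XTrustProvider.install() does. Runs on a stock JVM with
 * no extra classes; names are hypothetical.
 */
public final class TrustAllProbe {

    /** Which algorithm and provider the default TrustManagerFactory resolves to. */
    public static String describeDefault() {
        // Reads the ssl.TrustManagerFactory.algorithm security property,
        // the one XTrustProvider.install() overwrites with "XTrust509".
        String alg = TrustManagerFactory.getDefaultAlgorithm();
        StringBuilder sb = new StringBuilder("default algorithm: ").append(alg);
        Provider[] ps = Security.getProviders("TrustManagerFactory." + alg);
        if (ps != null) {
            for (Provider p : ps) {
                sb.append("; provider ").append(p.getName());
            }
        }
        return sb.toString();
    }

    /**
     * True if the default trust manager silently accepts a chain with no
     * certificates in it. The JDK's PKIX manager throws
     * IllegalArgumentException for that; a trust-all manager returns normally.
     */
    public static boolean defaultTrustManagerIsTrustAll() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null keystore = the JVM's cacerts for the real PKIX factory
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (!(tm instanceof X509TrustManager)) {
                continue;
            }
            try {
                ((X509TrustManager) tm).checkServerTrusted(new X509Certificate[0], "RSA");
                return true; // accepted an empty chain: validation is off
            } catch (Exception expected) {
                // IllegalArgumentException or CertificateException: validation is active
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(describeDefault());
        boolean trustAll = defaultTrustManagerIsTrustAll();
        System.out.println(trustAll
                ? "WARNING: default trust manager accepts any server certificate"
                : "OK: default trust manager validates certificate chains");
        if (trustAll) {
            System.exit(1); // non-zero so a startup or CI check can fail on it
        }
    }
}
```

Two things the probe makes visible. First, SSLContext.getDefault() and HttpsURLConnection's default SSLSocketFactory are created once and then cached, so install() has to run before the first TLS connection; code that already opened a connection keeps the original PKIX trust manager, which is the "works only after a restart" behaviour jose saw. Second, a library that builds its own SSLContext and passes its own TrustManager array to init() never consults ssl.TrustManagerFactory.algorithm at all, so the provider has no effect on it; a third-party component that creates its own SSLSocket, as in ViswaSiva's case, has to be given the trust managers explicitly through whatever configuration hook it offers.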
7/25/2011 2:28 AM
Java and invalid SSL certificates (java-trustprovideragent) | info.michael-simons.eu
Pingback/TrackBack
7/25/2011 2:30 AM
Hi,

thank you for the code.

I've added a little agent around it so that i don't have to modify my sources.

Here is the code, maybe someone else can use this, too:

info.michael-simons.eu/.../java-and-invalid-ssl...
Michael
12/17/2011 10:41 PM
Is this code that I could use to be able to catch https traffic coming from a Java program with Fiddler? How would I use this code to set up a proper proxy which would allow my Java program to trust Fiddler's root certificate?
sam
