private SSLSocketFactory getSocketFactory() { try { Security.addProvider(new BouncyCastleProvider()); TrustManagerFactory trustManagerFactory = createAndInitTrustManagerFactory(); KeyManagerFactory keyManagerFactory = createAndInitKeyManagerFactory(); SSLContext context = SSLContext.getInstance(TLS_VERSION); context.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null); return context.getSocketFactory(); } catch (Exception e) { log.error("[{}:{}:{}:{}] Creating TLS factory failed!", caCert, cert, privateKey, password, e); throw new RuntimeException("Creating TLS factory failed!", e); } }
public static SSLContext newSSLContext(final KeyStore ks, final String password, final String ksAlgorithm) throws InvalidSSLConfig { try { // Get a KeyManager and initialize it final KeyManagerFactory kmf = KeyManagerFactory.getInstance(ksAlgorithm); kmf.init(ks, password.toCharArray()); // Get a TrustManagerFactory with the DEFAULT KEYSTORE, so we have all the certificates in cacerts trusted final TrustManagerFactory tmf = TrustManagerFactory.getInstance(ksAlgorithm); tmf.init((KeyStore) null); // Get the SSLContext to help create SSLSocketFactory final SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); return sslContext; } catch (final GeneralSecurityException e) { throw new InvalidSSLConfig(e); } }
private void upgradeToTls(Socket socket) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException, KeyManagementException { KeyStore keyStore = keyStoreProvider.getKeyStore(); String defaultAlgorithm = KeyManagerFactory.getDefaultAlgorithm(); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(defaultAlgorithm); keyManagerFactory.init(keyStore, keyStoreProvider.getPassword()); SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(keyManagerFactory.getKeyManagers(), null, null); SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory(); SSLSocket sslSocket = (SSLSocket) sslSocketFactory.createSocket( socket, socket.getInetAddress().getHostAddress(), socket.getPort(), true); sslSocket.setUseClientMode(false); sslSocket.startHandshake(); input = Okio.buffer(Okio.source(sslSocket.getInputStream())); output = Okio.buffer(Okio.sink(sslSocket.getOutputStream())); }
public SslHandlerFactory(AmqpServerConfiguration configuration) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException { KeyStore keyStore = getKeyStore(configuration.getSsl().getKeyStore().getType(), configuration.getSsl().getKeyStore().getLocation(), configuration.getSsl().getKeyStore().getPassword()); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(configuration.getSsl() .getKeyStore() .getCertType()); keyManagerFactory.init(keyStore, configuration.getSsl().getKeyStore().getPassword().toCharArray()); KeyStore trustStore = getKeyStore(configuration.getSsl().getTrustStore().getType(), configuration.getSsl().getTrustStore().getLocation(), configuration.getSsl().getTrustStore().getPassword()); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(configuration.getSsl() .getTrustStore() .getCertType()); trustManagerFactory.init(trustStore); sslContext = SSLContext.getInstance(configuration.getSsl().getProtocol()); sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null); }
private static KeyManagerFactory createKeyManagerFactory( final String clientCertificateFileName, final String clientKeyFileName, final String clientKeyPassword) throws InvalidKeySpecException, NoSuchAlgorithmException, KeyStoreException, IOException, CertificateException, UnrecoverableKeyException { // Creates a key manager factory // Load and create the client certificate final X509Certificate clientCertificate = createX509CertificateFromFile(clientCertificateFileName); // Load the private client key final PrivateKey privateKey = createPrivateKeyFromPemFile(clientKeyFileName); // Client key and certificate are sent to server final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.load(null, null); keyStore.setCertificateEntry("certificate", clientCertificate); keyStore.setKeyEntry("private-key", privateKey, clientKeyPassword.toCharArray(), new Certificate[] { clientCertificate }); final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, clientKeyPassword.toCharArray()); return keyManagerFactory; }
/** * 获得SSLSocektFactory * * @param password 密码 * @param keyStorePath 密钥库路径 * @param trustStorePath 信任库路径 * @return SSLSocketFactory * @throws Exception */ private static SSLSocketFactory getSSLSocketFactory(String password, String keyStorePath, String trustStorePath) throws Exception { // 实例化密钥库 KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); // 获得密钥库 KeyStore keyStore = getKeyStore(keyStorePath, password); // 初始化密钥工厂 keyManagerFactory.init(keyStore, password.toCharArray()); // 实例化信任库 TrustManagerFactory trustManagerFactory = TrustManagerFactory .getInstance(TrustManagerFactory.getDefaultAlgorithm()); // 获得信任库 KeyStore trustStore = getKeyStore(trustStorePath, password); // 初始化信任库 trustManagerFactory.init(trustStore); // 实例化SSL上下文 SSLContext ctx = SSLContext.getInstance(PROTOCOL); // 初始化SSL上下文 ctx.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom()); // 获得SSLSocketFactory return ctx.getSocketFactory(); }
public static KeyManager[] createKeyManagers(final KeyStore keystore, char[] keyvalue) { try { KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmfactory.init(keystore, keyvalue); return kmfactory.getKeyManagers(); } catch (Exception e) { throw new IllegalArgumentException("Bad key store." + e.getMessage()); } }
/** * Creates an SSLSocketFactory for HTTPS. Pass a KeyStore resource with your * certificate and passphrase */ public static SSLServerSocketFactory makeSSLSocketFactory(String keyAndTrustStoreClasspathPath, char[] passphrase) throws IOException { try { KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); InputStream keystoreStream = NanoHTTPD.class.getResourceAsStream(keyAndTrustStoreClasspathPath); if (keystoreStream == null) { throw new IOException("Unable to load keystore from classpath: " + keyAndTrustStoreClasspathPath); } keystore.load(keystoreStream, passphrase); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keystore, passphrase); return makeSSLSocketFactory(keystore, keyManagerFactory); } catch (Exception e) { throw new IOException(e.getMessage()); } }
private void addToStore(String alias, KeyPair kp, Certificate cert) throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException, UnrecoverableKeyException { Certificate[] chain = { cert, }; keyStore.setKeyEntry(alias, kp.getPrivate(), "".toCharArray(), chain); keyStore.store(new FileOutputStream(keyStoreFile), "".toCharArray()); /* * After adding an entry to the keystore we need to create a fresh * KeyManager by reinitializing the KeyManagerFactory with the new key * store content and then rewrapping the default KeyManager with our own */ KeyManagerFactory keyManagerFactory = KeyManagerFactory .getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, "".toCharArray()); KeyManager defaultKeyManager = keyManagerFactory.getKeyManagers()[0]; KeyManager wrappedKeyManager = new KerplappKeyManager((X509KeyManager) defaultKeyManager); keyManagers = new KeyManager[] { wrappedKeyManager, }; }
private static SSLContext createSslContext(ApacheThriftClientConfig config) { try { KeyStore trustStore = loadTrustStore(config.getTrustCertificate()); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(trustStore); KeyManager[] keyManagers = null; if (config.getKey() != null) { Optional<String> keyPassword = Optional.ofNullable(config.getKeyPassword()); KeyStore keyStore = loadKeyStore(config.getTrustCertificate(), config.getKey(), keyPassword); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, new char[0]); keyManagers = keyManagerFactory.getKeyManagers(); } SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(keyManagers, trustManagerFactory.getTrustManagers(), null); return sslContext; } catch (IOException | GeneralSecurityException e) { throw new IllegalArgumentException("Unable to load SSL keys", e); } }
private static KeyManager[] prepareKeyManager(InputStream bksFile, String password) { if (bksFile == null || password == null) { return null; } KeyStore clientKeyStore; try { clientKeyStore = KeyStore.getInstance("BKS"); clientKeyStore.load(bksFile, password.toCharArray()); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(clientKeyStore, password.toCharArray()); return keyManagerFactory.getKeyManagers(); } catch (Exception e) { e.printStackTrace(); } return null; }
/** * Creates an SSLSocketFactory for HTTPS. Pass a KeyStore resource with your * certificate and passphrase */ public static SSLServerSocketFactory makeSSLSocketFactory(String keyAndTrustStoreClasspathPath, char[] passphrase) { try { KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType()); File keystrorefile = new File(keyAndTrustStoreClasspathPath); System.out.println(keystrorefile.getAbsolutePath()); InputStream keystoreStream = new FileInputStream(keystrorefile);//NanoHTTPD.class.getResourceAsStream(keyAndTrustStoreClasspathPath); // if (keystoreStream == null) // { // System.out.println("Unable to load keystore from classpath: " + keyAndTrustStoreClasspathPath); // //throw new IOException("Unable to load keystore from classpath: " + keyAndTrustStoreClasspathPath); // return null; // } keystore.load(keystoreStream, passphrase); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keystore, passphrase); return makeSSLSocketFactory(keystore, keyManagerFactory); } catch (Exception e) { System.out.println(e.toString()); //throw new IOException(e.getMessage()); } return null; }
private DseCluster.Builder withSSL(DseCluster.Builder builder) throws KeyStoreException, NoSuchAlgorithmException, IOException, CertificateException, KeyManagementException, UnrecoverableKeyException { // JKS Truststore KeyStore truststore = KeyStore.getInstance("JKS"); truststore.load(new FileInputStream(sslTruststoreFile), sslTruststorePassword.toCharArray()); TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(truststore); SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); // Keystore details means supporting client authentication if (null != sslKeystoreFile && sslKeystoreFile.length() > 0 && null != sslKeystorePassword && sslKeystorePassword.length() > 0) { KeyStore keystore = KeyStore.getInstance("JKS"); keystore.load(new FileInputStream(sslKeystoreFile), sslKeystorePassword.toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(keystore, sslKeystorePassword.toCharArray()); sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), new java.security.SecureRandom()); } else { sslContext.init(null, tmf.getTrustManagers(), new java.security.SecureRandom()); } return builder.withSSL(RemoteEndpointAwareJdkSSLOptions.builder().withSSLContext(sslContext).build()); }
private static KeyManagerFactory keyManager(NetworkSslConfig cfg, ResourceService res) throws GeneralSecurityException, IOException, ResourceLoadingException { KeyManagerFactory factory; if (cfg.getKeyStoreAlgorithm() == null || cfg.getKeyStoreAlgorithm().isEmpty()) { factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); } else { factory = KeyManagerFactory.getInstance(cfg.getKeyStoreAlgorithm()); } KeyStore store = keyStore(cfg.getKeyStorePath(), cfg.getKeyStorePassword(), cfg.getKeyStoreType(), res); factory.init(store, cfg.getKeyStorePassword().toCharArray()); return factory; }
@Override public Pair<TrustManagerFactory, KeyManagerFactory> getTrustManagerFactory() { try { KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(null); InputStream stream = this.getAssets().open("server.crt"); BufferedInputStream bis = new BufferedInputStream(stream); CertificateFactory cf = CertificateFactory.getInstance("X.509"); while (bis.available() > 0) { Certificate cert = cf.generateCertificate(bis); trustStore.setCertificateEntry("cert" + bis.available(), cert); } KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmfactory.init(trustStore, "1234".toCharArray()); TrustManagerFactory tmf=TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); tmf.init(trustStore); return new Pair<>(tmf, kmfactory); } catch (Exception e) { e.printStackTrace(); } return null; }
private SSLContext createServerSSLContext() { try { KeyStore ks = KeyStore.getInstance(keystoreType); ks.load(new FileInputStream(keystore), keystorePassword.toCharArray()); // Set up key manager factory to use our key store KeyManagerFactory kmf = KeyManagerFactory.getInstance(getAlgorithm()); kmf.init(ks, keystorePassword.toCharArray()); SSLContext serverContext = SSLContext.getInstance("TLS"); serverContext.init(kmf.getKeyManagers(), null, null); return serverContext; } catch (Exception e) { throw new Error("Failed to initialize the server-side SSLContext", e); } }
/** * 创建Http/Https请求对象 * @author Rocye * @param url 请求地址 * @param method 请求方式:GET/POST * @param certPath 证书路径 * @param certPass 证书密码 * @param useCert 是否需要证书 * @return Https连接 * @throws Exception 任何异常 * @version 2017.11.14 */ private HttpsURLConnection createRequest(String url, String method, String certPath, String certPass, boolean useCert) throws Exception{ URL realUrl = new URL(url); HttpsURLConnection connection = (HttpsURLConnection)realUrl.openConnection(); //设置证书 if(useCert){ KeyStore clientStore = KeyStore.getInstance("PKCS12"); InputStream inputStream = new FileInputStream(certPath); clientStore.load(inputStream, certPass.toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(clientStore, certPass.toCharArray()); KeyManager[] kms = kmf.getKeyManagers(); SSLContext sslContext = SSLContext.getInstance("TLSv1"); sslContext.init(kms, null, new SecureRandom()); connection.setSSLSocketFactory(sslContext.getSocketFactory()); } // 设置通用的请求属性 connection.setRequestProperty("Accept", "*/*"); connection.setRequestProperty("Connection", "Keep-Alive"); connection.setConnectTimeout(this.connectTimeout); connection.setReadTimeout(this.readTimeout); if("POST".equals(method)){ // 发送POST请求必须设置如下两行 connection.setDoOutput(true); connection.setDoInput(true); connection.setUseCaches(false); // 忽略缓存 connection.setRequestMethod("POST"); } return connection; }
public EventWebSocketSecureServer(int port, String keystorepath, String keystorepassword, InetAddress ip) { super(port, ip); try { SSLContext sslContext = SSLContext.getInstance("TLS"); char ksPassword[] = keystorepassword.toCharArray(); if (!keystorepath.equals("")) { KeyStore ks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream(new File(keystorepath)), ksPassword); KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks, ksPassword); TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); tmf.init(ks); sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); } else { sslContext.init(null, null, null); } this.setWebSocketFactory(new DefaultSSLWebSocketServerFactory(sslContext)); } catch (Exception e) { com.gmt2001.Console.out.println("Secure EventSocketServer failed: " + e); e.printStackTrace(); } }
public MusicWebSocketSecureServer(int port, String keystorepath, String keystorepassword, InetAddress ip) { super(port, ip); try { SSLContext sslContext = SSLContext.getInstance("TLS"); char ksPassword[] = keystorepassword.toCharArray(); if (!keystorepath.equals("")) { KeyStore ks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream(new File(keystorepath)), ksPassword); KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks, ksPassword); TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); tmf.init(ks); sslContext.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); } else { sslContext.init(null, null, null); } this.setWebSocketFactory(new DefaultSSLWebSocketServerFactory(sslContext)); } catch (Exception e) { com.gmt2001.Console.out.println("Secure EventSocketServer failed: " + e); e.printStackTrace(); } }
/** * Creates an SSLSocketFactory for HTTPS. * * Pass a KeyStore resource with your certificate and passphrase */ public static void configureSSL(String keyAndTrustStoreClasspathPath, char[] passphrase) throws IOException { try { // Android does not have the default jks but uses bks KeyStore keystore = KeyStore.getInstance("BKS"); InputStream keystoreStream = WebService.class.getResourceAsStream(keyAndTrustStoreClasspathPath); keystore.load(keystoreStream, passphrase); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(keystore); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keystore, passphrase); sslContext = SSLContext.getInstance("TLS"); sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null); sslServerSocketFactory = sslContext.getServerSocketFactory(); } catch (Exception e) { throw new IOException(e.getMessage()); } }
private KeyManagerFactory createAndInitKeyManagerFactory() throws Exception { X509Certificate certHolder = certificateConverter.getCertificate((X509CertificateHolder) readPEMFile(cert)); Object keyObject = readPEMFile(privateKey); char[] passwordCharArray = "".toCharArray(); if (!StringUtils.isEmpty(password)) { passwordCharArray = password.toCharArray(); } JcaPEMKeyConverter keyConverter = new JcaPEMKeyConverter().setProvider("BC"); KeyPair key; if (keyObject instanceof PEMEncryptedKeyPair) { PEMDecryptorProvider provider = new JcePEMDecryptorProviderBuilder().build(passwordCharArray); key = keyConverter.getKeyPair(((PEMEncryptedKeyPair) keyObject).decryptKeyPair(provider)); } else { key = keyConverter.getKeyPair((PEMKeyPair) keyObject); } KeyStore clientKeyStore = KeyStore.getInstance(KeyStore.getDefaultType()); clientKeyStore.load(null, null); clientKeyStore.setCertificateEntry("cert", certHolder); clientKeyStore.setKeyEntry("private-key", key.getPrivate(), passwordCharArray, new Certificate[] { certHolder }); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(clientKeyStore, passwordCharArray); return keyManagerFactory; }
public static SSLContext createSSLContext() { try { KeyStore keyStore = KeyStore.getInstance("JKS"); keyStore.load(new FileInputStream("A2KeyStore.jks"), "1234567890".toCharArray()); // Create key manager KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509"); keyManagerFactory.init(keyStore, "1234567890".toCharArray()); KeyManager[] km = keyManagerFactory.getKeyManagers(); // Create trust manager TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("SunX509"); trustManagerFactory.init(keyStore); TrustManager[] tm = trustManagerFactory.getTrustManagers(); // Initialize SSLContext SSLContext sslContext = SSLContext.getInstance("TLSv1.2"); sslContext.init(km, tm, null); return sslContext; } catch (Exception ex) { ex.printStackTrace(); } return null; }
/** * Returns SSLContext with TESTED_SECURITY_PROTOCOL protocol and * sets up keys. * * @return - SSLContext with a protocol specified by * TESTED_SECURITY_PROTOCOL. */ public static SSLContext getContext() { try { java.security.Security.setProperty( "jdk.tls.disabledAlgorithms", ""); java.security.Security.setProperty( "jdk.certpath.disabledAlgorithms", ""); KeyStore ks = KeyStore.getInstance("JKS"); KeyStore ts = KeyStore.getInstance("JKS"); char[] passphrase = PASSWD.toCharArray(); try (FileInputStream keyFileStream = new FileInputStream(KEY_FILE_NAME)) { ks.load(keyFileStream, passphrase); } try (FileInputStream trustFileStream = new FileInputStream(TRUST_FILE_NAME)) { ts.load(trustFileStream, passphrase); } KeyManagerFactory kmf = KeyManagerFactory.getInstance("SunX509"); kmf.init(ks, passphrase); TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509"); tmf.init(ts); SSLContext sslCtx = SSLContext.getInstance(TESTED_SECURITY_PROTOCOL); sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); return sslCtx; } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | UnrecoverableKeyException | KeyManagementException ex) { throw new Error("Unexpected exception", ex); } }
public SslClient build() { try { // Put the certificate in a key store. char[] password = "password".toCharArray(); KeyStore keyStore = newEmptyKeyStore(password); if (keyPair != null) { Certificate[] certificates = chainCertificates.toArray( new Certificate[chainCertificates.size()]); keyStore.setKeyEntry("private", keyPair.getPrivate(), password, certificates); } for (int i = 0; i < certificates.size(); i++) { keyStore.setCertificateEntry("cert_" + i, certificates.get(i)); } // Wrap it up in an SSL context. KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, password); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(keyStore); TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) { throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers)); } SSLContext sslContext = SSLContext.getInstance("TLS"); sslContext.init(keyManagerFactory.getKeyManagers(), trustManagers, new SecureRandom()); return new SslClient(sslContext, (X509TrustManager) trustManagers[0]); } catch (GeneralSecurityException gse) { throw new AssertionError(gse); } }
/** * Returns a trust manager that trusts {@code certificates} and none other. HTTPS services whose * certificates have not been signed by these certificates will fail with a {@code * SSLHandshakeException}. * * <p>This can be used to replace the host platform's built-in trusted certificates with a custom * set. This is useful in development where certificate authority-trusted certificates aren't * available. Or in production, to avoid reliance on third-party certificate authorities. * * <p>See also {@link CertificatePinner}, which can limit trusted certificates while still using * the host platform's built-in trust store. * * <h3>Warning: Customizing Trusted Certificates is Dangerous!</h3> * * <p>Relying on your own trusted certificates limits your server team's ability to update their * TLS certificates. By installing a specific set of trusted certificates, you take on additional * operational complexity and limit your ability to migrate between certificate authorities. Do * not use custom trusted certificates in production without the blessing of your server's TLS * administrator. */ private X509TrustManager trustManagerForCertificates(InputStream in) throws GeneralSecurityException { CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509"); Collection<? extends Certificate> certificates = certificateFactory.generateCertificates(in); if (certificates.isEmpty()) { throw new IllegalArgumentException("expected non-empty set of trusted certificates"); } // Put the certificates a key store. char[] password = "password".toCharArray(); // Any password will work. KeyStore keyStore = newEmptyKeyStore(password); int index = 0; for (Certificate certificate : certificates) { String certificateAlias = Integer.toString(index++); keyStore.setCertificateEntry(certificateAlias, certificate); } // Use it to build an X509 trust manager. KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance( KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, password); TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(keyStore); TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) { throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers)); } return (X509TrustManager) trustManagers[0]; }
private static KeyManager[] prepareKeyManager(InputStream bksFile, String password) { try { if (bksFile == null || password == null) return null; KeyStore clientKeyStore = KeyStore.getInstance("BKS"); clientKeyStore.load(bksFile, password.toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(clientKeyStore, password.toCharArray()); return kmf.getKeyManagers(); } catch (Exception e) { OkLogger.printStackTrace(e); } return null; }
private static KeyManager[] prepareKeyManager(InputStream bksFile, String password) { try { if (bksFile == null || password == null) { return null; } KeyStore clientKeyStore = KeyStore.getInstance("BKS"); clientKeyStore.load(bksFile, password.toCharArray()); KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(clientKeyStore, password.toCharArray()); return kmf.getKeyManagers(); } catch (Exception e) { OkLogger.printStackTrace(e); } return null; }
/** * Creates an SSLSocketFactory for HTTPS. Pass a loaded KeyStore and a * loaded KeyManagerFactory. These objects must properly loaded/initialized * by the caller. */ public static SSLServerSocketFactory makeSSLSocketFactory(KeyStore loadedKeyStore, KeyManagerFactory loadedKeyFactory) throws IOException { try { return makeSSLSocketFactory(loadedKeyStore, loadedKeyFactory.getKeyManagers()); } catch (Exception e) { throw new IOException(e.getMessage()); } }
