advertisement
javaboutique
Search Tips
Articles  |   Tutorials  |   Reviews  |   Tools  |   by Category  |   by Date  |   by Name  |   Submit  |   Source  |   Forums  |  
javaboutique
Browse DevX


Partners & Affiliates


advertisement

Tutorials : Customize Your JSSE Key and Trust Material Managers :

The X509KeyManager

The X509KeyManager interface is an extension of the KeyManager interface and is dedicated for working with X.509 certificates. When you want to be sure that the authentication "package" sent to the peer is based on X.509 certificates, provide a X509KeyManager object to the current SSLContext.

In this section, you will see how to customize the default implementation of this interface. Here are the methods you will need to implemented:

  • String[] getClientAliases(String keyType,Principal[] CA): This methods returns an array of strings that represents the aliases of the entries from a keystore. All these entries respect the public key type indicated by the keyType argument (like RSA, DSA) and they fit into the list of certificate issuer authorities recognized by the peer. This method is called for the client side. If there is no match, the method returns null.

  • String[] getServerAliases(String keyType, Principal[] CA): This method is identical with the above one, but it is called for the server side.

  • String chooseClientAlias(String[] keyType, Principal[] CA, Socket socket): This method is called for the client and returns the alias name for the desired key, or null if there are no matches. The match is based on:
    • keyType: The key algorithm type name/names, ordered with the most-preferred key type first.

    • CA: The list of acceptable CA issuer subject names or null if it does not matter which issuers are used.

    • socket: The socket to be used for this connection. This parameter can be null, which indicates that implementations are free to select an alias applicable to any socket.

  • String chooseServerAlias(String keyType, Principal[] CA,Socket socket): This method is identical with the above one, but it is called for the server side.

  • X509Certificate[] getCertificateChain(String alias): This method returns the chain of certificates for the alias alias. If this alias can't be found that the method returns null.
Listing 5 is an example implementation of the X509KeyManager interface. This implementation is for the server-side and it allows you to choose the entry from the current keystore. This operation is automatically done by the key manager. You can use this example in a real application for testing your authentication "packages."

To send an instance of this class to the current SSLContext on the server-side, the code from Listing 3's SSLServerSide.java has been modified to that shown in Listing 6.


Figure 3. Select a entry from a keystore.

The X509TrustManager

The X509TrustManager interface is an extension of the TrustManager interface and is dedicated for authentication of the X.509 certificates. When you want to be sure that you are using this kind of authentication, provide a X509TrustManager object to the current SSLContext.

In this section, you'll see how to customize the default implementation of this interface. These are the methods that must be implemented:

  • void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException: This method receives the chain of certificates (the chain argument) from the peer and verifies whether the chain can be validated. The authentication type is determined by the actual certificate used (the authType argument). If the chain of certificates can't be validated, the method throws a CertificateException exception.

  • void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException: This is similar to the pervious method, but the authentication type is the key exchange algorithm portion of the cipher suites, represented as a String. If the chain of certificates can't be validated, the method throws a CertificateException exception.

  • X509Certificate[] getAcceptedIssuers(): This method returns an array of certificate authority certificates Certificate Authorities (CAs).
Listing 7 is an example implementation of the X509TrustManager interface. This implementation is for the client-side and it allows you to validate a certificate that was automatically rejected by the TrustManager. When a certificate is invalid, the entire chain is rejected and communication is shut off, by default. With this implementation, you can continue to communicate with the peer—even if the authentication wasn't very correct.

To use this implementation, you have to provide an instance of it to the SSLContext context of the client. The SSLClientSide.java from Listing 3 has been modified in Listing 8.


Figure 4. Decide if a certificate should be accepted or rejected.

Deactivating the Validation of Certificates

The above section showed you how to develop an implementation of the X509TrustManager interface in order to validate certificates—a process that depends on user decisions. Now, let's go beyond that and develop an implementation of the X509TrustManager that deactivates the validation of certificates. This implementation will automatically accept any certificate—even if it's invalid.

This a very simple operation. All you have to do is to create a class that implements the X509TrustManager interface and overrides the methods of it with blank code, as shown in Listing 9.

The client application can then use this trust manager: 


…
TrustManager[] queryX509=null;
SSLContext ClientContext=null;
…
try{
   NoValidationX509TrustManager NVX509TM=new NoValidationX509TrustManager();
   queryX509=new TrustManager[]{NVX509TM};
   }catch(java.lang.Exception e)
      {System.out.println("Error:"+e.getMessage());}
        
  //initialize the above SSLContext  
  try{
     ClientContext.init(null, queryX509, null);
     }catch(java.security.KeyManagementException e)
        {System.out.println("Error:"+e.getMessage());}
…

Customization Equals Control

When you develop applications using JSSE, it's very important to know how to customize the default implementation— it's an important skill that can help you create "administrator" applications for your keys and certificates, debuggers for a "handshake" mechanism, or to change your policy of authentication from a permissive level to a very strict level. You can see and control exactly the flow of the authentication before of transmitting any important information.

Home / Articles / Customize Your JSSE Key and Trust Material Managers / 1 / 2 / 3 / 4/

How to Add Java Applets to Your Site

New on the Java Boutique:

New Review:

Time Management Made Easy with the Quartz Enterprise Job Scheduler
Why not just use the Java timer API? This open source scheduling API boasts simplicity, ease-of-integration, a well-rounded feature set, and it's free!

New Applet:

Reverse Complement
Reverse Complement is a simple applet that converts DNA or RNA sequences into three useful formats.

Elsewhere on internet.com:

WebDeveloper Java
Lots of Java information on webdeveloper.com

WDVL Java
Thorough Java resource at the Web Developer's Virtual Library.

ScriptSearch Java
Hundreds of free Java code files to download.

jGuru: Your View of the Java Universe
Customizable portal with online training, FAQs, regular news updates, and tutorials.

 Avaya DevConnect Center
 Service Component Architecture/Service Data Objects Solution Center
 Intel Go Parallel Portal
 Internet.com eBook Library
 IBM Software Construction Toolbox
 Microsoft RIA Development Center
 Destination .NET
XML error: not well-formed (invalid token) at line 53
advertisement
Receive Articles via our XML/RSS feed
Receive Articles via our XML/RSS feed

JavaBytes
Internet Cyclone
This powerful, easy-to-use, internet optimizer is for Windows 95, 98, ME, NT, 2000 and XP. It's designed to automatically optimize your Windows settings, boosting your Internet connection up to 200%.

Red Hat Takes on HPC Market, Microsoft
Python's New Release Bridges the Gap
No Flash Seen on iPhone Horizon
Apple Yields to Complaints Over iPhone NDA
Microsoft Shows Some Ankle With Visual Studio
Gentoo Linux Cancels Distribution
It's Official: Windows 7 at PDC, WinHEC
Oracle Keeps Building on Spoils From BEA
Intel, Oracle Head For 'The Cloud'
Oracle Focuses on Grid, Developer Tools

eCryptfs: Single-File Encryption in Linux
CCXML in Action: A CCXML Auto Attendant
Ballmer: Current Woes Won't Halt Tech, Microsoft
Microsoft Uses VMworld to Hype Its Hypervisor
Microsoft Charges Ahead in Virtualization
Microsoft Shows Some Ankle With Visual Studio
Top 5 Reasons to Adopt SQL Server 2008
Make Application Development Easy With Software Plus Services
SharePoint Applied: 10 Things You Wish They Had Told You?Part 2
Introducing Zend_Search_Lucene

Advertising Info  |   Member Services  |   Contact Us  |   Help  |   Feedback  |   Site Map  |   Network Map  |   About



JupiterOnlineMedia

internet.comearthweb.comDevx.commediabistro.comGraphics.com

Search:

Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia

Jupitermedia Corporate Info


Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.

Advertise | Newsletters | Tech Jobs | Shopping | E-mail Offers
Solutions
Whitepapers and eBooks
IBM Whitepaper: Innovative Collaboration to Advance Your Business
Internet.com eBook: Real Life Rails
Avaya Article: Call Control XML - Powerful, Standards-Based Call Control
Internet.com eBook: The Pros and Cons of Outsourcing
Go Parallel Article: Scalable Parallelism with Intel(R) Threading Building Blocks
Internet.com eBook: Best Practices for Developing a Web Site
IBM CXO Whitepaper: The 2008 Global CEO Study "The Enterprise of the Future"
Avaya Article: Call Control XML in Action - A CCXML Auto Attendant
Go Parallel Article: James Reinders on the Intel Parallel Studio Beta Program
IBM CXO Whitepaper: Unlocking the DNA of the Adaptable Workforce--The Global Human Capital Study 2008
Adobe Acrobat Connect Pro: Web Conferencing and eLearning Whitepapers
Go Parallel Article: Getting Started with TBB on Windows
HP eBook: Storage Networking , Part 1
MORE WHITEPAPERS, EBOOKS, AND ARTICLES
Webcasts
Go Parallel Video: Intel(R) Threading Building Blocks: A New Method for Threading in C++
HP Video: Is Your Data Center Ready for a Real World Disaster?
Microsoft Partner Portal Video: Microsoft Gold Certified Partners Build Successful Practices
HP On Demand Webcast: Virtualization in Action
Go Parallel Video: Performance and Threading Tools for Game Developers
 Rackspace Hosting Center: Customer Videos
Intel vPro Developer Virtual Bootcamp
HP Disaster-Proof Solutions eSeminar
HP On Demand Webcast: Discover the Benefits of Virtualization
MORE WEBCASTS, PODCASTS, AND VIDEOS
Downloads and eKits
Microsoft Download: Silverlight 2 Software Development Kit Beta 2
30-Day Trial: SPAMfighter Exchange Module
Red Gate Download: SQL Toolbelt
Iron Speed Designer Application Generator
Microsoft Download: Silverlight 2 Beta 2 Runtime
MORE DOWNLOADS, EKITS, AND FREE TRIALS
Tutorials and Demos
IBM IT Innovation Article: Green Servers Provide a Competitive Advantage
Microsoft Article: Expression Web 2 for PHP Developers--Simplify Your PHP Applications
 Featured Algorithm: Intel Threading Building Blocks - parallel_reduce
MORE TUTORIALS, DEMOS AND STEP-BY-STEP GUIDES