
@drmalex07
Last active November 2, 2023 17:10
Create a new Java keystore. Add your trusted certificates. #java #jks #certificate #ssl #keystore

Create Java keystore

  1. Create a new Java keystore as a clone of the default keystore (if one exists)
  2. Add your trusted certs using -trustcacerts
  3. Pass your keystore to the runtime environment of your JVM (-Dname=value or via some *.properties file) using the proper values for the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword parameters. Note that a value passed with -D is visible to other users of the host through the process list, so prefer a properties file with restricted permissions outside of local testing.

Create a new keystore "keystore.jks" holding only a dummy (self-signed) entry (you will be prompted for a password):

keytool -genkey -keyalg RSA -keystore keystore.jks -keysize 2048

Add a trusted certificate as a CA certificate (e.g. apps.dev.olomeleia.gr):

keytool -import -trustcacerts -alias root1 -keystore keystore.jks -file apps.dev.olomeleia.gr.crt

List entries in keystore:

keytool -list -keystore keystore.jks

Run your tests to ensure that the SSL handshake completes successfully:

java -Djavax.net.ssl.trustStore=/var/local/certs/keystore.jks -Djavax.net.ssl.trustStorePassword=qaz123 TestUrl
import java.io.InputStreamReader;
import java.io.Reader;
import java.io.BufferedReader;
import java.io.InputStream;
import java.net.URL;
import java.net.URLConnection;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
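public class TestSkipValidation
{
    /** Number of response lines echoed to stdout before the rest of the body is discarded. */
    static final int MAX_RESPONSE_LINES = 10;

    // JVM-wide defaults captured in main() before any test request runs, so that
    // requestWithValidation() can put them back. Both stay null until main() runs.
    private static SSLSocketFactory default_factory = null;
    private static HostnameVerifier default_hostname_verifier;

    /**
     * Trust manager that accepts every certificate chain without inspecting it.
     *
     * <p>It exists only so the "without validation" request can tell a trust-store
     * problem apart from a connectivity problem. With it in place the peer is not
     * authenticated at all, so {@link #requestWithoutValidation} applies it to a
     * single connection and never leaves it as the process-wide default.
     */
    private static class DummyTrustManager implements X509TrustManager
    {
        // The X509TrustManager contract requires a non-null array here; returning
        // null can cause a NullPointerException inside the TLS implementation.
        @Override
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) {}

        @Override
        public void checkServerTrusted(X509Certificate[] certs, String authType) {}
    }

    /** Hostname verifier that accepts any hostname; same caveat as {@link DummyTrustManager}. */
    private static class DummyHostnameVerifier implements HostnameVerifier
    {
        @Override
        public boolean verify(String hostname, SSLSession session) {
            return true;
        }
    }

    /**
     * Entry point: fetches the given https URL twice, first with certificate and
     * hostname checks disabled, then with the JVM's normal checks.
     *
     * @param args a single argument, the https URL to test
     * @throws Exception on any I/O or TLS failure; left to propagate so the
     *     handshake error is visible on the console
     */
    public static void main(String[] args) throws Exception
    {
        if (args.length == 0) {
            System.out.println("Usage: java TestSkipValidation <https-url>");
            return;
        }
        String request_url = args[0];
        System.out.println("Testing on: "+request_url);

        // Snapshot the defaults so requestWithValidation() can restore them.
        default_factory = HttpsURLConnection.getDefaultSSLSocketFactory();
        default_hostname_verifier = HttpsURLConnection.getDefaultHostnameVerifier();

        System.out.println(" --- Req #1 (without validation) ---");
        requestWithoutValidation(request_url);
        System.out.println(" --- Req #2 (with validation) ---");
        requestWithValidation(request_url);
    }

    /**
     * Fetches {@code request_url} with the JVM's default SSL socket factory and
     * hostname verifier, i.e. validated against the configured trust store.
     *
     * @param request_url URL to fetch
     * @throws Exception if the connection or the handshake fails
     */
    public static void requestWithValidation(String request_url) throws Exception
    {
        // Restore the defaults captured in main(). The null guards matter when this
        // method is called on its own: setDefaultSSLSocketFactory(null) throws.
        if (default_factory != null) {
            HttpsURLConnection.setDefaultSSLSocketFactory(default_factory);
        }
        if (default_hostname_verifier != null) {
            HttpsURLConnection.setDefaultHostnameVerifier(default_hostname_verifier);
        }
        URL url = new URL(request_url);
        URLConnection con = url.openConnection();
        consumeInput(con);
    }

    /**
     * Fetches {@code request_url} with certificate-chain and hostname validation
     * disabled for this one connection only.
     *
     * <p>The all-trusting manager and verifier are set on the individual
     * {@link HttpsURLConnection} instead of being installed as JVM-wide defaults,
     * so no other connection opened by this process inherits the disabled checks.
     * A non-https URL is fetched unchanged.
     *
     * @param request_url URL to fetch
     * @throws Exception if the connection fails
     */
    public static void requestWithoutValidation(String request_url) throws Exception
    {
        TrustManager[] dummy_manager = new TrustManager[] {
            new DummyTrustManager()
        };
        // "TLS" is the standard context name; "SSL" is a legacy alias.
        SSLContext ssl_context = SSLContext.getInstance("TLS");
        ssl_context.init(null, dummy_manager, new java.security.SecureRandom());

        URL url = new URL(request_url);
        URLConnection con = url.openConnection();
        if (con instanceof HttpsURLConnection) {
            HttpsURLConnection https = (HttpsURLConnection) con;
            https.setSSLSocketFactory(ssl_context.getSocketFactory());
            https.setHostnameVerifier(new DummyHostnameVerifier());
        }
        consumeInput(con);
    }

    /**
     * Reads the response body of {@code con}, prints at most
     * {@link #MAX_RESPONSE_LINES} lines of it and closes the stream, also when
     * reading fails.
     *
     * @param con an opened connection whose input stream has not been read yet
     * @throws Exception if reading the response fails
     */
    private static void consumeInput(URLConnection con) throws Exception
    {
        // Explicit charset: the platform default differs between hosts.
        try (InputStream istr = con.getInputStream();
             BufferedReader inp1 = new BufferedReader(new InputStreamReader(istr, "UTF-8"))) {
            System.out.println(" -- Start Response (" + MAX_RESPONSE_LINES + " lines) --");
            printLines(inp1, MAX_RESPONSE_LINES);
            System.out.println(" -- End Response --");
        }
    }

    /**
     * Echoes up to {@code limit} lines from {@code reader} to stdout.
     *
     * @param reader source of lines; not closed by this method
     * @param limit maximum number of lines to print; zero or negative prints nothing
     * @return the number of lines actually printed
     * @throws java.io.IOException if reading fails
     */
    static int printLines(BufferedReader reader, int limit) throws java.io.IOException
    {
        int printed = 0;
        String line;
        while (printed < limit && (line = reader.readLine()) != null) {
            System.out.println(line);
            printed++;
        }
        return printed;
    }
}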
import java.net.*;
import java.io.*;
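public class TestUrl
{
    /**
     * Fetches the URL given as the first argument with the JVM's default
     * (validating) TLS settings and echoes the response body to stdout.
     *
     * <p>A failed handshake surfaces as the exception thrown by
     * {@code getInputStream()}; it is deliberately left to propagate so the
     * cause is visible on the console.
     *
     * @param args a single argument, the URL to fetch
     * @throws Exception on any I/O or TLS failure
     */
    public static void main(String[] args) throws Exception
    {
        if (args.length == 0) {
            System.out.println("Usage: java TestUrl <url>");
            return;
        }
        URL url1 = new URL(args[0]);
        URLConnection conn1 = url1.openConnection();
        // Explicit charset, and try-with-resources closes the stream even when
        // reading fails part-way through.
        try (BufferedReader inp1 = new BufferedReader(
                new InputStreamReader(conn1.getInputStream(), "UTF-8"))) {
            System.out.println(" -- Start Response --");
            String line;
            while ((line = inp1.readLine()) != null) {
                System.out.println(line);
            }
            System.out.println(" -- End Response --");
        }
    }
}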