
Re: [iaik-jce] untrusted server cert chain



Hi Jarek,

Try this example:

// Imports added; this is the JSSE 1.0.x API (com.sun.net.ssl) used by the
// original snippet, where the trust manager returns boolean from isServerTrusted.
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import javax.net.ssl.SSLSocketFactory;
import com.sun.net.ssl.HttpsURLConnection;
import com.sun.net.ssl.KeyManager;
import com.sun.net.ssl.SSLContext;
import com.sun.net.ssl.TrustManager;
import com.sun.net.ssl.X509TrustManager;

public class FetchPage
{
 public static void main(String[] args)
 {
  String page = "https://..."; //any https link
  String str;
  try
   {//Connect secure
    // Registers the JSSE 1.0.x https: protocol handler (assumed needed on JDK 1.2).
    System.setProperty("java.protocol.handler.pkgs",
                       "com.sun.net.ssl.internal.www.protocol");
    X509TrustManager tm = new MyX509TrustManager();
    KeyManager[] km = null;       // no client certificate is presented
    TrustManager[] tma = {tm};
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(km, tma, new java.security.SecureRandom());
    SSLSocketFactory sf1 = sc.getSocketFactory();
    HttpsURLConnection.setDefaultSSLSocketFactory(sf1);
    //Read page
    URL verisign = new URL(page);
    BufferedReader in = new BufferedReader(
        new InputStreamReader(verisign.openStream()));
    while ((str = in.readLine()) != null)
    {System.out.println(str);
    }
   }
  catch (Exception e)
   {System.err.println("Exception " + e);
   }
 }
}

// Accepts every certificate chain without examining it. This makes the
// "untrusted server cert chain" error go away by disabling server
// authentication altogether: the connection is encrypted, but the peer
// is never verified and no issuer list is returned to the handshake.
class MyX509TrustManager implements X509TrustManager
{
 public boolean isClientTrusted(java.security.cert.X509Certificate[] chain)
 {return true;   // any client chain accepted
 }
 public boolean isServerTrusted(java.security.cert.X509Certificate[] chain)
 {return true;   // any server chain accepted, including self-signed ones
 }
 public java.security.cert.X509Certificate[] getAcceptedIssuers()
 {return null;   // no trusted issuers are advertised
 }
}

Regards,

Rajesh

Jarogniew Rykowski wrote:
> 
> Hi,
> I saw your message on IAIK mail archive. Unfortunately, I could not join the
> real-live disscussion - I've found only this archive and there is not an URL
> of the news group inside the messages.
> 
> I've got the same problem. Could you send me any information about responses
> to your mail or how to join your news discussion?
> 
> I've found that the servers signed by VeriSign work correctly. The reason
> lies in the ...\jdk1.2.x\bin\jre\lib\security\cacerts file, which has only the
> trusted keys for VeriSign, and not for other CAs. Do you know the way to add
> any trusted certificate to this file? Once I tried to create my own keystore
> (i.e., "cacerts") file, I got an error:
> keytool -keystore ...\my_keyfile -import -file e:sample.cer -alias sample
> Enter keystore password:  ****
> keytool error: Signature not available
> 
> I've tried with several certificates (VeriSign, Thawte), both got from their
> sites or exported from Internet Explorer. No success...
> 
> If you do not know the answers to my questions, feel free to send my mail to
> your discussion group and/or send me a URL of this group.
> 
> Regards
> 
> Jarek
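For contrast with the trust-all manager in the reply above, here is the approach that actually answers Jarek's question of adding a CA to a trusted keystore: an added example, not code from either mail, written against the current javax.net.ssl API (not the JSSE 1.0.x com.sun.net.ssl classes). The file name my_truststore.jks, the alias, and the password "changeit" are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class TrustStoreExample {
    // Truststore populated beforehand with (placeholder file names):
    //   keytool -importcert -keystore my_truststore.jks -alias sample -file sample.cer
    static X509TrustManager trustManagerFor(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);            // only the certificates imported here are trusted
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager built from " + path);
    }

    // True only if the presented chain validates against the truststore.
    // The trust-all manager in the mail above returns true unconditionally,
    // so it authenticates no server at all.
    static boolean chainIsTrusted(X509TrustManager tm, X509Certificate[] chain, String authType) {
        try {
            tm.checkServerTrusted(chain, authType);   // throws when the chain is untrusted
            return true;
        } catch (CertificateException e) {
            System.err.println("rejected: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509TrustManager tm = trustManagerFor("my_truststore.jks", "changeit".toCharArray());
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, new TrustManager[] { tm }, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
        // https: URLs opened via URL.openStream() are now validated against
        // my_truststore.jks instead of being accepted blindly.
    }
}
```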