How to find current truststore on disk programatically?

user93353 picture user93353 · Dec 1, 2012 · Viewed 18.5k times · Source

Is there any function which tells me what's the current truststore being used in my program. On windows, the default trust store is at JAVA_HOME\lib\security\cacerts.

However, the default can be changed in a variety of ways.

  • Using -Djavax.net.ssl.keyStore in the command line

  • Using Keystore class.

  • If the program is running on an App Server under which the application runs may set the store path through it's panel.

  • If the program is running on Tomcat, then Tomcat settings may change the truststore.

and many other ways.

Is there a programmatic way by which I can find out the disk path of the truststore which is currently active?

Answer

Bruno picture Bruno · Dec 1, 2012

Generally speaking, you can't (this is quite similar to this question).

In the JSSE API, trusting a certificate isn't actually determined by a trust store, but by a TrustManager. Whilst it's often initialised with a keystore (the truststore), this is not necessary. In addition, the keystores themselves don't have to be files. There is nothing in the default trust manager API that lets you check where and how a potential trust store was used.

There isn't even anything in the SSLSocket that lets you get back to its SSLSocketFactory, and nothing there that lets you get back to its originating SSLContext, and nothing there that lets you get the trust managers.

Which truststore/trust manager is currently active also depends very much on the application. Nothing tells you in general that the connections an application is making are using the default SSLContext, which can be initialised by the javax.net.ssl.* system properties. Applications are free to initialise their own SSLContexts to create their sockets (this is what Tomcat do for its connectors when you specify certain values).

Since Java 6, the default (current) SSLContext can also be changed globally (via SSLContext.setDefault(...).

You can find what's being used by default from the JSSE Reference Guide. The rest will depend on the documentation of each application. Using -Djavax.net.debug=SSL,trustmanager may help if you need, but this isn't API access.

(By the way, -Djavax.net.ssl.keyStore will set up the keystore for the default key manager, not the trust store.)