Load CA root certificate at runtime in Java

Hexaholic picture Hexaholic · Sep 29, 2015 · Viewed 10.3k times · Source

tl;dr: Using custom CA without adding it to persistent keystore.

I am writing a Java application that should connect to a remote server using HTTPS. The code for the connection is ready, however the SSL certificate of the server was signed by StartSSL, which is not in Java's CA root cert store.

Using this code, I get valid certificate information from websites like https://www.google.com/:

Response Code : 200
Cipher Suite : TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

Cert Type : X.509
Cert Hash Code : -1643391404
Cert Public Key Algorithm : RSA
Cert Public Key Format : X.509

Cert Type : X.509
Cert Hash Code : 771393018
Cert Public Key Algorithm : RSA
Cert Public Key Format : X.509

Cert Type : X.509
Cert Hash Code : 349192256
Cert Public Key Algorithm : RSA
Cert Public Key Format : X.509

The same code throws a SSLHandshakeException for my domain (let's call it https://www.example.com/).

Of course I could manually add the certificate to the keystore using keytool (maybe even with Runtime.exec("keytool ...")), but this is way to dirty. What I am planning now is to add the StartSSL root certificate to my application files for distribution and then loading it into some temporary keystore at runtime. This way the "real" keystore remains untouched.

From what I have read here and here, I will have to mess with some classes like TrustManager. I even found a way to completely turn off the validation, but this is not what I want since it seems to eliminate the whole purpose of encrypted communication.

I even found some lines of code that seem to do exactly what I want, but I cannot figure out how to call this method i.e. which values to pass as arguments:

public class SSLClasspathTrustStoreLoader {
    public static void setTrustStore(String trustStore, String password) throws Exception {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream keystoreStream = SSLClasspathTrustStoreLoader.class.getResourceAsStream(trustStore);
        keystore.load(keystoreStream, password.toCharArray());
        trustManagerFactory.init(keystore);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        SSLContext sc = SSLContext.getInstance("SSL");
        sc.init(null, trustManagers, null);
        SSLContext.setDefault(sc);
    }
}

Has anyone been in a similar situation before? I will appreciate any advice on how to handle this problem. If you could even help me to get the above code running, I'd be really happy!

Answer

Boris picture Boris · Sep 29, 2015

You will need to create a custom TrustStore as you already found. In addition to this, you will need to create a custom SSL socket factory which uses the custom trust manger you mentioned, and register it with the HTTP framework you are using. Details really depends on the framework of your choice.

Nothing wrong with adding a certificate to a default key store using keytool utility. You might find there are more than a single certificate is needed. If this is a case, you have to make sure whole Java application is using the same key store as a single source of truth. It might get very hairy if you use multiple key stores within the same application.

Hope this helps.