We use Java to implement SSL security connections. When you encounter untrusted certificates, pop up a dialog box, let users choose whether to trust the site, trust, to import the certificate provided by this site into the local certificate library.
In order to achieve this, we need to overload the X509TrustManager class
StoreCertTrustManager.java ------------------------------------------------------------------------------------- ------------------------------------- Import java.io. *; import java.awt. *; import java.awt.event. *; import java.util. *; import java.security. *; import java.security.cert. *; import javax.swing. *; import javax.swing.border. *; import javax.swing.event *;. import javax.net.ssl *;... / *** This class implements a TrustManager for authenticating the servers certificate * It enhances the default behaviour * / class StoreCertTrustManager implements X509TrustManager {/ ** The trustmanager instance used to delegate to default behaviour * / private TrustManager tm = null;. / ** Password for own keystore * / private final char [] keyStorePassword = new String ( "changeit") toCharArray ();. / ** Path to own keystore Store it into the home directory to avoid permission problems * / private final String keyStorePath = System.getProperty ( "user.home") "/ https-keystore";.. / ** The stream for reading from the keystore . * / Fileinputstream = null; / ** THE INS tance of the keystore * / private KeyStore keyStore = null; / *** Creates a TrustManager which first checks the default behaviour of the X509TrustManager * If the default behaviour throws a CertificateException ask the user if the certificate * should be declared trustable *.. * @throws Exception: If SSL - initialization failed * / StoreCertTrustManager () throws Exception {/ * Try to set the truststore system property to our keystore * if we have the appropriate permissions * / try {File httpsKeyStore = new File (keyStorePath.. ); if (httpskeystore.exists () == true) {System.SetProperty ("javax.net.ssl.truststore", KeyStorePath;
}} Catch (SecurityException se) {} / * Create the TrustManagerFactory We use the SunJSSE provider * for this purpose * / TrustManagerFactory tmf = TrustManagerFactory.getInstance ( "SunX509", "SunJSSE");.. Tmf.init ((java. security.KeyStore) null); tm = tmf.getTrustManagers () [0]; / * Something failed we could not get a TrustManager instance * / if (tm == null) {throw new SSLException ( "Could not get default TrustManager. instance ");.} / * Create the file input stream for the own keystore * / try {keyStoreIStream = new FileInputStream (keyStorePath);.} catch (FileNotFoundException fne) {// If the path does not exist then a null stream means // the keystore is initialized empty If an untrusted // certificate chain is trusted by the user, then it will be // saved in the file pointed to by keyStorePath.keyStoreIStream = null;.} / * Now create the keystore * /. try {keyStore = KeyStore.getInstance (KeyStore.getDefaultType ()); keyStore.load (keyStoreIStream, keyStorePassword);} catch (KeyStoreException ke) {System.out.println ( "Loading of https keystore from file < " keyStorePath "> failed error message: " ke.getMessage ()); keyStore = null;}} / *** Authenticates a client certificate For we do not need that case only implement the.. * default behaviour ** @param chain In:. The certificate chain to be authenticated * @param authType In:.. The key exchange algorithm * / public void checkClientTrusted (X509Certificate [] chain, String authType) throws CertificateException {((X509TrustManager) TM) .CheckclientTrusted (chain, authtype);} / *** Authenticates a server certificate. if the given certificate is untrusted ask the * user WHETHER TO Proceed or not. ** @
param chain In: The certificate chain to be authenticated * @param authType In:.. The key exchange algorithm * / public void checkServerTrusted (X509Certificate [] chain, String authType) throws CertificateException {/ * Output the certifcate chain for debugging purposes * / System.out.println ("Got X509 Certificate from Server:"); for (int i = 0; i }} Catch (Exception ge) {/ * Got an unexpected exception so throw the original exception * / System.out.println ( "in checkServerTrusted: got exception type:". Ge.getClass () "message:" ge .getMessage ()); throw ce;}}} / *** Merges the system wide accepted issuers and the own ones and * returns them ** @return:.. Array of X509 certificates of the accepted issuers * / public java. security.cert.X509Certificate [] getAcceptedIssuers () {(tm (X509TrustManager)) X509Certificate [] cf = .getAcceptedIssuers (); X509Certificate [] allCfs = cf; if (! keyStore = null) {try {Enumeration ownCerts = keyStore.aliases (); Vector certsVect = new Vector (); while (ownCerts.hasMoreElements ()) {Object cert = ownCerts.nextElement (); certsVect.add (keyStore.getCertificate (cert.toString ()));} int newLength = cf .ley (); allcfs = new x509certificate [newLength]; itrator it = ceertsvect.iterator (); for (int i = 0; i private final String certParms [] = { "Version", "Serial Number", "Signature Algorithm", "Issuer", "Validity Period", "Subject", "Signature", "Certificate Fingerprint"}; private X509Certificate [] chain ; private int chainIdx = 0; / *** Creates an instance of the class and stores the certificate to show internally ** @param chain In: The certificate chain to show * / AskForTrustability (X509Certificate [] chain) {this... chain = chain;} / *** This method shows a dialog with all interesting information of the certificate and * asks the user if the certificate is trustable or not This method blocks until * the user presses the 'Yes' or 'No'. . button ** @return: true: The certificate chain is trustable * false: The certificate chain is not trustable * / public boolean showCertificateAndGetDecision () {if (chain == null || chain.length == 0) {return false; } Trust = New JDIALOG ((Frame) NULL, "Untrusted Server Certificate for SSL Connection", TRUE); Container Cont = Trust.getContentPane (); GridbagLayout GL = New GridbagLayout (); Cont.set Layout (GL); JPANel Plabel = New JPanel (New BorderLayout ()); icon icon = UIManager.Geticon ("optionpane.warningicon"); Plabel.Add (New Jlabel (icon), BorderLayout.west); Jtextarea label = new Jtextarea ("THE CERTIFICATE SENT BY THE Server IS Unknown and not trustable! / N" "Do you want to thing limited server? / N / n" "NOTE: if you answer 'yes' the CERTIFICATE Will be stored in the file / n / n " keystorepath " / n / n " " and the next time treated trustable automaticly. if you want to remove / n " " the certificate delete the file or use keytool to remove certificates / n " " selectively ");. label.setEditable (false); label.setBackground (cont.getBackground ());. label.setFont (label.getFont () deriveFont (Font.BOLD)); pLabel.add (label, BorderLayout.EAST); GridBagConstraints gc = new GridBagConstraints (); gc.fill = GridBagConstraints.HORIZONTAL; gl.setConstraints (pLabel, gc); pLabel.setBorder (new EmptyBorder ( 4, 4, 4, 4)); cont.add (plab); vector choices = new vector (); for (int i = 0; i certValues.setLineWrap (true); certValues.setWrapStyleWord (true); JPanel pVals = new JPanel (new BorderLayout ()); pVals.add (certValues); pVals.setBorder (new TitledBorder (new EtchedBorder (), "Variable value") ); gc = new gridbagconstraints (); gc.insets = new INSETS (4, 4, 4, 4); gc.weightx = 1.0; gc.weighty = 1.0; gc.fill = gridbagconstros.both; gc.gridy = 3 Gl.SetConstraints (PVALS, GC); Cont.Add (pvals); JPANEL P = New jPanel (); Yes.AddActionListener (this); No.AddActionListener (this); p.Add (YES); P.ADD ( NO); gc = new gridbagconstraints (); gc.weightx = 1.0; gc.fill = gridbagconstraints.horizontal; gc.gridy = 4; gl.SetConstraints (p, gc); Cont.Add (p); // this SHOULD be the subject itemcertItems.setSelectedIndex (5); certItems.requestFocus (); trust.pack (); trust.setSize (500,600); trust.setVisible (true); return isTrusted;} / *** Listener method for changin the contents . of the JTextArea according to the * selected list item * / public void valueChanged (ListSelectionEvent e) {if (e.getValueIsAdjusting ()) {return;} JList theList = (JList) e.getSource (); if (theLi St.isSselectionEmpty ()) {CERTVALUES.SETTEXT ("");} else {string sell selval = thelist.getSelectedValue (). Tostring (); if (SelVal.equals ("Version") == true) {CertVales.setText String.valueof (chain));} else if ("serial number" == true) {CERTVALUES.SETTEXT (ByteArrayToHex (chain [chainidx] .getserialNumber (). TobyTearray )))));} else if ("SiGNature Algorithm") == true) {CHAINIDX] .GetsigalgName ());} else if (SelVal.equals ("Issuer") == True) {CERTVALUES.SETTEXT (chain [chainidx] .GetissuerDn (). getname ());} else if (SelVal.equals ("Validity Period) == True) {CHAINIDX] .GETNOTBEFORE (). Tostring () "-" chain [chainidx] .GetNotAfter (). Tostring ();} else if (SELVAL.EQUALS ("SELVAL.EQUALS (" Subject ") == True) {CERTVALUES.SETTEXT (chain [chainidx] .Getsubjectdn (). getname ());} else if ("SELVAL.EQUALS (" Signature ") == true) {CERTVALUES.SETTEXT (ByteArrayToHex (chain [chainiDX] .getsignature ()));} else IF ("Certificate Fingerprint") == true) {Try {certVales.setText (GetfingerPrint (chain [chainidx] .getencoded (), "md5") "/ n " getfingerprint (chain [chainidx] .getencoded ()," sha1 ")));} catch (exception fingere) {CERTVALUES.SETTEXT (" couldn't Calculate Fingerprints of the Certificate./nreason: " FingeRe.getMessage () ..);}}}} / *** This method calculates the fingerprint of the certificate It takes the encoded form of * the certificate and calculates a hash value from it ** @param certificateBytes In: The byte array of the encoded data . * @Param algorithm in: The algorithm to be used for calculating the hash value. * Two area Possible: MD5 and sha1 ** @return: Retur . Ns a hex formated string of the fingerprint * / private String getFingerprint (byte [] certificateBytes, String algorithm) throws Exception {MessageDigest md = MessageDigest.getInstance (algorithm); md.update (certificateBytes); byte [] digest = md. Digest (); return new string (Algorithm ":" ByteArrayToHex (Digest));} / *** this method Converts a byte array to a hex formatted string. ** @Param Bytedata in: The data to be converted. * * @Return: The formatted string. * / prince string ByteArrayToHex (byte [] Bytedata) {StringBuffer SB = new stringbuffer (); for (int i = 0; i ) {IF (i! = 0) sb.append (":"); int b = bytedata [i] & 0xff; string hex = integer.tohexstring (b); if (hex.length () == 1) Sb.append ("0"); sb.append (hex);} return sb.tostring ();} / *** the listener for the 'yes', 'no' buttons. * / public void ActionPerformed (ActionEvent E ) {Object entry = E.getsource (); if (entry.equals (yes) == true) {istrusted = true; trust.dispose ();} else} {intRy (certchain) == true) {int selIndex = certChain.getSelectedIndex (); if (selIndex> = 0 && selIndex Then we call in the primary class: SSLSocketFactory factory = null; KeyManager [] km = null; TrustManager [] tm = {new StoreCertTrustManager ()}; SSLContext sslContext = SSLContext.getInstance ( "SSL", "SunJSSE"); sslContext.init (null, tm, new java .Security.securerandom ()); factory = sslcontext.getsocketFactory (); sslsocket socket = (sslsocket) Factory.createsocket ("LocalHost", 7002);
