Java Custom Trust Manager - Vertx 3


Dominic H

Feb 14, 2017, 1:57:32 PM
to vert.x
I need to override the default trust manager to allow unsigned keys on both sides of the connection. This is for a P2P application in which there is only a need for authentication after the first connection.

I found an implementation for this in Vertx2, but I cannot find where it has been moved in vertx3. http://vertx.io/vertx2/api/java/org/vertx/java/core/SSLSupport.html#setSSLContext(javax.net.ssl.SSLContext)

If there is a way to do this without vertx that would also be fantastic.

    SSLContext sslContext = getSSLContext();
    SSLContext.setDefault(sslContext);
    HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());

Does not work. Vertx ends up loading the default keystore at:

    "/usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts"

with a private key (I presume it manually injects)


    ***
    found key for : dummy-entry
    chain [0] = [

    ...

    ]
    ***
    trustStore is: /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts
    trustStore type is : jks
    trustStore provider is : 
    init truststore
    adding as trusted cert:

    ...

    trigger seeding of SecureRandom
    done seeding SecureRandom

Any leads as to what I can do to load my own trust manager would be fantastic.

Julien Viet

Feb 14, 2017, 3:17:44 PM
to ve...@googlegroups.com
Hi,

you can try to provide your own TrustOptions; this interface provides:

    default TrustManagerFactory getTrustManagerFactory(Vertx vertx) throws Exception {
        return KeyStoreHelper.create((VertxInternal) vertx, this).getTrustMgrFactory((VertxInternal) vertx);
    }

that you can use to create your own TrustManagerFactory.

Julien


--
You received this message because you are subscribed to the Google Groups "vert.x" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vertx+un...@googlegroups.com.
Visit this group at https://groups.google.com/group/vertx.
To view this discussion on the web, visit https://groups.google.com/d/msgid/vertx/e4a71e6a-e1b7-4738-9ff9-1fd8baafda77%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Dominic H

Feb 14, 2017, 4:47:49 PM
to vert.x
Thanks Julien. I have created my own TrustOptions, and although the TrustManagerFactory is instantiated, the TrustManager inside is never initialised or retrieved.

Do you have any idea what I'm doing incorrectly?

I have attached the code I have created below.

NetServerOptions netServerOptions = new NetServerOptions()
        .setPort(port)
        .setLogActivity(true)
        .setClientAuth(ClientAuth.REQUIRED)
        .setSsl(true)
        .setTrustOptions(trustOptions)
        .setPemKeyCertOptions(pemKeyCertOptions);

public class ReloadableTrustOptions implements TrustOptions {
    private final Logger logger = LogManager.getLogger();

    @Override
    public TrustManagerFactory getTrustManagerFactory(Vertx vertx) throws Exception {
        logger.debug("Creating custom Reloadable Trust Manager Factory.");
        return new ReloadableTrustManagerFactory();
    }

    @Override
    public TrustOptions clone() {
        return new ReloadableTrustOptions();
    }
}

public class ReloadableTrustManagerFactory extends TrustManagerFactory {
    public ReloadableTrustManagerFactory() throws NoSuchAlgorithmException {
        super(new TrustManagerFactorySpi() {

            private Logger logger = LogManager.getLogger();
            private TrustManager[] trustManagers;

            @Override
            protected void engineInit(KeyStore keyStore) throws KeyStoreException {
                try {
                    logger.info("Initialising Reloadable Trust Manager");
                    TrustManager trustManager = new ReloadableX509TrustManager(null);
                    trustManagers = new TrustManager[]{trustManager};
                } catch (AuthException e) {
                    logger.error("Failed to initialise Reloadable Trust Manager");
                    throw new KeyStoreException(e);
                }
            }

            @Override
            protected void engineInit(ManagerFactoryParameters managerFactoryParameters) throws InvalidAlgorithmParameterException {
                try {
                    this.engineInit((KeyStore) null);
                } catch (KeyStoreException e) {
                    throw new InvalidAlgorithmParameterException(e);
                }
            }

            @Override
            protected TrustManager[] engineGetTrustManagers() {
                logger.info("Getting Reloadable Trust Manager");
                return trustManagers;
            }
        }, KeyPairGenerator.getInstance("RSA").getProvider(), KeyPairGenerator.getInstance("RSA").getAlgorithm());
    }
}
 

Dominic H

Feb 14, 2017, 5:58:37 PM
to vert.x
Future Readers:

The above code works with the following caveats:
  • Logging does not work
  • You MUST call engineInit(<any>) from the constructor. Vertx does not call it for you. This will most likely be fixed in future revisions (^3.4.0), but may not be when you come to read this.
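A complete TrustOptions along these lines, added here as an example (it is not Dominic's posted code and not part of Vert.x; the class names are hypothetical): the factory constructor calls init() itself, as the second caveat requires, and the X509TrustManager, rather than accepting every self-signed certificate, trusts only a configured set of pinned peer certificates for both the client-auth and the server check.

```java
import io.vertx.core.Vertx;
import io.vertx.core.net.TrustOptions;
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;

/** Hypothetical TrustOptions: trusts only a configured set of pinned peer certificates. */
public final class PinnedPeerTrustOptions implements TrustOptions {
    private final Set<X509Certificate> pinned;
    public PinnedPeerTrustOptions(Set<X509Certificate> pinned) { this.pinned = new HashSet<>(pinned); }
    @Override public TrustManagerFactory getTrustManagerFactory(Vertx vertx) throws Exception {
        return new PinnedFactory(pinned);
    }
    @Override public TrustOptions clone() { return new PinnedPeerTrustOptions(pinned); }

    static final class PinnedFactory extends TrustManagerFactory {
        PinnedFactory(Set<X509Certificate> pinned) throws Exception {
            super(new Spi(pinned),
                  TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).getProvider(),
                  TrustManagerFactory.getDefaultAlgorithm());
            // Vert.x 3.x never calls init() on a custom factory; without this, engineGetTrustManagers() returns null.
            init((KeyStore) null);
        }
    }

    static final class Spi extends TrustManagerFactorySpi {
        private final Set<X509Certificate> pinned;
        private TrustManager[] managers;
        Spi(Set<X509Certificate> pinned) { this.pinned = pinned; }
        @Override protected void engineInit(KeyStore ks) { managers = new TrustManager[]{new PinnedTrustManager(pinned)}; }
        @Override protected void engineInit(ManagerFactoryParameters p) { engineInit((KeyStore) null); }
        @Override protected TrustManager[] engineGetTrustManagers() { return managers; }
    }

    /** Rejects any chain whose leaf is not pinned or not currently valid; used for both client and server checks. */
    static final class PinnedTrustManager implements X509TrustManager {
        private final Set<X509Certificate> pinned;
        PinnedTrustManager(Set<X509Certificate> pinned) { this.pinned = pinned; }
        private void check(X509Certificate[] chain) throws CertificateException {
            if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
            chain[0].checkValidity();
            if (!pinned.contains(chain[0])) throw new CertificateException("peer certificate is not pinned");
        }
        @Override public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { check(c); }
        @Override public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException { check(c); }
        @Override public X509Certificate[] getAcceptedIssuers() { return pinned.toArray(new X509Certificate[0]); }
    }
}
```

Pass an instance to `setTrustOptions(...)` exactly as in the NetServerOptions snippet above; with ClientAuth.REQUIRED the same pinned set governs which client certificates the server accepts.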

Julien Viet

Feb 14, 2017, 7:42:26 PM
to ve...@googlegroups.com
This kind of integration has been internal so far, but it seems to be useful, so it would be good if you could contribute tests to make it more supportable.
