You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@cxf.apache.org by "David Tarr (JIRA)" <ji...@apache.org> on 2016/06/20 07:48:05 UTC
[jira] [Comment Edited] (CXF-6944) cacerts is loaded while
different truststore is specified
[ https://issues.apache.org/jira/browse/CXF-6944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15339117#comment-15339117 ]
David Tarr edited comment on CXF-6944 at 6/20/16 7:47 AM:
----------------------------------------------------------
Sure:
{code:java|title=some-init-method}
SSLSocketFactory sslSocketFactory = getSslSocketFactory();
TLSClientParameters tlsClientParameters = new TLSClientParameters();
tlsClientParameters.setCertAlias("the-alias");
tlsClientParameters.setSSLSocketFactory(factory);
...
Client client = ClientProxy.getClient(service);
HTTPConduit conduit = (HTTPConduit) client.getConduit();
conduit.setTlsClientParameters(tlsClientParameters);
....
// invoke service
{code}
{code:java|title=getSocketFactory()}
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(getTrustStore());
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password);
KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
SSLContext sslContext = SSLContext.getInstance("TLSv1");
sslContext.init(keyManagers, trustManagers, new SecureRandom());
return sslContext.getSocketFactory();
{code}
{code:java|title=getTrustStore()}
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
InputStream streamToStore = ...
keystore.load(streamToStore, keystorePassword);
streamToStore.close();
return keystore;
{code}
When I debugged it, as far as I could tell, the trustmanager doesn't return any reference to cacerts.
was (Author: david tarr):
Sure:
{code:java|title=some-init-method}
SSLSocketFactory sslSocketFactory = getSslSocketFactory();
TLSClientParameters tlsClientParameters = new TLSClientParameters();
tlsClientParameters.setCertAlias("the-alias");
tlsClientParameters.setSSLSocketFactory(factory);
...
Client client = ClientProxy.getClient(service);
HTTPConduit conduit = (HTTPConduit) client.getConduit();
conduit.setTlsClientParameters(tlsClientParameters);
....
// invoke service
{code}
{code:java|title=getSocketFactory()}
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(getTrustStore());
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password);
KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
SSLContext sslContext = SSLContext.getInstance("TLSv1");
sslContext.init(keyManagers, trustManagers, new SecureRandom());
return sslContext.getSocketFactory();
{code}
{code|title=getTrustStore()}
KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
InputStream streamToStore = ...
keystore.load(streamToStore, keystorePassword);
streamToStore.close();
return keystore;
{code}
When I debugged it, as far as I could tell, the trustmanager doesn't return any reference to cacerts.
> cacerts is loaded while different truststore is specified
> ---------------------------------------------------------
>
> Key: CXF-6944
> URL: https://issues.apache.org/jira/browse/CXF-6944
> Project: CXF
> Issue Type: Improvement
> Components: Transports
> Affects Versions: 2.7.18
> Reporter: David Tarr
> Priority: Minor
>
> It seems cxf still loads the cacerts eventhough a different truststore is specified (programmatically - not via cxf.xml). Could this potentially load to a security-risk?
> When I movethe trusted key from the different truststore to cacerts, the server is not trusted and the handshake fails. But I have not investigated any further.
> {noformat}
> 2016-06-17 13:45:21,213 INFO [main] spring.BusApplicationContext - Loaded configuration file cxf.xml.
> 2016-06-17 13:45:21,213 INFO [main] spring.ControlledValidationXmlBeanDefinitionReader - Loading XML bean definitions from class path resource [META-INF/cxf/cxf.xml]
> 2016-06-17 13:45:21,322 INFO [main] spring.ControlledValidationXmlBeanDefinitionReader - Loading XML bean definitions from class path resource [cxf.xml]
> 2016-06-17 13:45:21,793 INFO [main] factory.ReflectionServiceFactoryBean - Creating Service {http://www........com/.........}.... from class .............
> keyStore is :
> keyStore type is : jks
> keyStore provider is :
> init keystore
> init keymanager of type SunX509
> trustStore is: C:\Java\jdk1.7.0_79\jre\lib\security\cacerts
> trustStore type is : jks
> trustStore provider is :
> init truststore
> ...
> {noformat}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)