javax.net.ssl.trustStore Option Behaviour

Introduction

In this tutorial we will test the behaviour of the javax.net.ssl.trustStore option.

The objective is to check whether the -Djavax.net.ssl.trustStore option appends to or replaces the default Java trust store.

javax.net.ssl.trustStore behaviour test plan

  1. Create an HttpsUrlReader app to test HTTPS connections to two sites: https://helloworld.letsencrypt.org/ (signed by Let’s Encrypt) and https://icanhazip.com (signed by Comodo).
  2. Using the default trust store /etc/ssl/certs/java/cacerts, connect to both sites above.
  3. Remove the Let’s Encrypt root certificates (ISRG and DST / TrustID) from the default cacerts. The connection to https://helloworld.letsencrypt.org/ will fail, but the connection to https://icanhazip.com will succeed.
  4. Create a new keystore containing the ISRG and DST root certificates.
  5. Use the new keystore to connect: the connection to https://helloworld.letsencrypt.org/ will succeed, but the connection to https://icanhazip.com (and to any other site whose certificate is not issued by Let’s Encrypt or DST / TrustID) will fail.

javax.net.ssl.trustStore Step By Step Test

  1. Install openjdk-8-jdk on Ubuntu 16.04
sudo apt-get install openjdk-8-jdk

  2. Create the HttpsUrlReader app. Source code can be found in this link

  3. Check connections without providing a custom keystore (both will succeed)
java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org

  4. Remove the Let’s Encrypt root certificates from the default cacerts
sudo keytool -delete -alias debian:isrg_root_x1.pem -keystore /etc/ssl/certs/java/cacerts
sudo keytool -delete -alias debian:dst_root_ca_x3.pem -keystore /etc/ssl/certs/java/cacerts

Note:

To find the alias of a certificate, list all certificates in the keystore with the command below.

keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep Alias

  5. Check connections without providing a custom keystore (icanhazip.com will succeed, helloworld.letsencrypt.org will fail)
java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org

  6. Download the ISRG and DST / TrustID root certificates
wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/isrgrootx1.pem
wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/trustid-x3-root.pem

  7. Add the ISRG and DST roots to a new keystore named customKeystore
keytool -import -trustcacerts -alias debian:isrg_root_x1.pem -file isrgrootx1.pem -keystore customKeystore

keytool -import -trustcacerts -alias debian:dst_root_ca_x3.pem -file trustid-x3-root.pem -keystore customKeystore

The new keystore customKeystore will be created in the current working directory.

  8. Check connections using the new customKeystore (helloworld.letsencrypt.org will succeed, icanhazip.com will fail)
java -Djavax.net.ssl.trustStore=customKeystore -Djavax.net.debug=ssl HttpsUrlReader https://icanhazip.com

java -Djavax.net.ssl.trustStore=customKeystore HttpsUrlReader https://helloworld.letsencrypt.org
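An HttpsUrlReader that can drive the steps above, written here as an added example (it is not the source the author links to). It opens the URL through the JVM default trust manager and, before connecting, reports which trust store that manager was built from and how many root CAs it holds, so running it with and without -Djavax.net.ssl.trustStore=customKeystore shows directly whether the option appends to or replaces cacerts; the usage text and output format are my own.

```java
import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

// Added example, not the author's HttpsUrlReader. Before connecting it reports which
// trust store the default trust manager was built from and how many root CAs it holds,
// so replace-vs-append can be read off by running with and without -Djavax.net.ssl.trustStore.
public class HttpsUrlReader {

    // Trust anchors of the JVM default trust manager. init(null) loads the default
    // store, which honours javax.net.ssl.trustStore when it is set.
    static X509Certificate[] defaultTrustAnchors() throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers();
            }
        }
        return new X509Certificate[0];
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java HttpsUrlReader <https-url>");
            System.exit(2);
        }
        String store = System.getProperty("javax.net.ssl.trustStore", "JVM default cacerts");
        System.out.println("Trust store: " + store + ", roots: " + defaultTrustAnchors().length);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        try {
            conn.connect();
            // Issuer of the server's leaf certificate shows which CA chain was validated
            X509Certificate leaf = (X509Certificate) conn.getServerCertificates()[0];
            System.out.println("HTTP " + conn.getResponseCode()
                + ", leaf issued by " + leaf.getIssuerX500Principal());
            try (BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
                for (String line; (line = in.readLine()) != null; ) System.out.println(line);
            }
        } catch (SSLHandshakeException e) {
            // Thrown when no trust anchor in the store chains to the server certificate
            System.out.println("Handshake FAILED: " + e.getMessage());
            System.exit(1);
        }
    }
}
```

With the default cacerts the root count is in the hundreds; with -Djavax.net.ssl.trustStore=customKeystore it drops to the two roots imported in step 7, which is the replace behaviour the conclusion describes.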

Conclusion

When the javax.net.ssl.trustStore option is passed to a Java application, the default keystore is not used at all. The custom trust store given by javax.net.ssl.trustStore replaces the default keystore rather than appending to it.