javax.net.ssl.trustStore Option Behaviour

Introduction

In this tutorial we will test the behaviour of javax.net.ssl.trustStore option.

The objective is to check whether -Djavax.net.ssl.trustStore option append or replace the default java keystore being used by java.

javax.net.ssl.trustStore behaviour test plan

  1. Create HttpsUrlReader app to test https connection to two sites, https://helloworld.letsencrypt.org/ (Signed by let’s encrypt) and https://icanhazip.com (signed by Comodo)
  2. Using default trust store /etc/ssl/certs/java/cacerts connect to both sites above.
  3. Remove Let’s Encrypt Root certificates (ISRG and DST / TrustID) from default cacerts. Connection to https://helloworld.letsencrypt.org/ will be failed but connection to https://icanhazip.com will be successful.
  4. Create new keystore with contents ISRG and DST root certificates.
  5. Use the new keystore to connect, connection to https://helloworld.letsencrypt.org/ will be successful but connection to https://icanhazip.com (and other sites using SSL certs not issued by let’s encrypt and DST / TrustCA will be failed.

javax.net.ssl.trustStore Step By Step Test

1. Install openjdk-8-jdk on Ubuntu 16.04

sudo apt-get install openjdk-8-jdk

2. Create <strong>HttpsUrlReader</strong> app . Source code can be found in this link

3. Check connections without providing custom keystore (both will succeed)

java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org

4. Remove Let’s Encrypt Root certificates

sudo keytool -delete -alias debian:isrg_root_x1.pem -keystore /etc/ssl/certs/java/cacerts
sudo keytool -delete -alias debian:dst_root_ca_x3.pem -keystore /etc/ssl/certs/java/cacerts

Note:

To search alias we can list all certificates inside keystore using command below.

keytool -list -v -keystore /etc/ssl/certs/java/cacerts | grep Alias

5. Check connection without providing custom keystore (icanhazip.com will succeed, helloworld.letsencrypt.org will fail)

java HttpsUrlReader https://icanhazip.com
java HttpsUrlReader https://helloworld.letsencrypt.org

6. Download ISRG And DST / TrustID Root

wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/isrgrootx1.pem
wget -c https://raw.githubusercontent.com/letsencrypt/website/master/static/certs/trustid-x3-root.pem

7. Add ISRG and DST root to new keystore named customKeystore

keytool -import -trustcacerts -alias debian:isrg_root_x1.pem -file isrgrootx1.pem -keystore customKeystore

keytool -import -trustcacerts -alias debian:dst_root_ca_x3.pem -file trustid-x3-root.pem -keystore customKeystore

new keystore <strong>customKeystore</strong> will be created on current working directory.

8. Check connection using new <strong>customKeystore</strong>. Let’s encrypt will success, icanhazip.com will fail

java -Djavax.net.ssl.trustStore=customKeystore -Djavax.net.debug=ssl HttpsUrlReader https://icanhazip.com

java -Djavax.net.ssl.trustStore=customKeystore HttpsUrlReader https://helloworld.letsencrypt.org

Conclusion

When we provide javax.net.ssl.trustStore option to java application, the default keystore will not be used. The custom trust store passed by javax.net.ssl.trustStore option replace the default keystore.

References

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.