Question

Suppose I have a scenario where I want to do a two-way Trusted connection using keystores and truststores on Java.

Imagine I am using the following code:

import java.io.FileInputStream;
import java.io.PrintStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.KeyStore;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

public class MainClass {
  public static void main(String args[]) throws Exception {
    SSLContext context;
    KeyManagerFactory kmf;
    KeyStore ks;
    char[] storepass = "newpass".toCharArray();   // password protecting the keystore file
    char[] keypass = "wshr.ut".toCharArray();     // password protecting the private key entry
    String storename = "newstore";                // JKS file holding the server's key and cert chain

    context = SSLContext.getInstance("TLS");
    kmf = KeyManagerFactory.getInstance("SunX509");
    ks = KeyStore.getInstance("JKS");
    // Load the server keystore and close the file once it has been read.
    try (FileInputStream fin = new FileInputStream(storename)) {
      ks.load(fin, storepass);
    }

    kmf.init(ks, keypass);
    // Key managers come from the keystore; trust managers are null, so the
    // JSSE default truststore is used to validate any peer certificate.
    context.init(kmf.getKeyManagers(), null, null);
    SSLServerSocketFactory ssf = context.getServerSocketFactory();

    ServerSocket ss = ssf.createServerSocket(5432);
    while (true) {
      Socket s = ss.accept();
      PrintStream out = new PrintStream(s.getOutputStream());
      out.println("Hi");
      out.close();
      s.close();
    }
  }
}

Now suppose this code used to work - but someone has jumbled the certs for the different servers and now we don't know which client cert (for which box) matches with server truststore.

I want to validate that a Server and Client KeyStore and Truststore match using Java code without opening a socket.

My question is: Is it possible to test that two-way truststores match using Java code without opening a socket? Could you modify the linked Java code to achieve this?

Assumptions:

  • I'm looking for some code something like

boolean trusted = keyStore1.checkTrust(trustStore2);


Solution

It is certainly possible, but only by duplicating, or nearly duplicating, all the code that is executed when you do create an SSL socket. The point is that you aren't testing anything except your own code, when you should be testing the code that's executed by SSLSocket and friends. So it's pointless. It's not a useful test.
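The following is an added example, not code from the question or the answer, that does exactly what the answer describes: it rebuilds the X509TrustManager that SSLContext.init would build from a truststore and asks it to validate the certificate chain behind each private key in a keystore, with no socket involved. It assumes the keystore and truststore are JKS files (for example produced with keytool, as in the question) and that the file paths, passwords and the `client`/`server` mode are supplied on the command line; the class name TrustCheck and its helper names are made up for this example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Offline check: would the certificate chain behind each private key in a keystore
// be accepted by a given truststore? It uses the same X509TrustManager that
// SSLContext.init(...) builds, so the verdict matches what the handshake would do.
// (Example class; not part of the original question or answer.)
public class TrustCheck {

  // Load a keystore file of the given type ("JKS" as in the question, or "PKCS12").
  static KeyStore load(String path, char[] storepass, String type) throws Exception {
    KeyStore ks = KeyStore.getInstance(type);
    try (InputStream in = new FileInputStream(path)) {
      ks.load(in, storepass);
    }
    return ks;
  }

  // Build the JSSE trust manager for this truststore, exactly as the SSL stack does.
  static X509TrustManager trustManagerFor(KeyStore trustStore) throws Exception {
    TrustManagerFactory tmf =
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    tmf.init(trustStore);
    for (TrustManager tm : tmf.getTrustManagers()) {
      if (tm instanceof X509TrustManager) {
        return (X509TrustManager) tm;
      }
    }
    throw new IllegalStateException("no X509TrustManager available");
  }

  // True if every private-key entry in keyStore carries a chain that trustStore accepts.
  // asClient=true validates the chain the way a server validates a client certificate;
  // asClient=false validates it the way a client validates a server certificate.
  static boolean checkTrust(KeyStore keyStore, KeyStore trustStore, boolean asClient)
      throws Exception {
    X509TrustManager tm = trustManagerFor(trustStore);
    boolean sawKeyEntry = false;
    Enumeration<String> aliases = keyStore.aliases();
    while (aliases.hasMoreElements()) {
      String alias = aliases.nextElement();
      if (!keyStore.isKeyEntry(alias)) {
        continue; // trusted-cert entries are never presented in a handshake
      }
      Certificate[] chain = keyStore.getCertificateChain(alias);
      if (chain == null || chain.length == 0) {
        continue; // a secret-key entry has no chain and cannot authenticate
      }
      sawKeyEntry = true;
      X509Certificate[] x509 = new X509Certificate[chain.length];
      for (int i = 0; i < chain.length; i++) {
        x509[i] = (X509Certificate) chain[i];
      }
      // authType: the key algorithm of the leaf ("RSA", "EC", ...), as JSSE passes it.
      String authType = x509[0].getPublicKey().getAlgorithm();
      try {
        if (asClient) {
          tm.checkClientTrusted(x509, authType);
        } else {
          tm.checkServerTrusted(x509, authType);
        }
        System.out.println(alias + ": trusted by truststore");
      } catch (CertificateException e) {
        // Chain does not validate (unknown issuer, expired, wrong key usage, ...).
        System.out.println(alias + ": NOT trusted (" + e.getMessage() + ")");
        return false;
      }
    }
    return sawKeyEntry; // a keystore with no private key cannot authenticate at all
  }

  public static void main(String[] args) throws Exception {
    if (args.length != 5) {
      System.err.println(
          "usage: TrustCheck <keystore> <storepass> <truststore> <trustpass> client|server");
      System.exit(2);
    }
    KeyStore keyStore = load(args[0], args[1].toCharArray(), "JKS");
    KeyStore trustStore = load(args[2], args[3].toCharArray(), "JKS");
    boolean trusted = checkTrust(keyStore, trustStore, "client".equals(args[4]));
    System.out.println(trusted ? "MATCH" : "MISMATCH");
    System.exit(trusted ? 0 : 1);
  }
}
```

For a two-way pair the check has to be run in both directions: the client keystore against the server truststore in `client` mode, and the server keystore against the client truststore in `server` mode. This reproduces only the chain validation the trust manager performs; it does not cover hostname verification, cipher-suite or algorithm constraints, or anything else that only the real handshake exercises, which is the limitation the answer above points out.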

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow