How do I get a hold of Java's default SSL Trust Manager?

Hi,

I need my program to be able to make HTTPS posts. I know that you can disable server authentication by creating a new X509TrustManager as described here: http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html?l=rel. But what I really want is for my X509TrustManager to wrap the default TrustManager. Then if the default TM throws a CertificationException, my own X509TrustManager will have the option to squash it on a case-by-case basis.

So the question is, how do I get a hold of the JVM's default Trust Manager?

Thank you,
Yuriy
[ February 28, 2007: Message edited by: Yuriy Zilbergleyt ]

Does anyone know the answer to my question?

Thanks,
Yuriy

You can follow the following link:

http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#TrustManager

The following code is copied from the above link and is what you want:

class MyX509TrustManager implements X509TrustManager {
 
     /*
      * The default X509TrustManager returned by SunX509.  We'll delegate
      * decisions to it, and fall back to the logic in this class if the
      * default X509TrustManager doesn't trust it.
      */
     X509TrustManager sunJSSEX509TrustManager;
 
     MyX509TrustManager() throws Exception {
         // create a "default" JSSE X509TrustManager.
 
         KeyStore ks = KeyStore.getInstance("JKS");
         ks.load(new FileInputStream("trustedCerts"),
             "passphrase".toCharArray());
 
         TrustManagerFactory tmf =
TrustManagerFactory.getInstance("SunX509", "SunJSSE");
         tmf.init(ks);
 
         TrustManager tms [] = tmf.getTrustManagers();
 
         /*
          * Iterate over the returned trustmanagers, look
          * for an instance of X509TrustManager.  If found,
          * use that as our "default" trust manager.
          */
         for (int i = 0; i < tms.length; i++) {
             if (tms[i] instanceof X509TrustManager) {
                 sunJSSEX509TrustManager = (X509TrustManager) tms[i];
                 return;
             }
         }
 
         /*
          * Find some other way to initialize, or else we have to fail the
          * constructor.
          */
         throw new Exception("Couldn't initialize");
     }
 
     /*
      * Delegate to the default trust manager.
      */
     public void checkClientTrusted(X509Certificate[] chain, String authType)
                 throws CertificateException {
         try {
             sunJSSEX509TrustManager.checkClientTrusted(chain, authType);
         } catch (CertificateException excep) {
             // do any special handling here, or rethrow exception.
         }
     }
 
     /*
      * Delegate to the default trust manager.
      */
     public void checkServerTrusted(X509Certificate[] chain, String authType)
                 throws CertificateException {
         try {
             sunJSSEX509TrustManager.checkServerTrusted(chain, authType);
         } catch (CertificateException excep) {
             /*
              * Possibly pop up a dialog box asking whether to trust the
              * cert chain.
              */
         }
     }
 
     /*
      * Merely pass this through.
      */
     public X509Certificate[] getAcceptedIssuers() {
         return sunJSSEX509TrustManager.getAcceptedIssuers();
     }
}

Thank you!

Yuriy

Hello,

Here is a sample of code to get the JVM's default Trust Managers :

I get the following result on my Apple 1.6.0_17 JVM :

JVM Default Trust Managers: com.sun.net.ssl.internal.ssl.X509TrustManagerImpl@687b6889 Accepted issuers count : 163

Hope this helps,

Cyrille