How do I get a hold of Java's default SSL Trust Manager?

Hi,

I need my program to be able to make HTTPS posts. I know that you can disable server authentication by creating a new X509TrustManager as described here: http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html?l=rel. But what I really want is for my X509TrustManager to wrap the default TrustManager. Then if the default TM throws a CertificationException, my own X509TrustManager will have the option to squash it on a case-by-case basis.

So the question is, how do I get a hold of the JVM's default Trust Manager?

Thank you,
Yuriy
[ February 28, 2007: Message edited by: Yuriy Zilbergleyt ]

Does anyone know the answer to my question?

Thanks,
Yuriy

You can follow the following link:

http://java.sun.com/j2se/1.5.0/docs/guide/security/jsse/JSSERefGuide.html#TrustManager

The following code is copied from the above link and is what you want:

class MyX509TrustManager implements X509TrustManager { /* * The default X509TrustManager returned by SunX509. We'll delegate * decisions to it, and fall back to the logic in this class if the * default X509TrustManager doesn't trust it. */ X509TrustManager sunJSSEX509TrustManager; MyX509TrustManager() throws Exception { // create a "default" JSSE X509TrustManager. KeyStore ks = KeyStore.getInstance("JKS"); ks.load(new FileInputStream("trustedCerts"), "passphrase".toCharArray()); TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509", "SunJSSE"); tmf.init(ks); TrustManager tms [] = tmf.getTrustManagers(); /* * Iterate over the returned trustmanagers, look * for an instance of X509TrustManager. If found, * use that as our "default" trust manager. */ for (int i = 0; i < tms.length; i++) { if (tms[i] instanceof X509TrustManager) { sunJSSEX509TrustManager = (X509TrustManager) tms[i]; return; } } /* * Find some other way to initialize, or else we have to fail the * constructor. */ throw new Exception("Couldn't initialize"); } /* * Delegate to the default trust manager. */ public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException { try { sunJSSEX509TrustManager.checkClientTrusted(chain, authType); } catch (CertificateException excep) { // do any special handling here, or rethrow exception. } } /* * Delegate to the default trust manager. */ public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException { try { sunJSSEX509TrustManager.checkServerTrusted(chain, authType); } catch (CertificateException excep) { /* * Possibly pop up a dialog box asking whether to trust the * cert chain. */ } } /* * Merely pass this through. */ public X509Certificate[] getAcceptedIssuers() { return sunJSSEX509TrustManager.getAcceptedIssuers(); } }

Thank you!

Yuriy

Hello,

Here is a sample of code to get the JVM's default Trust Managers :
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init((KeyStore)null); System.out.println("JVM Default Trust Managers:"); for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) { System.out.println(trustManager); if (trustManager instanceof X509TrustManager) { X509TrustManager x509TrustManager = (X509TrustManager)trustManager; System.out.println("\tAccepted issuers count : " + x509TrustManager.getAcceptedIssuers().length); } }

I get the following result on my Apple 1.6.0_17 JVM :

JVM Default Trust Managers:
com.sun.net.ssl.internal.ssl.X509TrustManagerImpl@687b6889
Accepted issuers count : 163


Hope this helps,

Cyrille