PKI Tutorials - Herong's Tutorial Examples - v2.32, by Herong Yang
javax.net.ssl.trustStore System Property
This section provides a tutorial example on how Java uses the default trusted KeyStore file, if the system property, javax.net.ssl.trustStore, is not specified.
In the previous tutorial, we learned that the openStream() method on a java.net.URL object can be used to communicate with an HTTPS server.
The next step is to find out if the openStream() method validates the server certificate or not.
By reading the Java Secure Socket Extension (JSSE) Reference Guide, I found these rules on how Java uses the TrustManagerFactory to manage root CA certificates:
Now, let's verify these rules.
1. To find out whether I have default KeyStore files or not, run this command. Note that the path name "\local\jdk\jre" might be different on your computer, depending on how you installed JDK (Java Development Kit).
herong> dir \local\jdk\jre\lib\security
    4,054 blacklist
    1,273 blacklisted.certs
  113,367 cacerts
    9,989 default.policy
  125,803 public_suffix_list.dat
Ok. Looks like JDK was using the default KeyStore file, "cacerts", to verify server certificates, since I did not specify javax.net.ssl.trustStore in my previous tests.
2. To find out what will happen if I specify javax.net.ssl.trustStore with a file that does not exist, run this command:
herong> java -Djavax.net.ssl.trustStore=non_exist_file \
   HttpsUrlReader https://login.yahoo.com
javax.net.ssl.SSLException: java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
   at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java...
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl....
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl....
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLS...
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSo...
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSo...
   at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient...
   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.c...
   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Http...
   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStrea...
   at java.net.URL.openStream(URL.java:1010)
   at HttpsUrlReader.main(HttpsUrlReader.java:11)
Caused by: java.lang.RuntimeException: Unexpected error:
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
   at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:...
   at sun.security.validator.Validator.getInstance(Validator.java:161...
   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(...
   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTr...
   at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTr...
   at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate...
   at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Cl...
   at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker....
   at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshak...
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocket...
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandsh...
   at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSo...
   ... 7 more
Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty
   at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameter...
   at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:10...
   at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderPara...
   at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:...
   ... 18 more
Obviously, JSSE does not accept a KeyStore file that does not exist: the missing file yields an empty set of trust anchors, so the PKIX validator cannot be built and JSSE throws an SSLException wrapping an InvalidAlgorithmParameterException at you.
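To check the same thing from inside a program rather than by reading a stack trace, here is an added example (not code from the tutorial; the class name TrustStoreCheck is my own) that resolves the trust store file the way the JSSE Reference Guide describes and counts the trust anchors JSSE would accept from it. Run it with and without -Djavax.net.ssl.trustStore=non_exist_file: the second run reports 0 anchors, which is the state behind "the trustAnchors parameter must be non-empty".

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

// Hypothetical helper, not from the tutorial: reports which trust store file
// JSSE will use and how many trust anchors it actually holds.
public class TrustStoreCheck {
    // JSSE Reference Guide order: the javax.net.ssl.trustStore property wins;
    // otherwise <java.home>/lib/security/jssecacerts if present; otherwise
    // <java.home>/lib/security/cacerts (the file seen in the dir listing above).
    static File resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) {
            return new File(prop); // taken as-is, even if it does not exist
        }
        File dir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(dir, "jssecacerts");
        return jsse.isFile() ? jsse : new File(dir, "cacerts");
    }

    // A missing file gives an empty KeyStore and therefore 0 accepted issuers:
    // TrustManagerFactory.init() still succeeds, and the failure only surfaces
    // later when the PKIX validator is built during the handshake.
    static int countTrustAnchors(File trustStore) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (trustStore.isFile()) {
            try (InputStream in = new FileInputStream(trustStore)) {
                ks.load(in, null); // null password skips the integrity check, as JSSE does without trustStorePassword
            }
        } else {
            ks.load(null, null); // empty key store, mirroring non_exist_file
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return 0;
    }

    public static void main(String[] args) throws Exception {
        File f = resolveTrustStore();
        System.out.println("Trust store: " + f + " (exists=" + f.isFile() + ")");
        System.out.println("Trust anchors: " + countTrustAnchors(f));
    }
}
```

A count of 0 is the condition to alert on in a deployment: every server certificate validation will fail until the property points at a real, populated trust store.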