Discussion:
SSL related question on trust- and keymaterial
Mitchell Stevenson
2017-10-11 15:27:49 UTC
I use httpcore 4.4.4 together with mutual SSL.

I load the key material in that way:

KeyStore trustStore = ...;
sslContextBuilder.loadTrustMaterial(trustStore, null);

Question is: if there is more than one alias with different trusted
certs in the keystore, would all of them be trusted, or just the
first one? I cannot find this info in the docs. It also seems not to be
possible to specify a single alias.

The key material for mutual SSL is loaded like this:

import java.net.Socket;
import java.util.Map;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;

// kAlias: the alias I want to use, or null/empty to fall back to the first candidate
sslContextBuilder.loadKeyMaterial(keystore, keyPassword, new PrivateKeyStrategy() {
    @Override
    public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
        if (aliases == null || aliases.isEmpty()) {
            return kAlias;
        }
        if (kAlias == null || kAlias.isEmpty()) {
            return aliases.keySet().iterator().next();
        }
        return kAlias;
    }
});

Here I would like to load only the key material for one specific alias (kAlias),
or the first one if none is given. I don't know if the code above is really
correct. I am also wondering what the default is if no PrivateKeyStrategy
is given.

Thx
Mitch

---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-users-***@hc.apache.org
For additional commands, e-mail: httpclient-users-***@hc.apache.org
Oleg Kalnichevski
2017-10-12 09:06:51 UTC
Post by Mitchell Stevenson
I use httpcore 4.4.4 together with mutual SSL.
KeyStore trustStore = ...;
sslContextBuilder.loadTrustMaterial(trustStore, null);
Question is: if there is more than one alias with different trusted
certs in the keystore, would all of them be trusted, or just the
first one? I cannot find this info in the docs. It also seems not to be
possible to specify a single alias.
As far as I understand, all of them would be considered trusted, but this
may depend on the JSSE provider. With the default Oracle JSSE
implementation one cannot influence alias selection for trust material.
Post by Mitchell Stevenson
sslContextBuilder.loadKeyMaterial(keystore, keyPassword, new PrivateKeyStrategy() {
    public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
        if (aliases == null || aliases.isEmpty()) {
            return kAlias;
        }
        if (kAlias == null || kAlias.isEmpty()) {
            return aliases.keySet().iterator().next();
        }
        return kAlias;
    }
});
Here I would like to load only the key material for one specific alias (kAlias),
or the first one if none is given. I don't know if the code above is really
correct. I am also wondering what the default is if no PrivateKeyStrategy
is given.
I suspect it is also JSSE provider-specific.

Oleg

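An added example (not code from this thread and not part of HttpClient itself) that addresses both questions from the exchange above. For the trust side, since the JSSE trust manager cannot be told which alias to use, the example copies only the wanted trusted-certificate entry into a fresh in-memory KeyStore before calling loadTrustMaterial. For the key side, it supplies a PrivateKeyStrategy that accepts the pinned alias only when it is among the candidates the key manager actually offered, and fails the handshake otherwise rather than silently sending a different certificate. The class name SingleAliasSslContext, the files truststore.p12 and client.p12, the password "changeit" and the aliases backend-ca and client-cert are placeholders; the SSL classes are from httpcore 4.4's org.apache.http.ssl package and the client wiring assumes httpclient 4.5 on the classpath.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Map;

import javax.net.ssl.SSLContext;

import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContexts;

/**
 * Added example: pin both sides of a mutual-TLS client to a single alias.
 * File names, passwords and alias names are placeholders, not values from the thread.
 */
public final class SingleAliasSslContext {

    /**
     * Returns a new in-memory KeyStore holding only the trusted-certificate entry
     * named {@code alias}. The JSSE trust manager trusts every entry it is handed,
     * so restricting what it is handed is the only way to restrict what it trusts.
     */
    static KeyStore trustStoreForAlias(KeyStore source, String alias) throws Exception {
        if (!source.isCertificateEntry(alias)) {
            throw new IllegalArgumentException("no trusted-certificate entry named " + alias);
        }
        KeyStore filtered = KeyStore.getInstance(KeyStore.getDefaultType());
        filtered.load(null, null); // creates an empty store
        Certificate cert = source.getCertificate(alias);
        filtered.setCertificateEntry(alias, cert);
        return filtered;
    }

    /**
     * Strategy that uses {@code wanted} only if the underlying key manager listed it
     * as acceptable for this handshake; with no pinned alias it takes the first candidate.
     */
    static PrivateKeyStrategy pinnedAlias(final String wanted) {
        return new PrivateKeyStrategy() {
            @Override
            public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
                if (aliases == null || aliases.isEmpty()) {
                    // Nothing matched the server's requested key types/issuers:
                    // returning null sends no client certificate.
                    return null;
                }
                if (wanted == null || wanted.isEmpty()) {
                    return aliases.keySet().iterator().next();
                }
                if (!aliases.containsKey(wanted)) {
                    // Fail closed: abort the handshake instead of picking another certificate.
                    throw new IllegalStateException("alias '" + wanted
                        + "' is not among the acceptable client certificates " + aliases.keySet());
                }
                return wanted;
            }
        };
    }

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        char[] storePass = "changeit".toCharArray(); // placeholder password
        KeyStore trust = load("truststore.p12", storePass); // placeholder path
        KeyStore keys = load("client.p12", storePass);      // placeholder path

        SSLContext ctx = SSLContexts.custom()
            .loadTrustMaterial(trustStoreForAlias(trust, "backend-ca"), null)
            .loadKeyMaterial(keys, storePass, pinnedAlias("client-cert"))
            .build();

        CloseableHttpClient client = HttpClients.custom()
            .setSSLSocketFactory(new SSLConnectionSocketFactory(ctx))
            .build();
        System.out.println("client built with pinned trust anchor and client certificate");
        client.close();
    }
}
```

The map handed to chooseAlias is built by httpcore from what the provider's X509KeyManager returns for the key types and issuers the server requested, so it is already filtered to acceptable candidates; "first" therefore means first in that map's iteration order, which is not guaranteed to be the order entries were added to the keystore, which is why pinning the alias explicitly is preferable. When no PrivateKeyStrategy is passed, the builder uses the provider's key manager as-is and the choice is the provider's own (with the default SunJSSE key manager, the first acceptable alias it finds).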