I am developing a secure chat program in Java using JSSE.

For two people to communicate, you specify the keystore to use, e.g. Bob will start the program with bob.keystore and Alice will start the program with alice.keystore.

The way I have it set up and working is as follows:

On Bob's side he has a keystore that has his keypair and has Alice's certificate imported as a trusted cert.

On Alice's side she has a keystore with her keypair and Bob's certificate imported as a trusted cert.

Is this the correct setup/procedure?

roukzz

1 Answer


On Bob's side he has a keystore that has his keypair and has Alice's certificate imported as a trusted cert.

Bob should have:

  • a keystore containing his keypair and certificate, and
  • a truststore containing Alice's exported certificate.

On Alice's side she has a keystore with her keypair and Bob's certificate imported as a trusted cert.

Alice should have:

  • a keystore containing her keypair and certificate, and
  • a truststore containing Bob's exported certificate.

Is this the correct setup/procedure?

No. A keystore is a precious, private thing containing privacy-critical data. A truststore just contains other people's certificates so there is nothing precious about it. You should not use the same physical file for both purposes. That's why they are separated in JSSE.

user207421
  • I can only load in one file though; I am parsing it in as a command line argument purely to show off JSSE's debug output, which is currently working. What if Alice wanted to communicate with Bob: Alice loads her keystore into the program on one side and Bob loads his truststore (which contains Bob's cert) on the other side. Alice then tries to communicate with Bob; would this be a viable option? – roukzz Jan 16 '15 at 16:20
  • Why can you only load one file? – user207421 Jan 21 '15 at 00:29
  • Well, in the main method the code to load the keystore file in is `int arg_length = args.length; switch (arg_length) { case 2: if (args[0].equalsIgnoreCase("/keystore")) { keystore = args[1]; File test = new File(keystore); if (!test.exists()) { displayHelpInformation(); } } else { displayHelpInformation(); } break;` – roukzz Jan 21 '15 at 17:26
  • `keystore` corresponds to a string in the `private SSLServerSocketFactory getSSLServerSocketFactory()` method: `ks.load(new FileInputStream(keystore), password); kmf.init(ks, password); tmf.init(ks); ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); } catch (Exception e) { e.printStackTrace(); } return ctx.getServerSocketFactory(); }` – roukzz Jan 21 '15 at 17:31
  • You can load a KeyStore into the key manager and a truststore into the trust manager. The limitation to one file is just a limitation of your own code, not of JSSE. – user207421 Jan 21 '15 at 20:01
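The following is an added example, not code from the question or the answer above, showing the split the answer recommends and the last comment describes: the keystore (own keypair) feeds the KeyManagerFactory, a separate truststore (the peer's exported certificate) feeds the TrustManagerFactory, and both go into one SSLContext. The server side also requires a client certificate so that Bob authenticates Alice and not only the other way round. File names (bob.keystore, bob.truststore, alice.crt), the port, the environment variable and the class name are assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not the asker's program). Builds an SSLContext from TWO files:
 * a keystore holding our own keypair and a truststore holding the peer's certificate.
 *
 * Hypothetical preparation with keytool, shown here for Bob (Alice mirrors it):
 *   keytool -genkeypair -alias bob -keyalg EC -keystore bob.keystore -storetype PKCS12
 *   keytool -exportcert -alias bob -keystore bob.keystore -rfc -file bob.crt
 *   keytool -importcert -alias alice -file alice.crt -keystore bob.truststore -storetype PKCS12
 * bob.keystore never leaves Bob's machine; only bob.crt is handed to Alice.
 */
public final class MutualTlsContext {

    private MutualTlsContext() {}

    /** Loads a keystore file of the JVM's default type (PKCS12 on current JDKs). */
    static KeyStore loadKeyStore(Path file, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * keystore -> KeyManager (who we are); truststore -> TrustManager (whom we trust).
     * The two files are loaded independently: nothing in JSSE forces them into one file.
     */
    public static SSLContext build(Path keystore, char[] keyPassword,
                                   Path truststore, char[] trustPassword)
            throws IOException, GeneralSecurityException {
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(keystore, keyPassword), keyPassword);

        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(truststore, trustPassword));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Server side: demand the client's certificate so the chat is authenticated both ways. */
    public static SSLServerSocket listen(SSLContext ctx, int port) throws IOException {
        SSLServerSocket server =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        server.setNeedClientAuth(true); // handshake fails unless the client cert is in our truststore
        return server;
    }

    /** Client side: the server's certificate is checked against our truststore in the handshake. */
    public static SSLSocket connect(SSLContext ctx, String host, int port) throws IOException {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        socket.startHandshake(); // throws SSLHandshakeException if the server is not trusted
        return socket;
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical usage:  java MutualTlsContext server bob.keystore bob.truststore
        //                      java MutualTlsContext client alice.keystore alice.truststore
        if (args.length != 3) {
            System.err.println("usage: MutualTlsContext server|client <keystore> <truststore>");
            System.exit(2);
        }
        // Assumed: one password (CHAT_STORE_PASSWORD env var, or prompted) for both files.
        String env = System.getenv("CHAT_STORE_PASSWORD");
        char[] pw = env != null ? env.toCharArray()
                                : System.console().readPassword("store password: ");
        SSLContext ctx = build(Path.of(args[1]), pw, Path.of(args[2]), pw);
        if (args[0].equals("server")) {
            try (SSLServerSocket server = listen(ctx, 8443);
                 SSLSocket peer = (SSLSocket) server.accept()) {
                System.out.println("authenticated peer: " + peer.getSession().getPeerPrincipal());
            }
        } else {
            try (SSLSocket s = connect(ctx, "localhost", 8443)) {
                System.out.println("authenticated server: " + s.getSession().getPeerPrincipal());
            }
        }
    }
}
```

Two things worth checking in practice: `getPeerPrincipal()` throws `SSLPeerUnverifiedException` if the peer was not authenticated, which makes a misconfigured truststore visible immediately; and if you ever do reuse one file for both roles, `tmf.init(ks)` will trust every certificate entry in it, including your own, which is exactly the blurring of "who I am" and "whom I trust" the answer warns against.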