
I work on a web API based on Spring Boot 2.0.3, and have already enabled SSL with self-signed certificates through application.properties. I added a new feature to validate a local CRL with a customized TrustManager, but Spring Boot doesn't pick up the code.

Could you help me figure out where the problem is? If someone could show how to check a local CRL file, that would also be helpful.

The config properties look like this.

application.properties:
        server.ssl.key-alias=server
        server.ssl.key-password=123456
        server.ssl.key-store=classpath:serverStore.keystore
        server.ssl.key-store-type=jks
        server.ssl.client-auth=NEED
        server.ssl.trust-store=classpath:trustStore.keystore
        server.ssl.trust-store-password=123456
        server.ssl.trust-store-type=jks

I inject the customized trust manager like this:

import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.annotation.PostConstruct;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

import org.springframework.context.annotation.Configuration;

@Configuration
public class CRLChecker {
    @PostConstruct
    public void check() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        // Initialise the TMF as you normally would, for example:
        // (a null KeyStore means the JVM's default cacerts, not server.ssl.trust-store)
        tmf.init((KeyStore) null);

        TrustManager[] trustManagers = tmf.getTrustManagers();
        final X509TrustManager origTrustmanager = (X509TrustManager) trustManagers[0];

        TrustManager[] wrappedTrustManagers = new TrustManager[] {
                new X509TrustManager() {
                    @Override
                    public X509Certificate[] getAcceptedIssuers() {
                        return origTrustmanager.getAcceptedIssuers();
                    }
                    @Override
                    public void checkClientTrusted(X509Certificate[] certs, String authType) throws CertificateException {
                        // this is the method a server calls for a client certificate (server.ssl.client-auth=NEED)
                        origTrustmanager.checkClientTrusted(certs, authType);
                    }
                    @Override
                    public void checkServerTrusted(X509Certificate[] certs, String authType) throws CertificateException {
                        // add more of my logic here to validate the CRL
                        origTrustmanager.checkServerTrusted(certs, authType);
                    }
                }
        };

        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, wrappedTrustManagers, null);
        // installs the wrapped context for outbound HttpsURLConnection clients only;
        // the embedded Tomcat server builds its own SSLContext from the server.ssl.* properties
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    }
}
Max
  • What part of your app do you expect to use the custom trust manager? Is your intention that it'll be used by the embedded server? – Andy Wilkinson Dec 11 '18 at 06:50
  • @Andy Wilkinson, I just want to wrap the original trust manager to validate a local CRL file – Max Dec 11 '18 at 07:33
  • Which "original trust manager"? What component in your app do you want to perform the validation? – Andy Wilkinson Dec 11 '18 at 08:21
  • @Andy Wilkinson tmf.getTrustManagers(); the result is the original trust manager, and I want to inject my code into the SSLContext's checkServerTrusted method, as mentioned above. – Max Dec 11 '18 at 09:01

0 Answers
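Added example, not from the question or its comments: the reason the posted @PostConstruct code has no effect is that HttpsURLConnection.setDefaultSSLSocketFactory only changes outbound client connections; the embedded Tomcat builds its own SSLContext from the server.ssl.* properties and never sees that SSLContext. With Tomcat 8.5/9, the CRL check the question asks for can be switched on in Tomcat's own JSSE setup through a connector customizer; the CRL path below is an assumed location, and the bean name is mine.

```java
import org.apache.tomcat.util.net.SSLHostConfig;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.server.WebServerFactoryCustomizer;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class TomcatCrlConfig {

    // Assumed location of the CRL issued by the CA that signs your client certificates.
    private static final String CRL_FILE = "/etc/myapp/clients.crl";

    @Bean
    public WebServerFactoryCustomizer<TomcatServletWebServerFactory> clientCertCrlCustomizer() {
        return factory -> factory.addConnectorCustomizers(connector -> {
            // Connector customizers run after Boot has applied server.ssl.* to the
            // connector, so the default SSLHostConfig already exists here.
            for (SSLHostConfig sslHostConfig : connector.findSslHostConfigs()) {
                // Tomcat loads this file into a Collection CertStore and validates every
                // client chain with PKIX revocation checking enabled. A certificate whose
                // issuer is not covered by the file is rejected, not silently accepted.
                sslHostConfig.setCertificateRevocationListFile(CRL_FILE);
            }
        });
    }
}
```

Tomcat reads the file when the connector's SSLContext is built, so a rotated CRL is not picked up until the SSL host config is reloaded or the application restarts. If you really need your own X509TrustManager (for example to re-read the CRL on every handshake), the Tomcat hook for that is the SSLHostConfig trustManagerClassName attribute, which requires a class with a zero-argument constructor implementing javax.net.ssl.X509TrustManager; a TrustManager installed through HttpsURLConnection will never be consulted for incoming client certificates.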
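Added example, not from the question or its comments, for the second part of the question (how to check a chain against a local CRL file): a trust manager that hands the work to the JDK's PKIX validator with revocation checking turned on and the on-disk CRL as the only revocation source. Class name, constructor arguments and the CRL path are my choices; the keystore passed in is meant to be the same one referenced by server.ssl.trust-store. Note that with revocation enabled PKIX demands revocation data for every certificate below the trust anchor, so if your client certificates are issued by an intermediate CA the file must contain the root's CRL for that intermediate as well.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.X509TrustManager;

/**
 * Validates certificate chains with the JDK PKIX validator plus a CRL read from local
 * disk. Network fetching (CRL distribution points, OCSP) stays at its JDK default of
 * off, so a chain not covered by the local CRL fails closed instead of being accepted.
 */
public final class LocalCrlTrustManager implements X509TrustManager {

    private final KeyStore trustStore;               // the CA certificates you trust
    private final Path crlFile;                      // assumed location, e.g. /etc/myapp/clients.crl
    private final X509Certificate[] acceptedIssuers; // cached copy of the trust store's certificates

    public LocalCrlTrustManager(KeyStore trustStore, Path crlFile) throws KeyStoreException {
        this.trustStore = trustStore;
        this.crlFile = crlFile;
        List<X509Certificate> issuers = new ArrayList<>();
        for (Enumeration<String> aliases = trustStore.aliases(); aliases.hasMoreElements();) {
            Certificate c = trustStore.getCertificate(aliases.nextElement());
            if (c instanceof X509Certificate) {
                issuers.add((X509Certificate) c);
            }
        }
        this.acceptedIssuers = issuers.toArray(new X509Certificate[0]);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        validate(chain); // the method a server calls for a client certificate (client-auth=NEED)
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        validate(chain); // same rules if this manager is reused for outbound connections
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return acceptedIssuers.clone();
    }

    private void validate(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty certificate chain");
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");

            // Re-read the file on every handshake so a rotated CRL takes effect without a restart.
            X509CRL crl;
            try (InputStream in = Files.newInputStream(crlFile)) {
                crl = (X509CRL) cf.generateCRL(in);
            }
            // A stale CRL is rejected outright: an attacker who can stop CRL updates must not
            // be able to keep a revoked certificate alive. Checked here so the reason is explicit.
            if (crl.getNextUpdate() != null && crl.getNextUpdate().before(new Date())) {
                throw new CertificateException("CRL expired on " + crl.getNextUpdate());
            }

            // Drop the trust anchor if the peer sent it; anchors come from the PKIXParameters.
            List<X509Certificate> path = new ArrayList<>();
            for (X509Certificate c : chain) {
                if (trustStore.getCertificateAlias(c) != null) {
                    break;
                }
                path.add(c);
            }
            if (path.isEmpty()) {
                throw new CertificateException("peer presented only a trust anchor");
            }

            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(true); // every cert in the path now needs revocation data
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Collections.singletonList(crl))));

            // PKIX verifies the CRL's signature against its issuer before consulting it, so a
            // forged file dropped into crlFile cannot un-revoke anything.
            CertPath certPath = cf.generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(certPath, params);
        } catch (CertificateException e) {
            throw e;
        } catch (CertPathValidatorException e) {
            // e.getReason() is e.g. REVOKED or UNDETERMINED_REVOCATION_STATUS
            throw new CertificateException("chain rejected: " + e.getReason(), e);
        } catch (GeneralSecurityException | IOException e) {
            throw new CertificateException("CRL validation failed", e);
        }
    }
}
```

To use it for incoming client certificates in the embedded Tomcat you still have to get Tomcat to instantiate it (through its trustManagerClassName hook, which needs a zero-argument constructor, so a small subclass that loads the keystore and CRL path from fixed locations is required); used as written it is suitable for an SSLContext you build yourself for outbound connections. Either way, the hook for a client certificate is checkClientTrusted, not checkServerTrusted.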