
I'm trying to connect to the LDAP server over SSL.

I'm using Spring LdapTemplate and have a custom SSLSocketFactory.

My requirement is to validate the certificate using the thumbprint (not using the Java keystore).

I will have the thumbprint information in my DB, and that needs to be validated against the server's certificate thumbprint.

Magicprog.fr
  • That's very nice. But I don't see any question? – Ivar Feb 02 '16 at 13:40
  • Hi Ivar, I am trying to develop a custom SSLSocketFactory which will be consumed by my Spring LdapContextSource. I am not sure how I can create a custom SSLSocketFactory which will validate the AD server's certificate using the thumbprint. I don't want to use the keystore. – Vinson M S Feb 02 '16 at 17:09

1 Answer


You need to create a custom TrustManager that implements X509TrustManager, reads the certificate, extracts the "thumbprint" and compares it to (not sure what value).

Then you need to use it when setting up the SSLContext, something like:

    import java.security.KeyManagementException;
    import java.security.NoSuchAlgorithmException;
    import java.security.NoSuchProviderException;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.TrustManager;

    // Your custom X509TrustManager implementation, which performs the thumbprint check
    TrustManager[] tms = { new com.willeke.security.FakeX509TrustManager() };
    SSLContext context = null;
    try
    {
        context = SSLContext.getInstance("TLS", "SunJSSE");
        /**
         * The first parameter - null means use the default key manager.
         * The second parameter - the desired TrustManager(s).
         * The third parameter - null means use the default SecureRandom.
         */
        context.init(null, tms, null);
    }
    catch (NoSuchAlgorithmException | NoSuchProviderException | KeyManagementException ex)
    {
        throw new IllegalStateException("Could not set up SSLContext", ex);
    }
jwilleke
  • Thanks, I have created a custom TrustManager which extracts the thumbprint, and I am checking the generated thumbprint against the thumbprint saved in the DB. Is there a way where, if the thumbprint doesn't exist in the DB, we get an SSLHandshakeException and show the user the certificate information (issued by, expiration date, etc.) to accept; once the user accepts the certificate, the thumbprint is saved in the DB. – Vinson M S Feb 04 '16 at 06:17
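An added example, not code from the question or the answer, of the thumbprint-checking TrustManager the answer describes, pinned on the SHA-256 hash of the server's leaf certificate; the class name ThumbprintTrustManager, the Set<String> of allowed thumbprints standing in for the DB lookup, and the socketFactory helper are assumptions. On a mismatch it throws a CertificateException that JSSE surfaces as an SSLHandshakeException whose message carries subject, issuer and expiry, which is the hook the follow-up comment asks about.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.*;
import java.util.Set;
import javax.net.ssl.*;

/** Trusts a server only if the SHA-256 thumbprint of its leaf certificate is in the allow-list. */
public class ThumbprintTrustManager implements X509TrustManager {
    // Hypothetical: lower-case hex SHA-256 thumbprints loaded from the DB before connecting.
    private final Set<String> allowedThumbprints;
    public ThumbprintTrustManager(Set<String> allowedThumbprints) { this.allowedThumbprints = allowedThumbprints; }

    // Hex SHA-256 of the DER encoding, which is what certificate viewers display as the thumbprint.
    public static String thumbprint(X509Certificate cert) throws CertificateException {
        try {
            StringBuilder hex = new StringBuilder();
            for (byte b : MessageDigest.getInstance("SHA-256").digest(cert.getEncoded())) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException("SHA-256 not available", e);
        }
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) throw new CertificateException("empty certificate chain");
        X509Certificate leaf = chain[0];
        leaf.checkValidity();   // pinning replaces chain validation, but an expired certificate is still rejected
        String seen = thumbprint(leaf);
        boolean match = false;
        for (String allowed : allowedThumbprints) {   // constant-time compare of every entry, no early exit
            match |= MessageDigest.isEqual(allowed.getBytes(), seen.getBytes());
        }
        if (!match) {
            // Surfaces to the caller as an SSLHandshakeException carrying what a user needs to decide.
            throw new CertificateException("Unknown server certificate: subject=" + leaf.getSubjectX500Principal()
                    + ", issuer=" + leaf.getIssuerX500Principal() + ", expires=" + leaf.getNotAfter()
                    + ", sha256=" + seen);
        }
    }

    public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException { throw new CertificateException("server-side trust only"); }
    public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }

    // SSLSocketFactory to hand to the custom socket factory used by the LDAP context.
    public static SSLSocketFactory socketFactory(Set<String> allowedThumbprints) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { new ThumbprintTrustManager(allowedThumbprints) }, null);
        return ctx.getSocketFactory();
    }
}
```

Catch the SSLHandshakeException around the connection attempt, present the details from its cause's message, and only after an explicit user decision add the new thumbprint to the DB and reconnect.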