I'm trying to connect to an SSL webservice that requires a PKCS12 certificate.

Question: is it possible not to install the certificate into the local keystore, but to load it dynamically at runtime?

I tried as follows:

```java
// `this` is not available in a static initializer; MyClient stands for the enclosing class
static final KeyStore keyStore;
static {
    try (InputStream in = MyClient.class.getClassLoader().getResourceAsStream("myfile.p12")) {
        keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(in, "password".toCharArray());
    } catch (Exception e) { throw new ExceptionInInitializerError(e); }
}
```

But the result:

sun.security.validator.ValidatorException: PKIX path building failed. sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target.

So obviously it does not work. But why?

Sidenote: the linked SO question does not answer my question, as it targets trustStore, but my question is about keystore.

membersound
  • It needs to be in the **CERTSTORE**, as that's what java uses to verify the certificates (the key store is something different). You might be able to do this in a different way, but you'll have to write a lot of complex code - Check this other question to see how to add a certificate to a certstore dynamically: [Adding certificate to keystore using java code](http://stackoverflow.com/questions/10077714/adding-certificate-to-keystore-using-java-code) – Augusto Mar 09 '16 at 09:53
  • @Augusto but there is no `TrustManagerFactory.getInstance("PKCS12");`. – membersound Mar 09 '16 at 10:52

2 Answers

1

The problem has nothing to do with this code. Your truststore doesn't trust the server's certificate. If it's self-signed, you'll have to import it. Better still, get it signed by a CA.

user207421
  • I just received 4 files from the webservice owner: `crt, csr, key, p12`. Now I'm just trying to connect to that webservice via `https`. Maybe I'm doing things wrong? – membersound Mar 09 '16 at 11:14
  • @membersound There's something odd... did they give you **their** private key? Or is this something to do with [mutual authentication](https://en.wikipedia.org/wiki/Mutual_authentication)? (which would still be weird, because then **they** could have a copy of your private key). There's definitely a missing piece of the puzzle... without that I'm not sure other people will be able to help. – Augusto Mar 09 '16 at 11:26
  • Actually you have been right: the server provides a self-signed certificate. I configured the TrustStoreManager to trust the server certificate always, which resolved the error. As `keystore` file I created my own `pfx` from `crt + key`. I assume that I could have been using the provided `p12` *if* they gave me the pass - which they didn't. Also I assume that I should have never received the `csr` key as a client. – membersound Mar 10 '16 at 11:01
-1

The problem is that although your keystore has been created and loaded with your client certificate (assuming that everything is good with it), the SSLContext is not configured to use it.

Try:

```java
// SSLContexts is Apache HttpClient's builder (org.apache.http.ssl.SSLContexts);
// KeyStore.load() returns void, so load into the instance rather than assigning its result
KeyStore keyStore = KeyStore.getInstance("PKCS12");
try (InputStream in = getClass().getClassLoader().getResourceAsStream("myfile.p12")) {
    keyStore.load(in, "password".toCharArray());
}
SSLContext sslcontext = SSLContexts.custom()
        .loadKeyMaterial(keyStore, "password".toCharArray())
        .build();
SSLContext.setDefault(sslcontext);
```
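Putting the two answers together with only the JDK (no Apache HttpClient), as an added example that is not code from either answer: the client's PKCS12 supplies the key material, and a second PKCS12 holding just the server's self-signed certificate supplies the trust material, so the PKIX error goes away without touching the JVM's cacerts and without a trust-everything manager. The resource names, the password and the URL are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class MutualTlsClient {

    /** Loads a PKCS12 file from the classpath (resource name and password are assumptions). */
    static KeyStore loadPkcs12(String resource, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = MutualTlsClient.class.getClassLoader().getResourceAsStream(resource)) {
            if (in == null) throw new IllegalStateException("resource not found: " + resource);
            ks.load(in, password);
        }
        return ks;
    }

    /** Key material answers the server's client-certificate request; trust material decides
     *  which server certificate the PKIX path builder accepts. The factory algorithm (PKIX)
     *  is independent of the keystore type, which is why there is no TrustManagerFactory "PKCS12". */
    static SSLContext build(KeyStore keyMaterial, char[] keyPassword, KeyStore trustMaterial) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyMaterial, keyPassword);

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustMaterial);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "password".toCharArray();
        KeyStore clientKeys = loadPkcs12("myfile.p12", pw);         // crt + key combined into one .p12
        KeyStore serverTrust = loadPkcs12("server-trust.p12", pw);  // only the server's certificate (Java 8+ PKCS12 trusted entry)
        SSLContext ctx = build(clientKeys, pw, serverTrust);

        // Scope the context to this connection instead of SSLContext.setDefault(...)
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://service.example/").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The trust file can be produced with `keytool -importcert -storetype PKCS12` from the server's `crt`; the `csr` is never needed on the client side.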