There are three methods in X509TrustManager:

1. checkClientTrusted: check whether the client's certificates are trusted.
2. checkServerTrusted: check whether the server's certificates are trusted.

So what is the method getAcceptedIssuers for? Where will it be called?
1 Answers
5
getAcceptedIssuers will return a list of Certificate Authorities (CAs) from the configured/available truststore. The method is called internally by checkClientTrusted and checkServerTrusted, where it will compare the CA of the incoming certificate against the list of trusted CAs as available from the TrustStore.

Monish Sen
- 2 What happens if we return `null` or `new X509Certificate[0];` from `getAcceptedIssuers()`? – MediumOne Nov 27 '17 at 06:25
- @MediumOne it depends on what this method is being used for. Typically this method will be called internally when opening an HTTPS connection. If this method returns X509Certificate[0], then it means that there are no trusted CAs in your Trust Store, i.e. you don't trust anybody ;) so either checkServerTrusted or checkClientTrusted will throw CertificateException, depending on which is being called – Monish Sen Nov 27 '17 at 12:13
- If you write your own implementation of X509TrustManager, then ideally you should be calling getAcceptedIssuers in the implementation of checkClientTrusted and checkServerTrusted, but it is entirely up to you what you want to do in the implementation. getAcceptedIssuers is more like a private method and has no external dependency to my knowledge – Monish Sen Nov 27 '17 at 12:16