-1

I was recently assigned a Java project. I am not very familiar with Java. I have been trying to build the projects but I am having the following error:

    the trustAnchors parameter must be non-empty
        at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200)
        at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:120)
        at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:104)
        at java.base/sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:94)

I am confused on how to set the trustAnchors parameter. I am not sure if this is related but I can also only see the keystore certificate when I am an admin as seen in the picture linked below:


Thanks

  • Does this answer your question? [Error - trustAnchors parameter must be non-empty](https://stackoverflow.com/questions/6784463/error-trustanchors-parameter-must-be-non-empty) – andrewJames May 12 '22 at 13:23
  • The [documentation of trust anchors can be found here](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/cert/TrustAnchor.html). `TrustAnchor` has three constructors. Which one did you choose with which parameter values? Please show your code. – howlger May 12 '22 at 13:49
  • @andrewJames I saw that link before but I am still confused on how to resolve my issue. – ParanoidAndroid May 12 '22 at 16:26
  • @howlger I didn't write the code. However, the code base works for my entire team except me....I am not sure what I did wrong during the set up. I spent a lot of time on calls with the team to no avail. :( – ParanoidAndroid May 12 '22 at 16:28
  • The [Javadoc](https://docs.oracle.com/en/java/javase/17/docs/api/java.base/java/security/cert/PKIXParameters.html#setTrustAnchors%28java.util.Set%29) says: _"InvalidAlgorithmParameterException - if the specified Set is empty (trustAnchors.isEmpty() == true)"_. The method `setTrustAnchors` is called with an empty set. In your stack trace, the line before the line `Caused by: ...` refers to where the method is called. Unfortunately, you didn't show that stack trace line nor the code. – howlger May 12 '22 at 23:08

2 Answers

0

Turns out that spring-boot was using a different version of Java. It was therefore not finding the cacert file.

  • `cacert` is only the default certificate store. It is akin to using your browser's root certificate store without requiring one specific provider. That provides a relatively low amount of security; you may want to use a specific root certificate as trust anchor, or possibly even a pinned leaf certificate. – Maarten Bodewes Apr 06 '23 at 13:43
0

Trust-anchors is a term that is defined in the X.509 specifications, currently documented in RFC 5280. In general a trust anchor is simply defined as a certificate at the start of a trust path. For browsers the trust anchors usually consist of the set of root certificates. In Java this is mimicked by the standard cacerts file that is delivered as part of the Java runtime. This file is used by e.g. the SSL/TLS services offered by the Java JSSE provider.

However, it is perfectly possible and quite often advantageous to limit the trust that you extend to certificates. In the most simple case it might be that you don't want to trust all the root certificates stored in the cacerts file. You may just want to trust a single root certificate, an underlying (intermediate) CA certificate or - in the extreme case - just the certificate used to authenticate a particular server (certificate pinning).

For this reason you can offer a set of certificates to a CertPathValidator which validates the chain of certificates. This CertPathValidator is an abstract class that could handle any kind of certificates. The Java runtime however contains just the single, mandated implementation "PKIX", which indicates a Public Key Infrastructure consisting of X.509 certificates (the X in the acronym).

This PKIXValidator service implementation in turn can be configured using the PKIXParameters class. This class has constructors and "setters" to indicate the trust anchors. This usually consists of a "trust store", i.e. a key store containing trusted certificates. The cacerts file would be the default trust store used by the PKIXValidator used by the JSSE provider.

Alternatively a Set of TrustAnchor instances can be provided. A trust anchor usually just consists of a certificate and optional "name constraints". However, it may also just contain a description of a certificate, such as the name and public key of a certificate. This would e.g. allow you to "pin" a specific public key / name combination while allowing the other party to update their certificate.

It goes a bit far to dive deep into the encoding of the name constraints, but in short the DNS names or IP address within the subject field of a particular certificate in a certificate tree may be validated using these. The parameter may be null if no particular constraints are required. The procedure to validate the name constraints is of course also indicated in RFC 5280.

Note that documentation of (older) Java versions may refer to the now obsolete RFC 3280 instead of RFC 5280.

Maarten Bodewes
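An added Java example, not code from the question or from either answer: it reports which runtime and trust store the JVM is using (the cause named in the first answer), reproduces the exception from an empty trust store, and then builds `PKIXParameters` from an explicit `TrustAnchor` given as name plus public key, as the second answer describes. The class name `TrustAnchorCheck`, the subject `CN=Example Pinned Root` and the generated key are constructed placeholders.

```java
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PublicKey;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.util.Collections;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;

public class TrustAnchorCheck {
    // Number of CA certificates the JVM's default trust store actually provides.
    static int defaultAnchorCount() throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // null = use the runtime's default trust store
        int count = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                count += ((X509TrustManager) tm).getAcceptedIssuers().length;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("java.home  = " + System.getProperty("java.home"));
        System.out.println("trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("default trust anchors = " + defaultAnchorCount());

        // A trust store with no certificate entries reproduces the error from the question.
        KeyStore empty = KeyStore.getInstance(KeyStore.getDefaultType());
        empty.load(null, null);
        try {
            new PKIXParameters(empty);
        } catch (InvalidAlgorithmParameterException e) {
            System.out.println("empty store -> " + e.getMessage());
        }

        // Explicit anchor given as name + public key (constructed placeholder values).
        PublicKey key = KeyPairGenerator.getInstance("RSA").generateKeyPair().getPublic();
        TrustAnchor pinned = new TrustAnchor(new X500Principal("CN=Example Pinned Root"), key, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(pinned));
        params.setRevocationEnabled(false); // demo only: no CRL/OCSP source is configured here
        System.out.println("explicit anchors = " + params.getTrustAnchors().size());
    }
}
```

Run it with the same JVM that the build or the application uses; a default trust anchor count of 0 means that runtime found no usable default trust store.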