Maksym Maksym - 4 months ago 18
Java Question

Does JSSE use a certificate in a PrivateKeyEntry as a trust anchor?

If a key store containing one or more PrivateKeyEntry entries is specified as a trust store, will JSSE create a trust anchor from the end-entity certificate in each of those entries?

In other words, is it enough to have a certificate under a PrivateKeyEntry if we have one keystore with both trusted and private entries? Or must we also add that certificate as a TrustedCertificateEntry?

Answer

It doesn't matter whether the certificate is placed under PrivateKeyEntry or under trustedCertEntry; the JVM trusts the host from the certificate either way.

Tested locally.

Run a local server with HTTPS and a keystore containing only one PrivateKeyEntry.

Then run the client with this code:

import java.io.BufferedReader;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

public class TlsClientTest {

    // Opens the URL with the JVM's default SSLContext (so the trust store
    // configured for the JVM decides whether the handshake succeeds)
    // and returns the response body as one string.
    public static String getHTML(String urlToRead) throws Exception {
        StringBuilder result = new StringBuilder();
        URL url = new URL(urlToRead);
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        conn.setRequestMethod("GET");
        try (BufferedReader rd = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
            String line;
            while ((line = rd.readLine()) != null) {
                result.append(line);
            }
        }
        return result.toString();
    }

    public static void main(String[] args) throws Exception {
        String testUrl = "https://localhost/test";
        System.out.println(getHTML(testUrl));
    }
}

Without any truststore:

Exception in thread "main" javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

With a truststore that contains only one PrivateKeyEntry (the same jks file that was used for the server as its keystore):

<!DOCTYPE....</html>
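A way to see this directly, without running a server, is to ask JSSE which certificates it would treat as trust anchors for a given keystore file. The following program is an added example, not code from the question or the answer above; it assumes a JKS file and its password are passed on the command line (the file name and password are placeholders you supply). It lists every entry by type and then prints the accepted issuers of the X509TrustManager that TrustManagerFactory builds from that keystore. A certificate that appears in the accepted-issuer list is one the default trust manager will use as a trust anchor, whether it came from a TrustedCertificateEntry or from the end-entity certificate of a PrivateKeyEntry.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

public class TrustAnchorCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: TrustAnchorCheck <keystore.jks> <password>");
            System.exit(2);
        }
        // Placeholders: path and password of the keystore to inspect.
        String path = args[0];
        char[] password = args[1].toCharArray();

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }

        // 1. Show what kind of entry each alias holds.
        System.out.println("Entries in " + path + ":");
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            String type = ks.isKeyEntry(alias) ? "PrivateKeyEntry"
                        : ks.isCertificateEntry(alias) ? "TrustedCertificateEntry"
                        : "other";
            Certificate cert = ks.getCertificate(alias); // chain[0] for key entries
            String subject = (cert instanceof X509Certificate)
                    ? ((X509Certificate) cert).getSubjectX500Principal().getName()
                    : "(no X.509 certificate)";
            System.out.println("  " + alias + " [" + type + "] " + subject);
        }

        // 2. Build the default (PKIX) trust manager from the same keystore and
        //    print the certificates it reports as accepted issuers, i.e. the
        //    trust anchors it will use during a TLS handshake.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        System.out.println("Trust anchors derived by " + tmf.getAlgorithm() + ":");
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate anchor : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    System.out.println("  " + anchor.getSubjectX500Principal().getName());
                }
            }
        }
    }
}
```

Run it against the server keystore used in the answer and the subject of the PrivateKeyEntry's certificate shows up in the accepted-issuer list, which is what lets the client handshake succeed. Note that the client in the answer is presumably pointed at that file through the javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword system properties (the answer does not say how the truststore was configured; that is an assumption). From a least-privilege standpoint the fact that it works is not a reason to do it: handing the server's keystore to clients also hands them the server's private key. The usual practice is to export only the certificate (keytool -exportcert) and import it into a separate truststore as a TrustedCertificateEntry (keytool -importcert), so the trust store never contains private key material.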