
Monday, April 2, 2007

Dummy certificate authentication implementation

Certificates are one way of doing authentication/authorization in SSL-based authentication. When a browser accesses a web application that uses certificates to authenticate users, the browser is asked to validate the certificate if it already has it, or to accept the certificate permanently or temporarily for the session. Browsers know this behaviour and how to respond to it.

When we access a web-based system from a program, the program looks in a fixed set of locations (depending on the language you are using) for certificates; if it does not find the certificate it throws an exception. All of this happens while creating the socket connection to the web application.

In Java, javax.net.ssl.SSLSocketFactory is used to create the socket connection. That class asks a javax.net.ssl.X509TrustManager instance to validate the certificate. X509TrustManager searches for the certificate in the JAVA_HOME/jre/lib/security/cacerts file, which is a collection of trusted certificates. If it does not find it, it throws an exception.

One option is to find out which web applications your program will use and, using keytool, add the certificates of those web applications to the JAVA_HOME/jre/lib/security/cacerts file. But that is hard-coding in a sense: if you later want your application to talk to another web application that also uses certificate authentication, an administrator will have to add that certificate for you. You can also write Java code for this, but that again is a lot of coding for the programmer.

There is one more approach that makes the programmer's work easier: the DummyCertificate approach. Here we create a dummy certificate validator that accepts all certificates. To implement it in Java the programmer has to write two classes, DummySSLSocketFactory and DummyTrustManager.

DummySSLSocketFactory is used to create sockets, and DummyTrustManager is used for certificate validation; it returns true for any certificate it is asked to validate.

We need to tell Java to use DummySSLSocketFactory to create sockets, which in turn asks DummyTrustManager to validate certificates. There are two ways to do so. One is to edit the JAVA_HOME\jre\lib\security\java.security file: find the ssl.SocketFactory.provider entry in that file (ssl.ServerSocketFactory.provider is the server-side counterpart) and set it to the fully qualified class name of DummySSLSocketFactory. The other is to do it programmatically: the java.security.Security class has a static setProperty method, and with it you can tell Java to use DummySSLSocketFactory to create sockets.
Ex: Security.setProperty("ssl.SocketFactory.provider", "com.persistent.DummySSLSocketFactory");

The DummySSLSocketFactory implementation hands certificates to DummyTrustManager, which accepts every certificate it is given and so returns true for all of them.

So this is how one can deal with the certificate validation issue from a program.

Code for DummySSLSocketFactory and DummyTrustManager. This code has been tested against JavaMail 1.4 and JDK 1.5.

import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import javax.net.SocketFactory;
import javax.net.ssl.*;

/**
 * SSLSocketFactory that delegates socket creation to a real factory whose
 * SSLContext has been initialised with DummyTrustManager, so that every
 * certificate presented by the peer is accepted.
 */
public class DummySSLSocketFactory extends SSLSocketFactory {
    private SSLSocketFactory factory;

    public DummySSLSocketFactory() {
        try {
            SSLContext sslcontext = SSLContext.getInstance("TLS");
            // null key managers and null SecureRandom: use the defaults;
            // DummyTrustManager is the only trust manager installed.
            sslcontext.init(null,
                            new TrustManager[] { new DummyTrustManager() },
                            null);
            factory = sslcontext.getSocketFactory();
        } catch (Exception ex) {
            // Rethrow instead of swallowing: a swallowed failure would leave
            // factory null and every createSocket call would NPE later.
            throw new IllegalStateException("Could not initialise SSL context", ex);
        }
    }

    // Called by JSSE when ssl.SocketFactory.provider names this class.
    public static SocketFactory getDefault() {
        return new DummySSLSocketFactory();
    }

    public Socket createSocket(Socket socket, String s, int i, boolean flag)
            throws IOException {
        return factory.createSocket(socket, s, i, flag);
    }

    public Socket createSocket(InetAddress inaddr, int i,
                               InetAddress inaddr1, int j) throws IOException {
        return factory.createSocket(inaddr, i, inaddr1, j);
    }

    public Socket createSocket(InetAddress inaddr, int i)
            throws IOException {
        return factory.createSocket(inaddr, i);
    }

    public Socket createSocket(String s, int i, InetAddress inaddr, int j)
            throws IOException {
        return factory.createSocket(s, i, inaddr, j);
    }

    public Socket createSocket(String s, int i) throws IOException {
        return factory.createSocket(s, i);
    }

    public Socket createSocket() throws IOException {
        return factory.createSocket();
    }

    public String[] getDefaultCipherSuites() {
        return factory.getDefaultCipherSuites();
    }

    public String[] getSupportedCipherSuites() {
        return factory.getSupportedCipherSuites();
    }
}

import javax.net.ssl.X509TrustManager;
import java.security.cert.X509Certificate;

/**
 * Trust manager that performs no validation at all: both check methods
 * return normally for any certificate chain, so the handshake never fails
 * on an unknown or expired certificate.
 */
public class DummyTrustManager implements X509TrustManager {

    // Accept any client certificate without inspecting it.
    public void checkClientTrusted(X509Certificate[] cert, String authType) {
    }

    // Accept any server certificate without inspecting it.
    public void checkServerTrusted(X509Certificate[] cert, String authType) {
    }

    // No issuers are advertised as trusted.
    public X509Certificate[] getAcceptedIssuers() {
        return new X509Certificate[0];
    }
}
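Because DummyTrustManager accepts every certificate, the connection is encrypted but the server's identity is never checked; the per-application truststore option mentioned earlier keeps that check without touching the JDK-wide cacerts file. As an added example (not part of the original post), here is that option in code, assuming a hypothetical truststore path and password and a hypothetical mail server name:

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLSocketFactory that trusts only the certificates found in an
 * application-specific truststore, e.g. one created with:
 *   keytool -import -alias mailserver -file server.crt -keystore app-truststore.jks
 * Any server whose chain does not lead to a certificate in that file is
 * rejected during the handshake; everything else behaves like the default JSSE.
 */
public class AppTrustStoreSocketFactory {

    public static SSLSocketFactory forTrustStore(String path, char[] password)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // "jks" on JDK 1.5
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        // The default X509 trust manager, but fed our keystore instead of cacerts.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical path, password and host; replace with your own.
        SSLSocketFactory f = forTrustStore("/path/to/app-truststore.jks",
                                           "changeit".toCharArray());
        SSLSocket s = (SSLSocket) f.createSocket("mail.example.com", 993);
        // Throws javax.net.ssl.SSLHandshakeException if the server's
        // certificate is not covered by the truststore.
        s.startHandshake();
        System.out.println("handshake ok with " + s.getSession().getPeerPrincipal());
        s.close();
    }
}
```

To make JavaMail use it, point the same ssl.SocketFactory.provider property at a class whose getDefault() returns this factory, exactly as shown for DummySSLSocketFactory above.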
If you find any issues please feel free to ping on thakkar.kiran@gmail.com
