Skip to main content

Using two private keys (keystore) and two public keys (truststore) in one SSL Socket Connection



I need to use to key-pair in one socket ssl connection without change nothing in clients.





Why?





Because one client use a CN attribute in trust store for connection handshake and other clients using another value in the same attribute to process the same task in the same way.





So I need to use two key store (private) with distinct CN attributes and also aliases and share two different trust store (public key) with distinct CN attributes and also aliases too.





Describing bellow:





keyStore1 Keystore type: JKS Keystore provider: SUN ... Alias name: identity1 ... Owner: CN=app1, OU=..., ... Issuer: CN=app1, OU=..., ... ...





keyStore2 ... Alias name: identity2 ... Owner: CN=app2, OU=..., ... Issuer: CN=app2, OU=..., ...





trustStore1 ... Alias name: identity1 ... Owner: CN=app1, OU=..., ... Issuer: CN=app1, OU=..., ... ...





trustStore2 ... Alias name: identity2 ... Owner: CN=app2, OU=..., ... Issuer: CN=app2, OU=..., ...





I tried to implement this feature in this way:







KeyStore KeyStore1;



try {

String keyStoreFile1 = "privatekey1";

String keyStoreType1 = "jks";

char[] keyStorePwd1 = "password".toCharArray();



keyStore1 = KeyStore.getInstance(keyStoreType1);

keyStore1.load(new FileInputStream(keyStoreFile1), keyStorePwd1);

} catch (java.security.GeneralSecurityException thr) {

throw new IOException("Cannot load keystore (" + thr + ")");

}



KeyStore trustStore1;



try {

String trustStoreFile1 = "publickey1";

String trustStoreType1 = "jks";

char[] trustStorePwd1 = "password".toCharArray();



trustStore1 = KeyStore.getInstance(trustStoreType1);

trustStore.load(new FileInputStream(trustStoreFile1), trustStorePwd1);

} catch (java.security.GeneralSecurityException thr) {

throw new IOException("Cannot load truststore (" + thr + ")");

}





KeyStore keyStore2;



try {

String keyStoreFile2 = "privatekey2";

String keyStoreType2 = "jks";

char[] keyStorePwd2 = "anotherpass".toCharArray();



keyStore2 = KeyStore.getInstance(key2StoreType);

keyStore2.load(new FileInputStream(keyStoreFile2), keyStorePwd2);

} catch (java.security.GeneralSecurityException thr) {

throw new IOException("Cannot load keystore (" + thr + ")");

}



KeyStore trustStore2;



try {

String trustStoreFile2 = "publickey2";

String trustStoreType2 = "jks";

char[] trustStorePwd2 = "anotherpass".toCharArray();



trustStore2 = KeyStore.getInstance(trustStoreType2);

trustStore2.load(new FileInputStream(trustStoreFile2), trustStorePwd2);

} catch (java.security.GeneralSecurityException thr) {

throw new IOException("Cannot load truststore (" + thr + ")");

}







KeyManagerFactory kmfkey1 =

KeyManagerFactory.getInstance(KeyManagerFactory.getkey1Algorithm());

kmfkey1.init(keyStore1, "password".toCharArray());



TrustManagerFactory tmfkey1 =

TrustManagerFactory.getInstance(TrustManagerFactory.getkey1Algorithm());

tmfkey1.init(trustStore1);





SSLContext ctx = SSLContext.getInstance("SSL");

ctx.init(kmfkey1.getKeyManagers(), tmfkey1.getTrustManagers(), null);





KeyManagerFactory kmfkey2 =

KeyManagerFactory.getInstance(KeyManagerFactory.getkey1Algorithm());

kmfkey2.init(keyStore2, "password".toCharArray());



TrustManagerFactory tmfkey2 =

TrustManagerFactory.getInstance(TrustManagerFactory.getkey1Algorithm());

tmfkey2.init(trustStore2);





SSLContext ctxkey2 = SSLContext.getInstance("SSL");

ctxkey2.init(kmfkey2.getKeyManagers(), tmfkey2.getTrustManagers(), null);



SSLServerSocketFactory sslSrvSockFact = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();



serverSocket = sslSrvSockFact.createServerSocket(port);







But I received this error message





... java.security.KeyStoreException: Uninitialized keystore at java.security.KeyStore.aliases(KeyStore.java:941) at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.(SunX509KeyManagerImpl.java:106) at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:41) at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:192) ....





So I really want to know if is possible to use to key-pairs in one socket connection or solve this in a different way that I can't see or deal with.


Comments

  1. The simples way would be to put everything in one key store - all keys and all trust certificates. That would eliminate your problem.

    ReplyDelete
  2. The "obvious" problem is that you're not actually making any use of the SSLContexts you create:

    SSLServerSocketFactory sslSrvSockFact =
    (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();


    This should at least be:

    SSLServerSocketFactory sslSrvSockFact =
    (SSLServerSocketFactory) ctx.getServerSocketFactory();


    The problem is that you would have to choose between one context or the other...

    The solution to your problem is in the answer I gave to your other similar question a couple of days ago: you need to implement your own X509KeyManager to be able to choose which key you're going to use.

    Whether you want to use a single keystore or load your key/cert from two keystores doesn't matter that much: if you really want to, you can certainly implement getPrivateKey and getCertificateChain so that they load the keys/certs from two distinct keystores depending in the alias. It would be unnecessarily complicated, though. You will still have to do something based on the alias selection anyway, so you might as well load both keys/certificates from a single key store, using different aliases.

    From the server point of view, the only way to choose one alias (and therefore key/cert pair) is to use what's available in the socket (or engine if you're using an X509ExtendedKeyManager). Since Java 7 doesn't support Server Name Indication (which would let the client tell which host name it's requesting ahead of this selection process), you may have to do this based on the client IP address, or on which of your server IP addresses is being used (if you have more than one).


    Using two private keys (keystore) and two public keys (truststore)


    You seem to be confused about what the keystore and the truststore are. Unless you're planning to use client-certificate authentication, you can ignore the trust store settings on the server. You can used the default (null) as the second parameter of your SSLContext.init(...). Your "keystore (keystore)" is the information used by the local party (your server in this case), the "truststore (keystore)" is used to determine which remote party to trust.

    The public key (or, to be precised, the certificate) you're going to present to the client is also in your keystore, associated with your private key, not in the truststore.

    ReplyDelete

Post a Comment

Popular posts from this blog

Wildcards in a hosts file

I want to setup my local development machine so that any requests for *.local are redirected to localhost . The idea is that as I develop multiple sites, I can just add vhosts to Apache called site1.local , site2.local etc, and have them all resolve to localhost , while Apache serves a different site accordingly.