1. Overview

In this quick tutorial, we'll learn how to read a list of trusted certificates in Java through quick and practical examples.

2. Loading the KeyStore

Java stores the trusted certificates in a special file named cacerts that lives inside our Java installation folder.

Let's start by reading this file and loading it into the KeyStore:

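import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;

private KeyStore loadKeyStore() throws IOException, GeneralSecurityException {
    // cacerts lives under <java.home>/lib/security
    String relativeCacertsPath = "/lib/security/cacerts".replace("/", File.separator);
    String filename = System.getProperty("java.home") + relativeCacertsPath;

    KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
    String password = "changeit";
    // try-with-resources closes the stream even if load() throws
    try (FileInputStream is = new FileInputStream(filename)) {
        keystore.load(is, password.toCharArray());
    }

    return keystore;
}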

The default password for this KeyStore is “changeit”, but it could be different if it was previously changed in our system.

Once loaded, the KeyStore will hold our trusted certificates, and next, we'll see how to read them.

3. Reading Certificates From a Specified KeyStore

We're going to use the PKIXParameters class, which takes a KeyStore as a constructor parameter:

@Test
public void whenLoadingCacertsKeyStore_thenCertificatesArePresent() throws Exception {
    KeyStore keyStore = loadKeyStore();
    // The constructor turns every trusted certificate entry into a TrustAnchor
    PKIXParameters params = new PKIXParameters(keyStore);

    Set<TrustAnchor> trustAnchors = params.getTrustAnchors();
    List<Certificate> certificates = trustAnchors.stream()
      .map(TrustAnchor::getTrustedCert)
      .collect(Collectors.toList());

    assertFalse(certificates.isEmpty());
}

The PKIXParameters class is usually used for validating a certificate, but in our example, we simply used it to extract the certificates from our KeyStore.

When we create an instance of PKIXParameters, it builds a set of TrustAnchor objects that contains the trusted certificates present in our KeyStore.

A TrustAnchor instance simply represents a trusted certificate.

4. Reading Certificates From Default KeyStore

We can also get a list of the trusted certificates present in our system by using the TrustManagerFactory class and initializing it without a KeyStore, which will use the default KeyStore.

If we don't provide a KeyStore explicitly, the same one from the previous section will be used by default:

@Test
public void whenLoadingDefaultKeyStore_thenCertificatesArePresent() throws Exception {
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    // A null KeyStore tells the factory to fall back to the default trust store
    trustManagerFactory.init((KeyStore) null);

    List<TrustManager> trustManagers = Arrays.asList(trustManagerFactory.getTrustManagers());
    List<X509Certificate> certificates = trustManagers.stream()
      .filter(X509TrustManager.class::isInstance)
      .map(X509TrustManager.class::cast)
      .map(trustManager -> Arrays.asList(trustManager.getAcceptedIssuers()))
      .flatMap(Collection::stream)
      .collect(Collectors.toList());

    assertFalse(certificates.isEmpty());
}

In the above example, we've used X509TrustManager, which is a specialized TrustManager used to authenticate the remote side of an SSL connection.

Note that this behavior may depend on the specific JDK implementation, as the specification doesn't define what should happen in case the init() KeyStore parameter is null.

5. Certificate Aliases

A certificate alias is simply a String that uniquely identifies a certificate within a KeyStore.

Among the default certificates imported by Java, there's also a well-known certificate issued by GoDaddy, a public Internet domain registrar, which we'll use in our tests:

String GODADDY_CA_ALIAS = "godaddyrootg2ca [jdk]";

Let's see how we can read all certificate aliases present in our KeyStore:

@Test
public void whenLoadingKeyStore_thenGoDaddyCALabelIsPresent() throws Exception {
    KeyStore keyStore = loadKeyStore();

    // aliases() returns an Enumeration, so we copy it into a List for easy lookup
    Enumeration<String> aliasEnumeration = keyStore.aliases();
    List<String> aliases = Collections.list(aliasEnumeration);
    assertTrue(aliases.contains(GODADDY_CA_ALIAS));
}

In the next example, we'll see how we can retrieve a certificate by its alias:

@Test
public void whenLoadingKeyStore_thenGoDaddyCertificateIsPresent() throws Exception {
    KeyStore keyStore = loadKeyStore();

    // getCertificate() returns null when the alias does not exist
    Certificate goDaddyCertificate = keyStore.getCertificate(GODADDY_CA_ALIAS);
    assertNotNull(goDaddyCertificate);
}
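
As an added example (not part of the original article or its GitHub code), the alias enumeration and lookup above can be combined into a small audit of the trust store: it prints each trusted certificate's subject and SHA-256 fingerprint and flags entries that are expired, not yet valid, or use an RSA key shorter than 2048 bits. The class name TrustStoreAudit, its helper methods and the 2048-bit threshold are assumptions of this example.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;

// Added example, not the article's code: lists each trusted certificate with review flags.
public class TrustStoreAudit {
    // Hex SHA-256 of the DER encoding, for comparison with a CA's published fingerprint
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02X", b));
        return hex.toString();
    }

    // Reasons to review an anchor; the 2048-bit RSA floor is this example's assumption
    static List<String> findings(X509Certificate cert, Date now) {
        List<String> result = new ArrayList<>();
        if (now.after(cert.getNotAfter())) result.add("expired on " + cert.getNotAfter());
        if (now.before(cert.getNotBefore())) result.add("not yet valid");
        if (cert.getPublicKey() instanceof RSAPublicKey
          && ((RSAPublicKey) cert.getPublicKey()).getModulus().bitLength() < 2048) {
            result.add("RSA key shorter than 2048 bits");
        }
        return result;
    }

    public static void main(String[] args) throws Exception {
        // Same file and default password as loadKeyStore() in section 2
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        String path = System.getProperty("java.home") + "/lib/security/cacerts";
        try (FileInputStream is = new FileInputStream(path)) {
            keyStore.load(is, "changeit".toCharArray());
        }
        Date now = new Date();
        for (String alias : Collections.list(keyStore.aliases())) {
            Certificate cert = keyStore.getCertificate(alias);
            if (!(cert instanceof X509Certificate)) continue;
            X509Certificate x509 = (X509Certificate) cert;
            System.out.printf("%s%n  subject: %s%n  sha256: %s%n  review: %s%n", alias,
              x509.getSubjectX500Principal().getName(), sha256Fingerprint(x509), findings(x509, now));
        }
    }
}
```

An empty review list means none of the three checks fired for that entry; it does not by itself say the certificate should be trusted.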

6. Conclusion

In this quick article, we've looked at different ways of listing trusted certificates in Java through quick and practical examples.

As always, code snippets can be found over on GitHub.
