Return-Path: <issues-return-38357-archive-asf-public=cust-asf.ponee.io@cxf.apache.org>
X-Original-To: archive-asf-public-internal@cust-asf2.ponee.io
Delivered-To: archive-asf-public-internal@cust-asf2.ponee.io
Received: from cust-asf.ponee.io (cust-asf.ponee.io [163.172.22.183])
	by cust-asf2.ponee.io (Postfix) with ESMTP id 74C84200B35
	for <archive-asf-public-internal@cust-asf2.ponee.io>; Mon, 20 Jun 2016 09:48:08 +0200 (CEST)
Received: by cust-asf.ponee.io (Postfix)
	id 73C67160A55; Mon, 20 Jun 2016 07:48:08 +0000 (UTC)
Delivered-To: archive-asf-public@cust-asf.ponee.io
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by cust-asf.ponee.io (Postfix) with SMTP id BCCAF160A65
	for <archive-asf-public@cust-asf.ponee.io>; Mon, 20 Jun 2016 09:48:07 +0200 (CEST)
Received: (qmail 19967 invoked by uid 500); 20 Jun 2016 07:48:06 -0000
Mailing-List: contact issues-help@cxf.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:issues-help@cxf.apache.org>
List-Unsubscribe: <mailto:issues-unsubscribe@cxf.apache.org>
List-Post: <mailto:issues@cxf.apache.org>
List-Id: <issues.cxf.apache.org>
Reply-To: dev@cxf.apache.org
Delivered-To: mailing list issues@cxf.apache.org
Received: (qmail 18660 invoked by uid 99); 20 Jun 2016 07:48:05 -0000
Received: from arcas.apache.org (HELO arcas) (140.211.11.28)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 20 Jun 2016 07:48:05 +0000
Received: from arcas.apache.org (localhost [127.0.0.1])
	by arcas (Postfix) with ESMTP id 61CF92C1F60
	for <issues@cxf.apache.org>; Mon, 20 Jun 2016 07:48:05 +0000 (UTC)
Date: Mon, 20 Jun 2016 07:48:05 +0000 (UTC)
From: "David Tarr (JIRA)" <jira@apache.org>
To: issues@cxf.apache.org
Message-ID: <JIRA.12980170.1466165473000.41649.1466408885398@Atlassian.JIRA>
In-Reply-To: <JIRA.12980170.1466165473000@Atlassian.JIRA>
References: <JIRA.12980170.1466165473000@Atlassian.JIRA> <JIRA.12980170.1466165473129@arcas>
Subject: [jira] [Commented] (CXF-6944) cacerts is loaded while different
 truststore is specified
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394
archived-at: Mon, 20 Jun 2016 07:48:08 -0000


    [ https://issues.apache.org/jira/browse/CXF-6944?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15339117#comment-15339117 ] 

David Tarr commented on CXF-6944:
---------------------------------

Sure:

{code:java|title=some-init-method}
    SSLSocketFactory sslSocketFactory = getSslSocketFactory();

    TLSClientParameters tlsClientParameters = new TLSClientParameters();
    tlsClientParameters.setCertAlias("the-alias");
    tlsClientParameters.setSSLSocketFactory(factory);

    ...

    Client client = ClientProxy.getClient(service);
    HTTPConduit conduit = (HTTPConduit) client.getConduit();
    conduit.setTlsClientParameters(tlsClientParameters);

    ....

    // invoke service
{code}

{code:java|title=getSocketFactory()}
    TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    trustManagerFactory.init(getTrustStore());
    TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
    
    KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    keyManagerFactory.init(keyStore, password);
    KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
    
    SSLContext sslContext = SSLContext.getInstance("TLSv1");
    sslContext.init(keyManagers, trustManagers, new SecureRandom());
    return sslContext.getSocketFactory();    
{code}

{code|title=getTrustStore()}
    KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
    InputStream streamToStore = ...
    keystore.load(streamToStore, keystorePassword);
    streamToStore.close();
    
    return keystore;
{code}

When I debugged it, as far as I could tell, the trustmanager doesn't return any reference to cacerts.

> cacerts is loaded while different truststore is specified
> ---------------------------------------------------------
>
>                 Key: CXF-6944
>                 URL: https://issues.apache.org/jira/browse/CXF-6944
>             Project: CXF
>          Issue Type: Improvement
>          Components: Transports
>    Affects Versions: 2.7.18
>            Reporter: David Tarr
>            Priority: Minor
>
> It seems cxf still loads the cacerts eventhough a different truststore is specified (programmatically - not via cxf.xml). Could this potentially load to a security-risk?
> When I movethe trusted key from the different truststore to cacerts, the server is not trusted and the handshake fails. But I have not investigated any further.
> {noformat}
> 2016-06-17 13:45:21,213 INFO  [main] spring.BusApplicationContext  - Loaded configuration file cxf.xml.
> 2016-06-17 13:45:21,213 INFO  [main] spring.ControlledValidationXmlBeanDefinitionReader  - Loading XML bean definitions from class path resource [META-INF/cxf/cxf.xml]
> 2016-06-17 13:45:21,322 INFO  [main] spring.ControlledValidationXmlBeanDefinitionReader  - Loading XML bean definitions from class path resource [cxf.xml]
> 2016-06-17 13:45:21,793 INFO  [main] factory.ReflectionServiceFactoryBean  - Creating Service {http://www........com/.........}.... from class .............
> keyStore is : 
> keyStore type is : jks
> keyStore provider is : 
> init keystore
> init keymanager of type SunX509
> trustStore is: C:\Java\jdk1.7.0_79\jre\lib\security\cacerts
> trustStore type is : jks
> trustStore provider is : 
> init truststore
> ...
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)