
truststore in JAR-File

Volker Boehm - 28 Feb 2006 13:51 GMT
Hello,
I wrote a Client application, which accesses the server via a
RMI-SSL-connection (Java 1.5, SslRMIClientSocketFactory). The public
certificate of the server, which is necessary for checking the server's
identity is stored in a file 'Client.truststore' and the location is told
to the Program with
   System.setProperty("javax.net.ssl.trustStore", "Client.truststore");

As long as this File is kept in the local directory, everything works fine.
But as soon as I put it into the JAR-File where all other classes and files
for the application reside, it isn't found any more.

In Google I found this question several times in several languages but no
thread contains any answer.

Therefore my question is: How can you tell the java SSL-mechanism to read the
truststore file out of its own JAR-file and not somewhere from the
filesystem?
You can get the corresponding URL from
   getClass().getResource("Client.truststore");
but you can't use an URL or the 'toString()' of this URL in the
'setProperty()'-statement.

Or is there any workaround where you can first load the truststore file into
a KeyStore and then tell the SslRMIClientSocketFactory to use a
SSLSocketFactory which itself uses the read KeyStore as truststore or
something like that?

I hope that someone can solve this problem. Until now I distribute the client
in a single JAR-file via webstart, but this doesn't work when I also have
to distribute this bloody trustfile separately.

regards Volker
Dieter Schicker - 28 Feb 2006 15:03 GMT
Hi,

I know a quick and dirty solution:

1) get the file out of the jar
2) write it to a temporary file
3) work with that temporary file in your application
4) when the application exits, don't forget to delete the temporary file!

As I said, it's dirty but it works.

-- Didi

PS: Attached is a code snippet that I use for this purpose:

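import java.io.*;
import java.util.jar.*;

// GewiAdminConstants is the poster's own interface and is not shown in this post.
public class Helper implements GewiAdminConstants {

    // Path of the JAR this class was loaded from
    private String home;

    public Helper() {
        home = getClass().getProtectionDomain().getCodeSource().getLocation()
                .getPath().replaceAll("%20", " ");
    }

    // Returns java.io.tmpdir with a trailing separator
    public static String getTmpDir() {
        String tmp = System.getProperty("java.io.tmpdir");
        if (!tmp.endsWith("/") && !tmp.endsWith(File.separator))
            tmp += File.separator;
        return tmp;
    }

    // Copies the named JAR entry into the temp directory,
    // unless a file of that name already exists there
    public void getResource(String name) {
        JarFile jar = null;
        InputStream entryStream = null;
        FileOutputStream fos = null;
        try {
            jar = new JarFile(home);
            JarEntry entry = jar.getJarEntry(name);
            if (entry == null)
                throw new FileNotFoundException(name + " not found in " + home);
            File f = new File(getTmpDir() + entry.getName());
            if (!f.exists()) {
                entryStream = jar.getInputStream(entry);
                fos = new FileOutputStream(f);
                byte[] buffer = new byte[1024];
                int bytesRead;
                while ((bytesRead = entryStream.read(buffer)) != -1)
                    fos.write(buffer, 0, bytesRead);
            }
        }
        catch (IOException ex) {
            ex.printStackTrace();
            System.err.println("Could not get resource '" + name + "'!");
        }
        finally {
            // Release the streams and the JAR handle even if the copy failed
            try { if (fos != null) fos.close(); } catch (IOException ignored) { }
            try { if (entryStream != null) entryStream.close(); } catch (IOException ignored) { }
            try { if (jar != null) jar.close(); } catch (IOException ignored) { }
        }
    }

}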

> Hello,
> I wrote a Client application, which accesses the server via a
[quoted text clipped - 29 lines]
>
> regards Volker
Volker Boehm - 28 Feb 2006 17:06 GMT
> I know a quick and dirty solution:
>
[quoted text clipped - 4 lines]
>
> As I said, it's dirty but it works.

Hello Dieter,
yes it's very dirty, but it works ... as long as your application has the
right to create a file - at least a temporary file -. When you distribute
your applications with Webstart you must either sign your JAR and the user
must accept the certificate or the certificate must be authenticated by an
official CA (like verisign).
In my case the application even starts external applications
(AcrobatReader); so I had to sign the jar anyway.

Here is my implementation of the workaround:

Instead of the single line
   System.setProperty("javax.net.ssl.trustStore", "MyClient.truststore");
which doesn't work any more if the truststore file is inside the jar, I put
these lines
   // Copy the truststore out of the JAR into a temp file that is removed on exit
   File tf = File.createTempFile("myclient", ".truststore");
   tf.deleteOnExit();
   byte[] buffer = new byte[0x1000];
   InputStream in =
       getClass().getResourceAsStream("MyClient.truststore");
   if (in == null)
       throw new FileNotFoundException("MyClient.truststore not found in JAR");
   FileOutputStream out = new FileOutputStream(tf);
   try {
       int cnt;
       while ((cnt = in.read(buffer)) != -1)
           out.write(buffer, 0, cnt);
   } finally {
       in.close();
       out.close();
   }
   System.setProperty("javax.net.ssl.trustStore", tf.getAbsolutePath());

regards Volker
Dieter Schicker - 01 Mar 2006 10:40 GMT
Well, at least it's not totally dirty, because the jar file gets
downloaded and a user could extract the file from the jar archive, too ...

Anyway, I would highly appreciate if anyone had a better solution!

Dieter

>>I know a quick and dirty solution:
>>
[quoted text clipped - 34 lines]
>
> regards Volker
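
The KeyStore route asked about in the first post, as an added example that is not code from any poster in this thread: the truststore is read straight from the classpath and installed as the JVM's default SSLContext, so the trust anchors never pass through a temp directory. Assumptions: the resource name `/Client.truststore`, the JKS store type and the placeholder password `changeit`; `SSLContext.setDefault` exists only from Java 6 on, so this does not apply to the Java 1.5 runtime mentioned above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class JarTrustStore {

    /** Builds an SSLContext that trusts only the certificates in a keystore on the classpath. */
    static SSLContext contextFromResource(String resource, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS"); // assumed store type
        InputStream in = JarTrustStore.class.getResourceAsStream(resource);
        if (in == null)
            throw new IOException("truststore resource not found: " + resource);
        try {
            // A non-null password makes load() verify the store's integrity check.
            ks.load(in, password);
        } finally {
            in.close();
        }
        // Fail early instead of at the first handshake if the store has no entries.
        if (ks.size() == 0)
            throw new GeneralSecurityException("truststore is empty: " + resource);

        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed resource name and placeholder password (not from the thread).
        SSLContext ctx = contextFromResource("/Client.truststore", "changeit".toCharArray());
        // Install before the first SSL socket is created: the default factory is cached.
        SSLContext.setDefault(ctx); // Java 6+
        // SslRMIClientSocketFactory obtains its sockets from SSLSocketFactory.getDefault(),
        // which is now backed by ctx.
        System.out.println("default SSLContext installed: " + SSLContext.getDefault().getProtocol());
    }
}
```

Call this once at client start-up, before any RMI lookup; the `javax.net.ssl.trustStore` property is then no longer needed.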

