Hi,

I have some certificates from SAML metadata XML files and I will need
to use SSL to communicate with the relying party, in order to set up
SSL connection, I would create truststore. However, the standard
truststore will require a keystore backed by a file, and so I will have
to import all certificates found in my XML files to a keystore file
using the keytool. My desire is to simplify the administration so I can
just read and create X509Certificate from my XML file at runtime and
use those certificates as the trusts.

Method 1: I tried to this:

           trustStore = KeyStore.getInstance("X509");
           trustStore.load(null, pwd.toCharArray());
           tmf = TrustManagerFactory.getInstance("SunX509");
           tmf.init(trustStore);
           SSLContext sslctx = SSLContext.getInstance("SSL");
           sslctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(),
null);
           // when I need to do SSL
           X509Certificate idpCert = ... // find the cert from my
cache
           trustStore.setCertificateEntry(idpURL, idpCert );
           conn.setSSLSocketFactory(sslctx.getSocketFactory());

But I still keep getting "javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: No trusted certificate
found".

What's wrong here?

Method 2: I would attempt to implement my own X509TrustManager

class MyX509TrustManager implements X509TrustManager {
   public void checkServerTrusted(X509Certificate[] x509Certificates,
String authType) ... {
      // (a)
   }

   public X509Certificate[] getAcceptedIssuers() {
      // (b)
   }

If I go this, what is the algorithm at (a)? Is there any utility
library out there that can help me do chain verification?

At (b), should I just return the certificate I'm expecting, i.e.
idpCert?

Thanks a lot!