I have a small security application with server and client certificates which is running in a Tomcat 7. Each client has its own certificate.
In the webapp I want a tab with all known trusted certificate aliases, because each client has to report every X minutes. If a client does not report after X minutes the server has to mark this client.
So my idea was to get all trusted certificates from the truststoreFile which is defined in the server.xml of the Tomcat, because I have to know all clients/certificates which are registered.
My problem is that I do not find any API to get all certificates which the Tomcat will trust.
Can somebody help?
First, are you sure your truststore will (always) contain the client certs? The "official" (X.509/PKIX) way of client authentication, aka client certificate(s), is to have a CA (or several CAs) issue certs to the clients; then your server doesn't need to trust the client certs individually, only the CA(s). Such a CA could be a public CA, an enterprise one, or one you (or your group/division/whatever) run just for your server. Only for self-signed client certs is it necessary to have them individually in the server truststore.
Second, it doesn't appear possible for webapp (servlet) code to get the connector configuration, possibly as a security feature; see Accessing SSL Private Key From a Servlet.
But, if you do have all the certs in a truststore file and can locate that file (usually JKS), then:
- use KeyStore.getInstance(String) to obtain a keystore object of the correct type (JKS)
- create a FileInputStream for the file, and feed it to ks.load (and then close it; try-with-resources can do this for you). If you don't know the password use null and you can still access certs (but not private keys, and only for JKS)
- use .aliases() to get a list of all entries in the store
- if there can be both trusted certs and private keys in this file (i.e. it isn't just a truststore file) check each alias with .isCertificateEntry(alias)
- you now have the aliases, which are the names specified when you (or someone) imported each cert to the truststore, but they are not necessarily the same as the client's actual name in the cert
- if you want (any of) the name field(s) in each cert, call .getCertificateEntry(alias), cast to X509Certificate, and call .getSubjectX500Principal() then .toString() or one of the .getName() overloads and parse or examine the results as desired
Finally, since you want to track requests using each cert by alias, for each request get the certs used as in Read out incoming certificate in Tomcat, then look up the leaf cert, i.e. chain[0], with .getCertificateAlias(Certificate). Keep track for each alias of the time of the last request and you can identify any "missing" ones.
Javadoc for KeyStore is at http://docs.oracle.com/javase/8/docs/api/java/security/KeyStore.html
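The following is an added example (not code from the question or answer above) that puts the steps of the answer together: load the JKS truststore, list the certificate-entry aliases with their subject DNs, map the leaf cert of an incoming request back to its alias, and report aliases that have not reported within a configurable window. It assumes the truststore path and password are passed on the command line, uses KeyStore.getCertificate(String) to fetch each trusted cert, and reads the client chain from the standard servlet request attribute javax.servlet.request.X509Certificate (which is what Tomcat sets for client-authenticated connections); the class and method names are my own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.Instant;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;

/** Tracks when each trusted client certificate (keyed by truststore alias) was last seen. */
public class ClientCertTracker {

    private final KeyStore trustStore;
    // alias -> time of the last authenticated request; null until the client reports once
    private final Map<String, Instant> lastSeen = Collections.synchronizedMap(new LinkedHashMap<>());

    /** Loads a JKS truststore. A null password still lets us read certificates (not private keys). */
    public ClientCertTracker(String path, char[] password) throws GeneralSecurityException, IOException {
        trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        for (String alias : Collections.list(trustStore.aliases())) {
            // Skip private-key entries in case the file is a combined keystore, not a pure truststore.
            if (trustStore.isCertificateEntry(alias)) {
                lastSeen.put(alias, null);
            }
        }
    }

    /** Subject DN of the trusted cert stored under alias, or null if the alias is unknown. */
    public String subjectOf(String alias) throws GeneralSecurityException {
        X509Certificate cert = (X509Certificate) trustStore.getCertificate(alias);
        return cert == null ? null : cert.getSubjectX500Principal().getName();
    }

    /**
     * Call from a servlet or filter. Reads the client chain Tomcat attached to the request,
     * maps the leaf cert (chain[0]) back to its truststore alias and records the time.
     * Returns the alias, or null if no client cert or no matching alias.
     */
    public String recordRequest(HttpServletRequest req) throws GeneralSecurityException {
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            return null;
        }
        return recordCertificate(chain[0]);
    }

    /** Looks up the alias for an exact certificate match and stamps it with the current time. */
    public String recordCertificate(Certificate leaf) throws GeneralSecurityException {
        String alias = trustStore.getCertificateAlias(leaf);
        if (alias != null && lastSeen.containsKey(alias)) {
            lastSeen.put(alias, Instant.now());
        }
        return alias;
    }

    /** Aliases that have not reported within maxSilence; never-seen aliases are included. */
    public Map<String, Instant> missing(Duration maxSilence) {
        Instant cutoff = Instant.now().minus(maxSilence);
        Map<String, Instant> out = new LinkedHashMap<>();
        synchronized (lastSeen) {
            for (Map.Entry<String, Instant> e : lastSeen.entrySet()) {
                Instant t = e.getValue();
                if (t == null || t.isBefore(cutoff)) {
                    out.put(e.getKey(), t);
                }
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // usage: java ClientCertTracker /path/to/truststore.jks [password]
        char[] pw = args.length > 1 ? args[1].toCharArray() : null;
        ClientCertTracker tracker = new ClientCertTracker(args[0], pw);
        for (String alias : tracker.lastSeen.keySet()) {
            System.out.println(alias + " -> " + tracker.subjectOf(alias));
        }
        System.out.println("not reported in the last 10 minutes: "
                + tracker.missing(Duration.ofMinutes(10)).keySet());
    }
}
```

Two points worth noting: getCertificateAlias only matches a certificate that is byte-for-byte the one in the truststore, so a client authenticated via a CA entry rather than its own self-signed cert will come back with the CA's alias (or null if the leaf itself is not stored), which is exactly the caveat in the first paragraph of the answer; and a scheduled task calling missing(...) every few minutes is enough to flag clients that have stopped reporting.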