Reputation: 2221
Can checkServerTrusted result be cached for X509TrustManager?
In my JavaFX client application, I'm implementing my own TrustManager that relies on Platform TrustManager.
Basically, I'm always calling the Platform trustManager and if the connection is not trusted, I'm able to pop a warning Dialog asking the user if he wants to trust the certificate (just like a browser would do).
I'm facing an issue where a certificate has specified several URL in order to retrieve intermediary certificate using AIA (authority information access) and some of them are not responding.
Therefore, each time the checkServerTrusted method is called, the response can be quite long because Java is trying to reach URL that are not reachable. When the timeout happens, Java tries another URL and finally, one of them is finally responding.
During my client session, can I cache the result of a checkServerTrusted given the certificate chain and authType and return the cached value rather that call the TrustManager? Or is it a bad idea or not reliable?
Upvotes: 3
Views: 947
Answers (1)
Reputation: 2221
I've ended up by indeed caching the chain certificate during session time in order to respond faster.
//Cache validated certificate's chain during session
private final Set<UUID> chainCache;
/*
* Delegate to the default trust manager.
*/
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
checkTrusted(chain, authType, false);
}
/*
* Delegate to the default trust manager.
*/
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws CertificateException {
checkTrusted(chain, authType, true);
}
private void checkTrusted(X509Certificate[] chain, String authType, boolean server) throws CertificateException {
// Internal class but Arrays.hashcode can be used in the same manner
Digester digester = new Digester();
//Digester will run through the array
digester.digest(chain);
digester.digest(authType);
digester.digest(server);
UUID uuid = digester.getUUID();
//If the chain has been validated, no need top check again.
if (chainCache.contains(uuid)) {
return;
}
//Do stuff
}
Upvotes: 1
Related Questions
- Implementing X509TrustManager - passing on part of the verification to existing verifier
- X509TrustManager checkServerTrusted with TLSv1.3
- Trustmanager not used when application is packaged
- Load java trust store at runtime - after jvm have been launched?
- Implementing X509TrustManager
- Restore SSL X509TrustManager in Java
- Does X509TrustManagerImpl.checkServerTrusted() handle OCSP by itself if the appropriate properties are set?
- When a TrustManagerFactory is not a TrustManagerFactory (Java)
- X509Certificates Lifecycle
- X509TrustManager Override without allowing ALL certs?