Java: how to add SSL client-side authentication

Question

588.96K viewsSeptember 16, 2022authentication java ssl

12

naxo September 13, 2022 0 Comments

I have this code to connect the server with a client using SSL, and now I want to add client-side authentication:

(I have a server keystore (JCEKS type) and a client keystore (JKS type), the server uses a truststore (cacerts) where I imported both certificates because I also want to use this truststore for client authentication)

Client code:

System.setProperty("javax.net.ssl.trustStore", cerServer);
System.setProperty("javax.net.ssl.trustStoreType","JCEKS");
System.setProperty("javax.net.ssl.trustStorePassword", pwdCacerts);

SSLSocketFactory sslsocketfactory = (SSLSocketFactory)  SSLSocketFactory.getDefault();
SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("localhost", port);

Server Code:

KeyStore ks = LoadKeyStore(new File(serverKeyStore), pwdKeyStore, "JCEKS");
KeyManagerFactory kmf; 
kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, pwdKeyStore.toCharArray());

SSLContext sc = SSLContext.getInstance("SSL");
sc.init(kmf.getKeyManagers(),null, null);   

SSLServerSocketFactory ssf = sc.getServerSocketFactory(); 
sslserversocket = (SSLServerSocket) ssf.createServerSocket(port);

thanks in advance for any help.

edit:
I add this code in the server side:

System.setProperty("javax.net.ssl.trustStore", cacerts);
System.setProperty("javax.net.ssl.trustStoreType","JKS");
System.setProperty("javax.net.ssl.trustStorePassword", pwdCacerts);

but if I delete the client certificate in cacerts, the connection doesn’t give me error and for that I think it’s wrong that way

1 Answer

score 18 · Answer 1 · 2022-09-13T07:04:04+00:00

If you want your system to use client-certificate authentication, you’ll need

the server to request (or require) a client certificate. This is done by setting setWantClientAuth(true) on the server socket (or setNeedClientAuth, respectively). You’ll also need the server to advertise the CA it accepts, which is normally done by using a truststore on the server that contains the CA by which the client-certificate chain was issued (this seems to be what you’ve done by setting javax.net.ssl.trustStore* on the server).
the client to be configured with a keystore containing the client certificate (possible the chain if there are intermediate CAs) and its private key. This can be done by setting the javax.net.ssl.keyStore* (which may affect other connections) or by using a KeyManagerFactory in the same way as you’ve done it on the server side.

If you use setWantClientAuth(true), you might still not get an error, since the server will accept connections that don’t have a client-certificate (the server would then check the SSLSession‘s peer certificates to see whether there was a cert or not). setNeedClientAuth(true) would break the connection when the client doesn’t present a certificate.