javax.net.ssl.trustStore System Property

This section provides a tutorial example on how Java uses the default trusted KeyStore file when the system property javax.net.ssl.trustStore is not specified.

In the previous tutorial, we learned that the openStream() method on a java.net.URL object can be used to communicate with an HTTPS server.

The next step is to find out if the openStream() method validates the server certificate or not.

By reading the Java Secure Socket Extension (JSSE) Reference Guide, I found these rules on how Java uses the TrustManagerFactory to manage root CA certificates:

Now, let's verify these rules.

1. To find out if I have default KeyStore files or not, run this command:

C:\herong>dir \local\jdk\jre\lib\security

                92 blacklist
            80,122 cacerts
             2,221 java.policy
             9,979 java.security
               132 javaws.policy
             2,940 local_policy.jar
            14,189 trusted.libraries
             2,469 US_export_policy.jar

OK. It looks like the JDK was using the default KeyStore file, "cacerts", to verify server certificates, since I did not specify javax.net.ssl.trustStore in my previous tests.

2. To find out what will happen if I specify javax.net.ssl.trustStore with a non-existent file, run this command:

C:\herong>\local\jdk\bin\java -Djavax.net.ssl.trustStore=non_exist_file
   HttpsUrlReader https://login.yahoo.com

javax.net.ssl.SSLException: java.lang.RuntimeException: 
Unexpected error: java.security.InvalidAlgorithmParameterException: 
the trustAnchors parameter must be non-empty
 at com.sun.net.ssl.internal.ssl.Alerts.getSSLException(Alerts.java...
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl....
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.fatal(SSLSocketImpl....
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.handleException(SSLS...
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSo...
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSo...
 at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient...
 at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.c...
 at sun.net.www.protocol.http.HttpURLConnection.getInputStream(Http...
 at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStrea...
 at java.net.URL.openStream(URL.java:1010)
 at HttpsUrlReader.main(HttpsUrlReader.java:11)

Caused by: java.lang.RuntimeException: 
Unexpected error: java.security.InvalidAlgorithmParameterException: 
the trustAnchors parameter must be non-empty
 at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:...
 at sun.security.validator.Validator.getInstance(Validator.java:161...
 at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.getValidator(...
 at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTr...
 at com.sun.net.ssl.internal.ssl.X509TrustManagerImpl.checkServerTr...
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate...
 at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(Cl...
 at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker....
 at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshak...
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocket...
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandsh...
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSo...
 ... 7 more

Caused by: java.security.InvalidAlgorithmParameterException: 
the trustAnchors parameter must be non-empty
 at java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameter...
 at java.security.cert.PKIXParameters.<init>(PKIXParameters.java:10...
 at java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderPara...
 at sun.security.validator.PKIXValidator.<init>(PKIXValidator.java:...
 ... 18 more

Obviously, JSSE does not like a non-existent KeyStore file. It throws an SSLException, with an InvalidAlgorithmParameterException as the root cause: the missing file is loaded as an empty KeyStore, so the trust anchor set handed to the PKIX validator is empty and the handshake is aborted.
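The following program is an added example, not code from the tutorial. It resolves the trust store the way the text describes (javax.net.ssl.trustStore, else the JRE's cacerts), loads it, and runs the same trust-anchor check that PKIXValidator runs, so the "trustAnchors parameter must be non-empty" failure can be reproduced without opening any network connection. The class name TrustStoreCheck is my own choice.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.util.Enumeration;

// Added example: checks the trust store JSSE would use before any TLS handshake.
// Run with and without -Djavax.net.ssl.trustStore=non_exist_file to compare.
public class TrustStoreCheck {
    // The property wins; otherwise fall back to the JRE default "cacerts" file.
    static Path resolveTrustStorePath() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return Paths.get(prop);
        return Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
    }
    // A missing file becomes an empty KeyStore, as in JSSE: hence no file error, just no anchors.
    static KeyStore loadTrustStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        if (Files.isRegularFile(path)) {
            try (InputStream in = Files.newInputStream(path)) { ks.load(in, password); }
        } else {
            ks.load(null, null); // initialised but empty store with zero entries
        }
        return ks;
    }
    // Only trustedCertEntry entries become trust anchors; private key entries do not count.
    static int countTrustAnchors(KeyStore ks) throws Exception {
        int n = 0;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            if (ks.isCertificateEntry(e.nextElement())) n++;
        }
        return n;
    }
    public static void main(String[] args) throws Exception {
        Path path = resolveTrustStorePath();
        KeyStore ks = loadTrustStore(path, null); // null password: read without integrity check
        System.out.println("Trust store: " + path + " exists=" + Files.isRegularFile(path)
                + " anchors=" + countTrustAnchors(ks));
        // Throws InvalidAlgorithmParameterException on an empty store, exactly as in the trace above.
        new PKIXBuilderParameters(ks, new X509CertSelector());
        System.out.println("Trust store is usable for server certificate validation.");
    }
}
```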

Last update: 2011.
