PKIX TrustManager Support

In SDK Version 8, the default trust manager algorithm is PKIX. You can change this default by editing the ssl.TrustManagerFactory.algorithm property in the java.security file.

The PKIX trust manager factory uses the CertPath PKIX implementation from an installed security provider; an IBM CertPath provider is supplied with the SDK Version 8 Development Kit. The trust manager factory can be initialized using the normal init(KeyStore ks) method, or by passing CertPath parameters to the PKIX trust manager using the newly introduced class javax.net.ssl.CertPathTrustManagerParameters.

Here is an example of how to get the trust manager to use a particular LDAP certificate store and enable revocation checking.

import javax.net.ssl.*;
import java.security.cert.*;
import java.security.KeyStore;
import java.io.FileInputStream;
...

// Create PKIX parameters from the trust anchors held in a keystore
KeyStore anchors = KeyStore.getInstance("JKS");
// A null password skips the truststore integrity check; pass the real password to enable it
anchors.load(new FileInputStream(anchorsFile), null);
// Declare the concrete type so that addCertStore and setRevocationEnabled are available
PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(anchors, new X509CertSelector());

// Specify LDAP certificate store to use
LDAPCertStoreParameters lcsp = new LDAPCertStoreParameters("ldap.imc.org", 389);
pkixParams.addCertStore(CertStore.getInstance("LDAP", lcsp));
// Specify that revocation checking is to be enabled
pkixParams.setRevocationEnabled(true);

// Wrap them as trust manager parameters
ManagerFactoryParameters trustParams = new CertPathTrustManagerParameters(pkixParams);

// Create TrustManagerFactory for PKIX-compliant trust managers
TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX");

// Pass parameters to factory to be passed to CertPath implementation
factory.init(trustParams);

// Use factory
SSLContext ctx = SSLContext.getInstance("SSL_TLS");
ctx.init(null, factory.getTrustManagers(), null);

If the init(KeyStore ks) method is used, default PKIXParameters are used, except that revocation checking is disabled. It can be enabled by setting the system property com.ibm.net.ssl.checkRevocation to true. Note that this setting requires the CertPath implementation to locate revocation information on its own; the PKIX implementation in the IBM provider can do this in many cases, but only if the system property com.ibm.security.enableCRLDP is also set to true.
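The init(KeyStore ks) path just described, as an added example that is not from this page or the IBM SDK: the same context is built once with the default (revocation off) and once with the two properties set. The truststore file name and password are assumed; the property names and the SSL_TLS protocol name come from the page.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;

public class RevocationViaProperties {
    // Assumed truststore location and password (not from the page)
    static final String ANCHORS_FILE = "cacerts.jks";
    static final char[] ANCHORS_PASSWORD = "changeit".toCharArray();

    // Builds an SSLContext through init(KeyStore): default PKIXParameters,
    // so revocation checking is off unless the IBM property enables it.
    static SSLContext buildContext(boolean checkRevocation) throws Exception {
        if (checkRevocation) {
            // Set before the factory is created so the settings are already
            // in effect when the trust manager is constructed.
            System.setProperty("com.ibm.net.ssl.checkRevocation", "true");
            // Lets the IBM PKIX implementation fetch CRLs from the
            // certificate's CRL distribution points on its own.
            System.setProperty("com.ibm.security.enableCRLDP", "true");
        }
        KeyStore anchors = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(ANCHORS_FILE)) {
            // Supplying the password verifies the truststore's integrity
            anchors.load(in, ANCHORS_PASSWORD);
        }
        TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX");
        factory.init(anchors); // init(KeyStore): no CertPathTrustManagerParameters
        SSLContext ctx = SSLContext.getInstance("SSL_TLS");
        ctx.init(null, factory.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Weak: a revoked certificate chained to an anchor is still accepted
        SSLContext noRevocation = buildContext(false);
        // Hardened: the same certificate is rejected once its CRL is fetched
        SSLContext withRevocation = buildContext(true);
        System.out.println("checkRevocation="
            + System.getProperty("com.ibm.net.ssl.checkRevocation")
            + " enableCRLDP=" + System.getProperty("com.ibm.security.enableCRLDP"));
    }
}
```

Because both contexts are built in one JVM, the first trust manager is created before the properties are set and keeps the default behaviour; in a real deployment set the properties once at startup (or with -D on the command line) rather than toggling them at run time.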

More information about PKIX and the CertPath API can be found in the Java Certificate Path API Programming Guide.