TrustStoreTrustManager supported file formats?

[Modusmundi]

Hi there,

I'm using 6.0.6, and have the following code block:

    AggregateTrustManager trustManager = new AggregateTrustManager(false,
            JVMDefaultTrustManager.getInstance(),
            new TrustStoreTrustManager("C:\\SomeLocation\\Somecert.bcfks", "somepin".toCharArray(),
                    "BCFKS", true));
    SSLUtil sslUtil = new SSLUtil(trustManager);

Which is a part of some of the "quick start" documentation you have, except it doesn't use BCFKS.

When I run it, I get the following-

(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server serverExample.local/192.168.1.142:636: SSLHandshakeException(Certificate Certificate(subject='CN=serverExample.local', serialNumber=2064661017, notBefore=, notAfter=, signatureAlgorithm='SHA256withRSA', signatureBytes='<Pretend something is here>', issuerSubject='CN=serverExample.local') was not trusted by any of the configured trust managers. The trust manager messages were: The presented certificate chain containing certificates 'CN=serverExample.local' cannot be trusted because none of the certificates in that chain were found in the JVM's default set of trusted issuers. Unsupported trust store format 'BCFKS'.), ldapSDKVersion=6.0.6, revision=b8c6c463def55758ed8ec0d914c84268c944251c'))')

Which, fair. What I'm trying to understand is what TrustStoreTrustManager is expecting in terms of cert store values- BCFKS isn't a java-specific implementation (It's Bouncy Castle's FIPS Keystore). Looking at the class itself wasn't helpful on what was supported. Can I get some guidance here, and potentially can the javadoc be updated to note the boundaries?

Thanks!

[dirmgr]

What you're asking isn't necessarily specific to the LDAP SDK, but rather it's the nature of using an alternative security provider that overrides the JVM's default providers.

The LDAP SDK does have the ability to use BCFKS key and trust stores, but it requires that the appropriate providers (BCFIPS and BCJSSE) to be loaded into the JVM. That can be done in a few ways, including:

• You can manually edit your JVM's java.security file to add the necessary providers. Consult the Bouncy Castle FIPS-compliant provider documentation for the best way to do this.
• You can enable them programmatically through the LDAP SDK's com.unboundid.util.CryptoHelper.setUseFIPSMode method. If you use this approach, then you really need to do this as early as possible in the course of bootstrapping your application so that all cryptographic functionality goes through the Bouncy Castle provider and you don't accidentally use any non-FIPS-compliant calls.

In either case, the necessary Bouncy Castle JAR files need to be in the JVM's classpath. But once you have the provider loaded in the JVM, then components supported by that provider (including the BCFKS key store type) should be automatically be made available for use.

Also, I strongly recommend that you only use CryptoHelper methods for getting access to objects for performing cryptographic processing so that you make sure that you'll get FIPS-compliant versions when that mode is enabled.

[Modusmundi]

Oh this is perfect- I'm kind of a noob to Java, this is a great direction. Thank you, sorry for being a pain. Will close.