diff --git a/example/src/main/java/io/netty/example/ocsp/OcspServerExample.java b/example/src/main/java/io/netty/example/ocsp/OcspServerExample.java
index e28578dac1..b94646cb54 100644
--- a/example/src/main/java/io/netty/example/ocsp/OcspServerExample.java
+++ b/example/src/main/java/io/netty/example/ocsp/OcspServerExample.java
@@ -54,7 +54,7 @@ import io.netty.util.CharsetUtil;
/**
* ATTENTION: This is an incomplete example! In order to provide a fully functional
- * end-to-end example we'd need a X.509 certificate and the matching PrivateKey.
+ * end-to-end example we'd need an X.509 certificate and the matching PrivateKey.
*/
@SuppressWarnings("unused")
public class OcspServerExample {
diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java
index c4cb8e5886..e75595ac17 100644
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslClientContext.java
@@ -17,6 +17,7 @@
package io.netty.handler.ssl;
import java.io.File;
+import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.cert.X509Certificate;
@@ -44,7 +45,7 @@ final class JdkSslClientContext extends JdkSslContext {
throws SSLException {
super(newSSLContext(provider, toX509CertificatesInternal(trustCertCollectionFile),
trustManagerFactory, null, null,
- null, null, sessionCacheSize, sessionTimeout), true,
+ null, null, sessionCacheSize, sessionTimeout, KeyStore.getDefaultType()), true,
ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
}
@@ -60,10 +61,11 @@ final class JdkSslClientContext extends JdkSslContext {
ApplicationProtocolConfig apn,
String[] protocols,
long sessionCacheSize,
- long sessionTimeout)
+ long sessionTimeout,
+ String keyStore)
throws SSLException {
super(newSSLContext(sslContextProvider, trustCertCollection, trustManagerFactory,
- keyCertChain, key, keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout),
+ keyCertChain, key, keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout, keyStore),
true, ciphers, cipherFilter, toNegotiator(apn, false), ClientAuth.NONE, protocols, false);
}
@@ -71,13 +73,14 @@ final class JdkSslClientContext extends JdkSslContext {
X509Certificate[] trustCertCollection,
TrustManagerFactory trustManagerFactory, X509Certificate[] keyCertChain,
PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
- long sessionCacheSize, long sessionTimeout) throws SSLException {
+ long sessionCacheSize, long sessionTimeout,
+ String keyStore) throws SSLException {
try {
if (trustCertCollection != null) {
- trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
+ trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory, keyStore);
}
if (keyCertChain != null) {
- keyManagerFactory = buildKeyManagerFactory(keyCertChain, key, keyPassword, keyManagerFactory);
+ keyManagerFactory = buildKeyManagerFactory(keyCertChain, key, keyPassword, keyManagerFactory, keyStore);
}
SSLContext ctx = sslContextProvider == null ? SSLContext.getInstance(PROTOCOL)
: SSLContext.getInstance(PROTOCOL, sslContextProvider);
diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
index 0fb02b8f0f..0c182d351b 100644
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslContext.java
@@ -25,6 +25,7 @@ import java.io.File;
import java.io.IOException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyException;
+import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
@@ -433,7 +434,29 @@ public class JdkSslContext extends SslContext {
/**
* Build a {@link KeyManagerFactory} based upon a key file, key file password, and a certificate chain.
- * @param certChainFile a X.509 certificate chain file in PEM format
+ * @param certChainFile an X.509 certificate chain file in PEM format
+ * @param keyFile a PKCS#8 private key file in PEM format
+ * @param keyPassword the password of the {@code keyFile}.
+ * {@code null} if it's not password-protected.
+ * @param kmf The existing {@link KeyManagerFactory} that will be used if not {@code null}
+ * @param keyStore the {@link KeyStore} that should be used in the {@link KeyManagerFactory}
+ * @return A {@link KeyManagerFactory} based upon a key file, key file password, and a certificate chain.
+ */
+ static KeyManagerFactory buildKeyManagerFactory(File certChainFile, File keyFile, String keyPassword,
+ KeyManagerFactory kmf, String keyStore)
+ throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException,
+ NoSuchPaddingException, InvalidKeySpecException, InvalidAlgorithmParameterException,
+ CertificateException, KeyException, IOException {
+ String algorithm = Security.getProperty("ssl.KeyManagerFactory.algorithm");
+ if (algorithm == null) {
+ algorithm = "SunX509";
+ }
+ return buildKeyManagerFactory(certChainFile, algorithm, keyFile, keyPassword, kmf, keyStore);
+ }
+
+ /**
+ * Build a {@link KeyManagerFactory} based upon a key file, key file password, and a certificate chain.
+ * @param certChainFile an X.509 certificate chain file in PEM format
* @param keyFile a PKCS#8 private key file in PEM format
* @param keyPassword the password of the {@code keyFile}.
* {@code null} if it's not password-protected.
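Review bot: The Javadoc for the new overload describes `keyStore` as "the {@link KeyStore} that should be used in the {@link KeyManagerFactory}", but the parameter is a `String`, and every caller in this commit passes a keystore type name (`KeyStore.getDefaultType()` in the deprecated delegates, `"PKCS12"` via the builder's `keyStoreType(...)` in the new test), so a reader is led to expect an object. I would document it as `@param keyStore the {@link KeyStore} type (a name accepted by {@code KeyStore.getInstance(String)}) to use when building the factory` and apply the same wording to the second overload in the next hunk. Naming the parameter `keyStoreType`, as the builder method already does, would remove the ambiguity in JdkSslClientContext, JdkSslServerContext and the OpenSsl contexts, where the same `String keyStore` is threaded through. The class body continues outside this hunk.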
@@ -443,23 +466,43 @@ public class JdkSslContext extends SslContext {
*/
@Deprecated
protected static KeyManagerFactory buildKeyManagerFactory(File certChainFile, File keyFile, String keyPassword,
- KeyManagerFactory kmf)
- throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException,
- NoSuchPaddingException, InvalidKeySpecException, InvalidAlgorithmParameterException,
- CertificateException, KeyException, IOException {
- String algorithm = Security.getProperty("ssl.KeyManagerFactory.algorithm");
- if (algorithm == null) {
- algorithm = "SunX509";
- }
- return buildKeyManagerFactory(certChainFile, algorithm, keyFile, keyPassword, kmf);
+ KeyManagerFactory kmf)
+ throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException,
+ NoSuchPaddingException, InvalidKeySpecException, InvalidAlgorithmParameterException,
+ CertificateException, KeyException, IOException {
+ return buildKeyManagerFactory(certChainFile, keyFile, keyPassword, kmf, KeyStore.getDefaultType());
}
/**
* Build a {@link KeyManagerFactory} based upon a key algorithm, key file, key file password,
* and a certificate chain.
- * @param certChainFile a X.509 certificate chain file in PEM format
+ * @param certChainFile an X.509 certificate chain file in PEM format
* @param keyAlgorithm the standard name of the requested algorithm. See the Java Secure Socket Extension
- * Reference Guide for information about standard algorithm names.
+ * Reference Guide for information about standard algorithm names.
+ * @param keyFile a PKCS#8 private key file in PEM format
+ * @param keyPassword the password of the {@code keyFile}.
+ * {@code null} if it's not password-protected.
+ * @param kmf The existing {@link KeyManagerFactory} that will be used if not {@code null}
+ * @param keyStore the {@link KeyStore} that should be used in the {@link KeyManagerFactory}
+ * @return A {@link KeyManagerFactory} based upon a key algorithm, key file, key file password,
+ * and a certificate chain.
+ */
+ static KeyManagerFactory buildKeyManagerFactory(File certChainFile,
+ String keyAlgorithm, File keyFile, String keyPassword, KeyManagerFactory kmf,
+ String keyStore)
+ throws KeyStoreException, NoSuchAlgorithmException, NoSuchPaddingException,
+ InvalidKeySpecException, InvalidAlgorithmParameterException, IOException,
+ CertificateException, KeyException, UnrecoverableKeyException {
+ return buildKeyManagerFactory(toX509Certificates(certChainFile), keyAlgorithm,
+ toPrivateKey(keyFile, keyPassword), keyPassword, kmf, keyStore);
+ }
+
+ /**
+ * Build a {@link KeyManagerFactory} based upon a key algorithm, key file, key file password,
+ * and a certificate chain.
+ * @param certChainFile an buildKeyManagerFactory X.509 certificate chain file in PEM format
+ * @param keyAlgorithm the standard name of the requested algorithm. See the Java Secure Socket Extension
+ * Reference Guide for information about standard algorithm names.
* @param keyFile a PKCS#8 private key file in PEM format
* @param keyPassword the password of the {@code keyFile}.
* {@code null} if it's not password-protected.
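Review bot: The Javadoc on the deprecated `File`/algorithm overload has the method name pasted into the parameter description: `@param certChainFile an buildKeyManagerFactory X.509 certificate chain file in PEM format`. It should read `@param certChainFile an X.509 certificate chain file in PEM format`, matching the other overloads touched by this commit. The Javadoc block and the method it documents continue past the end of the hunk.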
@@ -470,11 +513,12 @@ public class JdkSslContext extends SslContext {
*/
@Deprecated
protected static KeyManagerFactory buildKeyManagerFactory(File certChainFile,
- String keyAlgorithm, File keyFile, String keyPassword, KeyManagerFactory kmf)
- throws KeyStoreException, NoSuchAlgorithmException, NoSuchPaddingException,
- InvalidKeySpecException, InvalidAlgorithmParameterException, IOException,
- CertificateException, KeyException, UnrecoverableKeyException {
+ String keyAlgorithm, File keyFile,
+ String keyPassword, KeyManagerFactory kmf)
+ throws KeyStoreException, NoSuchAlgorithmException, NoSuchPaddingException,
+ InvalidKeySpecException, InvalidAlgorithmParameterException, IOException,
+ CertificateException, KeyException, UnrecoverableKeyException {
return buildKeyManagerFactory(toX509Certificates(certChainFile), keyAlgorithm,
- toPrivateKey(keyFile, keyPassword), keyPassword, kmf);
+ toPrivateKey(keyFile, keyPassword), keyPassword, kmf, KeyStore.getDefaultType());
}
}
diff --git a/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java b/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java
index aaa452f2be..4b5ebfc6af 100644
--- a/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/JdkSslServerContext.java
@@ -17,6 +17,7 @@
package io.netty.handler.ssl;
import java.io.File;
+import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.cert.X509Certificate;
@@ -45,7 +46,7 @@ final class JdkSslServerContext extends JdkSslContext {
throws SSLException {
super(newSSLContext(provider, null, null,
toX509CertificatesInternal(certChainFile), toPrivateKeyInternal(keyFile, keyPassword),
- keyPassword, null, sessionCacheSize, sessionTimeout), false,
+ keyPassword, null, sessionCacheSize, sessionTimeout, KeyStore.getDefaultType()), false,
ciphers, cipherFilter, apn, ClientAuth.NONE, null, false);
}
@@ -63,17 +64,18 @@ final class JdkSslServerContext extends JdkSslContext {
long sessionTimeout,
ClientAuth clientAuth,
String[] protocols,
- boolean startTls)
+ boolean startTls,
+ String keyStore)
throws SSLException {
super(newSSLContext(provider, trustCertCollection, trustManagerFactory, keyCertChain, key,
- keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout), false,
+ keyPassword, keyManagerFactory, sessionCacheSize, sessionTimeout, keyStore), false,
ciphers, cipherFilter, toNegotiator(apn, true), clientAuth, protocols, startTls);
}
private static SSLContext newSSLContext(Provider sslContextProvider, X509Certificate[] trustCertCollection,
TrustManagerFactory trustManagerFactory, X509Certificate[] keyCertChain,
PrivateKey key, String keyPassword, KeyManagerFactory keyManagerFactory,
- long sessionCacheSize, long sessionTimeout)
+ long sessionCacheSize, long sessionTimeout, String keyStore)
throws SSLException {
if (key == null && keyManagerFactory == null) {
throw new NullPointerException("key, keyManagerFactory");
@@ -81,10 +83,10 @@ final class JdkSslServerContext extends JdkSslContext {
try {
if (trustCertCollection != null) {
- trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory);
+ trustManagerFactory = buildTrustManagerFactory(trustCertCollection, trustManagerFactory, keyStore);
}
if (key != null) {
- keyManagerFactory = buildKeyManagerFactory(keyCertChain, key, keyPassword, keyManagerFactory);
+ keyManagerFactory = buildKeyManagerFactory(keyCertChain, key, keyPassword, keyManagerFactory, null);
}
// Initialize the SSLContext to work with our key managers.
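Review bot: The new `keyStore` parameter of `newSSLContext` is forwarded to `buildTrustManagerFactory` but not to the key-manager call two lines below, which passes a literal `null`: `keyManagerFactory = buildKeyManagerFactory(keyCertChain, key, keyPassword, keyManagerFactory, null);`. The client-side counterpart in JdkSslClientContext forwards `keyStore` on both paths, so a server built with a non-default keystore type would presumably (how the helper treats `null` is not visible here; the tests in this commit pass `null` and expect a working factory) get the default type for its own key material while its trust store uses the requested one. The line should be `keyManagerFactory = buildKeyManagerFactory(keyCertChain, key, keyPassword, keyManagerFactory, keyStore);`. `newSSLContext` continues past the end of the hunk.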
diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
index d0cfa1dae8..6c12f8ea45 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslClientContext.java
@@ -46,7 +46,8 @@ final class OpenSslClientContext extends OpenSslContext {
String[] protocols,
long sessionCacheSize,
long sessionTimeout,
- boolean enableOcsp)
+ boolean enableOcsp,
+ String keyStore)
throws SSLException {
super(ciphers, cipherFilter, apn, sessionCacheSize, sessionTimeout, SSL.SSL_MODE_CLIENT, keyCertChain,
ClientAuth.NONE, protocols, false, enableOcsp);
@@ -54,7 +55,7 @@ final class OpenSslClientContext extends OpenSslContext {
try {
OpenSslKeyMaterialProvider.validateKeyMaterialSupported(keyCertChain, key, keyPassword);
sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
- keyCertChain, key, keyPassword, keyManagerFactory);
+ keyCertChain, key, keyPassword, keyManagerFactory, keyStore);
success = true;
} finally {
if (!success) {
diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
index be1f94d643..ffa49d2459 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslServerContext.java
@@ -48,7 +48,8 @@ final class OpenSslServerContext extends OpenSslContext {
ClientAuth clientAuth,
String[] protocols,
boolean startTls,
- boolean enableOcsp)
+ boolean enableOcsp,
+ String keyStore)
throws SSLException {
super(ciphers, cipherFilter, toNegotiator(apn), sessionCacheSize, sessionTimeout, SSL.SSL_MODE_SERVER,
keyCertChain, clientAuth, protocols, startTls, enableOcsp);
@@ -57,7 +58,7 @@ final class OpenSslServerContext extends OpenSslContext {
try {
OpenSslKeyMaterialProvider.validateKeyMaterialSupported(keyCertChain, key, keyPassword);
sessionContext = newSessionContext(this, ctx, engineMap, trustCertCollection, trustManagerFactory,
- keyCertChain, key, keyPassword, keyManagerFactory);
+ keyCertChain, key, keyPassword, keyManagerFactory, keyStore);
success = true;
} finally {
if (!success) {
diff --git a/handler/src/main/java/io/netty/handler/ssl/OpenSslX509KeyManagerFactory.java b/handler/src/main/java/io/netty/handler/ssl/OpenSslX509KeyManagerFactory.java
index a8a58bc6c2..3d5505f2d4 100644
--- a/handler/src/main/java/io/netty/handler/ssl/OpenSslX509KeyManagerFactory.java
+++ b/handler/src/main/java/io/netty/handler/ssl/OpenSslX509KeyManagerFactory.java
@@ -53,6 +53,8 @@ import java.util.Map;
* Special {@link KeyManagerFactory} that pre-compute the keymaterial used when {@link SslProvider#OPENSSL} or
* {@link SslProvider#OPENSSL_REFCNT} is used and so will improve handshake times and its performance.
*
+ *
+ *
* Because the keymaterial is pre-computed any modification to the {@link KeyStore} is ignored after
* {@link #init(KeyStore, char[])} is called.
*
diff --git a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
index 0aff7e7ca0..3301d12e91 100644
--- a/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
+++ b/handler/src/main/java/io/netty/handler/ssl/ReferenceCountedOpenSslClientContext.java
@@ -62,13 +62,13 @@ public final class ReferenceCountedOpenSslClientContext extends ReferenceCounted
KeyManagerFactory keyManagerFactory, Iterable
- * A X.509 certificate file and a RSA private key file are generated in a system's temporary directory using
+ * An X.509 certificate file and a RSA private key file are generated in a system's temporary directory using
* {@link java.io.File#createTempFile(String, String)}, and they are deleted when the JVM exits using
* {@link java.io.File#deleteOnExit()}.
*
diff --git a/handler/src/test/java/io/netty/handler/ssl/JdkSslEngineTest.java b/handler/src/test/java/io/netty/handler/ssl/JdkSslEngineTest.java
index bc8786534e..db63b30b29 100644
--- a/handler/src/test/java/io/netty/handler/ssl/JdkSslEngineTest.java
+++ b/handler/src/test/java/io/netty/handler/ssl/JdkSslEngineTest.java
@@ -19,7 +19,6 @@ import io.netty.handler.ssl.ApplicationProtocolConfig.Protocol;
import io.netty.handler.ssl.ApplicationProtocolConfig.SelectedListenerFailureBehavior;
import io.netty.handler.ssl.ApplicationProtocolConfig.SelectorFailureBehavior;
import io.netty.handler.ssl.JdkApplicationProtocolNegotiator.ProtocolSelector;
-import io.netty.handler.ssl.JdkApplicationProtocolNegotiator.ProtocolSelectorFactory;
import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
import io.netty.handler.ssl.util.SelfSignedCertificate;
import java.security.Provider;
@@ -34,7 +33,6 @@ import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import java.util.List;
-import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
diff --git a/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java b/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java
index 6e25e8e513..280d0acd2e 100644
--- a/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java
+++ b/handler/src/test/java/io/netty/handler/ssl/SSLEngineTest.java
@@ -2915,7 +2915,7 @@ public abstract class SSLEngineTest {
SelfSignedCertificate ssc = new SelfSignedCertificate();
KeyManagerFactory kmf = useKeyManagerFactory ? SslContext.buildKeyManagerFactory(
- new java.security.cert.X509Certificate[] { ssc.cert()}, ssc.key(), null, null) : null;
+ new java.security.cert.X509Certificate[] { ssc.cert()}, ssc.key(), null, null, null) : null;
SslContextBuilder clientContextBuilder = SslContextBuilder.forClient();
if (mutualAuth) {
@@ -3261,7 +3261,7 @@ public abstract class SSLEngineTest {
throws UnrecoverableKeyException, KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
return SslContext.buildKeyManagerFactory(
- new java.security.cert.X509Certificate[] { ssc.cert() }, ssc.key(), null, null);
+ new java.security.cert.X509Certificate[] { ssc.cert() }, ssc.key(), null, null, null);
}
private final class TestTrustManagerFactory extends X509ExtendedTrustManager {
diff --git a/handler/src/test/java/io/netty/handler/ssl/SniClientJava8TestUtil.java b/handler/src/test/java/io/netty/handler/ssl/SniClientJava8TestUtil.java
index 50bdeac8ed..5c0f797e81 100644
--- a/handler/src/test/java/io/netty/handler/ssl/SniClientJava8TestUtil.java
+++ b/handler/src/test/java/io/netty/handler/ssl/SniClientJava8TestUtil.java
@@ -264,7 +264,7 @@ final class SniClientJava8TestUtil {
IOException, CertificateException {
return new SniX509KeyManagerFactory(
new SNIHostName(hostname), SslContext.buildKeyManagerFactory(
- new X509Certificate[] { cert.cert() }, cert.key(), null, null));
+ new X509Certificate[] { cert.cert() }, cert.key(), null, null, null));
}
private static final class SniX509KeyManagerFactory extends KeyManagerFactory {
diff --git a/handler/src/test/java/io/netty/handler/ssl/SniClientTest.java b/handler/src/test/java/io/netty/handler/ssl/SniClientTest.java
index d01dd65e3a..33f3092aa0 100644
--- a/handler/src/test/java/io/netty/handler/ssl/SniClientTest.java
+++ b/handler/src/test/java/io/netty/handler/ssl/SniClientTest.java
@@ -107,8 +107,7 @@ public class SniClientTest {
} else {
// The used OpenSSL version does support a KeyManagerFactory, so use it.
KeyManagerFactory kmf = SniClientJava8TestUtil.newSniX509KeyManagerFactory(cert, sniHostName);
-
- sslServerContext = SslContextBuilder.forServer(kmf)
+ sslServerContext = SslContextBuilder.forServer(kmf)
.sslProvider(sslServerProvider)
.build();
}
diff --git a/handler/src/test/java/io/netty/handler/ssl/SslContextBuilderTest.java b/handler/src/test/java/io/netty/handler/ssl/SslContextBuilderTest.java
index f573855472..ee53f97ed2 100644
--- a/handler/src/test/java/io/netty/handler/ssl/SslContextBuilderTest.java
+++ b/handler/src/test/java/io/netty/handler/ssl/SslContextBuilderTest.java
@@ -52,6 +52,17 @@ public class SslContextBuilderTest {
testClientContext(SslProvider.OPENSSL);
}
+ @Test
+ public void testKeyStoreTypeJdk() throws Exception {
+ testKeyStoreType(SslProvider.JDK);
+ }
+
+ @Test
+ public void testKeyStoreTypeOpenssl() throws Exception {
+ Assume.assumeTrue(OpenSsl.isAvailable());
+ testKeyStoreType(SslProvider.OPENSSL);
+ }
+
@Test
public void testServerContextFromFileJdk() throws Exception {
testServerContextFromFile(SslProvider.JDK);
@@ -141,6 +152,17 @@ public class SslContextBuilderTest {
}
}
+ private static void testKeyStoreType(SslProvider provider) throws Exception {
+ SelfSignedCertificate cert = new SelfSignedCertificate();
+ SslContextBuilder builder = SslContextBuilder.forServer(cert.certificate(), cert.privateKey())
+ .sslProvider(provider)
+ .keyStoreType("PKCS12");
+ SslContext context = builder.build();
+ SSLEngine engine = context.newEngine(UnpooledByteBufAllocator.DEFAULT);
+ engine.closeInbound();
+ engine.closeOutbound();
+ }
+
private static void testInvalidCipher(SslProvider provider) throws Exception {
SelfSignedCertificate cert = new SelfSignedCertificate();
SslContextBuilder builder = SslContextBuilder.forClient()
diff --git a/handler/src/test/java/io/netty/handler/ssl/SslContextTrustManagerTest.java b/handler/src/test/java/io/netty/handler/ssl/SslContextTrustManagerTest.java
index 97b90f2e90..04b6a8e08b 100644
--- a/handler/src/test/java/io/netty/handler/ssl/SslContextTrustManagerTest.java
+++ b/handler/src/test/java/io/netty/handler/ssl/SslContextTrustManagerTest.java
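Review bot: `testKeyStoreType` only verifies that `build()` and `newEngine(...)` do not throw after `.keyStoreType("PKCS12")`; it never checks that the requested type reached the key-manager or trust-manager factory, so a path that silently substitutes the default type (the JDK server path in this commit passes `null` for the key-manager keystore type) still passes. A cheap complement is a second case that sets a type name the JVM does not know and asserts that `build()` throws, which proves the value is actually consumed, and a comment on the existing case saying it is a smoke test only, e.g. `// only checks that a non-default keystore type is accepted end-to-end`. SslContextBuilderTest continues outside the hunk.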
@@ -110,7 +110,7 @@ public class SslContextTrustManagerTest {
throws Exception {
X509Certificate[] certCollection = loadCertCollection(resourceNames);
TrustManagerFactory tmf = SslContext.buildTrustManagerFactory(
- certCollection, null);
+ certCollection, null, null);
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509TrustManager) {