Hello,
I need to use SSL with mutual authentication in my system. It consists of a server (using Jetty) which runs in a secure and trusted environment, and a thick client deployed with JNLP (insecure: it can be downloaded and unpacked by everyone). Both the server and the client have a keystore and a truststore. Authenticating the server to the client is clear, because the server basically can't be forged (again: its keystore/truststore are in a secured environment).
However, client authentication is much more problematic. The keystore and truststore that the client uses need to be on its classpath (in a jar deployed from the same JNLP?), and the client needs to know the password to each of them. The naive approach is: pack the stores into the client jar and hard-code the passwords somewhere in the code. But when a hacker lays hands on the jar (which everyone can get from our site), he can unpack it and get the information needed to authenticate his forged client.
The question is - how to perform secure client authentication in this case? How to fix the naive solution?
Thanks.
In case it is of any help, here's the relevant client code:
import java.security.KeyStore;
import javax.net.ssl.*;

// Both stores are loaded from the classpath with passwords compiled into the client.
KeyStore keyStore = loadKeyStore(KEYSTORE_PATH, KEYSTORE_PASSWORD);
KeyStore trustStore = loadKeyStore(TRUSTSTORE_PATH, TRUSTSTORE_PASSWORD);
KeyManagerFactory keyFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
// Second argument is the private-key entry password (here a hard-coded literal).
keyFactory.init(keyStore, "keystore".toCharArray());
KeyManager[] keyManagers = keyFactory.getKeyManagers();
TrustManagerFactory trustFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustFactory.init(trustStore);
TrustManager[] trustManagers = trustFactory.getTrustManagers();
SSLContext context = SSLContext.getInstance("TLS");
context.init(keyManagers, trustManagers, null);
// Every HttpsURLConnection in the client now presents the bundled client certificate.
HttpsURLConnection.setDefaultSSLSocketFactory(context.getSocketFactory());
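As an added example (not code from the original post), here is the same client-side mutual TLS setup with the client's private key kept out of the distributed JAR: the client key store is a per-user PKCS12 file and its password is entered by the user at start-up, so nothing in the downloadable artifact can authenticate a client by itself. Only the trust store, which holds the server CA's public certificate and no secrets, is still bundled as a resource. The store location ~/.myapp/client.p12, the resource name /truststore.jks, its password, and the URL are assumptions made for this example.

```java
import java.io.Console;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class MutualTlsClient {

    // Trust store: server CA certificate only, no private material, so shipping it in the JAR is harmless.
    // Resource name and password are assumptions; the password only protects store integrity, not secrecy.
    private static final String TRUSTSTORE_RESOURCE = "/truststore.jks";
    private static final char[] TRUSTSTORE_PASSWORD = "changeit".toCharArray();

    /** Builds an SSLContext that presents the user's own client certificate and trusts the bundled CA. */
    public static SSLContext buildContext(Path clientKeyStore, char[] keyStorePassword)
            throws IOException, GeneralSecurityException {
        // Client key store: lives outside the JAR, one per user, unlocked with a password the user supplies.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(clientKeyStore)) {
            keyStore.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // PKCS12 uses the same password for the store and its key entries.
        kmf.init(keyStore, keyStorePassword);

        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = MutualTlsClient.class.getResourceAsStream(TRUSTSTORE_RESOURCE)) {
            if (in == null) {
                throw new IOException("trust store resource not found: " + TRUSTSTORE_RESOURCE);
            }
            trustStore.load(in, TRUSTSTORE_PASSWORD);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed per-user location; the file is created when the user enrolls, never shipped with the app.
        Path store = Paths.get(System.getProperty("user.home"), ".myapp", "client.p12");
        Console console = System.console();
        if (console == null) {
            throw new IllegalStateException("no console available to prompt for the key store password");
        }
        char[] password = console.readPassword("Password for %s: ", store);
        try {
            SSLContext ctx = buildContext(store, password);
            HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
            // Placeholder URL; the server must be configured to require a client certificate.
            HttpsURLConnection conn =
                    (HttpsURLConnection) URI.create("https://example.invalid/").toURL().openConnection();
            System.out.println("HTTP " + conn.getResponseCode());
        } finally {
            // Wipe the password from memory once the key managers have been initialised.
            Arrays.fill(password, '\0');
        }
    }
}
```

A JNLP application usually has no console, so in practice the prompt would be a Swing password dialog rather than System.console(); the rest is unchanged. What this does not solve is enrollment: each user's key pair and certificate still have to be issued and delivered through a channel other than the public download, which is the part of the problem the JAR itself can never provide.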