in src/protocol/http/src/main/java/org/apache/jmeter/protocol/http/proxy/ProxyControl.java [1573:1643]
/**
 * Makes the recorder's key store ready for issuing per-host certificates.
 *
 * <p>When {@code storePassword} is already set, the existing store is opened and every CA alias
 * reported by {@link KeyToolUtils#getCAaliases()} must hold a certificate that is still valid one
 * day from now. Any failure on that path (unreadable store, missing CA entry, expired or
 * not-yet-valid certificate) resets {@code keyStore} to {@code null} and is logged together with
 * a reminder that the replacement root certificate has to be installed in the browser. A missing
 * or rejected store is recreated with a freshly generated password that protects both the store
 * and its keys. Finally a host certificate is generated for every valid entry of
 * {@code getSslDomains()} that the store does not yet contain.
 *
 * @throws IOException if the store cannot be written or re-read while it is being (re)created or
 *         extended with host certificates; failures while reading an existing store are caught
 * @throws GeneralSecurityException if a keystore or certificate operation fails while the store is
 *         being (re)created or extended with host certificates
 */
private void initDynamicKeyStore() throws IOException, GeneralSecurityException {
    if (storePassword != null) { // a remembered password means a store was created earlier
        loadExistingRecorderStore();
    }
    if (keyStore == null) { // nothing usable on disk: mint a fresh root CA store
        createRecorderRootCaStore();
    }
    ensureConfiguredHostCertificates();
}

/**
 * Opens the store protected by {@code storePassword} and checks each CA alias in it.
 *
 * <p>Leaves {@code keyStore} set when every CA alias holds a certificate valid one day from now,
 * and {@code null} otherwise so that the caller regenerates the store. Nothing is thrown: each
 * failure mode is logged at WARN with the reason.
 */
private void loadExistingRecorderStore() {
    try {
        keyStore = getKeyStore(storePassword.toCharArray());
        for (String caAlias : KeyToolUtils.getCAaliases()) {
            X509Certificate rootCert = (X509Certificate) keyStore.getCertificate(caAlias);
            if (rootCert == null) {
                keyStore = null; // CA entry missing - most likely the wrong store type
                return; // nothing further can be checked
            }
            // must still be valid a day from now, so an imminent expiry already triggers regeneration
            rootCert.checkValidity(new Date(System.currentTimeMillis() + DateUtils.MILLIS_PER_DAY));
            log.info("Valid alias found for {}", caAlias);
        }
    } catch (IOException ex) { // store is faulty, we need to recreate it
        keyStore = null; // flag up to recreate it
        if (ex.getCause() instanceof UnrecoverableKeyException) {
            log.warn(
                    "Could not read key store {}; cause: {}, a new one will be created, ensure you install it in browser",
                    ex.getMessage(), ex.getCause().getMessage(), ex);
        } else {
            log.warn(
                    "Could not open/read key store {}, a new one will be created, ensure you install it in browser",
                    ex.getMessage(), ex); // message includes the file name
        }
    } catch (CertificateExpiredException ex) {
        keyStore = null; // flag up to recreate it
        log.warn(
                "Existing ROOT Certificate has expired, a new one will be created, ensure you install it in browser, message: {}",
                ex.getMessage(), ex);
    } catch (CertificateNotYetValidException ex) {
        keyStore = null; // flag up to recreate it
        log.warn(
                "Existing ROOT Certificate is not yet valid, a new one will be created, ensure you install it in browser, message: {}",
                ex.getMessage(), ex);
    } catch (GeneralSecurityException ex) {
        keyStore = null; // flag up to recreate it
        log.warn(
                "Problem reading key store, a new one will be created, ensure you install it in browser, message: {}",
                ex.getMessage(), ex);
    }
}

/**
 * Generates a new root CA store under {@code CERT_PATH} and loads it into {@code keyStore}.
 *
 * <p>A new random alphanumeric password is generated, recorded as both {@code storePassword} and
 * {@code keyPassword}, and persisted via {@link #setPassword(String)} before the store is built.
 *
 * @throws IOException if the store cannot be generated or re-read
 * @throws GeneralSecurityException if the freshly generated store cannot be loaded
 */
private void createRecorderRootCaStore() throws IOException, GeneralSecurityException {
    // Alphanumeric only, to avoid issues with command-line quoting.
    // NOTE(review): assumes JOrphanUtils draws this password from a SecureRandom - confirm there.
    storePassword = JOrphanUtils.generateRandomAlphanumericPassword(20);
    keyPassword = storePassword; // one password protects both the store and its keys
    setPassword(storePassword);
    log.info(
            "Creating HTTP(S) Test Script Recorder Root CA in {}, ensure you install certificate in your Browser for recording",
            CERT_PATH_ABS);
    KeyToolUtils.generateProxyCA(CERT_PATH, storePassword, CERT_VALIDITY);
    log.info("Created keystore in {}", CERT_PATH_ABS);
    keyStore = getKeyStore(storePassword.toCharArray()); // freshly written, so this load is expected to succeed
}

/**
 * Adds a host certificate for every configured SSL domain that the store does not yet hold.
 *
 * <p>The configured value is a comma-separated list; each entry may name a single host or a whole
 * domain. Entries rejected by {@code isValid} are logged and skipped.
 *
 * @throws IOException if a host certificate cannot be generated or the store cannot be re-read
 * @throws GeneralSecurityException if an alias lookup or store reload fails
 */
private void ensureConfiguredHostCertificates() throws IOException, GeneralSecurityException {
    final String configured = getSslDomains().trim();
    if (configured.isEmpty()) {
        return;
    }
    // NOTE(review): entries are not trimmed individually, so "a, b" yields " b";
    // isValid is relied upon to reject anything malformed - confirm.
    for (String subject : configured.split(",")) {
        if (!isValid(subject)) {
            log.warn("Attempt to create an invalid domain certificate: {}", subject);
            continue;
        }
        if (keyStore.containsAlias(subject)) {
            continue; // certificate already present for this subject
        }
        log.info("Creating entry {} in {}", subject, CERT_PATH_ABS);
        KeyToolUtils.generateHostCert(CERT_PATH, storePassword, subject, CERT_VALIDITY);
        // reloading is very quick compared with creating an entry, so pick up the new alias right away
        keyStore = getKeyStore(storePassword.toCharArray());
    }
}