03 May 2021
blog java javamail x509 truststore
When using JavaMail to access a remote IMAP folder, security has to be enabled one way or another.
When the remote server cannot be identified, the connection fails. The approach is therefore to add the certificate to the machine's keystore.
But for that, the IMAP certificate has to be retrieved first...
Going by the following example:
openssl s_client -crlf -connect imap.gmail.com:993
Let's try with Outlook:
openssl s_client -crlf -connect outlook.office.com:993
CONNECTED(00000003)
depth=1 OU = generated by Avast Antivirus for SSL/TLS scanning, O = Avast Web/Mail Shield, CN = Avast Web/Mail Shield Root
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 OU = generated by Avast Antivirus for SSL/TLS scanning, O = Avast Web/Mail Shield, CN = Avast Web/Mail Shield Root
verify return:1
depth=0 C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
verify return:1
---
Certificate chain
0 s:C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
i:OU = generated by Avast Antivirus for SSL/TLS scanning, O = Avast Web/Mail Shield, CN = Avast Web/Mail Shield Root
1 s:OU = generated by Avast Antivirus for SSL/TLS scanning, O = Avast Web/Mail Shield, CN = Avast Web/Mail Shield Root
i:OU = generated by Avast Antivirus for SSL/TLS scanning, O = Avast Web/Mail Shield, CN = Avast Web/Mail Shield Root
---
Server certificate
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=C = US, ST = Washington, L = Redmond, O = Microsoft Corporation, CN = outlook.com
issuer=OU = generated by Avast Antivirus for SSL/TLS scanning, O = Avast Web/Mail Shield, CN = Avast Web/Mail Shield Root
---
No client certificate CA names sent
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 3209 bytes and written 403 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: 88DC133498F921EA0F3F9D79A946273A720DEE347C0DF7605F00B03DD085A9E3
Session-ID-ctx:
Master-Key: 68AEE9B356E250BF04BCA2175F4731D2B36796AAB76617B7BAC884B6C39ADAA345A873D1A1A93762EE4629EAD391F022
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - b9 b6 03 65 96 07 f0 aa-05 f2 c0 33 dc 82 c8 aa ...e.......3....
0010 - 2b 7d be 6e 84 9d e4 1e-d7 49 68 cd 52 3a 3d 4c +}.n.....Ih.R:=L
0020 - d1 55 60 7e f2 fc fc 83-59 fa 76 6c 31 7b fb e6 .U`~....Y.vl1{..
0030 - bb c1 88 43 a2 29 2d 8b-b7 68 22 84 5d cc 1a 74 ...C.)-..h".]..t
0040 - b2 32 2c 0b 25 ab 32 82-ea b6 58 45 c2 52 e9 19 .2,.%.2...XE.R..
0050 - 38 25 24 30 9d 97 cb 1b-b0 a3 b1 09 a7 c4 cc 74 8%$0...........t
0060 - d6 18 43 a3 0e d6 b3 a6-01 5a ed ec 5f 36 5d 1f ..C......Z.._6].
0070 - e1 b5 cd f7 1c 47 62 03-ea 9f 8e 6d 1a fc c5 cd .....Gb....m....
0080 - 53 53 31 7c 9d c2 bf bc-7f 2e aa dc e6 83 a7 95 SS1|............
0090 - 2e a7 bf f0 21 ac fc 8f-ef 29 91 ca 33 d7 91 61 ....!....)..3..a
Start Time: 1620054924
Timeout : 7200 (sec)
Verify return code: 19 (self signed certificate in certificate chain)
Extended master secret: yes
---
* OK The Microsoft Exchange IMAP4 service is ready. [UABSADMAUAAxADkAMwBDAEEAMAAwADMANgAuAEUAVQBSAFAAMQA5ADMALgBQAFIATwBEAC4ATwBVAFQATABPAE8ASwAuAEMATwBNAA==]
Here we notice that the connection is being intercepted by the Avast antivirus, which substitutes its own certificate.
For the outlook.office.com example, note that the request works on port 993 but not on port 587.
The following SO answer gives a solution:
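The same capture can be done from Java, which is useful because it tells you whether the JVM's own truststore already accepts the chain before you import anything. The program below is an added example (not code from the original post): it connects to host:port over TLS with a trust manager that only records the chain, like openssl s_client does, then re-checks that chain against the JVM's default truststore and prints each subject/issuer, flagging self-signed links. In the Avast case above, the default truststore rejects the chain and the root issuer is "Avast Web/Mail Shield Root", which shows that the certificate you would be importing belongs to the interception proxy, not to Microsoft. The default host and port are the page's outlook.office.com:993; the output file name is an assumption. This only works for ports that speak TLS immediately (993); a STARTTLS port such as 587 needs the protocol-level upgrade first (with openssl, the -starttls smtp option).

```java
import java.io.FileWriter;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Capture an IMAPS server's certificate chain and check it against the JVM's default truststore. */
public class CaptureServerChain {

    /** Records the chain the peer presents instead of deciding trust (capture only; this socket is never used for mail). */
    static final class CapturingTrustManager implements X509TrustManager {
        X509Certificate[] chain;
        public void checkClientTrusted(X509Certificate[] c, String authType) { }
        public void checkServerTrusted(X509Certificate[] c, String authType) { chain = c; }
        public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "outlook.office.com";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 993;

        // 1. Handshake with the capturing trust manager, then drop the connection.
        CapturingTrustManager capture = new CapturingTrustManager();
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { capture }, null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
        }

        // 2. Ask the default trust manager (what JavaMail uses without any keystore change) whether it accepts the chain.
        //    Note: this validates the chain only; hostname matching is a separate check done by the mail client.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager defaultTm = (X509TrustManager) tmf.getTrustManagers()[0];
        try {
            defaultTm.checkServerTrusted(capture.chain, "RSA");
            System.out.println("Chain validates with the default truststore; nothing needs to be imported.");
        } catch (CertificateException e) {
            System.out.println("Default truststore rejects the chain: " + e.getMessage());
        }

        // 3. Print the chain the way openssl does, marking self-signed links (issuer == subject).
        for (int i = 0; i < capture.chain.length; i++) {
            X509Certificate c = capture.chain[i];
            boolean selfSigned = c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
            System.out.printf("%d s: %s%n   i: %s%s%n", i, c.getSubjectX500Principal(),
                    c.getIssuerX500Principal(), selfSigned ? "  (self-signed)" : "");
        }

        // 4. Save the last certificate of the chain (the one you would decide to trust) as PEM. File name is an assumption.
        writePem(capture.chain[capture.chain.length - 1], host + "-chain-root.pem");
    }

    /** Writes one certificate in the same PEM form that openssl s_client prints. */
    static void writePem(X509Certificate cert, String path) throws IOException, CertificateEncodingException {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(cert.getEncoded());
        try (FileWriter w = new FileWriter(path)) {
            w.write("-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n");
        }
    }
}
```

Run it as `java CaptureServerChain outlook.office.com 993`. If step 2 reports that the default truststore already validates the chain, the failure in JavaMail is somewhere else and no import is needed; if it is rejected and the issuers are a local antivirus or corporate proxy, importing that root makes the JVM trust the interception proxy for every host, which is a decision to make knowingly rather than as a workaround.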
echo | openssl s_client -connect yoursever:port 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > yourcert.pem
keytool -keystore cacerts -importcert -alias youralias -file yourcert.pem
This is clearly the one picked up by MA in the README.md.
Then, either we create a local file and have the Java program use it, or we use the machine's keystore.
Careful, the keystore file does not necessarily exist.
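The keytool command quoted above acts on whatever file is named cacerts in the current directory and creates it if it is missing, which is why the keystore "does not necessarily exist"; the JDK's own truststore lives under $JAVA_HOME/lib/security/cacerts. For the "local file" option there are two ways to make the Java program use it: pass it globally with -Djavax.net.ssl.trustStore=/path/to/file (and -Djavax.net.ssl.trustStorePassword=...), or wire it into JavaMail only, as in this added example (not code from the original post). It loads a PKCS12 truststore, builds trust managers from it and hands them to JavaMail's com.sun.mail.util.MailSSLSocketFactory through the mail.imaps.ssl.socketFactory property, leaving the rest of the JVM's trust untouched. The file name, password and credentials environment variables are assumptions; the javax.mail namespace corresponds to JavaMail 1.6.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.util.Properties;
import javax.mail.Folder;
import javax.mail.Session;
import javax.mail.Store;
import javax.net.ssl.TrustManagerFactory;
import com.sun.mail.util.MailSSLSocketFactory;

/** Open an IMAPS store with a dedicated truststore instead of modifying the JDK's cacerts. */
public class ImapWithTrustStore {

    /** Builds a JavaMail session whose IMAPS sockets trust only the certificates in the given PKCS12 file. */
    static Session sessionWithTrustStore(String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        // MailSSLSocketFactory lets us plug in our own trust managers without touching javax.net.ssl.trustStore.
        MailSSLSocketFactory socketFactory = new MailSSLSocketFactory();
        socketFactory.setTrustManagers(tmf.getTrustManagers());

        Properties props = new Properties();
        props.put("mail.store.protocol", "imaps");
        props.put("mail.imaps.ssl.socketFactory", socketFactory);
        // Keep hostname verification on: a trusted certificate for the wrong host must still be rejected.
        props.put("mail.imaps.ssl.checkserveridentity", "true");
        return Session.getInstance(props);
    }

    public static void main(String[] args) throws Exception {
        // Assumed names: the truststore produced with keytool (-storetype PKCS12) and credentials from the environment.
        Session session = sessionWithTrustStore("imap-truststore.p12", "changeit".toCharArray());
        String host = args.length > 0 ? args[0] : "outlook.office.com";
        String user = System.getenv("IMAP_USER");
        String password = System.getenv("IMAP_PASSWORD");

        Store store = session.getStore("imaps");
        try {
            store.connect(host, user, password);   // fails here if the chain is not in imap-truststore.p12
            Folder inbox = store.getFolder("INBOX");
            inbox.open(Folder.READ_ONLY);
            System.out.println("INBOX messages: " + inbox.getMessageCount());
            inbox.close(false);
        } finally {
            store.close();
        }
    }
}
```

To build the truststore the example expects from the PEM captured earlier: `keytool -importcert -storetype PKCS12 -keystore imap-truststore.p12 -alias imap-root -file yourcert.pem`. Because the trust managers come from that file only, the session trusts nothing else; if you prefer to keep the public CAs as well, pass the JDK's cacerts through -Djavax.net.ssl.trustStore instead and import the extra certificate into a copy of it.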