Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add method for creating an SSLContext that merges both the trust store and custom certificates #2677

Open
wants to merge 7 commits into
base: develop
Choose a base branch
from
Open

Add method for creating an SSLContext that merges both the trust store and custom certificates #2677

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
e30bd71
Add method for creating an SSLContext that merges both the trust stor…
Aug 14, 2023
7ca0c78
Update doc
Aug 14, 2023
383385c
Revert top level SSLSocketFactories methods
Aug 14, 2023
33f6302
Make public
Aug 14, 2023
dc0c416
Revert "Make public"
Nov 7, 2023
87ce879
Revert "Revert top level SSLSocketFactories methods"
Nov 7, 2023
cb7961e
Update docs
Nov 7, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 6 additions & 2 deletions keystores/src/main/java/com/palantir/conjure/java/config/ssl/KeyStores.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -122,6 +122,12 @@ static KeyStore createTrustStoreFromCertificates(Map<String, PemX509Certificate>
KeyStore keyStore;
keyStore = createKeyStore();

addCertificatesToKeystore(certificatesByAlias, keyStore);

return keyStore;
}

static void addCertificatesToKeystore(Map<String, PemX509Certificate> certificatesByAlias, KeyStore keyStore) {
for (Map.Entry<String, PemX509Certificate> entry : certificatesByAlias.entrySet()) {
try (InputStream certIn =
new ByteArrayInputStream(entry.getValue().pemCertificate().getBytes(StandardCharsets.UTF_8))) {
Expand All @@ -135,8 +141,6 @@ static KeyStore createTrustStoreFromCertificates(Map<String, PemX509Certificate>
e);
}
}

return keyStore;
}

private static void addCertificatesToKeystore(
Expand Down
70 changes: 61 additions & 9 deletions keystores/src/main/java/com/palantir/conjure/java/config/ssl/SslSocketFactories.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@

import com.google.common.base.Throwables;
import com.palantir.conjure.java.api.config.ssl.SslConfiguration;
import com.palantir.conjure.java.api.config.ssl.SslConfiguration.StoreType;
import com.palantir.logsafe.SafeArg;
import com.palantir.logsafe.exceptions.SafeRuntimeException;
import java.nio.file.Path;
Expand Down Expand Up @@ -91,6 +92,20 @@ public static SSLSocketFactory createSslSocketFactory(
return sslContext.getSocketFactory();
}

/**
* Create a {@link SSLSocketFactory} by merging the provided certificates and configuration.
*
* @param trustCertificatesByAlias a map of X.509 certificate in PEM or DER format by the alias to load the
* certificate as.
* @param config an {@link SslConfiguration} describing the trust store configuration
* @param provider The preferred security {@link Provider}
*/
public static SSLSocketFactory createSslSocketFactory(
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I noticed most of these methods aren't explicitly tested, do I need to add tests for my additions?

Map<String, PemX509Certificate> trustCertificatesByAlias, SslConfiguration config, Provider provider) {
SSLContext sslContext = createSslContext(config, trustCertificatesByAlias, provider);
return sslContext.getSocketFactory();
}

/**
* Create an {@link SSLContext} initialized from the provided configuration.
*
Expand Down Expand Up @@ -142,6 +157,20 @@ public static SSLContext createSslContext(
return createSslContext(trustManagers, new KeyManager[] {}, provider);
}

/**
* Create an {@link SSLContext} by merging the provided configuration and certificates.
*
* @param trustCertificatesByAlias a map of X.509 certificate in PEM or DER format by the alias to load the
* certificate as.
* @param config an {@link SslConfiguration} describing the trust store configuration
* @param provider The preferred security {@link Provider}
*/
public static SSLContext createSslContext(
SslConfiguration config, Map<String, PemX509Certificate> trustCertificatesByAlias, Provider provider) {
TrustManager[] trustManagers = createMergedTrustManagers(config, trustCertificatesByAlias);
return createSslContext(trustManagers, new KeyManager[] {}, provider);
}

/**
* Create an {@link SSLContext} initialized from the provided certificates.
* @see SSLContext#init(KeyManager[], TrustManager[], SecureRandom)
Expand Down Expand Up @@ -200,6 +229,20 @@ public static TrustManager[] createTrustManagers(Map<String, PemX509Certificate>
}
}

/**
* Create SSL socket factory and trust manager by merging the given certificates and configuration,
* see {@link #createX509TrustManager} and {@link #createSslSocketFactory}.
*/
public static TrustManager[] createMergedTrustManagers(
SslConfiguration config, Map<String, PemX509Certificate> trustCertificatesByAlias) {
KeyStore keystore = getCombinedTrustStoreAndDefaultCas(config.trustStorePath(), config.trustStoreType());

KeyStores.addCertificatesToKeystore(trustCertificatesByAlias, keystore);

return ConscryptCompatTrustManagers.wrap(
getTrustManagerFactory(keystore).getTrustManagers());
}

/**
* Create SSL socket factory and trust manager from the given configuration, see {@link #createX509TrustManager} and
* {@link #createSslSocketFactory}.
Expand Down Expand Up @@ -269,6 +312,23 @@ public static KeyManager[] createKeyManagers(SslConfiguration config) {

private static TrustManagerFactory createTrustManagerFactory(
Path trustStorePath, SslConfiguration.StoreType trustStoreType) {
KeyStore keyStore = getCombinedTrustStoreAndDefaultCas(trustStorePath, trustStoreType);

return getTrustManagerFactory(keyStore);
}

private static TrustManagerFactory getTrustManagerFactory(KeyStore keyStore) {
try {
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
return trustManagerFactory;
} catch (GeneralSecurityException e) {
throw Throwables.propagate(e);
}
}

private static KeyStore getCombinedTrustStoreAndDefaultCas(Path trustStorePath, StoreType trustStoreType) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would be convenient if we made it public, this PR would not be necessary if this method was available.

KeyStore keyStore;
switch (trustStoreType) {
case JKS:
Expand Down Expand Up @@ -299,15 +359,7 @@ private static TrustManagerFactory createTrustManagerFactory(
"Unable to add certificate to store", e, SafeArg.of("certificateAlias", certAlias));
}
});

try {
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
return trustManagerFactory;
} catch (GeneralSecurityException e) {
throw Throwables.propagate(e);
}
return keyStore;
}

private static KeyManagerFactory createKeyManagerFactory(
Expand Down