

Revert top level SSLSocketFactories methods
Eric Alvarez committed Nov 7, 2023
1 parent 7ca0c78 commit 383385c
Showing 2 changed files with 45 additions and 81 deletions.
Expand Up @@ -20,7 +20,9 @@
import com.github.benmanes.caffeine.cache.Caffeine;
import com.google.common.base.Throwables;
import com.google.common.io.BaseEncoding;
import com.palantir.conjure.java.api.config.ssl.SslConfiguration.StoreType;
import com.palantir.conjure.java.config.ssl.pkcs1.Pkcs1PrivateKeyReader;
import com.palantir.logsafe.SafeArg;
import com.palantir.logsafe.exceptions.SafeRuntimeException;
import java.io.BufferedInputStream;
import java.io.ByteArrayInputStream;
Expand Down Expand Up @@ -321,6 +323,48 @@ static KeyStore newKeyStoreWithEntry(KeyStore original, Optional<String> passwor
}
}

/**
* Return a new {@link KeyStore} that contains the contents of the trust store and all default ca certificates.
*
* @param trustStorePath The path to the trust store.
* @param trustStoreType The type of trust store.
* @return a newly constructed key store of the type trustStoreType that contains the contents of the trust store
* and all default ca certificates.
*/
static KeyStore getCombinedTrustStoreAndDefaultCas(Path trustStorePath, StoreType trustStoreType) {
KeyStore keyStore;
switch (trustStoreType) {
case JKS:
case PKCS12:
keyStore = loadKeyStore(trustStoreType.name(), trustStorePath, Optional.empty());
break;
case PEM:
keyStore = createTrustStoreFromCertificates(trustStorePath);
break;
case PUPPET:
Path puppetCertsDir = trustStorePath.resolve("certs");
if (!puppetCertsDir.toFile().isDirectory()) {
throw new IllegalStateException(
String.format("Puppet certs directory did not exist at path \"%s\"", puppetCertsDir));
}
keyStore = createTrustStoreFromCertificates(puppetCertsDir);
break;
default:
throw new IllegalStateException("Unrecognized trust store type: " + trustStoreType);
}

// Add globally trusted root CAs
DefaultCas.getCertificates().forEach((certAlias, cert) -> {
try {
keyStore.setCertificateEntry(certAlias, cert);
} catch (KeyStoreException e) {
throw new SafeRuntimeException(
"Unable to add certificate to store", e, SafeArg.of("certificateAlias", certAlias));
}
});
return keyStore;
}

private static KeyStore createKeyStore() {
KeyStore keyStore;
try {
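Review bot: In getCombinedTrustStoreAndDefaultCas the loop that adds the bundled root CAs calls `keyStore.setCertificateEntry(certAlias, cert)` without checking whether the alias is already present, so a configured trust store entry that shares an alias with a `DefaultCas` entry is silently replaced by the bundled certificate (and, if the existing entry is a key entry rather than a trusted certificate, `setCertificateEntry` throws `KeyStoreException`, which the catch turns into a generic "Unable to add certificate to store"). The operator-supplied store should take precedence and the collision should be visible rather than swallowed; a guard at the top of the lambda such as `if (keyStore.containsAlias(certAlias)) { return; } // configured trust store wins on alias collision` would do, and the Javadoc should state which side wins when aliases overlap. The Javadoc should also note that the JKS/PKCS12 branch loads the store with `Optional.empty()` as the password, which — if `loadKeyStore` maps that to a null password, as is usual — means the store's integrity check is skipped and its contents are trusted as-is from disk (verify against `loadKeyStore`). As a minor style point, `puppetCertsDir.toFile().isDirectory()` mixes `java.io.File` into otherwise `java.nio.file` code; `Files.isDirectory(puppetCertsDir)` would be consistent, provided `java.nio.file.Files` is already imported in this file.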
Expand Up @@ -18,7 +18,6 @@

import com.google.common.base.Throwables;
import com.palantir.conjure.java.api.config.ssl.SslConfiguration;
import com.palantir.conjure.java.api.config.ssl.SslConfiguration.StoreType;
import com.palantir.logsafe.SafeArg;
import com.palantir.logsafe.exceptions.SafeRuntimeException;
import java.nio.file.Path;
Expand Down Expand Up @@ -92,20 +91,6 @@ public static SSLSocketFactory createSslSocketFactory(
return sslContext.getSocketFactory();
}

/**
* Create a {@link SSLSocketFactory} from the provided certificates and configuration.
*
* @param trustCertificatesByAlias a map of X.509 certificate in PEM or DER format by the alias to load the
* certificate as.
* @param config an {@link SslConfiguration} describing the trust store configuration
* @param provider The preferred security {@link Provider}
*/
public static SSLSocketFactory createSslSocketFactory(
Map<String, PemX509Certificate> trustCertificatesByAlias, SslConfiguration config, Provider provider) {
SSLContext sslContext = createSslContext(config, trustCertificatesByAlias, provider);
return sslContext.getSocketFactory();
}

/**
* Create an {@link SSLContext} initialized from the provided configuration.
*
Expand Down Expand Up @@ -157,19 +142,6 @@ public static SSLContext createSslContext(
return createSslContext(trustManagers, new KeyManager[] {}, provider);
}

/**
* Create an {@link SSLContext} initialized from the provided configuration and certificates.
*
* @param trustCertificatesByAlias a map of X.509 certificate in PEM or DER format by the alias to load the
* certificate as.
* @param config an {@link SslConfiguration} describing the trust store configuration
*/
public static SSLContext createSslContext(
SslConfiguration config, Map<String, PemX509Certificate> trustCertificatesByAlias, Provider provider) {
TrustManager[] trustManagers = createMergedTrustManagers(config, trustCertificatesByAlias);
return createSslContext(trustManagers, new KeyManager[] {}, provider);
}

/**
* Create an {@link SSLContext} initialized from the provided certificates.
* @see SSLContext#init(KeyManager[], TrustManager[], SecureRandom)
Expand Down Expand Up @@ -228,20 +200,6 @@ public static TrustManager[] createTrustManagers(Map<String, PemX509Certificate>
}
}

/**
* Create SSL socket factory and trust manager from the given certificates, see {@link #createX509TrustManager} and
* {@link #createSslSocketFactory}.
*/
public static TrustManager[] createMergedTrustManagers(
SslConfiguration config, Map<String, PemX509Certificate> trustCertificatesByAlias) {
KeyStore keystore = getCombinedTrustStoreAndDefaultCas(config.trustStorePath(), config.trustStoreType());

KeyStores.addCertificatesToKeystore(trustCertificatesByAlias, keystore);

return ConscryptCompatTrustManagers.wrap(
getTrustManagerFactory(keystore).getTrustManagers());
}

/**
* Create SSL socket factory and trust manager from the given configuration, see {@link #createX509TrustManager} and
* {@link #createSslSocketFactory}.
Expand Down Expand Up @@ -311,12 +269,8 @@ public static KeyManager[] createKeyManagers(SslConfiguration config) {

private static TrustManagerFactory createTrustManagerFactory(
Path trustStorePath, SslConfiguration.StoreType trustStoreType) {
KeyStore keyStore = getCombinedTrustStoreAndDefaultCas(trustStorePath, trustStoreType);
KeyStore keyStore = KeyStores.getCombinedTrustStoreAndDefaultCas(trustStorePath, trustStoreType);

return getTrustManagerFactory(keyStore);
}

private static TrustManagerFactory getTrustManagerFactory(KeyStore keyStore) {
try {
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
Expand All @@ -327,40 +281,6 @@ private static TrustManagerFactory getTrustManagerFactory(KeyStore keyStore) {
}
}

private static KeyStore getCombinedTrustStoreAndDefaultCas(Path trustStorePath, StoreType trustStoreType) {
KeyStore keyStore;
switch (trustStoreType) {
case JKS:
case PKCS12:
keyStore = KeyStores.loadKeyStore(trustStoreType.name(), trustStorePath, Optional.empty());
break;
case PEM:
keyStore = KeyStores.createTrustStoreFromCertificates(trustStorePath);
break;
case PUPPET:
Path puppetCertsDir = trustStorePath.resolve("certs");
if (!puppetCertsDir.toFile().isDirectory()) {
throw new IllegalStateException(
String.format("Puppet certs directory did not exist at path \"%s\"", puppetCertsDir));
}
keyStore = KeyStores.createTrustStoreFromCertificates(puppetCertsDir);
break;
default:
throw new IllegalStateException("Unrecognized trust store type: " + trustStoreType);
}

// Add globally trusted root CAs
DefaultCas.getCertificates().forEach((certAlias, cert) -> {
try {
keyStore.setCertificateEntry(certAlias, cert);
} catch (KeyStoreException e) {
throw new SafeRuntimeException(
"Unable to add certificate to store", e, SafeArg.of("certificateAlias", certAlias));
}
});
return keyStore;
}

private static KeyManagerFactory createKeyManagerFactory(
Path keyStorePath,
Optional<String> keyStorePassword,
