fix: added CompositeX509ExtendedTrustManager, removed ext one (redhat…

…-developer#212) Signed-off-by: Andre Dietisheim <[email protected]>
adietish · Mar 25, 2024 · d90c44d · d90c44d
1 parent c9630d8
commit d90c44d
Show file tree

Hide file tree

Showing 2 changed files with 98 additions and 2 deletions.
diff --git a/src/main/java/com/redhat/devtools/intellij/common/ssl/CompositeX509ExtendedTrustManager.java b/src/main/java/com/redhat/devtools/intellij/common/ssl/CompositeX509ExtendedTrustManager.java
@@ -0,0 +1,97 @@
+/*******************************************************************************
+ * Copyright (c) 2024 Red Hat, Inc.
+ * Distributed under license by Red Hat, Inc. All rights reserved.
+ * This program is made available under the terms of the
+ * Eclipse Public License v2.0 which accompanies this distribution,
+ * and is available at http://www.eclipse.org/legal/epl-v20.html
+ *
+ * Contributors:
+ * Based on nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager at https://github.com/Hakky54/sslcontext-kickstart
+ * Red Hat, Inc. - initial API and implementation
+ ******************************************************************************/
+package com.redhat.devtools.intellij.common.ssl;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedTrustManager;
+import javax.net.ssl.X509TrustManager;
+import java.net.Socket;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.List;
+
+public class CompositeX509ExtendedTrustManager extends X509ExtendedTrustManager {
+
+    private static final String CERTIFICATE_EXCEPTION_MESSAGE = "None of the TrustManagers trust this certificate chain";
+
+    private final List<X509ExtendedTrustManager> innerTrustManagers;
+    private final X509Certificate[] acceptedIssuers;
+
+    public CompositeX509ExtendedTrustManager(List<X509ExtendedTrustManager> trustManagers) {
+        this.innerTrustManagers = Collections.unmodifiableList(trustManagers);
+        this.acceptedIssuers = (X509Certificate[]) trustManagers.stream()
+                .map(X509TrustManager::getAcceptedIssuers)
+                .flatMap(Arrays::stream)
+                .toArray();
+    }
+
+    @Override
+    public X509Certificate[] getAcceptedIssuers() {
+        return Arrays.copyOf(acceptedIssuers, acceptedIssuers.length);
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        checkTrusted((trustManager) -> trustManager.checkClientTrusted(chain, authType));
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
+        checkTrusted((trustManager) -> trustManager.checkServerTrusted(chain, authType));
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        checkTrusted((trustManager) -> trustManager.checkClientTrusted(chain, authType, socket));
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
+        checkTrusted((trustManager) -> trustManager.checkServerTrusted(chain, authType, socket));
+    }
+
+    @Override
+    public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+        checkTrusted((trustManager) -> trustManager.checkClientTrusted(chain, authType, engine));
+    }
+
+    @Override
+    public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
+        checkTrusted((trustManager) -> trustManager.checkServerTrusted(chain, authType, engine));
+    }
+
+    public List<X509ExtendedTrustManager> getInnerTrustManagers() {
+        return innerTrustManagers;
+    }
+
+    private void checkTrusted(TrustManagerConsumer consumer) throws CertificateException {
+        List<CertificateException> certificateExceptions = new ArrayList<>();
+        for (X509ExtendedTrustManager trustManager : innerTrustManagers) {
+            try {
+                consumer.checkTrusted(trustManager);
+                return;
+            } catch (CertificateException e) {
+                certificateExceptions.add(e);
+            }
+        }
+        CertificateException certificateException = new CertificateException(CERTIFICATE_EXCEPTION_MESSAGE);
+        certificateExceptions.forEach(certificateException::addSuppressed);
+        throw certificateException;
+    }
+
+    interface TrustManagerConsumer {
+        void checkTrusted(X509ExtendedTrustManager var1) throws CertificateException;
+    }
+}
diff --git a/src/main/java/com/redhat/devtools/intellij/common/ssl/IDEATrustManager.java b/src/main/java/com/redhat/devtools/intellij/common/ssl/IDEATrustManager.java
@@ -12,7 +12,6 @@
 
 import com.intellij.openapi.diagnostic.Logger;
 import com.intellij.util.net.ssl.CertificateManager;
-import nl.altindag.ssl.trustmanager.CompositeX509ExtendedTrustManager;
 import org.apache.commons.lang3.reflect.FieldUtils;
 
 import javax.net.ssl.X509ExtendedTrustManager;
@@ -140,4 +139,4 @@ private void addCompositeManager(
         managers.addAll(nonCompositeManagers);
         managers.add(clientTrustManager);
     }
-}
+}