Merge pull request #10883 from geoand/#10877

Fix broken trustStore usage in RestClient in native mode

extensions/rest-client/runtime/src/main/java/io/quarkus/restclient/runtime/graal/ClientHttpEngineBuilder43Replacement.java

@@ -24,7 +24,8 @@ public final class ClientHttpEngineBuilder43Replacement {
     @Substitute
     public ClientHttpEngineBuilder43Replacement resteasyClientBuilder(ResteasyClientBuilder resteasyClientBuilder) {
         that = resteasyClientBuilder;
-        if (that.getSSLContext() == null) {
+        // make sure we only set a context if there is none or one wouldn't be created implicitly
+        if ((that.getSSLContext() == null) && (that.getTrustStore() == null) && (that.getKeyStore() == null)) {
             try {
                 that.sslContext(SSLContext.getDefault());
             } catch (NoSuchAlgorithmException e) {

integration-tests/rest-client/generate-trust-store-for-self-signed.sh → integration-tests/rest-client/generate-trust-store-for-bad-ssl.sh

@@ -8,3 +8,8 @@
 echo -n | openssl s_client -connect self-signed.badssl.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > self-signed.cert
 keytool -importcert -file self-signed.cert -alias self-signed -keystore self-signed -storepass changeit -noprompt
 rm self-signed.cert
+
+
+echo -n | openssl s_client -connect wrong.host.badssl.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > wrong-host.cert
+keytool -importcert -file wrong-host.cert -alias wrong-host -keystore wrong-host -storepass changeit -noprompt
+rm wrong-host.cert

integration-tests/rest-client/pom.xml

@@ -14,6 +14,10 @@
 
 	<properties>
 		<maven.compiler.parameters>true</maven.compiler.parameters>
+		<self-signed.trust-store>${project.basedir}/self-signed</self-signed.trust-store>
+		<self-signed.trust-store-password>changeit</self-signed.trust-store-password>
+		<wrong-host.trust-store>${project.basedir}/wrong-host</wrong-host.trust-store>
+		<wrong-host.trust-store-password>changeit</wrong-host.trust-store-password>
 	</properties>
 
 	<dependencies>
@@ -70,8 +74,10 @@
 					<systemPropertyVariables>
 						<!-- force the locale as we want to explicitly test message interpolation -->
 						<user.language>en</user.language>
-						<javax.net.ssl.trustStore>${project.basedir}/self-signed</javax.net.ssl.trustStore>
-						<javax.net.ssl.trustStorePassword>changeit</javax.net.ssl.trustStorePassword>
+						<javax.net.ssl.trustStore>${self-signed.trust-store}</javax.net.ssl.trustStore>
+						<javax.net.ssl.trustStorePassword>${self-signed.trust-store-password}</javax.net.ssl.trustStorePassword>
+						<rest-client.trustStore>${wrong-host.trust-store}</rest-client.trustStore>
+						<rest-client.trustStorePassword>${wrong-host.trust-store-password}</rest-client.trustStorePassword>
 					</systemPropertyVariables>
 				</configuration>
 			</plugin>
@@ -102,6 +108,8 @@
 										<!-- force the locale as we want to explicitly test message interpolation -->
 										<user.language>en</user.language>
 										<native.image.path>${project.build.directory}/${project.build.finalName}-runner</native.image.path>
+										<rest-client.trustStore>${wrong-host.trust-store}</rest-client.trustStore>
+										<rest-client.trustStorePassword>${wrong-host.trust-store-password}</rest-client.trustStorePassword>
 									</systemPropertyVariables>
 								</configuration>
 							</execution>
@@ -125,7 +133,8 @@
 									<enableServer>false</enableServer>
 									<dumpProxies>false</dumpProxies>
 									<graalvmHome>${graalvmHome}</graalvmHome>
-									<additionalBuildArgs>-J-Djavax.net.ssl.trustStore=${project.basedir}/self-signed, -J-Djavax.net.ssl.trustStorePassword=changeit</additionalBuildArgs>
+									<additionalBuildArgs>-J-Djavax.net.ssl.trustStore=${self-signed.trust-store},
+										-J-Djavax.net.ssl.trustStorePassword=${self-signed.trust-store-password}</additionalBuildArgs>
 								</configuration>
 							</execution>
 						</executions>

integration-tests/rest-client/src/main/java/io/quarkus/it/rest/client/wronghost/WrongHostClient.java

@@ -0,0 +1,14 @@
+package io.quarkus.it.rest.client.wronghost;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+@Path("/")
+public interface WrongHostClient {
+
+    @GET
+    @Produces(MediaType.TEXT_PLAIN)
+    String root();
+}

integration-tests/rest-client/src/main/java/io/quarkus/it/rest/client/wronghost/WrongHostResource.java

@@ -0,0 +1,33 @@
+package io.quarkus.it.rest.client.wronghost;
+
+import java.io.FileInputStream;
+import java.net.URL;
+import java.security.KeyStore;
+
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.MediaType;
+
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
+import org.eclipse.microprofile.rest.client.RestClientBuilder;
+
+@Path("/wrong-host")
+public class WrongHostResource {
+
+    @GET
+    @Path("/rest-client")
+    @Produces(MediaType.TEXT_PLAIN)
+    public String restClient() throws Exception {
+        KeyStore ks = KeyStore.getInstance("JKS");
+
+        // the system props are set in pom.xml and made available for native tests via RestClientTestResource
+        ks.load(new FileInputStream(System.getProperty("rest-client.trustStore")),
+                System.getProperty("rest-client.trustStorePassword").toCharArray());
+
+        return RestClientBuilder.newBuilder().baseUrl(new URL("https://wrong.host.badssl.com/")).trustStore(ks)
+                .hostnameVerifier(NoopHostnameVerifier.INSTANCE)
+                .build(WrongHostClient.class)
+                .root();
+    }
+}

integration-tests/rest-client/src/test/java/io/quarkus/it/rest/client/RestClientTestResource.java

@@ -0,0 +1,25 @@
+package io.quarkus.it.rest.client;
+
+import java.util.HashMap;
+import java.util.Map;
+
+import io.quarkus.test.common.QuarkusTestResourceLifecycleManager;
+
+/**
+ * The only point of this class is to propagate the properties when running the native tests
+ */
+public class RestClientTestResource implements QuarkusTestResourceLifecycleManager {
+
+    @Override
+    public Map<String, String> start() {
+        Map<String, String> result = new HashMap<>();
+        result.put("rest-client.trustStore", System.getProperty("rest-client.trustStore"));
+        result.put("rest-client.trustStorePassword", System.getProperty("rest-client.trustStorePassword"));
+        return result;
+    }
+
+    @Override
+    public void stop() {
+
+    }
+}

integration-tests/rest-client/src/test/java/io/quarkus/it/rest/client/wronghost/ExternalWrongHostIT.java

@@ -0,0 +1,7 @@
+package io.quarkus.it.rest.client.wronghost;
+
+import io.quarkus.test.junit.NativeImageTest;
+
+@NativeImageTest
+public class ExternalWrongHostIT extends ExternalWrongHostTestCase {
+}

integration-tests/rest-client/src/test/java/io/quarkus/it/rest/client/wronghost/ExternalWrongHostTestCase.java

@@ -0,0 +1,26 @@
+package io.quarkus.it.rest.client.wronghost;
+
+import static org.hamcrest.Matchers.empty;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.not;
+
+import org.junit.jupiter.api.Test;
+
+import io.quarkus.it.rest.client.RestClientTestResource;
+import io.quarkus.test.common.QuarkusTestResource;
+import io.quarkus.test.junit.QuarkusTest;
+import io.restassured.RestAssured;
+
+@QuarkusTest
+@QuarkusTestResource(RestClientTestResource.class)
+public class ExternalWrongHostTestCase {
+
+    @Test
+    public void restClient() {
+        RestAssured.when()
+                .get("/wrong-host/rest-client")
+                .then()
+                .statusCode(200)
+                .body(is(not(empty())));
+    }
+}