fix: use BC trust managers when resolving SSL context

diegomarquezp · diegomarquezp · commit 977b9b4ed96d · 2026-05-26T00:21:22.000-04:00
diff --git a/google-http-client/src/main/java/com/google/api/client/util/SslUtils.java b/google-http-client/src/main/java/com/google/api/client/util/SslUtils.java
@@ -17,6 +17,7 @@
 import com.google.errorprone.annotations.CanIgnoreReturnValue;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.NoSuchProviderException;
 import java.security.Provider;
@@ -164,8 +165,8 @@ public static KeyManagerFactory getPkixKeyManagerFactory() throws NoSuchAlgorith
   public static SSLContext initSslContext(
       SSLContext sslContext, KeyStore trustStore, TrustManagerFactory trustManagerFactory)
       throws GeneralSecurityException {
-    trustManagerFactory.init(trustStore);
-    sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
+    sslContext.init(
+        null, getCompatibleTrustManagers(sslContext, trustStore, trustManagerFactory), null);
     return sslContext;
   }
 
@@ -195,13 +196,38 @@ public static SSLContext initSslContext(
       String mtlsKeyStorePassword,
       KeyManagerFactory keyManagerFactory)
       throws GeneralSecurityException {
-    trustManagerFactory.init(trustStore);
     keyManagerFactory.init(mtlsKeyStore, mtlsKeyStorePassword.toCharArray());
     sslContext.init(
-        keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
+        keyManagerFactory.getKeyManagers(),
+        getCompatibleTrustManagers(sslContext, trustStore, trustManagerFactory),
+        null);
     return sslContext;
   }
 
+  /**
+   * Resolves trust managers compatible with the active security provider. If the SSLContext is
+   * managed by the Bouncy Castle JJSSE provider, it retrieves Bouncy Castle's native trust managers
+   * instead of standard JDK trust managers. This prevents JCA trust manager wrapping mismatches and
+   * unresolved peer host certificate exceptions on strict JVMs (e.g., Java 8/21).
+   */
+  private static TrustManager[] getCompatibleTrustManagers(
+      SSLContext sslContext, KeyStore trustStore, TrustManagerFactory trustManagerFactory)
+      throws GeneralSecurityException {
+    if (sslContext.getProvider() instanceof BouncyCastleJsseProvider) {
+      try {
+        TrustManagerFactory bcTmf =
+            TrustManagerFactory.getInstance(
+                trustManagerFactory.getAlgorithm(), sslContext.getProvider());
+        bcTmf.init(trustStore);
+        return bcTmf.getTrustManagers();
+      } catch (KeyStoreException | NoSuchAlgorithmException e) {
+        // Fallback to default trust managers
+      }
+    }
+    trustManagerFactory.init(trustStore);
+    return trustManagerFactory.getTrustManagers();
+  }
+
   /**
    * {@link Beta} <br>
    * Returns an SSL context in which all X.509 certificates are trusted.
