Add ability to configure a trust store for self-signed Zulip server certificates

jamesnetherton · web-flow · commit e0a21ccbd2ac · 2026-03-19T12:56:34.000Z
Fixes #445
diff --git a/src/main/java/com/github/jamesnetherton/zulip/client/http/ZulipConfiguration.java b/src/main/java/com/github/jamesnetherton/zulip/client/http/ZulipConfiguration.java
@@ -16,6 +16,7 @@
 public class ZulipConfiguration {
 
     private String apiKey;
+    private String certBundle;
     private String email;
     private boolean insecure;
     private URL proxyUrl;
@@ -65,6 +66,19 @@ public void setApiKey(String apiKey) {
         this.apiKey = apiKey;
     }
 
+    /**
+     * The path to a PEM-format CA certificate bundle for connecting to a Zulip server that uses a self-signed certificate.
+     *
+     * @param certBundle The path to the PEM-format CA certificate bundle
+     */
+    public void setCertBundle(String certBundle) {
+        this.certBundle = certBundle;
+    }
+
+    public String getCertBundle() {
+        return certBundle;
+    }
+
     /**
      * Sets the email address to use for authenticating with the Zulip server
      *
@@ -201,6 +215,7 @@ public static ZulipConfiguration fromZuliprc(File zulipRcFile) {
         String email = (String) zulipProperties.get("email");
         String site = (String) zulipProperties.get("site");
         String insecureProperty = (String) zulipProperties.get("insecure");
+        String certBundleProperty = (String) zulipProperties.get("cert_bundle");
 
         if (email == null) {
             throw new IllegalArgumentException("email property is not present in zuliprc");
@@ -225,6 +240,9 @@ public static ZulipConfiguration fromZuliprc(File zulipRcFile) {
             configuration.setApiKey(key);
             configuration.setZulipUrl(ZulipUrlUtils.getZulipApiUrl(site));
             configuration.setInsecure(insecure);
+            if (certBundleProperty != null) {
+                configuration.setCertBundle(certBundleProperty);
+            }
             return configuration;
         } catch (MalformedURLException e) {
             throw new IllegalArgumentException("Site must be a valid URL");
diff --git a/src/main/java/com/github/jamesnetherton/zulip/client/http/commons/ZulipCommonsHttpClient.java b/src/main/java/com/github/jamesnetherton/zulip/client/http/commons/ZulipCommonsHttpClient.java
@@ -8,16 +8,23 @@
 import com.github.jamesnetherton.zulip.client.util.JsonUtils;
 import com.github.jamesnetherton.zulip.client.util.ZulipUrlUtils;
 import java.io.File;
+import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.URI;
 import java.net.URISyntaxException;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.security.KeyManagementException;
+import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
@@ -144,6 +151,33 @@ public void configure() throws ZulipClientException {
             } catch (NoSuchAlgorithmException | KeyStoreException | KeyManagementException e) {
                 throw new ZulipClientException(e);
             }
+        } else {
+            String certBundle = configuration.getCertBundle();
+            if (certBundle != null && !certBundle.isEmpty()) {
+                try (InputStream is = new FileInputStream(certBundle)) {
+                    CertificateFactory cf = CertificateFactory.getInstance("X.509");
+                    Collection<? extends Certificate> certs = cf.generateCertificates(is);
+                    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+                    ks.load(null, null);
+                    int i = 0;
+                    for (Certificate cert : certs) {
+                        ks.setCertificateEntry("cert" + i++, cert);
+                    }
+                    SSLContext sslContext = new SSLContextBuilder()
+                            .loadTrustMaterial(ks, null)
+                            .build();
+                    SSLConnectionSocketFactory sslConnectionSocketFactory = new SSLConnectionSocketFactory(sslContext,
+                            NoopHostnameVerifier.INSTANCE);
+                    HttpClientConnectionManager connectionManager = PoolingHttpClientConnectionManagerBuilder
+                            .create()
+                            .setSSLSocketFactory(sslConnectionSocketFactory)
+                            .build();
+                    builder.setConnectionManager(connectionManager);
+                } catch (CertificateException | IOException | NoSuchAlgorithmException | KeyStoreException
+                        | KeyManagementException e) {
+                    throw new ZulipClientException(e);
+                }
+            }
         }
 
         this.client = builder.useSystemProperties().build();
diff --git a/src/test/java/com/github/jamesnetherton/zulip/client/http/ZulipConfigurationTest.java b/src/test/java/com/github/jamesnetherton/zulip/client/http/ZulipConfigurationTest.java
@@ -2,6 +2,7 @@
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertInstanceOf;
+import static org.junit.jupiter.api.Assertions.assertNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
@@ -81,6 +82,20 @@ public void invalidFile() {
         assertThrows(IllegalArgumentException.class, () -> ZulipConfiguration.fromZuliprc(zuliprc));
     }
 
+    @Test
+    public void certBundle() throws IOException {
+        File zuliprc = createZuliprc(EMAIL, KEY, SITE, "/path/to/cert.pem");
+        ZulipConfiguration configuration = ZulipConfiguration.fromZuliprc(zuliprc);
+        assertEquals("/path/to/cert.pem", configuration.getCertBundle());
+    }
+
+    @Test
+    public void certBundleNotSet() throws IOException {
+        File zuliprc = createZuliprc(EMAIL, KEY, SITE);
+        ZulipConfiguration configuration = ZulipConfiguration.fromZuliprc(zuliprc);
+        assertNull(configuration.getCertBundle());
+    }
+
     @Test
     public void invalidHttpClientFactory() throws MalformedURLException {
         ZulipConfiguration configuration = new ZulipConfiguration(ZulipUrlUtils.getZulipApiUrl(SITE), KEY, EMAIL);
@@ -101,6 +116,10 @@ public void nullUserHome() {
     }
 
     private File createZuliprc(String email, String key, String site) throws IOException {
+        return createZuliprc(email, key, site, null);
+    }
+
+    private File createZuliprc(String email, String key, String site, String certBundle) throws IOException {
         Properties properties = new Properties();
 
         if (email != null) {
@@ -115,6 +134,10 @@ private File createZuliprc(String email, String key, String site) throws IOExcep
             properties.setProperty("site", site);
         }
 
+        if (certBundle != null) {
+            properties.setProperty("cert_bundle", certBundle);
+        }
+
         properties.setProperty("insecure", "true");
 
         Path path = Paths.get(System.getProperty("java.io.tmpdir"), "zuliprc");
diff --git a/src/test/java/com/github/jamesnetherton/zulip/client/http/commons/ZulipCommonsHttpClientTest.java b/src/test/java/com/github/jamesnetherton/zulip/client/http/commons/ZulipCommonsHttpClientTest.java
@@ -4,6 +4,7 @@
 import static com.github.tomakehurst.wiremock.client.WireMock.aResponse;
 import static com.github.tomakehurst.wiremock.client.WireMock.request;
 import static com.github.tomakehurst.wiremock.client.WireMock.urlPathEqualTo;
+import static com.github.tomakehurst.wiremock.core.WireMockConfiguration.options;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertThrows;
@@ -15,20 +16,31 @@
 import com.github.jamesnetherton.zulip.client.exception.ZulipClientException;
 import com.github.jamesnetherton.zulip.client.exception.ZulipRateLimitExceededException;
 import com.github.jamesnetherton.zulip.client.http.ZulipConfiguration;
+import com.github.tomakehurst.wiremock.WireMockServer;
 import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileWriter;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.net.ServerSocket;
 import java.net.Socket;
 import java.net.URL;
 import java.nio.charset.StandardCharsets;
+import java.security.SecureRandom;
+import java.security.cert.Certificate;
+import java.security.cert.X509Certificate;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.List;
 import java.util.concurrent.CountDownLatch;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.X509TrustManager;
 import org.junit.jupiter.api.Test;
 
 public class ZulipCommonsHttpClientTest extends ZulipApiTestBase {
@@ -135,6 +147,86 @@ public void ignoredParameters() throws Exception {
         }
     }
 
+    @Test
+    public void certBundle() throws Exception {
+        WireMockServer httpsServer = new WireMockServer(options().dynamicHttpsPort());
+        httpsServer.start();
+
+        try {
+            X509Certificate cert = getServerCertificate("localhost", httpsServer.httpsPort());
+            File certFile = writeCertToPem(cert);
+
+            httpsServer.stubFor(request("GET", urlPathEqualTo("/api/v1/messages"))
+                    .willReturn(aResponse()
+                            .withStatus(200)
+                            .withBody("{\"result\":\"success\",\"msg\":\"\"}")));
+
+            ZulipConfiguration configuration = new ZulipConfiguration(
+                    new URL("https://localhost:" + httpsServer.httpsPort()), "test@test.com", "abc123");
+            configuration.setCertBundle(certFile.getAbsolutePath());
+
+            ZulipCommonsHttpClient client = new ZulipCommonsHttpClient(configuration);
+            ZulipApiResponse response = client.get("messages", Collections.emptyMap(), ZulipApiResponse.class);
+            assertNotNull(response);
+        } finally {
+            httpsServer.stop();
+        }
+    }
+
+    @Test
+    public void certBundleWithUntrustedServer() throws Exception {
+        WireMockServer httpsServer = new WireMockServer(options().dynamicHttpsPort());
+        httpsServer.start();
+
+        try {
+            File emptyCertFile = File.createTempFile("empty-cert", ".pem");
+            emptyCertFile.deleteOnExit();
+
+            ZulipConfiguration configuration = new ZulipConfiguration(
+                    new URL("https://localhost:" + httpsServer.httpsPort()), "test@test.com", "abc123");
+            configuration.setCertBundle(emptyCertFile.getAbsolutePath());
+
+            ZulipCommonsHttpClient client = new ZulipCommonsHttpClient(configuration);
+            assertThrows(ZulipClientException.class, () -> {
+                client.get("messages", Collections.emptyMap(), ZulipApiResponse.class);
+            });
+        } finally {
+            httpsServer.stop();
+        }
+    }
+
+    private X509Certificate getServerCertificate(String host, int port) throws Exception {
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(null, new TrustManager[] { new X509TrustManager() {
+            public X509Certificate[] getAcceptedIssuers() {
+                return new X509Certificate[0];
+            }
+
+            public void checkClientTrusted(X509Certificate[] certs, String authType) {
+            }
+
+            public void checkServerTrusted(X509Certificate[] certs, String authType) {
+            }
+        } }, new SecureRandom());
+
+        try (SSLSocket socket = (SSLSocket) sslContext.getSocketFactory().createSocket(host, port)) {
+            socket.startHandshake();
+            Certificate[] certs = socket.getSession().getPeerCertificates();
+            return (X509Certificate) certs[0];
+        }
+    }
+
+    private File writeCertToPem(X509Certificate cert) throws Exception {
+        File certFile = File.createTempFile("test-cert", ".pem");
+        certFile.deleteOnExit();
+        try (FileWriter fw = new FileWriter(certFile)) {
+            fw.write("-----BEGIN CERTIFICATE-----\n");
+            fw.write(Base64.getMimeEncoder(64, new byte[] { '\n' }).encodeToString(cert.getEncoded()));
+            fw.write("\n-----END CERTIFICATE-----\n");
+        }
+        return certFile;
+    }
+
     private class FakeServer {
         private final ServerSocket serverSocket;
         private final ExecutorService executor;
