LDEV-5571 Custom truststore for SSL certs

Author: zspitzer

core/src/main/java/lucee/commons/net/http/HTTPDownloader.java

@@ -191,7 +191,7 @@ public static InputStream get( URL url, String username, String password, long c
 
 		try {
 			// Get configured HttpClientBuilder (with connection pooling, true = use pooling)
-			HttpClientBuilder builder = HTTPEngine4Impl.getHttpClientBuilder( true, null, null, "true" );
+			HttpClientBuilder builder = HTTPEngine4Impl.getHttpClientBuilder( true, null, null, null, null, true, "true" );
 
 			// Create HTTP GET request
 			HttpGet request = new HttpGet( url.toString() );
@@ -240,7 +240,7 @@ public static HTTPResponse head( URL url, long connectTimeout, long readTimeout,
 
 		try {
 			// Get configured HttpClientBuilder (with connection pooling, true = use pooling)
-			HttpClientBuilder builder = HTTPEngine4Impl.getHttpClientBuilder( true, null, null, "true" );
+			HttpClientBuilder builder = HTTPEngine4Impl.getHttpClientBuilder( true, null, null, null, null, true, "true" );
 
 			// Create HTTP HEAD request
 			HttpHead request = new HttpHead( url.toString() );
@@ -283,7 +283,7 @@ public static boolean exists( URL url ) {
 	public static boolean exists( URL url, long connectTimeout, long readTimeout ) {
 		try {
 			// Get configured HttpClientBuilder (with connection pooling, true = use pooling)
-			HttpClientBuilder builder = HTTPEngine4Impl.getHttpClientBuilder( true, null, null, "true" );
+			HttpClientBuilder builder = HTTPEngine4Impl.getHttpClientBuilder( true, null, null, null, null, true, "true" );
 
 			// Create HTTP HEAD request
 			HttpHead request = new HttpHead( url.toString() );

core/src/main/java/lucee/commons/net/http/httpclient/HTTPEngine4Impl.java

@@ -18,19 +18,13 @@
  **/
 package lucee.commons.net.http.httpclient;
 
-import java.io.File;
-import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.lang.reflect.Field;
 import java.net.URL;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.security.GeneralSecurityException;
-import java.security.KeyManagementException;
-import java.security.KeyStore;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
-import java.security.cert.CertificateException;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.Iterator;
@@ -41,7 +35,7 @@
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
 
-import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.SSLContext;
 
 import org.apache.http.Header;
@@ -73,6 +67,7 @@
 import org.apache.http.conn.HttpClientConnectionManager;
 import org.apache.http.conn.socket.ConnectionSocketFactory;
 import org.apache.http.conn.socket.PlainConnectionSocketFactory;
+import org.apache.http.conn.ssl.NoopHostnameVerifier;
 import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
 import org.apache.http.entity.ByteArrayEntity;
 import org.apache.http.entity.ContentType;
@@ -109,6 +104,7 @@
 import lucee.runtime.PageContextImpl;
 import lucee.runtime.engine.ThreadLocalPageContext;
 import lucee.runtime.net.http.ReqRspUtil;
+import lucee.runtime.net.http.SSLUtil;
 import lucee.runtime.net.http.sni.DefaultHostnameVerifierImpl;
 import lucee.runtime.net.http.sni.DefaultHttpClientConnectionOperatorImpl;
 import lucee.runtime.net.http.sni.SSLConnectionSocketFactoryImpl;
@@ -271,9 +267,9 @@ private static Header toHeader(lucee.commons.net.http.Header header) {
 		return new HeaderImpl(header.getName(), header.getValue());
 	}
 
-	public static HttpClientBuilder getHttpClientBuilder(boolean pooling, String clientCert, String clientCertPassword, String redirect) throws GeneralSecurityException, IOException {
-		String key = clientCert + ":" + clientCertPassword;
-		Registry<ConnectionSocketFactory> reg = StringUtil.isEmpty(clientCert, true) ? createRegistry() : createRegistry(clientCert, clientCertPassword);
+	public static HttpClientBuilder getHttpClientBuilder(boolean pooling, String clientCert, String clientCertPassword, String trustStore, String trustStorePassword, boolean sslVerify, String redirect) throws GeneralSecurityException {
+		String key = clientCert + ":" + clientCertPassword + ":" + trustStore + ":" + trustStorePassword + ":" + sslVerify;
+		Registry<ConnectionSocketFactory> reg = createRegistry( clientCert, clientCertPassword, trustStore, trustStorePassword, sslVerify );
 
 		if (!pooling) {
 			HttpClientBuilder builder = HttpClients.custom();
@@ -328,31 +324,43 @@ public static void setTimeout(HttpClientBuilder builder, TimeSpan timeout) {
 		builder.setDefaultRequestConfig(rcBuilder.build());
 	}
 
-	private static Registry<ConnectionSocketFactory> createRegistry() throws GeneralSecurityException {
-		SSLContext sslcontext = SSLContext.getInstance("TLS");
-		sslcontext.init(null, null, new java.security.SecureRandom());
-		SSLConnectionSocketFactory defaultsslsf = new SSLConnectionSocketFactoryImpl(sslcontext, new DefaultHostnameVerifierImpl());
-		/* Register connection handlers */
-		return RegistryBuilder.<ConnectionSocketFactory>create().register("http", PlainConnectionSocketFactory.getSocketFactory()).register("https", defaultsslsf).build();
+	private static Registry<ConnectionSocketFactory> createRegistry( String clientCert, String clientCertPassword, String trustStore, String trustStorePassword, boolean sslVerify ) throws GeneralSecurityException {
+		SSLContext sslContext;
+		HostnameVerifier hostnameVerifier;
 
-	}
+		try {
+			Path clientCertPath = StringUtil.isEmpty( clientCert, true ) ? null : Paths.get( clientCert );
+			char[] clientPassword = clientCertPassword != null ? clientCertPassword.toCharArray() : null;
+
+			if ( !sslVerify ) {
+				// Disable all SSL verification (like curl -k)
+				sslContext = SSLUtil.createUnsafeSSLContext( clientCertPath, clientPassword );
+				hostnameVerifier = NoopHostnameVerifier.INSTANCE;
+			}
+			else if ( !StringUtil.isEmpty( trustStore, true ) ) {
+				// Use custom trust store
+				Path trustStorePath = Paths.get( trustStore );
+				char[] trustPassword = trustStorePassword != null ? trustStorePassword.toCharArray() : "changeit".toCharArray();
+				List<SSLUtil.TrustStoreConfig> additionalTrustStores = new ArrayList<>();
+				additionalTrustStores.add( new SSLUtil.TrustStoreConfig( trustStorePath, trustPassword ) );
+				sslContext = SSLUtil.createSSLContext( clientCertPath, clientPassword, additionalTrustStores );
+				hostnameVerifier = new DefaultHostnameVerifierImpl();
+			}
+			else {
+				// Standard mode with JVM + custom-cacerts
+				sslContext = SSLUtil.createSSLContext( clientCertPath, clientPassword );
+				hostnameVerifier = new DefaultHostnameVerifierImpl();
+			}
+		}
+		catch ( IOException e ) {
+			throw new GeneralSecurityException( "Failed to create SSL context", e );
+		}
 
-	private static Registry<ConnectionSocketFactory> createRegistry(String clientCert, String clientCertPassword)
-			throws IOException, KeyStoreException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException, KeyManagementException {
-		// Currently, clientCert force usePool to being ignored
-		if (clientCertPassword == null) clientCertPassword = "";
-		// Load the client cert
-		File ksFile = new File(clientCert);
-		KeyStore clientStore = KeyStore.getInstance("PKCS12");
-		clientStore.load(new FileInputStream(ksFile), clientCertPassword.toCharArray());
-		// Prepare the keys
-		KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-		kmf.init(clientStore, clientCertPassword.toCharArray());
-		SSLContext sslcontext = SSLContext.getInstance("TLS");
-		// Configure the socket factory
-		sslcontext.init(kmf.getKeyManagers(), null, new java.security.SecureRandom());
-		SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactoryImpl(sslcontext, new DefaultHostnameVerifierImpl());
-		return RegistryBuilder.<ConnectionSocketFactory>create().register("http", PlainConnectionSocketFactory.getSocketFactory()).register("https", sslsf).build();
+		SSLConnectionSocketFactory sslsf = new SSLConnectionSocketFactoryImpl( sslContext, hostnameVerifier );
+		return RegistryBuilder.<ConnectionSocketFactory>create()
+			.register( "http", PlainConnectionSocketFactory.getSocketFactory() )
+			.register( "https", sslsf )
+			.build();
 	}
 
 	public static void releaseConnectionManager() {
@@ -392,7 +400,7 @@ private static HTTPResponse invoke(URL url, HttpUriRequest request, String usern
 		CloseableHttpClient client;
 		proxy = ProxyDataImpl.validate(proxy, url.getHost());
 
-		HttpClientBuilder builder = getHttpClientBuilder(pooling, null, null, String.valueOf(redirect));
+		HttpClientBuilder builder = getHttpClientBuilder(pooling, null, null, null, null, true, String.valueOf(redirect));
 
 		HttpHost hh = new HttpHost(url.getHost(), url.getPort());
 		setHeader(request, headers);

core/src/main/java/lucee/runtime/config/ConfigFactoryImpl.java

@@ -27,6 +27,7 @@
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.nio.charset.Charset;
+import java.nio.file.Paths;
 import java.security.NoSuchAlgorithmException;
 import java.sql.SQLException;
 import java.util.ArrayList;
@@ -158,6 +159,7 @@
 import lucee.runtime.monitor.RequestMonitorProImpl;
 import lucee.runtime.monitor.RequestMonitorWrap;
 import lucee.runtime.net.http.ReqRspUtil;
+import lucee.runtime.net.http.SSLUtil;
 import lucee.runtime.net.mail.Server;
 import lucee.runtime.net.mail.ServerImpl;
 import lucee.runtime.net.proxy.ProxyData;
@@ -328,6 +330,7 @@ public static ConfigServerImpl newInstanceServer(CFMLEngineImpl engine, Map<Stri
 			config.setRoot(root);
 			// admin mode
 			load(config, root, false, doNew, essentialOnly);
+			SSLUtil.init( Paths.get( config.getConfigDir().getAbsolutePath(), "security" ) );
 
 			if (!essentialOnly) {
 				createContextFiles(configDir, config, doNew);

core/src/main/java/lucee/runtime/functions/other/SSLCertificateInstall.java

@@ -18,47 +18,46 @@
  **/
 package lucee.runtime.functions.other;
 
-import lucee.commons.io.SystemUtil;
+import lucee.commons.io.res.Resource;
+import lucee.commons.net.http.httpclient.HTTPEngine4Impl;
 import lucee.runtime.PageContext;
-import lucee.runtime.exp.ApplicationException;
 import lucee.runtime.exp.PageException;
 import lucee.runtime.ext.function.Function;
-import lucee.commons.io.res.Resource;
 import lucee.runtime.net.http.CertificateInstaller;
 import lucee.runtime.op.Caster;
 
 public final class SSLCertificateInstall implements Function {
 
 	private static final long serialVersionUID = -831759073098524176L;
 
-	public static String call(PageContext pc, String host) throws PageException {
-		return call(pc, host, 443);
+	public static String call( PageContext pc, String host ) throws PageException {
+		return call( pc, host, 443 );
 	}
 
-	public static String call(PageContext pc, String host, Number port) throws PageException {
-		return call(pc, host, port, null, null);
+	public static String call( PageContext pc, String host, Number port ) throws PageException {
+		return call( pc, host, port, null, null );
 	}
 
-	public static String call(PageContext pc, String host, Number port, Object cacerts) throws PageException {
-		return call(pc, host, port, cacerts, null);
+	public static String call( PageContext pc, String host, Number port, Object cacerts ) throws PageException {
+		return call( pc, host, port, cacerts, null );
 	}
 
-	public static String call(PageContext pc, String host, Number port, Object cacerts, String password) throws PageException {
-		CertificateInstaller installer;
-		Resource _cacerts;
+	public static String call( PageContext pc, String host, Number port, Object cacerts, String password ) throws PageException {
 		try {
-			if (cacerts == null) {
-				if (!SystemUtil.getSystemPropOrEnvVar("lucee.use.lucee.SSL.TrustStore", "").equalsIgnoreCase("true"))
-					throw new ApplicationException("Using JVM cacerts, set lucee.use.lucee.SSL.TrustStore=true to enable"); // LDEV-917
-				_cacerts = pc.getConfig().getSecurityDirectory();
-			} else {
-				_cacerts = Caster.toResource(pc, cacerts, true);
+			if ( cacerts == null ) {
+				CertificateInstaller.installToCustomCaCerts( host, Caster.toIntValue( port ) );
 			}
-			if (password == null) installer = new CertificateInstaller(_cacerts, host, Caster.toIntValue(port)); // use default password changeit
-			else installer = new CertificateInstaller(_cacerts, host, Caster.toIntValue(port), password.toCharArray());
-			installer.installAll(true);
-		} catch (Exception e){
-			throw Caster.toPageException(e);
+			else {
+				Resource keystore = Caster.toResource( pc, cacerts, true );
+				CertificateInstaller installer = password == null
+					? new CertificateInstaller( keystore, host, Caster.toIntValue( port ) )
+					: new CertificateInstaller( keystore, host, Caster.toIntValue( port ), password.toCharArray() );
+				installer.installAll( true );
+			}
+			HTTPEngine4Impl.releaseConnectionManager();
+		}
+		catch ( Exception e ) {
+			throw Caster.toPageException( e );
 		}
 		return "";
 	}

core/src/main/java/lucee/runtime/functions/other/SSLCertificateRemove.java

@@ -0,0 +1,57 @@
+package lucee.runtime.functions.other;
+
+import java.io.OutputStream;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.security.KeyStore;
+
+import lucee.commons.net.http.httpclient.HTTPEngine4Impl;
+import lucee.runtime.PageContext;
+import lucee.runtime.exp.ApplicationException;
+import lucee.runtime.exp.PageException;
+import lucee.runtime.ext.function.Function;
+import lucee.runtime.net.http.SSLUtil;
+import lucee.runtime.op.Caster;
+
+public final class SSLCertificateRemove implements Function {
+
+	private static final long serialVersionUID = 1L;
+	private static final char[] DEFAULT_PASSWORD = "changeit".toCharArray();
+
+	public static boolean call( PageContext pc, String alias ) throws PageException {
+		if ( !SSLUtil.isCustomCaCertsEnabled() ) {
+			throw new ApplicationException( "custom-cacerts is disabled. Set lucee.ssl.customcacerts.enabled=true to enable." );
+		}
+
+		Path customCaCertsPath = SSLUtil.getCustomCaCertsPath();
+		if ( customCaCertsPath == null || !Files.exists( customCaCertsPath ) ) {
+			throw new ApplicationException( "custom-cacerts keystore does not exist." );
+		}
+
+		try {
+			KeyStore ks = SSLUtil.loadKeyStore( customCaCertsPath, DEFAULT_PASSWORD );
+
+			if ( !ks.containsAlias( alias ) ) {
+				throw new ApplicationException( "Certificate with alias [" + alias + "] not found in custom-cacerts." );
+			}
+
+			ks.deleteEntry( alias );
+
+			try ( OutputStream os = Files.newOutputStream( customCaCertsPath ) ) {
+				ks.store( os, DEFAULT_PASSWORD );
+			}
+
+			// Invalidate connection managers so new connections use updated trust material
+			HTTPEngine4Impl.releaseConnectionManager();
+
+			return true;
+		}
+		catch ( ApplicationException ae ) {
+			throw ae;
+		}
+		catch ( Exception e ) {
+			throw Caster.toPageException( e );
+		}
+	}
+
+}