create a builder using a trustmanager

Author: mkleene

cmdline/src/main/java/io/opentdf/platform/Command.java

@@ -10,6 +10,7 @@
 import com.google.gson.GsonBuilder;
 import com.google.gson.reflect.TypeToken;
 
+import java.security.cert.X509Certificate;
 import java.text.ParseException;
 import com.google.gson.JsonSyntaxException;
 import io.opentdf.platform.sdk.AssertionConfig;
@@ -18,11 +19,11 @@
 import io.opentdf.platform.sdk.KeyType;
 import io.opentdf.platform.sdk.SDK;
 import io.opentdf.platform.sdk.SDKBuilder;
-import io.opentdf.platform.sdk.TrustProvider;
 import picocli.CommandLine;
 import picocli.CommandLine.HelpCommand;
 import picocli.CommandLine.Option;
 
+import javax.net.ssl.X509TrustManager;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
@@ -263,7 +264,12 @@ private SDK buildSDK() {
         SDKBuilder builder = new SDKBuilder();
         if (insecure) {
             // Trust all certificates
-            builder.sslFactory(TrustProvider.insecure().getSslSocketFactory());
+            X509TrustManager insecureTrustManager = new X509TrustManager() {
+                @Override public void checkClientTrusted(X509Certificate[] chain, String authType) {}
+                @Override public void checkServerTrusted(X509Certificate[] chain, String authType) {}
+                @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
+            };
+            builder.sslFactoryFromTrustManager(insecureTrustManager);
         }
 
         return builder.platformEndpoint(platformEndpoint)

sdk/src/main/java/io/opentdf/platform/sdk/SDKBuilder.java

@@ -7,7 +7,6 @@
 import com.connectrpc.impl.ProtocolClient;
 import com.connectrpc.okhttp.ConnectOkHttpClient;
 import com.connectrpc.protocols.GETConfiguration;
-import com.connectrpc.protocols.NetworkProtocol;
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.jwk.KeyUse;
 import com.nimbusds.jose.jwk.RSAKey;
@@ -45,6 +44,7 @@
 import javax.net.ssl.X509TrustManager;
 import java.io.IOException;
 import java.nio.file.Path;
+import java.security.GeneralSecurityException;
 import java.util.Collections;
 import java.util.List;
 import java.util.UUID;
@@ -77,15 +77,18 @@ public static SDKBuilder newBuilder() {
     }
 
     /**
-     * Configure the SDK to use the supplied {@link SSLSocketFactory} for outbound TLS connections.
-     * Callers using this overload bring their own pre-built socket factory; cert-chain trust
-     * material is whatever the supplied factory was built with. For full PKIX validation under a
-     * matching {@link X509TrustManager}, use {@link #sslFactoryFromDirectory(String)} or
-     * {@link #sslFactoryFromKeyStore(String, String)} which build both via {@link TrustProvider}.
+     * The SDK will trust the certs that this TrustManager trusts
+     * @param trustManager
      */
-    public SDKBuilder sslFactory(SSLSocketFactory sslSocketFactory) {
-        this.sslSocketFactory = sslSocketFactory;
-        this.trustManager = null;
+    public SDKBuilder sslFactoryFromTrustManager(X509TrustManager trustManager) {
+        TrustProvider trustProvider;
+        try {
+            trustProvider = TrustProvider.fromTrustManager(trustManager);
+        } catch (IOException | GeneralSecurityException e) {
+            throw new SDKException("error creating trust provider", e);
+        }
+        this.trustManager = trustManager;
+        this.sslSocketFactory = trustProvider.getSslSocketFactory();
         return this;
     }
 

sdk/src/main/java/io/opentdf/platform/sdk/TrustProvider.java

@@ -6,6 +6,7 @@
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509ExtendedTrustManager;
+import javax.net.ssl.X509TrustManager;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
@@ -36,19 +37,19 @@
  * work is fulfilled by whichever {@link java.security.Provider} is registered with the JVM,
  * including FIPS-mode providers.
  */
-public final class TrustProvider {
+final class TrustProvider {
 
     private final SSLSocketFactory sslSocketFactory;
-    private final X509ExtendedTrustManager trustManager;
+    private final X509TrustManager trustManager;
     private final SSLContext sslContext;
 
-    private TrustProvider(SSLContext sslContext, X509ExtendedTrustManager trustManager) {
+    private TrustProvider(SSLContext sslContext, X509TrustManager trustManager) {
         this.sslContext = sslContext;
         this.trustManager = trustManager;
         this.sslSocketFactory = sslContext.getSocketFactory();
     }
 
-    public X509ExtendedTrustManager getTrustManager() {
+    public X509TrustManager getTrustManager() {
         return trustManager;
     }
 
@@ -91,6 +92,12 @@ public static TrustProvider fromDirectory(String certsDirPath) throws IOExceptio
         return builder.build();
     }
 
+    public static TrustProvider fromTrustManager(X509TrustManager trustManager) throws IOException, GeneralSecurityException {
+        SSLContext sslContext = SSLContext.getInstance("TLS");
+        sslContext.init(new KeyManager[0], new TrustManager[]{trustManager}, new SecureRandom());
+        return new TrustProvider(sslContext, trustManager);
+    }
+
     /**
      * Builds a {@link TrustProvider} that trusts JVM default cacerts plus the trusted-certificate
      * entries in the supplied keystore.
@@ -106,21 +113,6 @@ public static TrustProvider fromKeyStore(Path keystorePath, char[] password) thr
         return builder().withDefaultTrustMaterial().withTrustMaterial(ks).build();
     }
 
-    /**
-     * Builds a {@link TrustProvider} that accepts every server certificate. Intended only for
-     * tests and {@code --insecure} CLI flows.
-     */
-    public static TrustProvider insecure() {
-        try {
-            SSLContext ctx = SSLContext.getInstance("TLS");
-            X509ExtendedTrustManager trustAll = new InsecureTrustManager();
-            ctx.init(new KeyManager[0], new TrustManager[]{trustAll}, new SecureRandom());
-            return new TrustProvider(ctx, trustAll);
-        } catch (GeneralSecurityException e) {
-            throw new IllegalStateException("failed to build insecure TrustProvider", e);
-        }
-    }
-
     private static KeyStore loadKeyStore(InputStream in, char[] password)
             throws IOException, GeneralSecurityException {
         // Try JKS first since it remains the JVM default; fall back to PKCS12 which is portable
@@ -179,13 +171,6 @@ public Builder withTrustMaterial(X509Certificate... certs) {
             return this;
         }
 
-        public Builder withTrustMaterial(Collection<X509Certificate> certs) {
-            if (certs != null) {
-                this.certificates.addAll(certs);
-            }
-            return this;
-        }
-
         public Builder withTrustMaterial(KeyStore keyStore) {
             if (keyStore != null) {
                 this.keyStores.add(keyStore);
@@ -250,16 +235,4 @@ private static KeyStore newEmptyKeyStore() throws GeneralSecurityException, IOEx
             return ks;
         }
     }
-
-    private static final class InsecureTrustManager extends X509ExtendedTrustManager {
-        private static final X509Certificate[] EMPTY = new X509Certificate[0];
-
-        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
-        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, java.net.Socket socket) { }
-        @Override public void checkClientTrusted(X509Certificate[] chain, String authType, javax.net.ssl.SSLEngine engine) { }
-        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
-        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, java.net.Socket socket) { }
-        @Override public void checkServerTrusted(X509Certificate[] chain, String authType, javax.net.ssl.SSLEngine engine) { }
-        @Override public X509Certificate[] getAcceptedIssuers() { return EMPTY; }
-    }
 }

sdk/src/test/java/io/opentdf/platform/sdk/SDKBuilderTest.java

@@ -41,6 +41,8 @@
 import java.security.KeyStore;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
 import java.util.Arrays;
 import java.util.Base64;
 import java.util.Collections;
@@ -100,6 +102,38 @@ void testKeystoreSSLContext() throws Exception {
 
     }
 
+    @Test
+    void testTrustManagerSetsSslFactory() throws Exception {
+        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
+        keystore.load(null, null);
+        X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
+                .generateCertificate(new ByteArrayInputStream(EXAMPLE_COM_PEM.getBytes(StandardCharsets.UTF_8)));
+        keystore.setCertificateEntry("example.com", cert);
+
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmf.init(keystore);
+        X509TrustManager suppliedTrustManager = null;
+        for (TrustManager tm : tmf.getTrustManagers()) {
+            if (tm instanceof X509TrustManager) {
+                suppliedTrustManager = (X509TrustManager) tm;
+                break;
+            }
+        }
+        assertNotNull(suppliedTrustManager);
+
+        SDKBuilder builder = SDKBuilder.newBuilder().sslFactoryFromTrustManager(suppliedTrustManager);
+
+        SSLSocketFactory sslSocketFactory = builder.getSslFactory();
+        assertNotNull(sslSocketFactory);
+
+        // the builder should retain the exact trust manager the caller supplied
+        assertSame(suppliedTrustManager, builder.getTrustManager());
+
+        X509Certificate[] acceptedIssuers = builder.getTrustManager().getAcceptedIssuers();
+        assertEquals(1, Arrays.stream(acceptedIssuers).filter(x -> x.getIssuerX500Principal().getName()
+                .equals("CN=example.com")).count());
+    }
+
     @Test
     public void testPlatformPlainTextAndIDPWithSSL() throws Exception {
         sdkServicesSetup(false, true);