Skip to content

Make it easier to provide custom TrustManagers in SslManagerBundle #43064

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ttddyy opened this issue Nov 8, 2024 · 4 comments
Closed

Make it easier to provide custom TrustManagers in SslManagerBundle #43064

ttddyy opened this issue Nov 8, 2024 · 4 comments
Assignees
@mhalbritter
Labels
type: enhancement A general enhancement
Milestone
3.5.0-M2

Comments

@ttddyy
Copy link
Contributor

ttddyy commented Nov 8, 2024

I would like to use a custom TrustManager, such as one that only accepts certain issuers, accept-all, etc.

With current SslManagerBundle, I need to write something like this to use a custom TrustManager:

     
TrustManager myTrustManager = ...

// Cannot use DefaultSslManagerBundle as it's package private
KeyManagerFactory keyManagerFactory = getDefaultKeyManagerFactory();
// using netty impl
TrustManagerFactory trustManagerFactory = new TrustManagerFactoryWrapper(myTrustManager);

SslManagerBundle sslManagerBundle = SslManagerBundle.of(keyManagerFactory, trustManagerFactory);
SslBundle sslBundle = SslBundle.of(SslStoreBundle.NONE, SslBundleKey.NONE, SslOptions.NONE,
		SslBundle.DEFAULT_PROTOCOL, sslManagerBundle);
...


private KeyManagerFactory getDefaultKeyManagerFactory() {
	String algorithm = KeyManagerFactory.getDefaultAlgorithm();
	try {
		return KeyManagerFactory.getInstance(algorithm);
	}
	catch (NoSuchAlgorithmException ex) {
		throw new IllegalStateException("Could not load key manager factory: " + ex.getMessage(), ex);
	}
}

This is a lot of boilerplate code just to use a custom TrustManager.

It would be great if the SslManagerBundle API could be improved to support custom TrustManager usage without requiring a KeyManagerFactory. This would simplify configuring SSL/TLS settings when custom TrustManager configurations are needed.
@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 8, 2024
@mhalbritter mhalbritter self-assigned this Nov 8, 2024
@mhalbritter
Copy link
Contributor

mhalbritter commented Nov 8, 2024
edited
Loading

So, something like this on SslManagerBundle?

	/**
	 * Factory method to create a new {@link SslManagerBundle} using the given
	 * {@link TrustManagerFactory} and the default {@link KeyManagerFactory}.
	 * @param trustManagerFactory the trust manager factory
	 * @return a new {@link SslManagerBundle} instance
	 * @since 3.5.0
	 */
	static SslManagerBundle from(TrustManagerFactory trustManagerFactory) {
		Assert.notNull(trustManagerFactory, "TrustManagerFactory must not be null");
		KeyManagerFactory defaultKeyManagerFactory = createDefaultKeyManagerFactory();
		return of(defaultKeyManagerFactory, trustManagerFactory);
	}

	/**
	 * Factory method to create a new {@link SslManagerBundle} using the given
	 * {@link TrustManager TrustManagers} and the default {@link KeyManagerFactory}.
	 * @param trustManagers the trust managers to use
	 * @return a new {@link SslManagerBundle} instance
	 * @since 3.5.0
	 */
	static SslManagerBundle from(TrustManager... trustManagers) {
		Assert.notNull(trustManagers, "TrustManagers must not be null");
		KeyManagerFactory defaultKeyManagerFactory = createDefaultKeyManagerFactory();
		TrustManagerFactory defaultTrustManagerFactory = createDefaultTrustManagerFactory();
		return of(defaultKeyManagerFactory, FixedTrustManagerFactory.of(defaultTrustManagerFactory, trustManagers));
	}

The FixedTrustManagerFactory just returns the given TrustManagers on the getTrustManagers call.

You can then invoke it like this:

SslBundle bundle = SslBundle.of(SslStoreBundle.NONE, SslBundleKey.NONE, SslOptions.NONE, SslBundle.DEFAULT_PROTOCOL, SslManagerBundle.from(myTrustManager));

You can play around with it here: https://github.com/mhalbritter/spring-boot/tree/mh/43064-provide-user-friendly-api-to-use-custom-trustmanager-in-ssl-manager-bundle

@mhalbritter mhalbritter added the status: waiting-for-feedback We need additional information before we can continue label Nov 8, 2024
@ttddyy
Copy link
Contributor Author

ttddyy commented Nov 9, 2024

Thanks @mhalbritter
It looks great and makes it easy to set up a SslBundle with custom TrustManagers.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Nov 9, 2024
@mhalbritter mhalbritter changed the title Provide user-friendly API to use custom TrustManager in SSL (Manager) bundle Make it easier to provide custom TrustManagers in SslManagerBundle Nov 11, 2024
@mhalbritter mhalbritter added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels Nov 11, 2024
@mhalbritter mhalbritter added this to the 3.5.x milestone Nov 11, 2024
@ttddyy
Copy link
Contributor Author

ttddyy commented Nov 23, 2024

Hi @mhalbritter

I played around with multiple TrustManager and realized that when interacting with multiple trust-managers, I need to create a composite TrustManager which determines what to do when CertificateException is thrown - continue to check on the next trust-manager, etc.

Sample:

public class CompositeX509TrustManager implements X509TrustManager {

	private final X509TrustManager[] trustManagers;

	public CompositeX509TrustManager(X509TrustManager... trustManagers) {
		this.trustManagers = trustManagers;
	}

	@Override
	public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
		for (X509TrustManager trustManager : this.trustManagers) {
			try {
				trustManager.checkClientTrusted(chain, authType);
				return;
			}
			catch (CertificateException ex) {
				// Ignore and try the next trust manager
			}
		}
		throw new CertificateException("None of the trust managers could validate the certificate chain");
	}
  ...
}

Therefore, the method here which accepts multiple trust-managers, doesn't really use them. The check only happened by the first trust-manager, and if it throws CertificateException, the rest of trust-managers are ignored and simply validation fails.

So, the new API on SslManagerBundle:

	static SslManagerBundle from(TrustManager... trustManagers) {

should be only accepting a single TrustManager.

	static SslManagerBundle from(TrustManager trustManager) {

@mhalbritter
Copy link
Contributor

mhalbritter commented Jan 27, 2025
edited
Loading

Hey @ttddyy,

the TrustManagerFactorySpi interface, which FixedTrustManagerFactory uses, has this method:

TrustManager[] engineGetTrustManagers()

So I think it makes sense to allow multiple TrustManagers passed into SslManagerBundle.from().

@mhalbritter mhalbritter modified the milestones: 3.5.x, 3.5.0-M2 Jan 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@mhalbritter mhalbritter

Labels
type: enhancement A general enhancement
Projects
None yet
Milestone
3.5.0-M2
Development

No branches or pull requests
3 participants
@ttddyy @spring-projects-issues @mhalbritter