Skip to content

Commit

Permalink
fix: return empty array of accepted issuers in trust manager
Browse files Browse the repository at this point in the history
  • Loading branch information
benoitgravitee committed Sep 13, 2024
1 parent e070c0d commit 765bbbb
Show file tree
Hide file tree
Showing 2 changed files with 26 additions and 8 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,10 @@ public void checkServerTrusted(X509Certificate[] chain, String authType) throws
@Override
public X509Certificate[] getAcceptedIssuers() {
X509ExtendedTrustManager trustManager = this.delegate;
return trustManager != null ? trustManager.getAcceptedIssuers() : null;
if (trustManager != null) {
return trustManager.getAcceptedIssuers();
}
return new X509Certificate[] {};
}

@Override
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@
import io.gravitee.common.util.KeyStoreUtils;
import java.io.IOException;
import java.net.Socket;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
Expand Down Expand Up @@ -61,12 +62,26 @@ public void before() {
cut = new RefreshableX509TrustManagerDelegator("http");
}

@Test
void should_not_fail_on_empty_truststore() {
assertThatCode(() -> cut.checkServerTrusted(null, null, (Socket) null)).doesNotThrowAnyException();
assertThatCode(() -> cut.checkServerTrusted(null, null, (SSLEngine) null)).doesNotThrowAnyException();
assertThatCode(() -> cut.checkServerTrusted(null, null)).doesNotThrowAnyException();
assertThatCode(() -> cut.checkClientTrusted(null, null, (Socket) null)).doesNotThrowAnyException();
assertThatCode(() -> cut.checkClientTrusted(null, null, (SSLEngine) null)).doesNotThrowAnyException();
assertThatCode(() -> cut.checkClientTrusted(null, null)).doesNotThrowAnyException();
assertThat(cut.getAcceptedIssuers()).isNotNull();
assertThat(cut.getAcceptedIssuers()).isEmpty();
}

@Test
void should_load_truststore_store_and_trust_certs() throws CertificateException, IOException {
KeyStore trustStore = loadTruststore();
cut.refresh(trustStore);
assertThat(cut.getAcceptedIssuers()).hasSize(2);
try (var is = this.getClass().getResource("/truststores/client2.crt").openStream();) {
URL resource = this.getClass().getResource("/truststores/client2.crt");
assertThat(resource).isNotNull();
try (var is = resource.openStream()) {
X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
assertThat(cut.getAcceptedIssuers()).contains(certificate);
X509Certificate[] chain = new X509Certificate[] { certificate };
Expand All @@ -84,7 +99,9 @@ void should_load_truststore_store_and_do_not_trust_certs() throws CertificateExc
KeyStore trustStore = loadTruststore();
cut.refresh(trustStore);
assertThat(cut.getAcceptedIssuers()).hasSize(2);
try (var is = this.getClass().getResource("/truststores/client1.crt").openStream();) {
URL resource = this.getClass().getResource("/truststores/client1.crt");
assertThat(resource).isNotNull();
try (var is = resource.openStream()) {
X509Certificate untrusted = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
assertThat(cut.getAcceptedIssuers()).doesNotContain(untrusted);
X509Certificate[] chain = new X509Certificate[] { untrusted };
Expand All @@ -104,10 +121,8 @@ void should_load_truststore_store_and_do_not_trust_certs() throws CertificateExc
}

private KeyStore loadTruststore() {
return KeyStoreUtils.initFromPath(
CERTIFICATE_FORMAT_PKCS12,
this.getClass().getResource("/truststores/truststore2-3.p12").getPath(),
PASSWORD
);
URL resource = this.getClass().getResource("/truststores/truststore2-3.p12");
assertThat(resource).isNotNull();
return KeyStoreUtils.initFromPath(CERTIFICATE_FORMAT_PKCS12, resource.getPath(), PASSWORD);
}
}

0 comments on commit 765bbbb

Please sign in to comment.