From be10897295f33fd860a791628dc5cfb050c6087f Mon Sep 17 00:00:00 2001 From: Benoit Bordigoni Date: Thu, 12 Sep 2024 16:41:39 +0200 Subject: [PATCH] fix: return empty array of accepted issuers in trust manager --- .../RefreshableX509TrustManagerDelegator.java | 5 +++- ...reshableX509TrustManagerDelegatorTest.java | 29 ++++++++++++++----- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/gravitee-node-certificates/src/main/java/io/gravitee/node/certificates/x509/RefreshableX509TrustManagerDelegator.java b/gravitee-node-certificates/src/main/java/io/gravitee/node/certificates/x509/RefreshableX509TrustManagerDelegator.java index d654f9ea3..b6fd1ef5c 100644 --- a/gravitee-node-certificates/src/main/java/io/gravitee/node/certificates/x509/RefreshableX509TrustManagerDelegator.java +++ b/gravitee-node-certificates/src/main/java/io/gravitee/node/certificates/x509/RefreshableX509TrustManagerDelegator.java @@ -79,7 +79,10 @@ public void checkServerTrusted(X509Certificate[] chain, String authType) throws @Override public X509Certificate[] getAcceptedIssuers() { X509ExtendedTrustManager trustManager = this.delegate; - return trustManager != null ? trustManager.getAcceptedIssuers() : null; + if (trustManager != null) { + return trustManager.getAcceptedIssuers(); + } + return new X509Certificate[] {}; } @Override diff --git a/gravitee-node-certificates/src/test/java/io/gravitee/node/certificates/x509/RefreshableX509TrustManagerDelegatorTest.java b/gravitee-node-certificates/src/test/java/io/gravitee/node/certificates/x509/RefreshableX509TrustManagerDelegatorTest.java index ff57d9c42..c50b2fadd 100644 --- a/gravitee-node-certificates/src/test/java/io/gravitee/node/certificates/x509/RefreshableX509TrustManagerDelegatorTest.java +++ b/gravitee-node-certificates/src/test/java/io/gravitee/node/certificates/x509/RefreshableX509TrustManagerDelegatorTest.java @@ -25,6 +25,7 @@ import io.gravitee.common.util.KeyStoreUtils; import java.io.IOException; import java.net.Socket; +import java.net.URL; import java.security.KeyStore; import java.security.cert.CertificateException; import java.security.cert.CertificateFactory; @@ -61,12 +62,26 @@ public void before() { cut = new RefreshableX509TrustManagerDelegator("http"); } + @Test + void should_not_fail_on_empty_truststore() { + assertThatCode(() -> cut.checkServerTrusted(null, null, (Socket) null)).doesNotThrowAnyException(); + assertThatCode(() -> cut.checkServerTrusted(null, null, (SSLEngine) null)).doesNotThrowAnyException(); + assertThatCode(() -> cut.checkServerTrusted(null, null)).doesNotThrowAnyException(); + assertThatCode(() -> cut.checkClientTrusted(null, null, (Socket) null)).doesNotThrowAnyException(); + assertThatCode(() -> cut.checkClientTrusted(null, null, (SSLEngine) null)).doesNotThrowAnyException(); + assertThatCode(() -> cut.checkClientTrusted(null, null)).doesNotThrowAnyException(); + assertThat(cut.getAcceptedIssuers()).isNotNull(); + assertThat(cut.getAcceptedIssuers()).isEmpty(); + } + @Test void should_load_truststore_store_and_trust_certs() throws CertificateException, IOException { KeyStore trustStore = loadTruststore(); cut.refresh(trustStore); assertThat(cut.getAcceptedIssuers()).hasSize(2); - try (var is = this.getClass().getResource("/truststores/client2.crt").openStream();) { + URL resource = this.getClass().getResource("/truststores/client2.crt"); + assertThat(resource).isNotNull(); + try (var is = resource.openStream()) { X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is); assertThat(cut.getAcceptedIssuers()).contains(certificate); X509Certificate[] chain = new X509Certificate[] { certificate }; @@ -84,7 +99,9 @@ void should_load_truststore_store_and_do_not_trust_certs() throws CertificateExc KeyStore trustStore = loadTruststore(); cut.refresh(trustStore); assertThat(cut.getAcceptedIssuers()).hasSize(2); - try (var is = this.getClass().getResource("/truststores/client1.crt").openStream();) { + URL resource = this.getClass().getResource("/truststores/client1.crt"); + assertThat(resource).isNotNull(); + try (var is = resource.openStream()) { X509Certificate untrusted = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is); assertThat(cut.getAcceptedIssuers()).doesNotContain(untrusted); X509Certificate[] chain = new X509Certificate[] { untrusted }; @@ -104,10 +121,8 @@ void should_load_truststore_store_and_do_not_trust_certs() throws CertificateExc } private KeyStore loadTruststore() { - return KeyStoreUtils.initFromPath( - CERTIFICATE_FORMAT_PKCS12, - this.getClass().getResource("/truststores/truststore2-3.p12").getPath(), - PASSWORD - ); + URL resource = this.getClass().getResource("/truststores/truststore2-3.p12"); + assertThat(resource).isNotNull(); + return KeyStoreUtils.initFromPath(CERTIFICATE_FORMAT_PKCS12, resource.getPath(), PASSWORD); } }