
Make it easier to provide custom TrustManagers in SslManagerBundle #43064

Open
ttddyy opened this issue Nov 8, 2024 · 2 comments
Labels
type: enhancement A general enhancement
ttddyy commented Nov 8, 2024

I would like to use a custom TrustManager, such as one that only accepts certain issuers, accept-all, etc.

With current SslManagerBundle, I need to write something like this to use a custom TrustManager:

import java.security.NoSuchAlgorithmException;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import io.netty.handler.ssl.util.TrustManagerFactoryWrapper;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundleKey;
import org.springframework.boot.ssl.SslManagerBundle;
import org.springframework.boot.ssl.SslOptions;
import org.springframework.boot.ssl.SslStoreBundle;

TrustManager myTrustManager = ...

// Cannot use DefaultSslManagerBundle as it's package private,
// so the default KeyManagerFactory has to be built by hand (see below)
KeyManagerFactory keyManagerFactory = getDefaultKeyManagerFactory();
// Wrap the single TrustManager in a TrustManagerFactory, using the Netty impl
TrustManagerFactory trustManagerFactory = new TrustManagerFactoryWrapper(myTrustManager);

SslManagerBundle sslManagerBundle = SslManagerBundle.of(keyManagerFactory, trustManagerFactory);
SslBundle sslBundle = SslBundle.of(SslStoreBundle.NONE, SslBundleKey.NONE, SslOptions.NONE,
		SslBundle.DEFAULT_PROTOCOL, sslManagerBundle);
...

// Re-creates what DefaultSslManagerBundle does internally for the key side
private KeyManagerFactory getDefaultKeyManagerFactory() {
	String algorithm = KeyManagerFactory.getDefaultAlgorithm();
	try {
		return KeyManagerFactory.getInstance(algorithm);
	}
	catch (NoSuchAlgorithmException ex) {
		throw new IllegalStateException("Could not load key manager factory: " + ex.getMessage(), ex);
	}
}

This is a lot of boilerplate code just to use a custom TrustManager.

It would be great if the SslManagerBundle API could be improved to support custom TrustManager usage without requiring a KeyManagerFactory. This would simplify configuring SSL/TLS settings when custom TrustManager configurations are needed.

@spring-projects-issues spring-projects-issues added the status: waiting-for-triage An issue we've not yet triaged label Nov 8, 2024
@mhalbritter mhalbritter self-assigned this Nov 8, 2024
mhalbritter commented Nov 8, 2024

So, something like this on SslManagerBundle?

	/**
	 * Factory method to create a new {@link SslManagerBundle} using the given
	 * {@link TrustManagerFactory} and the default {@link KeyManagerFactory}.
	 * @param trustManagerFactory the trust manager factory
	 * @return a new {@link SslManagerBundle} instance
	 * @since 3.5.0
	 */
	static SslManagerBundle from(TrustManagerFactory trustManagerFactory) {
		Assert.notNull(trustManagerFactory, "TrustManagerFactory must not be null");
		KeyManagerFactory defaultKeyManagerFactory = createDefaultKeyManagerFactory();
		return of(defaultKeyManagerFactory, trustManagerFactory);
	}

	/**
	 * Factory method to create a new {@link SslManagerBundle} using the given
	 * {@link TrustManager TrustManagers} and the default {@link KeyManagerFactory}.
	 * @param trustManagers the trust managers to use
	 * @return a new {@link SslManagerBundle} instance
	 * @since 3.5.0
	 */
	static SslManagerBundle from(TrustManager... trustManagers) {
		Assert.notNull(trustManagers, "TrustManagers must not be null");
		KeyManagerFactory defaultKeyManagerFactory = createDefaultKeyManagerFactory();
		TrustManagerFactory defaultTrustManagerFactory = createDefaultTrustManagerFactory();
		return of(defaultKeyManagerFactory, FixedTrustManagerFactory.of(defaultTrustManagerFactory, trustManagers));
	}

The FixedTrustManagerFactory just returns the given TrustManagers on the getTrustManagers call.

You can then invoke it like this:

SslBundle bundle = SslBundle.of(SslStoreBundle.NONE, SslBundleKey.NONE, SslOptions.NONE, SslBundle.DEFAULT_PROTOCOL, SslManagerBundle.from(myTrustManager));

You can play around with it here: https://github.com/mhalbritter/spring-boot/tree/mh/43064-provide-user-friendly-api-to-use-custom-trustmanager-in-ssl-manager-bundle
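An added example, not code from this issue or from Spring Boot, of the "only accepts certain issuers" trust manager mentioned in the opening comment, wired through the SslManagerBundle.from(TrustManager...) method proposed above. IssuerRestrictedTrustManager and bundleFor are hypothetical names; the class keeps the JDK's default PKIX validation and only narrows it with an issuer allow-list, which is the safe shape for a custom TrustManager, as opposed to an accept-all one.

```java
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundleKey;
import org.springframework.boot.ssl.SslManagerBundle;
import org.springframework.boot.ssl.SslOptions;
import org.springframework.boot.ssl.SslStoreBundle;

// Hypothetical: default PKIX validation first, then an allow-list on the leaf issuer DN.
final class IssuerRestrictedTrustManager implements X509TrustManager {
	private final X509TrustManager delegate;
	private final Set<String> allowedIssuers; // issuer DNs in RFC 2253 form
	IssuerRestrictedTrustManager(Set<String> allowedIssuers) throws Exception {
		this.allowedIssuers = Set.copyOf(allowedIssuers);
		TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
		factory.init((KeyStore) null); // null = the JDK default trust store
		this.delegate = (X509TrustManager) factory.getTrustManagers()[0];
	}
	@Override
	public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
		this.delegate.checkServerTrusted(chain, authType); // chain building, expiry, trust anchor
		requireAllowedIssuer(chain); // extra restriction on top, never a replacement
	}
	@Override
	public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
		this.delegate.checkClientTrusted(chain, authType); // mutual TLS: keep default behaviour
	}
	@Override
	public X509Certificate[] getAcceptedIssuers() {
		return this.delegate.getAcceptedIssuers();
	}
	private void requireAllowedIssuer(X509Certificate[] chain) throws CertificateException {
		String issuer = chain[0].getIssuerX500Principal().getName(); // issuer of the leaf cert
		if (!this.allowedIssuers.contains(issuer)) {
			throw new CertificateException("Certificate issuer not allowed: " + issuer);
		}
	}
	// Uses the SslManagerBundle.from(TrustManager...) factory method proposed in this issue.
	static SslBundle bundleFor(Set<String> allowedIssuers) throws Exception {
		TrustManager pinned = new IssuerRestrictedTrustManager(allowedIssuers);
		return SslBundle.of(SslStoreBundle.NONE, SslBundleKey.NONE, SslOptions.NONE,
				SslBundle.DEFAULT_PROTOCOL, SslManagerBundle.from(pinned));
	}
}
```

Because the delegate runs first, a chain that the default trust store would reject is still rejected; the allow-list can only make the bundle stricter.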

@mhalbritter mhalbritter added the status: waiting-for-feedback We need additional information before we can continue label Nov 8, 2024
ttddyy commented Nov 9, 2024

Thanks @mhalbritter
It looks great and makes it easy to set up an SslBundle with custom TrustManagers.

@spring-projects-issues spring-projects-issues added status: feedback-provided Feedback has been provided and removed status: waiting-for-feedback We need additional information before we can continue labels Nov 9, 2024
@mhalbritter mhalbritter changed the title Provide user-friendly API to use custom TrustManager in SSL (Manager) bundle Make it easier to provide custom TrustManagers in SslManagerBundle Nov 11, 2024
@mhalbritter mhalbritter added type: enhancement A general enhancement and removed status: waiting-for-triage An issue we've not yet triaged status: feedback-provided Feedback has been provided labels Nov 11, 2024
@mhalbritter mhalbritter added this to the 3.5.x milestone Nov 11, 2024