Make it easier to provide custom TrustManagers in SslManagerBundle

[ttddyy]

I would like to use a custom TrustManager, such as one that only accepts certain issuers, accept-all, etc.

With current SslManagerBundle, I need to write something like this to use a custom TrustManager:

     
TrustManager myTrustManager = ...

// Cannot use DefaultSslManagerBundle as it's package private
KeyManagerFactory keyManagerFactory = getDefaultKeyManagerFactory();
// using netty impl
TrustManagerFactory trustManagerFactory = new TrustManagerFactoryWrapper(myTrustManager);

SslManagerBundle sslManagerBundle = SslManagerBundle.of(keyManagerFactory, trustManagerFactory);
SslBundle sslBundle = SslBundle.of(SslStoreBundle.NONE, SslBundleKey.NONE, SslOptions.NONE,
		SslBundle.DEFAULT_PROTOCOL, sslManagerBundle);
...


private KeyManagerFactory getDefaultKeyManagerFactory() {
	String algorithm = KeyManagerFactory.getDefaultAlgorithm();
	try {
		return KeyManagerFactory.getInstance(algorithm);
	}
	catch (NoSuchAlgorithmException ex) {
		throw new IllegalStateException("Could not load key manager factory: " + ex.getMessage(), ex);
	}
}

This is a lot of boilerplate code just to use a custom TrustManager.

It would be great if the SslManagerBundle API could be improved to support custom TrustManager usage without requiring a KeyManagerFactory. This would simplify configuring SSL/TLS settings when custom TrustManager configurations are needed.

[mhalbritter]

So, something like this on SslManagerBundle?

	/**
	 * Factory method to create a new {@link SslManagerBundle} using the given
	 * {@link TrustManagerFactory} and the default {@link KeyManagerFactory}.
	 * @param trustManagerFactory the trust manager factory
	 * @return a new {@link SslManagerBundle} instance
	 * @since 3.5.0
	 */
	static SslManagerBundle from(TrustManagerFactory trustManagerFactory) {
		Assert.notNull(trustManagerFactory, "TrustManagerFactory must not be null");
		KeyManagerFactory defaultKeyManagerFactory = createDefaultKeyManagerFactory();
		return of(defaultKeyManagerFactory, trustManagerFactory);
	}

	/**
	 * Factory method to create a new {@link SslManagerBundle} using the given
	 * {@link TrustManager TrustManagers} and the default {@link KeyManagerFactory}.
	 * @param trustManagers the trust managers to use
	 * @return a new {@link SslManagerBundle} instance
	 * @since 3.5.0
	 */
	static SslManagerBundle from(TrustManager... trustManagers) {
		Assert.notNull(trustManagers, "TrustManagers must not be null");
		KeyManagerFactory defaultKeyManagerFactory = createDefaultKeyManagerFactory();
		TrustManagerFactory defaultTrustManagerFactory = createDefaultTrustManagerFactory();
		return of(defaultKeyManagerFactory, FixedTrustManagerFactory.of(defaultTrustManagerFactory, trustManagers));
	}

The FixedTrustManagerFactory just returns the given TrustManagers on the getTrustManagers call.

You can then invoke it like this:

SslBundle bundle = SslBundle.of(SslStoreBundle.NONE, SslBundleKey.NONE, SslOptions.NONE, SslBundle.DEFAULT_PROTOCOL, SslManagerBundle.from(myTrustManager));

You can play around with it here: https://github.com/mhalbritter/spring-boot/tree/mh/43064-provide-user-friendly-api-to-use-custom-trustmanager-in-ssl-manager-bundle

[ttddyy]

Thanks @mhalbritter
It looks great and makes it easy to set up a SslBundle with custom TrustManagers.

[ttddyy]

Hi @mhalbritter

I played around with multiple TrustManager and realized that when interacting with multiple trust-managers, I need to create a composite TrustManager which determines what to do when CertificateException is thrown - continue to check on the next trust-manager, etc.

Sample:

public class CompositeX509TrustManager implements X509TrustManager {

	private final X509TrustManager[] trustManagers;

	public CompositeX509TrustManager(X509TrustManager... trustManagers) {
		this.trustManagers = trustManagers;
	}

	@Override
	public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
		for (X509TrustManager trustManager : this.trustManagers) {
			try {
				trustManager.checkClientTrusted(chain, authType);
				return;
			}
			catch (CertificateException ex) {
				// Ignore and try the next trust manager
			}
		}
		throw new CertificateException("None of the trust managers could validate the certificate chain");
	}
  ...
}  

Therefore, the method here which accepts multiple trust-managers, doesn't really use them. The check only happened by the first trust-manager, and if it throws CertificateException, the rest of trust-managers are ignored and simply validation fails.

So, the new API on SslManagerBundle:

	static SslManagerBundle from(TrustManager... trustManagers) {

should be only accepting a single TrustManager.

	static SslManagerBundle from(TrustManager trustManager) {

[mhalbritter]

Hey @ttddyy,

the TrustManagerFactorySpi interface, which FixedTrustManagerFactory uses, has this method:

TrustManager[] engineGetTrustManagers()

So I think it makes sense to allow multiple TrustManagers passed into SslManagerBundle.from().