[GitHub] [knox] rlevas commented on a change in pull request #74: KNOX-1111 - 2-way SSL Truststore and Keystore Improvements

Fri, 15 Mar 2019 08:13:36 -0700 

rlevas commented on a change in pull request #74: KNOX-1111 - 2-way SSL 
Truststore and Keystore Improvements
URL: https://github.com/apache/knox/pull/74#discussion_r266024463
 
 

 ##########
 File path: 
gateway-spi/src/main/java/org/apache/knox/gateway/dispatch/DefaultHttpClientFactory.java
 ##########
 @@ -76,28 +77,14 @@ public HttpClient createHttpClient(FilterConfig 
filterConfig) {
     } else {
       builder = HttpClients.custom();
     }
-    if (Boolean.parseBoolean(filterConfig.getInitParameter("useTwoWaySsl"))) {
-      AliasService as = services.getService(GatewayServices.ALIAS_SERVICE);
-      KeystoreService ks = 
services.getService(GatewayServices.KEYSTORE_SERVICE);
-      final SSLContext sslcontext;
-      try {
-        KeyStore identityKeystore = ks.getKeystoreForGateway();
-        char[] identityKeyPassphrase = as.getGatewayIdentityPassphrase();
 
-        // The trustKeystore will be the same as the identityKeystore if a 
truststore was not explicitly
-        // configured in gateway-site (gateway.truststore.password.alias, 
gateway.truststore.path, gateway.truststore.type)
-        // This was the behavior before KNOX-1812
-        KeyStore trustKeystore = ks.getTruststoreForHttpClient();
-
-        sslcontext = SSLContexts.custom()
-            .loadTrustMaterial(trustKeystore, new TrustSelfSignedStrategy())
-            .loadKeyMaterial(identityKeystore, identityKeyPassphrase)
-            .build();
-      } catch (Exception e) {
-        throw new IllegalArgumentException("Unable to create SSLContext", e);
-      }
-      builder.setSSLSocketFactory(new SSLConnectionSocketFactory(sslcontext));
+    // Conditionally set a custom SSLContext
+    boolean useTwoWaySsl = 
Boolean.parseBoolean(filterConfig.getInitParameter("useTwoWaySsl"));
+    SSLContext sslContext = createSSLContext(services, useTwoWaySsl);
 
 Review comment:
   Sure... I can do that.  
   
   But if we need to make changes to `createSSLContext` in the future, changing 
the args to passing the filterConfig could be done then.  `createSSLContext` is 
basically a private method, so changing its signature later should be a minor 
task.  If `createSSLContext` was part of an interface (or just public) that may 
be another story. 
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

Reply via email to