bonampak commented on code in PR #992: URL: https://github.com/apache/knox/pull/992#discussion_r1964009173
########## gateway-spi/src/main/java/org/apache/knox/gateway/util/TruststoreSSLContextUtils.java: ########## 
@@ -48,4 +52,25 @@ public static SSLContext getTruststoreSSLContext(KeyStore truststore) { return sslContext; } + public static X509TrustManager getTrustManager(KeyStore truststore) { + try { + if (truststore != null) { + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + trustManagerFactory.init(truststore); + TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); + if (trustManagers != null) { + for (TrustManager tm : trustManagers) { + if (tm instanceof X509TrustManager) { + return (X509TrustManager) tm; + } + } + } + throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers));

Review Comment:
I took this part of the migration from here: https://square.github.io/okhttp/5.x/okhttp/okhttp3/-ok-http-client/-builder/ssl-socket-factory.html

I would expect this to work in a standard setup (and it's the case with JDK 8-17). I have not tested it on a FIPS-enabled cluster though. I throw and catch IllegalStateException and return null if the trust manager for the default algorithm and trust store is not an instance of X509TrustManager.

The `getTruststoreSSLContext()` method also uses the same methods by calling SSLContextBuilder.loadTrustMaterial(): uses the default TrustManagerFactory algorithm, initializes and gets the trust managers; it does not check the instance type. But the okhttp API expects an implementation of javax.net.ssl.X509TrustManager to validate the server's certificates. The deprecated method variant does not require it, okhttp would use reflection to get one from `sun.security.ssl.SSLContextImpl`: https://github.com/square/okhttp/blob/4984568367caaf359b82c452bd28b5e192824d1c/okhttp/src/main/kotlin/okhttp3/internal/platform/Platform.kt#L88 But this was removed in Okhttp 5.

-- This is an automated message from the Apache Git Service.
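Review bot: the fallback described for the `throw new IllegalStateException("Unexpected default trust managers:" ...)` at the end of the hunk, catching that exception and returning null, turns a trust store the default TrustManagerFactory cannot serve (the FIPS case mentioned in the comment) into a silent null that callers only discover when OkHttp is handed a null X509TrustManager at connection time; consider letting the exception propagate, or throwing a checked exception the caller must handle, so a misconfigured trust store fails fast with the message that names the trust managers actually found. Two smaller points: the message `"Unexpected default trust managers:"` is missing a space before the appended array, and the new public `getTrustManager(KeyStore truststore)` has no Javadoc stating that it returns the first X509TrustManager for the given store and what the method does when `truststore` is null, a branch the hunk does not show.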
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@knox.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org