[ https://issues.apache.org/jira/browse/KNOX-3094?focusedWorklogId=957994&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-957994 ]
ASF GitHub Bot logged work on KNOX-3094:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 20/Feb/25 16:56
            Start Date: 20/Feb/25 16:56
    Worklog Time Spent: 10m
      Work Description:
    bonampak commented on code in PR #992:
    URL: https://github.com/apache/knox/pull/992#discussion_r1964009173


    ##########
    gateway-spi/src/main/java/org/apache/knox/gateway/util/TruststoreSSLContextUtils.java:
    ##########
@@ -48,4 +52,25 @@ public static SSLContext getTruststoreSSLContext(KeyStore truststore) { return sslContext; } + public static X509TrustManager getTrustManager(KeyStore truststore) { + try { + if (truststore != null) { + TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); + trustManagerFactory.init(truststore); + TrustManager[] trustManagers = trustManagerFactory.getTrustManagers(); + if (trustManagers != null) { + for (TrustManager tm : trustManagers) { + if (tm instanceof X509TrustManager) { + return (X509TrustManager) tm; + } + } + } + throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers)); Review Comment: I took this part of the migration from here: https://square.github.io/okhttp/5.x/okhttp/okhttp3/-ok-http-client/-builder/ssl-socket-factory.html I would expect this to work in a standard setup (and it's the case with JDK 8-17). I have not tested it on a FIPS-enabled cluster though. I throw and catch IllegalStateException and return null if the trust manager for the default algorithm and trust store is not an instance of X509TrustManager. The `getTruststoreSSLContext()` method also uses the same methods by calling SSLContextBuilder.loadTrustMaterial(): uses the default TrustManagerFactory algorithm, initializes and gets the trust managers; it does not check the instance type. But the okhttp API expects an implementation of javax.net.ssl.X509TrustManager to validate the server's certificates. The deprecated method variant does not require it, okhttp would use reflection to get one from `sun.security.ssl.SSLContextImpl`: https://github.com/square/okhttp/blob/4984568367caaf359b82c452bd28b5e192824d1c/okhttp/src/main/kotlin/okhttp3/internal/platform/Platform.kt#L88 But this was removed in Okhttp 5. 
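Review bot: the IllegalStateException thrown at the end of this hunk is, according to the reply above, caught inside the same method so that getTrustManager() returns null, which hides why no X509TrustManager was found; the message "Unexpected default trust managers:" is also misleading (the managers come from the caller's truststore, not the JDK default one) and lacks a space after the colon. Suggest logging TrustManagerFactory.getDefaultAlgorithm() and the classes in trustManagers before returning null, or returning an Optional, and documenting that callers must treat a missing trust manager as "no server certificate validation available" and fail closed rather than pass null on to OkHttpClient.Builder.sslSocketFactory(). Since getTruststoreSSLContext() in the same class loads the trust material a second time via SSLContextBuilder.loadTrustMaterial(), consider building that SSLContext from the manager returned here, so the SSLSocketFactory and the X509TrustManager handed to okhttp are guaranteed to share the same trust anchors.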
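As an added example of the API requirement discussed in the review comment above (this is not code from the PR or from Knox; the class and method names are my own, and it assumes okhttp 5 and the okhttp3 package on the classpath), the following derives the X509TrustManager from a truststore once, builds the SSLContext from that same manager, and hands both to OkHttpClient.Builder.sslSocketFactory(SSLSocketFactory, X509TrustManager), failing closed instead of returning null when the provider's default algorithm exposes no X509TrustManager:

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Optional;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;

/** Illustrative example (not Knox code): one trust manager shared by the SSLContext and okhttp. */
public final class TruststoreOkHttpExample {

    /** Looks up the X509TrustManager the default TrustManagerFactory derives from {@code truststore}. */
    static Optional<X509TrustManager> findX509TrustManager(KeyStore truststore)
            throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        // On SunJSSE, init(null) silently falls back to the JDK cacerts; callers pass a real store.
        tmf.init(truststore);
        TrustManager[] managers = tmf.getTrustManagers();
        return Arrays.stream(managers == null ? new TrustManager[0] : managers)
                .filter(X509TrustManager.class::isInstance)
                .map(X509TrustManager.class::cast)
                .findFirst();
    }

    /** SSLContext whose server-certificate checks are performed by exactly {@code tm}. */
    static SSLContext sslContextFrom(X509TrustManager tm) throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] {tm}, null); // no client key material, default SecureRandom
        return ctx;
    }

    /** Builds a client that validates servers against {@code truststore}, or refuses to build. */
    static OkHttpClient clientFor(KeyStore truststore) throws GeneralSecurityException {
        if (truststore == null) {
            throw new IllegalArgumentException("truststore must not be null");
        }
        X509TrustManager tm = findX509TrustManager(truststore).orElseThrow(() ->
                new IllegalStateException("No X509TrustManager from TrustManagerFactory algorithm "
                        + TrustManagerFactory.getDefaultAlgorithm()
                        + "; refusing to build an HTTP client without certificate validation"));
        // The socket factory and the trust manager okhttp receives are built from the same object,
        // so the handshake and okhttp's own certificate-chain handling see identical trust anchors.
        return new OkHttpClient.Builder()
                .sslSocketFactory(sslContextFrom(tm).getSocketFactory(), tm)
                .build();
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        // Usage: java TruststoreOkHttpExample /path/to/truststore.jks [password]
        KeyStore truststore = KeyStore.getInstance(KeyStore.getDefaultType());
        char[] password = args.length > 1 ? args[1].toCharArray() : null;
        try (InputStream in = new FileInputStream(args[0])) {
            truststore.load(in, password);
        }
        OkHttpClient client = clientFor(truststore);
        int issuers = findX509TrustManager(truststore).get().getAcceptedIssuers().length;
        System.out.println("client built (" + client.getClass().getSimpleName()
                + "); trusted issuers in store: " + issuers);
    }
}
```

Loading the trust material once and deriving the SSLContext from the manager you pass to okhttp avoids the situation where a second, independently initialised context validates against different anchors than the X509TrustManager okhttp was given. Returning an empty Optional rather than null also turns the provider-specific case the reviewer raised (a FIPS provider whose default algorithm yields a non-X509 manager) into an explicit startup failure instead of a null that surfaces later.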
Issue Time Tracking
-------------------

    Worklog Id:     (was: 957994)
    Time Spent: 40m  (was: 0.5h)

> Update CM API swagger to 7.13.1
> -------------------------------
>
>                 Key: KNOX-3094
>                 URL: https://issues.apache.org/jira/browse/KNOX-3094
>             Project: Apache Knox
>          Issue Type: Task
>          Components: cm-discovery
>    Affects Versions: 2.1.0
>            Reporter: Tamás Marcinkovics
>            Assignee: Tamás Marcinkovics
>            Priority: Major
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> As a pre-requisite for the CM service discovery update task KNOX-3084, we
> need to update com.cloudera.api.swagger:cloudera-manager-api-swagger to
> 7.13.1.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)