Proper defaulting to system truststore for downstream connections

Author: dajudge

proxybase/src/main/java/com/dajudge/proxybase/DownstreamSslHandlerFactory.java

@@ -24,17 +24,16 @@
 import io.netty.channel.Channel;
 import io.netty.channel.ChannelHandler;
 import io.netty.handler.ssl.SslContext;
-import io.netty.handler.ssl.SslContextBuilder;
 
-import javax.net.ssl.*;
+import javax.net.ssl.SSLException;
 import java.security.KeyManagementException;
 import java.security.NoSuchAlgorithmException;
 import java.util.Optional;
 import java.util.function.Function;
 import java.util.function.Supplier;
 
 import static com.dajudge.proxybase.HostnameCheck.NULL_VERIFIER;
-import static com.dajudge.proxybase.SslUtils.*;
+import static com.dajudge.proxybase.SslUtils.createClientSslContext;
 import static com.dajudge.proxybase.certs.ReloadingKeyStoreManager.createReloader;
 
 public class DownstreamSslHandlerFactory {
@@ -50,46 +49,23 @@ public static Function<Channel, ChannelHandler> createDownstreamSslHandler(
         return createDownstreamSslHandler(
                 hostnameCheck,
                 createReloader(config.getTrustStore(), clock, filesystem),
-                config.getKeyStore().map(it -> createReloader(it, clock, filesystem)),
-                Optional.of(downstreamEndpoint)
+                createReloader(config.getKeyStore(), clock, filesystem),
+                downstreamEndpoint
         );
     }
 
     public static Function<Channel, ChannelHandler> createDownstreamSslHandler(
             final HostnameCheck hostnameCheck,
-            final KeyStoreManager trustStoreManager,
-            final Optional<KeyStoreManager> keyStoreManager,
-            final Optional<Endpoint> peerEndpoint
+            final Optional<? extends KeyStoreManager> trustStoreManager,
+            final Optional<? extends KeyStoreManager> keyStoreManager,
+            final Endpoint peerEndpoint
     ) {
         try {
-            final SSLContext clientContext = SSLContext.getInstance("TLS");
-            final HostCheckingTrustManager trustManager = new HostCheckingTrustManager(
-                    createTrustManagers(trustStoreManager),
-                    hostnameCheck
-            );
-            final X509TrustManager[] trustManagers = {
-                    trustManager
-            };
-            final X509KeyManager[] keyManagers = createKeyManagers(keyStoreManager);
-            clientContext.init(keyManagers, trustManagers, null);
-            final SSLEngine engine = peerEndpoint
-                    .map(it -> clientContext.createSSLEngine(it.getHost(), it.getPort()))
-                    .orElse(clientContext.createSSLEngine());
-            engine.setUseClientMode(true);
-            final SslContext context = SslContextBuilder.forClient()
-                    .keyManager(createKeyManagerFactory(keyStoreManager))
-                    .trustManager(trustManager)
-                    .build();
-            if (peerEndpoint.isPresent()) {
-                return ch -> {
-                    final Endpoint endpoint = peerEndpoint.get();
-                    return context.newHandler(ch.alloc(), endpoint.getHost(), endpoint.getPort());
-                };
-            } else {
-                return ch -> context.newHandler(ch.alloc());
-            }
+            final SslContext context = createClientSslContext(hostnameCheck, trustStoreManager, keyStoreManager);
+            return ch -> context.newHandler(ch.alloc(), peerEndpoint.getHost(), peerEndpoint.getPort());
         } catch (final NoSuchAlgorithmException | KeyManagementException | SSLException e) {
             throw new RuntimeException("Failed to initialize downstream SSL handler", e);
         }
     }
+
 }

proxybase/src/main/java/com/dajudge/proxybase/SslUtils.java

@@ -19,32 +19,36 @@
 
 import com.dajudge.proxybase.certs.KeyStoreManager;
 import com.dajudge.proxybase.certs.KeyStoreWrapper;
+import com.dajudge.proxybase.config.Endpoint;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslContextBuilder;
 
-import javax.net.ssl.KeyManagerFactory;
-import javax.net.ssl.TrustManagerFactory;
-import javax.net.ssl.X509KeyManager;
-import javax.net.ssl.X509TrustManager;
-import java.security.KeyStoreException;
-import java.security.NoSuchAlgorithmException;
-import java.security.UnrecoverableKeyException;
+import javax.net.ssl.*;
+import java.security.*;
 import java.util.Arrays;
+import java.util.List;
 import java.util.Optional;
 
+import static java.util.Arrays.asList;
+import static java.util.Arrays.stream;
 import static javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm;
 
 class SslUtils {
     static X509TrustManager[] createTrustManagers(final KeyStoreManager trustStoreManager) {
         return createTrustManagers(Optional.of(trustStoreManager));
     }
 
-    static X509TrustManager[] createTrustManagers(final Optional<KeyStoreManager> trustStoreManager) {
+    static X509TrustManager[] createTrustManagers(final Optional<? extends KeyStoreManager> trustStoreManager) {
         try {
+            final TrustManagerFactory factory = TrustManagerFactory.getInstance(getDefaultAlgorithm());
             if (!trustStoreManager.isPresent()) {
-                return new X509TrustManager[]{};
+                factory.init((KeyStore) null);
+                return stream(factory.getTrustManagers())
+                        .map(it -> (X509TrustManager) it)
+                        .toArray(X509TrustManager[]::new);
             }
-            final TrustManagerFactory factory = TrustManagerFactory.getInstance(getDefaultAlgorithm());
             factory.init(trustStoreManager.get().getKeyStore().getKeyStore());
-            return Arrays.stream(factory.getTrustManagers())
+            return stream(factory.getTrustManagers())
                     .filter(it -> it instanceof X509TrustManager)
                     .map(it -> (X509TrustManager) it)
                     .toArray(X509TrustManager[]::new);
@@ -57,17 +61,17 @@ static X509KeyManager[] createKeyManagers(final KeyStoreManager keyStoreManager)
         return createKeyManagers(Optional.of(keyStoreManager));
     }
 
-    static X509KeyManager[] createKeyManagers(final Optional<KeyStoreManager> keyStoreManager) {
+    static X509KeyManager[] createKeyManagers(final Optional<? extends KeyStoreManager> keyStoreManager) {
         if (!keyStoreManager.isPresent()) {
             return new X509KeyManager[]{};
         }
-        return Arrays.stream(createKeyManagerFactory(keyStoreManager).getKeyManagers())
+        return stream(createKeyManagerFactory(keyStoreManager).getKeyManagers())
                 .filter(it -> it instanceof X509KeyManager)
                 .map(it -> (X509KeyManager) it)
                 .toArray(X509KeyManager[]::new);
     }
 
-    public static KeyManagerFactory createKeyManagerFactory(final Optional<KeyStoreManager> keyStoreManager) {
+    static KeyManagerFactory createKeyManagerFactory(final Optional<? extends KeyStoreManager> keyStoreManager) {
         try {
             final KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
             if (keyStoreManager.isPresent()) {
@@ -82,4 +86,25 @@ public static KeyManagerFactory createKeyManagerFactory(final Optional<KeyStoreM
             throw new RuntimeException("Failed to setup key manager", e);
         }
     }
+
+    static SslContext createClientSslContext(
+            final HostnameCheck hostnameCheck,
+            final Optional<? extends KeyStoreManager> trustStoreManager,
+            final Optional<? extends KeyStoreManager> keyStoreManager
+    ) throws NoSuchAlgorithmException, KeyManagementException, SSLException {
+        final SSLContext clientContext = SSLContext.getInstance("TLS");
+        final HostCheckingTrustManager trustManager = new HostCheckingTrustManager(
+                createTrustManagers(trustStoreManager),
+                hostnameCheck
+        );
+        final X509TrustManager[] trustManagers = {
+                trustManager
+        };
+        final X509KeyManager[] keyManagers = createKeyManagers(keyStoreManager);
+        clientContext.init(keyManagers, trustManagers, null);
+        return SslContextBuilder.forClient()
+                .keyManager(createKeyManagerFactory(keyStoreManager))
+                .trustManager(trustManager)
+                .build();
+    }
 }

proxybase/src/main/java/com/dajudge/proxybase/certs/ReloadingKeyStoreManager.java

@@ -24,6 +24,7 @@
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
+import java.util.Optional;
 import java.util.concurrent.atomic.AtomicBoolean;
 import java.util.function.Supplier;
 
@@ -48,6 +49,14 @@ public ReloadingKeyStoreManager(
         this.updateIntervalMsecs = updateIntervalMsecs;
     }
 
+    public static Optional<ReloadingKeyStoreManager> createReloader(
+            final Optional<KeyStoreConfig> keystore,
+            final Supplier<Long> clock,
+            final Filesystem filesystem
+    ) {
+        return keystore.map(it -> createReloader(it, clock, filesystem));
+    }
+
     public static ReloadingKeyStoreManager createReloader(
             final KeyStoreConfig keystore,
             final Supplier<Long> clock,

proxybase/src/main/java/com/dajudge/proxybase/config/DownstreamSslConfig.java

@@ -22,12 +22,12 @@
 import java.util.Optional;
 
 public class DownstreamSslConfig {
-    private final KeyStoreConfig trustStore;
+    private final Optional<KeyStoreConfig> trustStore;
     private final Optional<KeyStoreConfig> keyStore;
     private final boolean hostnameVerificationEnabled;
 
     public DownstreamSslConfig(
-            final KeyStoreConfig trustStore,
+            final Optional<KeyStoreConfig> trustStore,
             final Optional<KeyStoreConfig> keyStore,
             final boolean hostnameVerificationEnabled
     ) {
@@ -36,7 +36,7 @@ public DownstreamSslConfig(
         this.hostnameVerificationEnabled = hostnameVerificationEnabled;
     }
 
-    public KeyStoreConfig getTrustStore() {
+    public Optional<KeyStoreConfig> getTrustStore() {
         return trustStore;
     }
 

proxybase/src/test/java/com/dajudge/proxybase/BaseProxyTest.java

@@ -123,17 +123,19 @@ protected void withProxy(
         withDownstreamServer(downstreamSslConfig, downstreamServer -> {
             final int port = freePort();
             try (final ProxyApplication ignored = new ProxyApplication(factory -> {
+                final Endpoint upstreamEndpoint = new Endpoint("127.0.0.1", port);
+                final Endpoint downstreamEndpoint = new Endpoint("127.0.0.1", downstreamServer.getLocalPort());
                 final ProxyChannelInitializer initializer = (upstreamChannel, downstreamChannel) -> {
                     upstreamChannel.pipeline()
                             .addLast(new RelayingChannelInboundHandler("downstream", downstreamChannel));
                     upstreamSslConfig.configureUpstreamPipeline(upstreamChannel.pipeline());
                     downstreamChannel.pipeline()
                             .addLast(new RelayingChannelInboundHandler("upstream", upstreamChannel));
-                    downstreamSslConfig.configureDownstreamPipeline(downstreamChannel.pipeline());
+                    downstreamSslConfig.configureDownstreamPipeline(downstreamChannel.pipeline(), downstreamEndpoint);
                 };
                 factory.createProxyChannel(
-                        new Endpoint("127.0.0.1", port),
-                        new Endpoint("127.0.0.1", downstreamServer.getLocalPort()),
+                        upstreamEndpoint,
+                        downstreamEndpoint,
                         initializer
                 );
             })) {

proxybase/src/test/java/com/dajudge/proxybase/DownstreamSslContextTest.java

@@ -0,0 +1,116 @@
+package com.dajudge.proxybase;
+
+import io.netty.bootstrap.Bootstrap;
+import io.netty.channel.*;
+import io.netty.channel.nio.NioEventLoopGroup;
+import io.netty.channel.socket.SocketChannel;
+import io.netty.channel.socket.nio.NioSocketChannel;
+import io.netty.handler.codec.DecoderException;
+import io.netty.handler.codec.http.*;
+import io.netty.handler.ssl.SslContext;
+import io.netty.handler.ssl.SslHandler;
+import org.junit.Test;
+
+import javax.net.ssl.SSLException;
+import java.security.KeyManagementException;
+import java.security.NoSuchAlgorithmException;
+import java.util.Optional;
+import java.util.concurrent.atomic.AtomicReference;
+import java.util.function.Function;
+
+import static com.dajudge.proxybase.HostnameCheck.NULL_VERIFIER;
+import static com.dajudge.proxybase.SslUtils.createClientSslContext;
+import static io.netty.buffer.Unpooled.EMPTY_BUFFER;
+import static io.netty.handler.codec.http.HttpMethod.GET;
+import static io.netty.handler.codec.http.HttpVersion.HTTP_1_1;
+import static org.junit.Assert.*;
+
+public class DownstreamSslContextTest {
+
+    @Test
+    public void default_accepts_valid_certificate() throws Throwable {
+        httpsGet("www.example.com", 443);
+    }
+
+    @Test(expected = DecoderException.class)
+    public void default_rejects_invalid_certificate() throws Throwable {
+        httpsGet("self-signed.badssl.com", 443);
+    }
+
+    private static void httpsGet(final String hostname, final int port) throws Throwable {
+        final Function<Channel, SslHandler> handlerFactory = chan -> createContext()
+                .newHandler(chan.alloc(), hostname, port);
+        httpGet(handlerFactory, hostname, port);
+    }
+
+    private static void httpGet(
+            final Function<Channel, SslHandler> sslHandlerFactory,
+            final String host,
+            final int port
+    ) throws Throwable {
+        final AtomicReference<Throwable> channelThrowable = new AtomicReference<>();
+        final ChannelHandler clientHandler = new SimpleChannelInboundHandler<HttpObject>() {
+            @Override
+            protected void channelRead0(final ChannelHandlerContext ctx, final HttpObject msg) {
+                if (msg instanceof HttpResponse) {
+                    final HttpResponse response = (HttpResponse) msg;
+                    assertEquals(200, response.status().code());
+                }
+                if (msg instanceof HttpContent) {
+                    final HttpContent content = (HttpContent) msg;
+                    if (content instanceof LastHttpContent) {
+                        ctx.close();
+                    }
+                }
+            }
+
+            @Override
+            public void exceptionCaught(final ChannelHandlerContext ctx, final Throwable cause) {
+                channelThrowable.set(cause);
+            }
+        };
+        final ChannelInitializer<SocketChannel> initializer = new ChannelInitializer<SocketChannel>() {
+            @Override
+            protected void initChannel(final SocketChannel ch) {
+                final ChannelPipeline p = ch.pipeline();
+                p.addLast(sslHandlerFactory.apply(ch));
+                p.addLast(new HttpClientCodec());
+                p.addLast(new HttpContentDecompressor());
+                p.addLast(clientHandler);
+            }
+        };
+        final EventLoopGroup group = new NioEventLoopGroup();
+        try {
+            final Channel ch = new Bootstrap()
+                    .group(group)
+                    .channel(NioSocketChannel.class)
+                    .handler(initializer)
+                    .connect(host, port)
+                    .sync()
+                    .channel();
+            final HttpRequest request = new DefaultFullHttpRequest(HTTP_1_1, GET, "/", EMPTY_BUFFER);
+            request.headers().set(HttpHeaderNames.HOST, host);
+            request.headers().set(HttpHeaderNames.CONNECTION, HttpHeaderValues.CLOSE);
+            ch.writeAndFlush(request);
+            ch.closeFuture().sync();
+        } finally {
+            group.shutdownGracefully();
+        }
+
+        if (channelThrowable.get() != null) {
+            throw channelThrowable.get();
+        }
+    }
+
+    private static SslContext createContext() {
+        try {
+            return createClientSslContext(
+                    NULL_VERIFIER,
+                    Optional.empty(),
+                    Optional.empty()
+            );
+        } catch (final NoSuchAlgorithmException | KeyManagementException | SSLException e) {
+            throw new RuntimeException(e);
+        }
+    }
+}