DEVEXP-585 Can now configure 2-way SSL

Bumped the version to 6.4-SNAPSHOT as well so we can start using it in the Mule connector. 

The main value here is in TwoWaySSLTest, which can use these new properties instead of having to construct an SSLContext itself.

Author: rjrudin

gradle.properties

@@ -1,5 +1,5 @@
 group=com.marklogic
-version=6.3-SNAPSHOT
+version=6.4-SNAPSHOT
 describedName=MarkLogic Java Client API
 publishUrl=file:../marklogic-java/releases
 

marklogic-client-api/src/main/java/com/marklogic/client/DatabaseClientBuilder.java

@@ -259,6 +259,48 @@ public DatabaseClientBuilder withGzippedResponsesDisabled() {
 		props.put(PREFIX + "disableGzippedResponses", true);
 		return this;
 	}
+
+	/**
+	 * Enables 2-way SSL by creating an SSL context based on the given key store path.
+	 *
+	 * @param path
+	 * @return
+	 * @since 6.4.0
+	 */
+	public DatabaseClientBuilder withKeyStorePath(String path) {
+		props.put(PREFIX + "ssl.keystore.path", path);
+		return this;
+	}
+
+	/**
+	 * @param password optional password for a key store
+	 * @return
+	 * @since 6.4.0
+	 */
+	public DatabaseClientBuilder withKeyStorePassword(String password) {
+		props.put(PREFIX + "ssl.keystore.password", password);
+		return this;
+	}
+
+	/**
+	 * @param type e.g. "JKS"
+	 * @return
+	 * @since 6.4.0
+	 */
+	public DatabaseClientBuilder withKeyStoreType(String type) {
+		props.put(PREFIX + "ssl.keystore.type", type);
+		return this;
+	}
+
+	/**
+	 * @param algorithm e.g. "SunX509"
+	 * @return
+	 * @since 6.4.0
+	 */
+	public DatabaseClientBuilder withKeyStoreAlgorithm(String algorithm) {
+		props.put(PREFIX + "ssl.keystore.algorithm", algorithm);
+		return this;
+	}
 }
 
 

marklogic-client-api/src/main/java/com/marklogic/client/DatabaseClientFactory.java

@@ -1299,6 +1299,10 @@ public String getCertificatePassword() {
 	 *     a String with a value of either "any", "common", or "strict"</li>
 	 *     <li>marklogic.client.trustManager = must be an instance of {@code javax.net.ssl.X509TrustManager};
 	 *     if not specified and an SSL context is configured, an attempt will be made to use the JVM's default trust manager</li>
+	 *     <li>marklogic.client.ssl.keystore.path = must be a String; enables 2-way SSL if set; since 6.4.0.</li>
+	 *     <li>marklogic.client.ssl.keystore.password = must be a String; optional password for a key store; since 6.4.0.</li>
+	 *     <li>marklogic.client.ssl.keystore.type = must be a String; optional type for a key store, defaults to "JKS"; since 6.4.0.</li>
+	 *     <li>marklogic.client.ssl.keystore.algorithm = must be a String; optional algorithm for a key store, defaults to "SunX509"; since 6.4.0.</li>
 	 * </ol>
 	 *
 	 * @param propertySource

marklogic-client-api/src/main/java/com/marklogic/client/impl/DatabaseClientPropertySource.java

@@ -151,7 +151,7 @@ private DatabaseClientFactory.SecurityContext newSecurityContext() {
 		}
 		final String authType = (String) typeValue;
 
-		final SSLInputs sslInputs = buildSSLInputs(authType);
+		final SSLUtil.SSLInputs sslInputs = buildSSLInputs(authType);
 		DatabaseClientFactory.SecurityContext securityContext = newSecurityContext(authType, sslInputs);
 		if (sslInputs.getSslContext() != null) {
 			securityContext.withSSLContext(sslInputs.getSslContext(), sslInputs.getTrustManager());
@@ -160,7 +160,7 @@ private DatabaseClientFactory.SecurityContext newSecurityContext() {
 		return securityContext;
 	}
 
-	private DatabaseClientFactory.SecurityContext newSecurityContext(String type, SSLInputs sslInputs) {
+	private DatabaseClientFactory.SecurityContext newSecurityContext(String type, SSLUtil.SSLInputs sslInputs) {
 		switch (type.toLowerCase()) {
 			case DatabaseClientBuilder.AUTH_TYPE_BASIC:
 				return newBasicAuthContext();
@@ -188,11 +188,15 @@ private String getRequiredStringValue(String propertyName) {
 	}
 
 	private String getNullableStringValue(String propertyName) {
+		return getNullableStringValue(propertyName, null);
+	}
+
+	private String getNullableStringValue(String propertyName, String defaultValue) {
 		Object value = propertySource.apply(PREFIX + propertyName);
 		if (value != null && !(value instanceof String)) {
 			throw new IllegalArgumentException(propertyName + " must be of type String");
 		}
-		return (String) value;
+		return value != null ? (String) value : defaultValue;
 	}
 
 	private DatabaseClientFactory.SecurityContext newBasicAuthContext() {
@@ -221,7 +225,7 @@ private DatabaseClientFactory.SecurityContext newCloudAuthContext() {
 		return new DatabaseClientFactory.MarkLogicCloudAuthContext(apiKey, duration);
 	}
 
-	private DatabaseClientFactory.SecurityContext newCertificateAuthContext(SSLInputs sslInputs) {
+	private DatabaseClientFactory.SecurityContext newCertificateAuthContext(SSLUtil.SSLInputs sslInputs) {
 		String file = getNullableStringValue("certificate.file");
 		String password = getNullableStringValue("certificate.password");
 		if (file != null && file.trim().length() > 0) {
@@ -234,6 +238,9 @@ private DatabaseClientFactory.SecurityContext newCertificateAuthContext(SSLInput
 				throw new RuntimeException("Unable to create CertificateAuthContext; cause " + e.getMessage(), e);
 			}
 		}
+		if (sslInputs.getSslContext() == null) {
+			throw new RuntimeException("An SSLContext is required for certificate authentication.");
+		}
 		return new DatabaseClientFactory.CertificateAuthContext(sslInputs.getSslContext(), sslInputs.getTrustManager());
 	}
 
@@ -271,28 +278,34 @@ private DatabaseClientFactory.SSLHostnameVerifier determineHostnameVerifier() {
 	 *                 case the user does not define their own SSLContext or SSL protocol
 	 * @return
 	 */
-	private SSLInputs buildSSLInputs(String authType) {
+	private SSLUtil.SSLInputs buildSSLInputs(String authType) {
 		X509TrustManager userTrustManager = getTrustManager();
 
 		// Approach 1 - user provides an SSLContext object, in which case there's nothing further to check.
 		SSLContext sslContext = getSSLContext();
 		if (sslContext != null) {
-			return new SSLInputs(sslContext, userTrustManager);
+			return new SSLUtil.SSLInputs(sslContext, userTrustManager);
 		}
 
-		// Approaches 2 and 3 - user defines an SSL protocol.
-		// Approach 2 - "default" is a convenience for using the JVM's default SSLContext.
-		// Approach 3 - create a new SSLContext, and initialize it if the user-provided TrustManager is not null.
+		// Approach 2 - user wants two-way SSL via a keystore.
+		final String keyStorePath = getNullableStringValue("ssl.keystore.path");
+		if (keyStorePath != null && keyStorePath.trim().length() > 0) {
+			return useKeyStoreForTwoWaySSL(keyStorePath, userTrustManager);
+		}
+
+		// Approaches 3 and 4 - user defines an SSL protocol.
+		// Approach 3 - "default" is a convenience for using the JVM's default SSLContext.
+		// Approach 4 - create a new SSLContext, and initialize it if the user-provided TrustManager is not null.
 		final String sslProtocol = getSSLProtocol(authType);
 		if (sslProtocol != null) {
 			return "default".equalsIgnoreCase(sslProtocol) ?
 				useDefaultSSLContext(userTrustManager) :
 				useNewSSLContext(sslProtocol, userTrustManager);
 		}
 
-		// Approach 4 - still return the user-defined TrustManager as that may be needed for certificate authentication,
+		// Approach 5 - still return the user-defined TrustManager as that may be needed for certificate authentication,
 		// which has its own way of constructing an SSLContext from a PKCS12 file.
-		return new SSLInputs(null, userTrustManager);
+		return new SSLUtil.SSLInputs(null, userTrustManager);
 	}
 
 	private X509TrustManager getTrustManager() {
@@ -332,27 +345,36 @@ private String getSSLProtocol(String authType) {
 		return sslProtocol;
 	}
 
+	private SSLUtil.SSLInputs useKeyStoreForTwoWaySSL(String keyStorePath, X509TrustManager userTrustManager) {
+		final String password = getNullableStringValue("ssl.keystore.password");
+		final String keyStoreType = getNullableStringValue("ssl.keystore.type", "JKS");
+		final String algorithm = getNullableStringValue("ssl.keystore.algorithm", "SunX509");
+		final char[] charPassword = password != null ? password.toCharArray() : null;
+		final String sslProtocol = getNullableStringValue("sslProtocol", "TLSv1.2");
+		return SSLUtil.createSSLContextFromKeyStore(keyStorePath, charPassword, keyStoreType, algorithm, sslProtocol, userTrustManager);
+	}
+
 	/**
 	 * Uses the JVM's default SSLContext. Because OkHttp requires a separate TrustManager, this approach will either
 	 * user the user-provided TrustManager or it will assume that the JVM's default TrustManager should be used.
 	 */
-	private SSLInputs useDefaultSSLContext(X509TrustManager userTrustManager) {
+	private SSLUtil.SSLInputs useDefaultSSLContext(X509TrustManager userTrustManager) {
 		SSLContext sslContext;
 		try {
 			sslContext = SSLContext.getDefault();
 		} catch (NoSuchAlgorithmException e) {
 			throw new RuntimeException("Unable to obtain default SSLContext; cause: " + e.getMessage(), e);
 		}
 		X509TrustManager trustManager = userTrustManager != null ? userTrustManager : SSLUtil.getDefaultTrustManager();
-		return new SSLInputs(sslContext, trustManager);
+		return new SSLUtil.SSLInputs(sslContext, trustManager);
 	}
 
 	/**
 	 * Constructs a new SSLContext based on the given protocol (e.g. TLSv1.2). The SSLContext will be initialized if
 	 * the user's TrustManager is not null. Otherwise, OkHttpUtil will eventually initialize the SSLContext using the
 	 * JVM's default TrustManager.
 	 */
-	private SSLInputs useNewSSLContext(String sslProtocol, X509TrustManager userTrustManager) {
+	private SSLUtil.SSLInputs useNewSSLContext(String sslProtocol, X509TrustManager userTrustManager) {
 		SSLContext sslContext;
 		try {
 			sslContext = SSLContext.getInstance(sslProtocol);
@@ -368,27 +390,6 @@ private SSLInputs useNewSSLContext(String sslProtocol, X509TrustManager userTrus
 					sslProtocol, e.getMessage()), e);
 			}
 		}
-		return new SSLInputs(sslContext, userTrustManager);
-	}
-
-	/**
-	 * Captures the inputs provided by the caller that pertain to constructing an SSLContext.
-	 */
-	private static class SSLInputs {
-		private final SSLContext sslContext;
-		private final X509TrustManager trustManager;
-
-		public SSLInputs(SSLContext sslContext, X509TrustManager trustManager) {
-			this.sslContext = sslContext;
-			this.trustManager = trustManager;
-		}
-
-		public SSLContext getSslContext() {
-			return sslContext;
-		}
-
-		public X509TrustManager getTrustManager() {
-			return trustManager;
-		}
+		return new SSLUtil.SSLInputs(sslContext, userTrustManager);
 	}
 }