#128 Can now construct SSLContext using default keystore

Author: rjrudin

src/main/java/com/marklogic/client/ext/DatabaseClientConfig.java

@@ -17,14 +17,19 @@ public class DatabaseClientConfig {
 	private String username;
 	private String password;
 	private String database;
+
 	private SSLContext sslContext;
+	private String sslProtocol;
+	private String trustManagementAlgorithm;
 	private SSLHostnameVerifier sslHostnameVerifier;
+
 	private String certFile;
 	private String certPassword;
 	private String externalName;
 	private X509TrustManager trustManager;
 	private DatabaseClient.ConnectionType connectionType;
 
+
 	public DatabaseClientConfig() {
 	}
 
@@ -148,4 +153,20 @@ public DatabaseClient.ConnectionType getConnectionType() {
 	public void setConnectionType(DatabaseClient.ConnectionType connectionType) {
 		this.connectionType = connectionType;
 	}
+
+	public String getSslProtocol() {
+		return sslProtocol;
+	}
+
+	public void setSslProtocol(String sslProtocol) {
+		this.sslProtocol = sslProtocol;
+	}
+
+	public String getTrustManagementAlgorithm() {
+		return trustManagementAlgorithm;
+	}
+
+	public void setTrustManagementAlgorithm(String trustManagementAlgorithm) {
+		this.trustManagementAlgorithm = trustManagementAlgorithm;
+	}
 }

src/main/java/com/marklogic/client/ext/DefaultConfiguredDatabaseClientFactory.java

@@ -2,8 +2,8 @@
 
 import com.marklogic.client.DatabaseClient;
 import com.marklogic.client.DatabaseClientFactory;
-import com.marklogic.client.ext.ConfiguredDatabaseClientFactory;
-import com.marklogic.client.ext.DatabaseClientConfig;
+import com.marklogic.client.ext.ssl.SslConfig;
+import com.marklogic.client.ext.ssl.SslUtil;
 
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.X509TrustManager;
@@ -31,17 +31,17 @@ public DatabaseClient newDatabaseClient(DatabaseClientConfig config) {
 			securityContext = new DatabaseClientFactory.KerberosAuthContext(config.getExternalName());
 		} else if (SecurityContextType.NONE.equals(securityContextType)) {
 			securityContext = null;
-		}
-		else {
+		} else {
 			throw new IllegalArgumentException("Unsupported SecurityContextType: " + securityContextType);
 		}
 
 		if (securityContext != null) {
-			SSLContext sslContext = config.getSslContext();
-			DatabaseClientFactory.SSLHostnameVerifier verifier = config.getSslHostnameVerifier();
-			if (sslContext != null) {
-				securityContext = securityContext.withSSLContext(sslContext, config.getTrustManager());
+			final SslConfig sslConfig = determineSslConfig(config);
+			if (sslConfig != null) {
+				securityContext = securityContext.withSSLContext(sslConfig.getSslContext(), sslConfig.getTrustManager());
 			}
+
+			DatabaseClientFactory.SSLHostnameVerifier verifier = config.getSslHostnameVerifier();
 			if (verifier != null) {
 				securityContext = securityContext.withSSLHostnameVerifier(verifier);
 			}
@@ -62,8 +62,7 @@ public DatabaseClient newDatabaseClient(DatabaseClientConfig config) {
 				return DatabaseClientFactory.newClient(host, port, securityContext);
 			}
 			return DatabaseClientFactory.newClient(host, port, database, securityContext);
-		}
-		else {
+		} else {
 			if (securityContext == null) {
 				if (database == null) {
 					return DatabaseClientFactory.newClient(host, port, null, connectionType);
@@ -77,7 +76,6 @@ public DatabaseClient newDatabaseClient(DatabaseClientConfig config) {
 		}
 	}
 
-
 	protected DatabaseClientFactory.SecurityContext buildCertificateAuthContent(DatabaseClientConfig config) {
 		X509TrustManager trustManager = config.getTrustManager();
 
@@ -93,12 +91,23 @@ protected DatabaseClientFactory.SecurityContext buildCertificateAuthContent(Data
 			}
 		}
 
+		SslConfig sslConfig = determineSslConfig(config);
 		DatabaseClientFactory.SSLHostnameVerifier verifier = config.getSslHostnameVerifier();
+		return verifier != null ?
+			new DatabaseClientFactory.CertificateAuthContext(sslConfig.getSslContext(), verifier, sslConfig.getTrustManager()) :
+			new DatabaseClientFactory.CertificateAuthContext(sslConfig.getSslContext(), sslConfig.getTrustManager());
+	}
 
-		if (verifier != null) {
-			return new DatabaseClientFactory.CertificateAuthContext(config.getSslContext(), verifier, trustManager);
+	protected SslConfig determineSslConfig(DatabaseClientConfig config) {
+		SSLContext sslContext = config.getSslContext();
+		X509TrustManager trustManager = config.getTrustManager();
+		if (sslContext != null && trustManager != null) {
+			return new SslConfig(sslContext, trustManager);
 		}
 
-		return new DatabaseClientFactory.CertificateAuthContext(config.getSslContext(), trustManager);
+		final String protocol = config.getSslProtocol();
+		return protocol != null && protocol.trim().length() > 0 ?
+			SslUtil.configureUsingTrustManagerFactory(protocol, config.getTrustManagementAlgorithm()) :
+			null;
 	}
 }

src/main/java/com/marklogic/client/ext/modulesloader/ssl/SimpleX509TrustManager.java

@@ -1,5 +1,7 @@
 package com.marklogic.client.ext.modulesloader.ssl;
 
+import com.marklogic.client.ext.ssl.SslUtil;
+
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.X509TrustManager;
@@ -11,36 +13,36 @@
  */
 public class SimpleX509TrustManager implements X509TrustManager {
 
-    /**
-     * Factory method for creating a simple SSLContext that uses this class as its TrustManager.
-     *
-     * @return
-     */
-    public static SSLContext newSSLContext() {
-    	return newSSLContext("TLSv1.2");
-    }
+	/**
+	 * Factory method for creating a simple SSLContext that uses this class as its TrustManager.
+	 *
+	 * @return
+	 */
+	public static SSLContext newSSLContext() {
+		return newSSLContext(SslUtil.DEFAULT_SSL_PROTOCOL);
+	}
 
 	public static SSLContext newSSLContext(String protocol) {
 		try {
 			SSLContext sslContext = SSLContext.getInstance(protocol);
-			sslContext.init(null, new TrustManager[] { new SimpleX509TrustManager() }, null);
+			sslContext.init(null, new TrustManager[]{new SimpleX509TrustManager()}, null);
 			return sslContext;
 		} catch (Exception e) {
 			throw new RuntimeException(e);
 		}
 	}
 
-    @Override
-    public void checkClientTrusted(X509Certificate[] chain, String authType) {
-    }
+	@Override
+	public void checkClientTrusted(X509Certificate[] chain, String authType) {
+	}
 
-    @Override
-    public void checkServerTrusted(X509Certificate[] chain, String authType) {
-    }
+	@Override
+	public void checkServerTrusted(X509Certificate[] chain, String authType) {
+	}
 
-    @Override
-    public X509Certificate[] getAcceptedIssuers() {
-        return new X509Certificate[0];
-    }
+	@Override
+	public X509Certificate[] getAcceptedIssuers() {
+		return new X509Certificate[0];
+	}
 
 }

src/main/java/com/marklogic/client/ext/ssl/SslConfig.java

@@ -0,0 +1,27 @@
+package com.marklogic.client.ext.ssl;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.X509TrustManager;
+
+/**
+ * Captures the output of functions in SslUtil so that they can be easily used when constructing a DatabaseClient,
+ * which requires the X509TrustManager to be an input separate from the SSLContext.
+ */
+public class SslConfig {
+
+	private SSLContext sslContext;
+	private X509TrustManager trustManager;
+
+	public SslConfig(SSLContext sslContext, X509TrustManager trustManager) {
+		this.sslContext = sslContext;
+		this.trustManager = trustManager;
+	}
+
+	public SSLContext getSslContext() {
+		return sslContext;
+	}
+
+	public X509TrustManager getTrustManager() {
+		return trustManager;
+	}
+}

src/main/java/com/marklogic/client/ext/ssl/SslUtil.java

@@ -0,0 +1,80 @@
+package com.marklogic.client.ext.ssl;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
+import java.security.KeyManagementException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+
+public abstract class SslUtil {
+
+	public final static String DEFAULT_SSL_PROTOCOL = "TLSv1.2";
+
+	/**
+	 * Configure an SSLContext and X509TrustManager with TLSv1.2 as the default protocol and the default algorithm of
+	 * TrustManagerFactory.
+	 *
+	 * @return
+	 */
+	public static SslConfig configureUsingTrustManagerFactory() {
+		return configureUsingTrustManagerFactory(DEFAULT_SSL_PROTOCOL, null);
+	}
+
+	/**
+	 * Configure an SSLContext and X509TrustManager with the given inputs.
+	 *
+	 * @param protocol  the protocol to use when getting an instance of an SSLContext
+	 * @param algorithm an optional algorithm to use for getting an instance of TrustManagerFactory; if not specified,
+	 *                  the default algorithm of TrustManagerFactory is used
+	 * @return
+	 */
+	public static SslConfig configureUsingTrustManagerFactory(String protocol, String algorithm) {
+		SSLContext sslContext;
+		try {
+			sslContext = SSLContext.getInstance(protocol);
+		} catch (NoSuchAlgorithmException e) {
+			throw new RuntimeException("Unable to instantiate SSLContext with protocol: " + protocol + "; cause: " + e.getMessage(), e);
+		}
+
+		if (algorithm == null || algorithm.trim().length() < 1) {
+			algorithm = TrustManagerFactory.getDefaultAlgorithm();
+		}
+		TrustManagerFactory trustManagerFactory;
+		try {
+			trustManagerFactory = TrustManagerFactory.getInstance(algorithm);
+		} catch (NoSuchAlgorithmException e) {
+			throw new RuntimeException("Unable to instantiate TrustManagerFactory, cause: " + e.getMessage(), e);
+		}
+
+		try {
+			trustManagerFactory.init((KeyStore) null);
+		} catch (KeyStoreException e) {
+			throw new RuntimeException("Unable to initialize TrustManagerFactory, cause: " + e.getMessage(), e);
+		}
+
+		X509TrustManager x509TrustManager = null;
+		for (TrustManager tm : trustManagerFactory.getTrustManagers()) {
+			if (tm instanceof X509TrustManager) {
+				x509TrustManager = (X509TrustManager) tm;
+				break;
+			}
+		}
+		if (x509TrustManager == null) {
+			throw new RuntimeException("Could not initialize an SSLContext; unable to find an X509TrustManager in the " +
+				"TrustManagerFactory instantiated with algorithm: " + algorithm);
+		}
+
+		try {
+			sslContext.init(null, new TrustManager[]{x509TrustManager}, null);
+		} catch (KeyManagementException e) {
+			throw new RuntimeException("Unable to initialize SSLContext, cause: " + e.getMessage(), e);
+		}
+
+		return new SslConfig(sslContext, x509TrustManager);
+	}
+
+}
+

src/test/java/com/marklogic/client/ext/ssl/SslUtilTest.java

@@ -0,0 +1,47 @@
+package com.marklogic.client.ext.ssl;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import javax.net.ssl.SSLContext;
+import java.security.cert.X509Certificate;
+
+public class SslUtilTest extends Assert {
+
+	@Test
+	public void configureWithDefaults() {
+		SslConfig config = SslUtil.configureUsingTrustManagerFactory();
+		X509Certificate[] certs = config.getTrustManager().getAcceptedIssuers();
+		assertTrue(certs.length > 0);
+
+		SSLContext context = config.getSslContext();
+		assertEquals("TLSv1.2", context.getProtocol());
+	}
+
+	@Test
+	public void configureWithCustomProtocol() {
+		SslConfig config = SslUtil.configureUsingTrustManagerFactory("SSLv3", null);
+		assertEquals("SSLv3", config.getSslContext().getProtocol());
+	}
+
+	@Test
+	public void invalidProtocol() {
+		try {
+			SslUtil.configureUsingTrustManagerFactory("invalid", null);
+			fail("An exception should have been thrown due to an invalid SSL protocol being passed in");
+		} catch (Exception ex) {
+			System.out.println("Caught expected exception: " + ex.getMessage());
+		}
+	}
+
+	@Test
+	public void invalidAlgorithm() {
+		try {
+			SslUtil.configureUsingTrustManagerFactory("TLSv1.2", "invalid");
+			fail("An exception should have been thrown due to an invalid algorithm being passed in");
+		} catch (Exception ex) {
+			System.out.println("Caught expected exception: " + ex.getMessage());
+		}
+	}
+
+}