JAVA-2514: Enable configuration of a custom SSLContext

Author: jyemin

build.gradle

@@ -194,15 +194,15 @@ configure(subprojects.findAll { it.name != 'util' && it.name != 'mongo-java-driv
         maxParallelForks = 1
 
         systemProperties(
-                'org.mongodb.test.uri': System.getProperty('org.mongodb.test.uri', null),
+                'org.mongodb.test.uri': System.getProperty('org.mongodb.test.uri'),
                 'org.mongodb.useSocket': System.getProperty('org.mongodb.useSocket', 'false'),
                 'org.mongodb.disableAsync': System.getProperty('org.mongodb.disableAsync', 'false'),
                 'org.mongodb.async.type': System.getProperty('org.mongodb.async.type', 'nio2'),
 
-                'javax.net.ssl.trustStore': System.getProperty('javax.net.ssl.trustStore', "${System.getProperty('user.home')}/.keystore"),
-                'javax.net.ssl.keyStore': System.getProperty('javax.net.ssl.keyStore', "${System.getProperty('user.home')}/.keystore"),
-                'javax.net.ssl.keyStorePassword': System.getProperty('javax.net.ssl.keyStorePassword', 'changeit'),
-                'javax.net.ssl.trustStorePassword': System.getProperty('javax.net.ssl.trustStorePassword', 'changeit')
+                'javax.net.ssl.trustStore': System.getProperty('javax.net.ssl.trustStore'),
+                'javax.net.ssl.keyStore': System.getProperty('javax.net.ssl.keyStore'),
+                'javax.net.ssl.keyStorePassword': System.getProperty('javax.net.ssl.keyStorePassword'),
+                'javax.net.ssl.trustStorePassword': System.getProperty('javax.net.ssl.trustStorePassword')
         )
 
         if (project.buildingWith('ssl.enabled')) {

driver-core/src/main/com/mongodb/connection/SocketStreamFactory.java

@@ -16,11 +16,13 @@
 
 package com.mongodb.connection;
 
+import com.mongodb.MongoClientException;
 import com.mongodb.ServerAddress;
 import com.mongodb.internal.connection.PowerOfTwoBufferPool;
 
 import javax.net.SocketFactory;
-import javax.net.ssl.SSLSocketFactory;
+import javax.net.ssl.SSLContext;
+import java.security.NoSuchAlgorithmException;
 
 import static com.mongodb.assertions.Assertions.notNull;
 
@@ -64,7 +66,7 @@ public Stream create(final ServerAddress serverAddress) {
         if (socketFactory != null) {
             stream = new SocketStream(serverAddress, settings, sslSettings, socketFactory, bufferProvider);
         } else if (sslSettings.isEnabled()) {
-            stream = new SocketStream(serverAddress, settings, sslSettings, SSLSocketFactory.getDefault(), bufferProvider);
+            stream = new SocketStream(serverAddress, settings, sslSettings, getSslContext().getSocketFactory(), bufferProvider);
         } else if (System.getProperty("org.mongodb.useSocket", "false").equals("true")) {
             stream = new SocketStream(serverAddress, settings, sslSettings, SocketFactory.getDefault(), bufferProvider);
         } else {
@@ -74,4 +76,11 @@ public Stream create(final ServerAddress serverAddress) {
         return stream;
     }
 
+    private SSLContext getSslContext() {
+        try {
+            return (sslSettings.getContext() == null) ? SSLContext.getDefault() : sslSettings.getContext();
+        } catch (NoSuchAlgorithmException e) {
+            throw new MongoClientException("Unable to create default SSLContext", e);
+        }
+    }
 }

driver-core/src/main/com/mongodb/connection/SslSettings.java

@@ -21,6 +21,8 @@
 import com.mongodb.annotations.Immutable;
 import com.mongodb.annotations.NotThreadSafe;
 
+import javax.net.ssl.SSLContext;
+
 /**
  * Settings for connecting to MongoDB via SSL.
  *
@@ -30,6 +32,7 @@
 public class SslSettings {
     private final boolean enabled;
     private final boolean invalidHostNameAllowed;
+    private final SSLContext context;
 
     /**
      * Gets a Builder for creating a new SSLSettings instance.
@@ -47,6 +50,7 @@ public static Builder builder() {
     public static class Builder {
         private boolean enabled;
         private boolean invalidHostNameAllowed;
+        private SSLContext context;
 
         /**
          * Define whether SSL should be enabled.
@@ -71,6 +75,18 @@ public Builder invalidHostNameAllowed(final boolean invalidHostNameAllowed) {
             return this;
         }
 
+        /**
+         * Sets the SSLContext for use when SSL is enabled.
+         *
+         * @param context the SSLContext to use for connections.  Ignored if SSL is not enabled.
+         * @return this
+         * @since 3.5
+         */
+        public Builder context(final SSLContext context) {
+            this.context = context;
+            return this;
+        }
+
         /**
          * Take the settings from the given ConnectionString and set them in this builder.
          *
@@ -118,6 +134,18 @@ public boolean isInvalidHostNameAllowed() {
         return invalidHostNameAllowed;
     }
 
+    /**
+     * Gets the SSLContext configured for use with SSL connections.
+     *
+     * @return the SSLContext, which defaults to null if not configured.  In that case {@code SSLContext.getDefault()} will be used if SSL
+     * is enabled.
+     * @since 3.5
+     * @see SSLContext#getDefault()
+     */
+    public SSLContext getContext() {
+        return context;
+    }
+
     SslSettings(final Builder builder) {
         enabled = builder.enabled;
         invalidHostNameAllowed = builder.invalidHostNameAllowed;
@@ -126,6 +154,7 @@ public boolean isInvalidHostNameAllowed() {
                                              + "must run on Java 6, you must set the SslSettings.invalidHostNameAllowed property to "
                                              + "true");
         }
+        context = builder.context;
     }
 
     @Override
@@ -145,14 +174,14 @@ public boolean equals(final Object o) {
         if (invalidHostNameAllowed != that.invalidHostNameAllowed) {
             return false;
         }
-
-        return true;
+        return context != null ? context.equals(that.context) : that.context == null;
     }
 
     @Override
     public int hashCode() {
         int result = (enabled ? 1 : 0);
         result = 31 * result + (invalidHostNameAllowed ? 1 : 0);
+        result = 31 * result + (context != null ? context.hashCode() : 0);
         return result;
     }
 
@@ -161,6 +190,7 @@ public String toString() {
         return "SslSettings{"
                + "enabled=" + enabled
                + ", invalidHostNameAllowed=" + invalidHostNameAllowed
+               + ", context=" + context
                + '}';
     }
 }

driver-core/src/main/com/mongodb/connection/netty/NettyStream.java

@@ -16,6 +16,7 @@
 
 package com.mongodb.connection.netty;
 
+import com.mongodb.MongoClientException;
 import com.mongodb.MongoException;
 import com.mongodb.MongoInternalException;
 import com.mongodb.MongoInterruptedException;
@@ -49,6 +50,7 @@
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLParameters;
 import java.io.IOException;
+import java.security.NoSuchAlgorithmException;
 import java.util.Iterator;
 import java.util.LinkedList;
 import java.util.List;
@@ -121,7 +123,7 @@ public void openAsync(final AsyncCompletionHandler<Void> handler) {
             @Override
             public void initChannel(final SocketChannel ch) throws Exception {
                 if (sslSettings.isEnabled()) {
-                    SSLEngine engine = SSLContext.getDefault().createSSLEngine(address.getHost(), address.getPort());
+                    SSLEngine engine = getSslContext().createSSLEngine(address.getHost(), address.getPort());
                     engine.setUseClientMode(true);
                     SSLParameters sslParameters = engine.getSSLParameters();
                     enableSni(address, sslParameters);
@@ -308,6 +310,14 @@ public ByteBufAllocator getAllocator() {
         return allocator;
     }
 
+    private SSLContext getSslContext() {
+        try {
+            return (sslSettings.getContext() == null) ? SSLContext.getDefault() : sslSettings.getContext();
+        } catch (NoSuchAlgorithmException e) {
+            throw new MongoClientException("Unable to create default SSLContext", e);
+        }
+    }
+
     private class InboundBufferHandler extends SimpleChannelInboundHandler<io.netty.buffer.ByteBuf> {
         @Override
         protected void channelRead0(final ChannelHandlerContext ctx, final io.netty.buffer.ByteBuf buffer) throws Exception {

driver-core/src/test/unit/com/mongodb/connection/SslSettingsSpecification.groovy

@@ -21,6 +21,8 @@ import com.mongodb.MongoInternalException
 import spock.lang.IgnoreIf
 import spock.lang.Specification
 
+import javax.net.ssl.SSLContext
+
 import static com.mongodb.ClusterFixture.isNotAtLeastJava7
 import static com.mongodb.connection.SslSettings.builder
 
@@ -47,6 +49,16 @@ class SslSettingsSpecification extends Specification {
         builder().invalidHostNameAllowed(true).build().invalidHostNameAllowed
     }
 
+    def 'should default to null SSLContext'() {
+        expect:
+        builder().build().getContext() == null
+    }
+
+    def 'should set SSLContext'() {
+        expect:
+        builder().context(SSLContext.getDefault()).build().getContext() == SSLContext.getDefault()
+    }
+
     def 'should not allow invalid host name on Java 6'() {
         given:
         String javaVersion = System.getProperty('java.version')
@@ -96,15 +108,25 @@ class SslSettingsSpecification extends Specification {
         expect:
         builder().build() == builder().build()
         builder().build().hashCode() == builder().build().hashCode()
-        builder().enabled(true).invalidHostNameAllowed(true).build() == builder().enabled(true).invalidHostNameAllowed(true).build()
+        builder().enabled(true).invalidHostNameAllowed(true).build() ==
+                builder().enabled(true).invalidHostNameAllowed(true).build()
         builder().enabled(true).invalidHostNameAllowed(true).build().hashCode() ==
-        builder().enabled(true).invalidHostNameAllowed(true).build().hashCode()
+                builder().enabled(true).invalidHostNameAllowed(true).build().hashCode()
+        builder().enabled(true).invalidHostNameAllowed(true).context(SSLContext.getDefault()).build() ==
+                builder().enabled(true).invalidHostNameAllowed(true)
+                        .context(SSLContext.getDefault()).build()
+        builder().enabled(true).invalidHostNameAllowed(true)
+                .context(SSLContext.getDefault()).build().hashCode() ==
+                builder().enabled(true).invalidHostNameAllowed(true)
+                        .context(SSLContext.getDefault()).build().hashCode()
+
     }
 
     @IgnoreIf({ isNotAtLeastJava7() })
     def 'unequivalent settings should not be equal or have the same hash code'() {
         expect:
         builder().build() != builder().enabled(true).build()
         builder().build() != builder().invalidHostNameAllowed(true).build()
+        builder().build() != builder().context(SSLContext.getDefault()).build()
     }
 }

driver/src/main/com/mongodb/MongoClientOptions.java

@@ -29,6 +29,7 @@
 import org.bson.codecs.configuration.CodecRegistry;
 
 import javax.net.SocketFactory;
+import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSocketFactory;
 import java.nio.charset.Charset;
 import java.util.ArrayList;
@@ -74,6 +75,7 @@ public class MongoClientOptions {
     private final boolean socketKeepAlive;
     private final boolean sslEnabled;
     private final boolean sslInvalidHostNameAllowed;
+    private final SSLContext sslContext;
     private final boolean alwaysUseMBeans;
     private final int heartbeatFrequency;
     private final int minHeartbeatFrequency;
@@ -115,6 +117,7 @@ private MongoClientOptions(final Builder builder) {
         codecRegistry = builder.codecRegistry;
         sslEnabled = builder.sslEnabled;
         sslInvalidHostNameAllowed = builder.sslInvalidHostNameAllowed;
+        sslContext = builder.sslContext;
         alwaysUseMBeans = builder.alwaysUseMBeans;
         heartbeatFrequency = builder.heartbeatFrequency;
         minHeartbeatFrequency = builder.minHeartbeatFrequency;
@@ -169,6 +172,7 @@ private MongoClientOptions(final Builder builder) {
             sslSettings = SslSettings.builder()
                                      .enabled(sslEnabled)
                                      .invalidHostNameAllowed(sslInvalidHostNameAllowed)
+                                     .context(sslContext)
                                      .build();
         } catch (MongoInternalException e) {
             // The error message from SslSettings needs to be translated to make sense for users of MongoClientOptions
@@ -460,6 +464,16 @@ public boolean isSslInvalidHostNameAllowed() {
         return sslInvalidHostNameAllowed;
     }
 
+    /**
+     * Returns the SSLContext.  This property is ignored when either sslEnabled is false or socketFactory is non-null.
+     *
+     * @return the configured SSLContext, which may be null.  In that case {@code SSLContext.getDefault()} will be used when SSL is enabled.
+     * @since 3.5
+     */
+    public SSLContext getSslContext() {
+        return sslContext;
+    }
+
     /**
      * <p>The read preference to use for queries, map-reduce, aggregation, and count.</p>
      *
@@ -598,7 +612,7 @@ public SocketFactory getSocketFactory() {
         if (socketFactory != null) {
             return socketFactory;
         } else if (getSslSettings().isEnabled()) {
-            return DEFAULT_SSL_SOCKET_FACTORY;
+            return sslContext == null ? DEFAULT_SSL_SOCKET_FACTORY : sslContext.getSocketFactory();
         } else {
             return DEFAULT_SOCKET_FACTORY;
         }
@@ -703,6 +717,9 @@ public boolean equals(final Object o) {
         if (sslInvalidHostNameAllowed != that.sslInvalidHostNameAllowed) {
             return false;
         }
+        if (sslContext != null ? !sslContext.equals(that.sslContext) : that.sslContext != null) {
+            return false;
+        }
         if (threadsAllowedToBlockForConnectionMultiplier != that.threadsAllowedToBlockForConnectionMultiplier) {
             return false;
         }
@@ -777,6 +794,7 @@ public int hashCode() {
         result = 31 * result + (socketKeepAlive ? 1 : 0);
         result = 31 * result + (sslEnabled ? 1 : 0);
         result = 31 * result + (sslInvalidHostNameAllowed ? 1 : 0);
+        result = 31 * result + (sslContext != null ? sslContext.hashCode() : 0);
         result = 31 * result + (alwaysUseMBeans ? 1 : 0);
         result = 31 * result + heartbeatFrequency;
         result = 31 * result + minHeartbeatFrequency;
@@ -816,6 +834,7 @@ public String toString() {
                + ", socketKeepAlive=" + socketKeepAlive
                + ", sslEnabled=" + sslEnabled
                + ", sslInvalidHostNamesAllowed=" + sslInvalidHostNameAllowed
+               + ", sslContext=" + sslContext
                + ", alwaysUseMBeans=" + alwaysUseMBeans
                + ", heartbeatFrequency=" + heartbeatFrequency
                + ", minHeartbeatFrequency=" + minHeartbeatFrequency
@@ -864,6 +883,7 @@ public static class Builder {
         private boolean socketKeepAlive = false;
         private boolean sslEnabled = false;
         private boolean sslInvalidHostNameAllowed = false;
+        private SSLContext sslContext;
         private boolean alwaysUseMBeans = false;
 
         private int heartbeatFrequency = 10000;
@@ -913,6 +933,7 @@ public Builder(final MongoClientOptions options) {
             codecRegistry = options.getCodecRegistry();
             sslEnabled = options.isSslEnabled();
             sslInvalidHostNameAllowed = options.isSslInvalidHostNameAllowed();
+            sslContext = options.getSslContext();
             alwaysUseMBeans = options.isAlwaysUseMBeans();
             heartbeatFrequency = options.getHeartbeatFrequency();
             minHeartbeatFrequency = options.getMinHeartbeatFrequency();
@@ -1135,6 +1156,18 @@ public Builder sslInvalidHostNameAllowed(final boolean sslInvalidHostNameAllowed
             return this;
         }
 
+        /**
+         * Sets the SSLContext to be used with SSL is enabled.  This property is ignored when either sslEnabled is false or socketFactory is
+         * non-null.
+         *
+         * @param sslContext the SSLContext to be used for SSL connections
+         * @return {@code this}
+         * @since 3.5
+         */
+        public Builder sslContext(final SSLContext sslContext) {
+            this.sslContext = sslContext;
+            return this;
+        }
 
         /**
          * Sets the read preference.