Comments (4)
Sorry to hear that this has been a problem for you. Slipping in a breaking change was a mistake, and was not intentional; I should have caught it before shipping.
That said, I'm hesitant to make ApnsClientConfiguration
public. Can you tell me more about your use case? Can you tell me more about the need for a "dynamic trust manager" or why the default cipher suite isn't appropriate for you?
from pushy.
So far, we were able to extend the ApnsClient to modify its behaviour.
Now that the constructor only accepts a package-private ApnsClientConfiguration instance, it's no longer the case.
We have IT security policies where some cipher suites are stongly recommended for example.
Regarding the dynamic trust manager, we can update trusted certificates for all our services from a central service, so for us, statically adding trusted certificates is not enough.
What we have acutally done is that we extended the ApnsClientBuilder to add the capability to configure a trust manager directly and then we simply modified the build() method to take this into account when constructing the SSLContext.
} else if (this.trustedServerCertificates != null) {
sslContextBuilder.trustManager(this.trustedServerCertificates);
/*
Customization for our project.
*/
} else if (this.trustManager != null) {
sslContextBuilder.trustManager(this.trustManager);
}
sslContext = sslContextBuilder.build();
Letting users set their own trust manager would equally solve this for us.
/**
* Customization for our project.
*/
public ExtendedApnsClientBuilder setTrustManager(final TrustManager trustManager) {
this.trustedServerCertificatePemFile = null;
this.trustedServerCertificateInputStream = null;
this.trustedServerCertificates = null;
this.trustManager = trustManager;
return this;
}
from pushy.
Okay; thanks for the added context. Let me think on this a bit. I think this is fundamentally incompatible with some of what we're trying to do to get multi-credential clients in play, but maybe not.
I hesitate to expose TrustManager
in the general case because (seemingly) the most common advice for "I am having certificate problems in Java" is "copy/paste this magic spell that creates a TrustManager
that trusts everything."
Like I said, though: let me think about it and see what I can come up with.
from pushy.
We do have a magic TrustManager, which actually reloads trusted certificates from a central service, creating an in-memory KeyStore from them and instantiating a matching TrustManager every time there is a change.
Here's a generic example:
import java.io.IOException;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import com.google.common.collect.ImmutableSet;
import org.jetbrains.annotations.NotNull;
/**
* Dynamic {@link X509ExtendedTrustManager} which permits reloading trusted certificates provided by a cache of
* certificates.
* <p>
* Staleness is determined by reference equality so the cache has to provide the same cached instance until it becomes
* stale.
*/
public final class DynamicX509ExtendedTrustManager extends X509ExtendedTrustManager {
static final class AtomicState {
@NotNull
private final ImmutableSet<X509Certificate> trustedCertificates;
@NotNull
private final X509ExtendedTrustManager trustManager;
AtomicState(@NotNull ImmutableSet<X509Certificate> trustedCertificates) {
this.trustedCertificates = trustedCertificates;
trustManager = newTrustManager(this.trustedCertificates);
}
@SuppressWarnings("ReferenceEquality")
boolean isStale(@NotNull ImmutableSet<X509Certificate> currentCertificates) {
return trustedCertificates != currentCertificates;
}
@NotNull
X509ExtendedTrustManager getTrustManager() {
return trustManager;
}
}
@NotNull
static TrustManagerFactory newTrustManagerFactory(@NotNull Iterable<X509Certificate> trustedCertificates) {
try {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null, null);
int i = 0;
for (final X509Certificate trustedCertificate : trustedCertificates) {
String alias = Integer.toString(++i);
keyStore.setCertificateEntry(alias, trustedCertificate);
}
// Set up trust manager factory to use our key store.
TrustManagerFactory trustManagerFactory =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
return trustManagerFactory;
} catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException ex) {
throw new IllegalStateException("Unable to create new TrustManagerFactory: " + ex, ex);
}
}
@NotNull
static X509ExtendedTrustManager newTrustManager(@NotNull Iterable<X509Certificate> trustedCertificates) {
TrustManagerFactory trustManagerFactory = newTrustManagerFactory(trustedCertificates);
return (X509ExtendedTrustManager) trustManagerFactory.getTrustManagers()[0];
}
@NotNull
private final Supplier<ImmutableSet<X509Certificate>> cachedCertificateSupplier;
@NotNull
private final AtomicReference<AtomicState> stateRef = new AtomicReference<>(new AtomicState(ImmutableSet.of()));
public DynamicX509ExtendedTrustManager(@NotNull Supplier<ImmutableSet<X509Certificate>> cachedCertificateSupplier) {
this.cachedCertificateSupplier = cachedCertificateSupplier;
}
@NotNull
private X509ExtendedTrustManager getTrustManager() {
while (true) {
AtomicState currentState = stateRef.get();
ImmutableSet<X509Certificate> currentCertificates = cachedCertificateSupplier.get();
if (!currentState.isStale(currentCertificates)) {
return currentState.getTrustManager();
}
AtomicState updatedState = new AtomicState(currentCertificates);
if (stateRef.compareAndSet(currentState, updatedState)) {
return updatedState.getTrustManager();
}
}
}
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String authType, Socket socket)
throws CertificateException {
getTrustManager().checkClientTrusted(x509Certificates, authType, socket);
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String authType, Socket socket)
throws CertificateException {
getTrustManager().checkServerTrusted(x509Certificates, authType, socket);
}
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String authType, SSLEngine sslEngine)
throws CertificateException {
getTrustManager().checkClientTrusted(x509Certificates, authType, sslEngine);
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String authType, SSLEngine sslEngine)
throws CertificateException {
getTrustManager().checkServerTrusted(x509Certificates, authType, sslEngine);
}
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String authType) throws CertificateException {
getTrustManager().checkClientTrusted(x509Certificates, authType);
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String authType) throws CertificateException {
getTrustManager().checkServerTrusted(x509Certificates, authType);
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return getTrustManager().getAcceptedIssuers();
}
}
from pushy.
Related Issues (20)
- I use Pushy to push the message,then I get "success=true",but the phone not responding HOT 2
- couple of Live Activity issues: stale-date is missing, and relevance-score can now have a value greater than 1.0 HOT 2
- Native SSL provider is available; will use native provider. HOT 4
- ApnsChannelPool java.io.IOException "Failed to create channel - Connection reset by peer" HOT 2
- Network is unreachable: `api.push.apple.com/2620:149:208:4308:0:0:0:a:443` HOT 13
- Missing "start" enumeration com.eatthepath.pushy.apns.util.LiveActivityEvent HOT 2
- add attributes-type and attributes to the payloadbuilder HOT 2
- Not able to use LiveActivityEvent class in the depenedcy HOT 2
- The issue of not being able to recognize PushType and DeliveryPriority from version 0.15.3 and onwards. HOT 1
- Connection exception occurred, but Pushy still used it HOT 2
- 如果连接时抛出 SslHandshakeTimeoutException 异常,那么 ApnsChannelPool pendingCreateChannelFutures 会一直被占有 HOT 7
- Wrong serialization of the object in JsonSerializer HOT 3
- Memory Leak HOT 1
- io.netty.handler.codec.http2.Http2Exception$StreamException: Stream closed before write could take place HOT 1
- Allow methods to not require passing a privateKeyPassword HOT 1
- 0.15.4 with jdk 8 error HOT 2
- UnknownHostException (Not caused by IPv6) jdk17 pushy 0.15.4 Dig can be resolved to. HOT 4
- How to implement VoIP Notification using Pushy HOT 4
- Request spending a long time when the certificate expires HOT 4
- Add support for broadcast push notifications
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from pushy.