Code Monkey home page Code Monkey logo

Comments (4)

jchambers avatar jchambers commented on September 24, 2024

Sorry to hear that this has been a problem for you. Slipping in a breaking change was a mistake, and was not intentional; I should have caught it before shipping.

That said, I'm hesitant to make ApnsClientConfiguration public. Can you tell me more about your use case? Can you tell me more about the need for a "dynamic trust manager" or why the default cipher suite isn't appropriate for you?

from pushy.

lauredogit avatar lauredogit commented on September 24, 2024

So far, we were able to extend the ApnsClient to modify its behaviour.

Now that the constructor only accepts a package-private ApnsClientConfiguration instance, it's no longer the case.

We have IT security policies where some cipher suites are stongly recommended for example.

Regarding the dynamic trust manager, we can update trusted certificates for all our services from a central service, so for us, statically adding trusted certificates is not enough.

What we have acutally done is that we extended the ApnsClientBuilder to add the capability to configure a trust manager directly and then we simply modified the build() method to take this into account when constructing the SSLContext.

            } else if (this.trustedServerCertificates != null) {
                sslContextBuilder.trustManager(this.trustedServerCertificates);
            /*
              Customization for our project.
             */
            } else if (this.trustManager != null) {
                sslContextBuilder.trustManager(this.trustManager);
            }

            sslContext = sslContextBuilder.build();

Letting users set their own trust manager would equally solve this for us.

   /**
     * Customization for our project.
     */
    public ExtendedApnsClientBuilder setTrustManager(final TrustManager trustManager) {
        this.trustedServerCertificatePemFile = null;
        this.trustedServerCertificateInputStream = null;
        this.trustedServerCertificates = null;
        this.trustManager = trustManager;

        return this;
    }

from pushy.

jchambers avatar jchambers commented on September 24, 2024

Okay; thanks for the added context. Let me think on this a bit. I think this is fundamentally incompatible with some of what we're trying to do to get multi-credential clients in play, but maybe not.

I hesitate to expose TrustManager in the general case because (seemingly) the most common advice for "I am having certificate problems in Java" is "copy/paste this magic spell that creates a TrustManager that trusts everything."

Like I said, though: let me think about it and see what I can come up with.

from pushy.

lauredogit avatar lauredogit commented on September 24, 2024

We do have a magic TrustManager, which actually reloads trusted certificates from a central service, creating an in-memory KeyStore from them and instantiating a matching TrustManager every time there is a change.

Here's a generic example:

import java.io.IOException;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

import com.google.common.collect.ImmutableSet;

import org.jetbrains.annotations.NotNull;

/**
 * Dynamic {@link X509ExtendedTrustManager} which permits reloading trusted certificates provided by a cache of
 * certificates.
 * <p>
 * Staleness is determined by reference equality so the cache has to provide the same cached instance until it becomes
 * stale.
 */
public final class DynamicX509ExtendedTrustManager extends X509ExtendedTrustManager {

    static final class AtomicState {

        @NotNull
        private final ImmutableSet<X509Certificate> trustedCertificates;

        @NotNull
        private final X509ExtendedTrustManager trustManager;

        AtomicState(@NotNull ImmutableSet<X509Certificate> trustedCertificates) {
            this.trustedCertificates = trustedCertificates;
            trustManager = newTrustManager(this.trustedCertificates);
        }

        @SuppressWarnings("ReferenceEquality")
        boolean isStale(@NotNull ImmutableSet<X509Certificate> currentCertificates) {
            return trustedCertificates != currentCertificates;
        }

        @NotNull
        X509ExtendedTrustManager getTrustManager() {
            return trustManager;
        }
    }

    @NotNull
    static TrustManagerFactory newTrustManagerFactory(@NotNull Iterable<X509Certificate> trustedCertificates) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);

            int i = 0;
            for (final X509Certificate trustedCertificate : trustedCertificates) {
                String alias = Integer.toString(++i);
                keyStore.setCertificateEntry(alias, trustedCertificate);
            }

            // Set up trust manager factory to use our key store.
            TrustManagerFactory trustManagerFactory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

            trustManagerFactory.init(keyStore);

            return trustManagerFactory;
        } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException ex) {
            throw new IllegalStateException("Unable to create new TrustManagerFactory: " + ex, ex);
        }
    }

    @NotNull
    static X509ExtendedTrustManager newTrustManager(@NotNull Iterable<X509Certificate> trustedCertificates) {
        TrustManagerFactory trustManagerFactory = newTrustManagerFactory(trustedCertificates);
        return (X509ExtendedTrustManager) trustManagerFactory.getTrustManagers()[0];
    }

    @NotNull
    private final Supplier<ImmutableSet<X509Certificate>> cachedCertificateSupplier;

    @NotNull
    private final AtomicReference<AtomicState> stateRef = new AtomicReference<>(new AtomicState(ImmutableSet.of()));

    public DynamicX509ExtendedTrustManager(@NotNull Supplier<ImmutableSet<X509Certificate>> cachedCertificateSupplier) {
        this.cachedCertificateSupplier = cachedCertificateSupplier;
    }

    @NotNull
    private X509ExtendedTrustManager getTrustManager() {
        while (true) {
            AtomicState currentState = stateRef.get();
            ImmutableSet<X509Certificate> currentCertificates = cachedCertificateSupplier.get();
            if (!currentState.isStale(currentCertificates)) {
                return currentState.getTrustManager();
            }
            AtomicState updatedState = new AtomicState(currentCertificates);
            if (stateRef.compareAndSet(currentState, updatedState)) {
                return updatedState.getTrustManager();
            }
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String authType, Socket socket)
            throws CertificateException {
        getTrustManager().checkClientTrusted(x509Certificates, authType, socket);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String authType, Socket socket)
            throws CertificateException {
        getTrustManager().checkServerTrusted(x509Certificates, authType, socket);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String authType, SSLEngine sslEngine)
            throws CertificateException {
        getTrustManager().checkClientTrusted(x509Certificates, authType, sslEngine);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String authType, SSLEngine sslEngine)
            throws CertificateException {
        getTrustManager().checkServerTrusted(x509Certificates, authType, sslEngine);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String authType) throws CertificateException {
        getTrustManager().checkClientTrusted(x509Certificates, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String authType) throws CertificateException {
        getTrustManager().checkServerTrusted(x509Certificates, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return getTrustManager().getAcceptedIssuers();
    }
}

from pushy.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.