Skip to content

feat: support adding multiple certificates to the keystore #240

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
yndu13 merged 1 commit into from
Dec 24, 2024
Merged

feat: support adding multiple certificates to the keystore #240

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 39 additions & 4 deletions src/main/java/com/aliyun/tea/okhttp/OkHttpClientBuilder.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,13 +16,17 @@
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;

public class OkHttpClientBuilder {
private static final String charset = "UTF-8";
private final OkHttpClient.Builder builder;
public static final String PEM_BEGIN = "-----BEGIN CERTIFICATE-----";
public static final String PEM_END = "-----END CERTIFICATE-----";

public OkHttpClientBuilder() {
builder = new OkHttpClient().newBuilder();
Expand Down Expand Up @@ -84,6 +88,33 @@ public OkHttpClientBuilder connectionPool(Map<String, Object> map) {
return this;
}

private List<String> splitPemCertificates(String pemData) throws Exception {
List<String> certificates = new ArrayList<String>();

if (null != pemData && pemData.contains(PEM_BEGIN) && pemData.contains(PEM_END)) {
StringBuilder sb = null;
BufferedReader reader = new BufferedReader(new StringReader(pemData));

String line;
while ((line = reader.readLine()) != null) {
if (line.contains(PEM_BEGIN)) {
sb = new StringBuilder();
sb.append(PEM_BEGIN).append('\n');
} else if (null != sb && line.contains(PEM_END)) {
sb.append(PEM_END).append('\n');
certificates.add(sb.toString());
sb = null;
} else if (null != sb) {
sb.append(line).append('\n');
}
}
} else if (null != pemData) {
certificates.add(pemData);
}

return certificates;
}

public OkHttpClientBuilder certificate(Map<String, Object> map) {
try {
if (null != map.get("ignoreSSL") && Boolean.parseBoolean(String.valueOf(map.get("ignoreSSL")))) {
Expand All @@ -107,12 +138,16 @@ public OkHttpClientBuilder certificate(Map<String, Object> map) {
KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
trustStore.load(null);
String ca = String.valueOf(map.get("ca"));
List<String> pemCerts = splitPemCertificates(ca);
CertificateFactory certFactory = CertificateFactory.getInstance("X.509");
Certificate certificate;
try (InputStream is = new ByteArrayInputStream(ca.getBytes(charset))) {
certificate = certFactory.generateCertificate(is);
int certIndex = 0;
// Process each certificate and add to the keystore
for (String pemCert : pemCerts) {
try (InputStream is = new ByteArrayInputStream(pemCert.getBytes(charset))) {
Certificate certificate = certFactory.generateCertificate(is);
trustStore.setCertificateEntry("ca" + certIndex++, certificate);
}
}
trustStore.setCertificateEntry("server-ca", certificate);
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(trustStore);
X509TrustManager trustManager = (X509TrustManager) trustManagerFactory.getTrustManagers()[0];
Expand Down
8 changes: 8 additions & 0 deletions src/test/java/com/aliyun/tea/okhttp/OkHttpClientBuilderTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,14 @@ public void certificateTest() throws IOException {
Assert.assertTrue(e.getMessage().contains("Unable to initialize"));
}

map.put("ca", "-----BEGIN CERTIFICATE-----\nwrong ca-----END CERTIFICATE-----\n\n-----BEGIN CERTIFICATE-----\nwrong ca-----END CERTIFICATE-----");
try {
new OkHttpClientBuilder().certificate(map);
Assert.fail();
} catch (TeaException e) {
Assert.assertTrue(e.getMessage().contains("Unable to initialize"));
}

map.put("ca", null);
new OkHttpClientBuilder().certificate(map);
map.put("ca", "");
Expand Down