This is an automated email from the ASF dual-hosted git repository. davsclaus pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/camel.git
commit f98222800dd4cea345873d3c868737e157170d50 Author: Saravanakumar Selvaraj <[email protected]> AuthorDate: Wed Oct 16 02:53:53 2024 +0530 CAMEL-21128: camel-core - Add trust all certificate for easier TLS/SSL development Please review the PR for CAMEL-21128 --- .../main/camel-main-configuration-metadata.json | 1 + .../camel/component/vertx/common/VertxHelper.java | 282 +++++++++++---------- .../camel/support/jsse/TrustAllTrustManager.java | 59 +++++ .../main/SSLConfigurationPropertiesConfigurer.java | 7 + .../camel-main-configuration-metadata.json | 1 + core/camel-main/src/main/docs/main.adoc | 1 + .../org/apache/camel/main/BaseMainSupport.java | 8 +- .../camel/main/SSLConfigurationProperties.java | 25 ++ .../java/org/apache/camel/main/MainSSLTest.java | 36 +++ 9 files changed, 282 insertions(+), 138 deletions(-) diff --git a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/camel-main-configuration-metadata.json b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/camel-main-configuration-metadata.json index caa7c733bca..934f069bb93 100644 --- a/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/camel-main-configuration-metadata.json +++ b/catalog/camel-catalog/src/generated/resources/org/apache/camel/catalog/main/camel-main-configuration-metadata.json @@ -300,6 +300,7 @@ { "name": "camel.ssl.secureRandomProvider", "description": "To use a specific provider for creating SecureRandom. The list of available providers returned by java.security.Security.getProviders() or null to use the highest priority provider implementing the secure socket protocol.", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": "string", "javaType": "java.lang.String" }, { "name": "camel.ssl.secureSocketProtocol", "description": "The protocol for the secure sockets created by the SSLContext. See https:\/\/docs.oracle.com\/en\/java\/javase\/17\/docs\/specs\/security\/standard-names.html", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": "string", "javaType": "java.lang.String", "defaultValue": "TLSv1.3" }, { "name": "camel.ssl.sessionTimeout", "description": "Timeout in seconds to use for SSLContext. The default is 24 hours.", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": "integer", "javaType": "int", "defaultValue": 86400 }, + { "name": "camel.ssl.trustAllCertificates", "description": "Allows to trust all SSL certificates without performing certificate validation. This can be used in development environment but may expose the system to security risks. Notice that if the trustAllCertificates option is set to true then the trustStore\/trustStorePassword options are not in use..", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": "boolean", "javaType": "boolean", "defaultValue": "false" }, { "name": "camel.ssl.trustStore", "description": "The trust store to load. The trust store is by default loaded from classpath. If you must load from file system, then use file: as prefix. file:nameOfFile (to refer to the file system) classpath:nameOfFile (to refer to the classpath; default) http:uri (to load the resource using HTTP) ref:nameOfBean (to lookup an existing KeyStore instance from the registry, for example for testing and development).", "sourceType": "org.apache.camel.m [...] { "name": "camel.ssl.trustStorePassword", "description": "Sets the SSL Truststore password.", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": "string", "javaType": "java.lang.String" }, { "name": "camel.threadpool.allowCoreThreadTimeOut", "description": "Sets default whether to allow core threads to timeout", "sourceType": "org.apache.camel.main.ThreadPoolConfigurationProperties", "type": "boolean", "javaType": "java.lang.Boolean", "defaultValue": "false" }, diff --git a/components/camel-vertx/camel-vertx-common/src/main/java/org/apache/camel/component/vertx/common/VertxHelper.java b/components/camel-vertx/camel-vertx-common/src/main/java/org/apache/camel/component/vertx/common/VertxHelper.java index 357173d3c72..6c68675817c 100644 --- a/components/camel-vertx/camel-vertx-common/src/main/java/org/apache/camel/component/vertx/common/VertxHelper.java +++ b/components/camel-vertx/camel-vertx-common/src/main/java/org/apache/camel/component/vertx/common/VertxHelper.java @@ -1,137 +1,145 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.camel.component.vertx.common; - -import java.security.KeyStore; - -import javax.net.ssl.KeyManagerFactory; -import javax.net.ssl.TrustManagerFactory; - -import io.vertx.core.net.TCPSSLOptions; -import org.apache.camel.CamelContext; -import org.apache.camel.support.jsse.KeyManagersParameters; -import org.apache.camel.support.jsse.SSLContextParameters; -import org.apache.camel.support.jsse.TrustManagersParameters; - -public final class VertxHelper { - - private VertxHelper() { - // Utility class - } - - /** - * Configures key store and trust store options for the given TCPSSLOptions from the configuration specified on - * SSLContextParameters - * - * @param camelContext the CamelContext - * @param sslContextParameters the SSL configuration to use for the KeyManagerFactory & TrustManagerFactory - * @param tcpsslOptions the TCPSSLOptions instance to configure - */ - public static void setupSSLOptions( - CamelContext camelContext, SSLContextParameters sslContextParameters, TCPSSLOptions tcpsslOptions) - throws Exception { - - if (camelContext == null) { - throw new IllegalArgumentException("camelContext cannot be null"); - } - - if (sslContextParameters == null) { - throw new IllegalArgumentException("sslContextParameters cannot be null"); - } - - if (tcpsslOptions == null) { - throw new IllegalArgumentException("tcpsslOptions cannot be null"); - } - - tcpsslOptions.setSsl(true); - - KeyManagerFactory keyManagerFactory = createKeyManagerFactory(camelContext, sslContextParameters); - tcpsslOptions.setKeyCertOptions(new KeyManagerFactoryOptions(keyManagerFactory)); - - TrustManagerFactory trustManagerFactory = createTrustManagerFactory(camelContext, sslContextParameters); - tcpsslOptions.setTrustOptions(new TrustManagerFactoryOptions(trustManagerFactory)); - } - - private static KeyManagerFactory createKeyManagerFactory( - CamelContext camelContext, SSLContextParameters sslContextParameters) - throws Exception { - final KeyManagersParameters keyManagers = sslContextParameters.getKeyManagers(); - if (keyManagers == null) { - return null; - } - keyManagers.setCamelContext(camelContext); - if (keyManagers.getKeyStore() != null) { - keyManagers.getKeyStore().setCamelContext(camelContext); - } - - String kmfAlgorithm = camelContext.resolvePropertyPlaceholders(keyManagers.getAlgorithm()); - if (kmfAlgorithm == null) { - kmfAlgorithm = KeyManagerFactory.getDefaultAlgorithm(); - } - - KeyManagerFactory kmf; - if (keyManagers.getProvider() == null) { - kmf = KeyManagerFactory.getInstance(kmfAlgorithm); - } else { - kmf = KeyManagerFactory.getInstance(kmfAlgorithm, - camelContext.resolvePropertyPlaceholders(keyManagers.getProvider())); - } - - char[] kmfPassword = null; - if (keyManagers.getKeyPassword() != null) { - kmfPassword = camelContext.resolvePropertyPlaceholders(keyManagers.getKeyPassword()).toCharArray(); - } - - KeyStore ks = keyManagers.getKeyStore() == null ? null : keyManagers.getKeyStore().createKeyStore(); - - kmf.init(ks, kmfPassword); - return kmf; - } - - private static TrustManagerFactory createTrustManagerFactory( - CamelContext camelContext, SSLContextParameters sslContextParameters) - throws Exception { - final TrustManagersParameters trustManagers = sslContextParameters.getTrustManagers(); - if (trustManagers == null) { - return null; - } - trustManagers.setCamelContext(camelContext); - if (trustManagers.getKeyStore() != null) { - trustManagers.getKeyStore().setCamelContext(camelContext); - } - - TrustManagerFactory tmf = null; - - if (trustManagers.getKeyStore() != null) { - String tmfAlgorithm = camelContext.resolvePropertyPlaceholders(trustManagers.getAlgorithm()); - if (tmfAlgorithm == null) { - tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); - } - - if (trustManagers.getProvider() == null) { - tmf = TrustManagerFactory.getInstance(tmfAlgorithm); - } else { - tmf = TrustManagerFactory.getInstance(tmfAlgorithm, - camelContext.resolvePropertyPlaceholders(trustManagers.getProvider())); - } - - KeyStore ks = trustManagers.getKeyStore() == null ? null : trustManagers.getKeyStore().createKeyStore(); - tmf.init(ks); - } - return tmf; - } -} +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.component.vertx.common; + +import java.security.KeyStore; + +import javax.net.ssl.KeyManagerFactory; +import javax.net.ssl.TrustManagerFactory; + +import io.vertx.core.net.TCPSSLOptions; +import io.vertx.core.net.TrustOptions; +import org.apache.camel.CamelContext; +import org.apache.camel.support.jsse.KeyManagersParameters; +import org.apache.camel.support.jsse.SSLContextParameters; +import org.apache.camel.support.jsse.TrustAllTrustManager; +import org.apache.camel.support.jsse.TrustManagersParameters; + +public final class VertxHelper { + + private VertxHelper() { + // Utility class + } + + /** + * Configures key store and trust store options for the given TCPSSLOptions from the configuration specified on + * SSLContextParameters + * + * @param camelContext the CamelContext + * @param sslContextParameters the SSL configuration to use for the KeyManagerFactory & TrustManagerFactory + * @param tcpsslOptions the TCPSSLOptions instance to configure + */ + public static void setupSSLOptions( + CamelContext camelContext, SSLContextParameters sslContextParameters, TCPSSLOptions tcpsslOptions) + throws Exception { + + if (camelContext == null) { + throw new IllegalArgumentException("camelContext cannot be null"); + } + + if (sslContextParameters == null) { + throw new IllegalArgumentException("sslContextParameters cannot be null"); + } + + if (tcpsslOptions == null) { + throw new IllegalArgumentException("tcpsslOptions cannot be null"); + } + + tcpsslOptions.setSsl(true); + + KeyManagerFactory keyManagerFactory = createKeyManagerFactory(camelContext, sslContextParameters); + tcpsslOptions.setKeyCertOptions(new KeyManagerFactoryOptions(keyManagerFactory)); + + TrustManagerFactory trustManagerFactory = createTrustManagerFactory(camelContext, sslContextParameters); + tcpsslOptions.setTrustOptions(new TrustManagerFactoryOptions(trustManagerFactory)); + + if (sslContextParameters.getTrustManagers() != null && + sslContextParameters.getTrustManagers().getTrustManager() == TrustAllTrustManager.INSTANCE) { + tcpsslOptions.setTrustOptions(TrustOptions.wrap(TrustAllTrustManager.INSTANCE)); + } + + } + + private static KeyManagerFactory createKeyManagerFactory( + CamelContext camelContext, SSLContextParameters sslContextParameters) + throws Exception { + final KeyManagersParameters keyManagers = sslContextParameters.getKeyManagers(); + if (keyManagers == null) { + return null; + } + keyManagers.setCamelContext(camelContext); + if (keyManagers.getKeyStore() != null) { + keyManagers.getKeyStore().setCamelContext(camelContext); + } + + String kmfAlgorithm = camelContext.resolvePropertyPlaceholders(keyManagers.getAlgorithm()); + if (kmfAlgorithm == null) { + kmfAlgorithm = KeyManagerFactory.getDefaultAlgorithm(); + } + + KeyManagerFactory kmf; + if (keyManagers.getProvider() == null) { + kmf = KeyManagerFactory.getInstance(kmfAlgorithm); + } else { + kmf = KeyManagerFactory.getInstance(kmfAlgorithm, + camelContext.resolvePropertyPlaceholders(keyManagers.getProvider())); + } + + char[] kmfPassword = null; + if (keyManagers.getKeyPassword() != null) { + kmfPassword = camelContext.resolvePropertyPlaceholders(keyManagers.getKeyPassword()).toCharArray(); + } + + KeyStore ks = keyManagers.getKeyStore() == null ? null : keyManagers.getKeyStore().createKeyStore(); + + kmf.init(ks, kmfPassword); + return kmf; + } + + private static TrustManagerFactory createTrustManagerFactory( + CamelContext camelContext, SSLContextParameters sslContextParameters) + throws Exception { + final TrustManagersParameters trustManagers = sslContextParameters.getTrustManagers(); + if (trustManagers == null) { + return null; + } + trustManagers.setCamelContext(camelContext); + if (trustManagers.getKeyStore() != null) { + trustManagers.getKeyStore().setCamelContext(camelContext); + } + + TrustManagerFactory tmf = null; + + if (trustManagers.getKeyStore() != null) { + String tmfAlgorithm = camelContext.resolvePropertyPlaceholders(trustManagers.getAlgorithm()); + if (tmfAlgorithm == null) { + tmfAlgorithm = TrustManagerFactory.getDefaultAlgorithm(); + } + + if (trustManagers.getProvider() == null) { + tmf = TrustManagerFactory.getInstance(tmfAlgorithm); + } else { + tmf = TrustManagerFactory.getInstance(tmfAlgorithm, + camelContext.resolvePropertyPlaceholders(trustManagers.getProvider())); + } + + KeyStore ks = trustManagers.getKeyStore() == null ? null : trustManagers.getKeyStore().createKeyStore(); + tmf.init(ks); + } + return tmf; + } +} diff --git a/core/camel-api/src/main/java/org/apache/camel/support/jsse/TrustAllTrustManager.java b/core/camel-api/src/main/java/org/apache/camel/support/jsse/TrustAllTrustManager.java new file mode 100644 index 00000000000..bdce9ee26d3 --- /dev/null +++ b/core/camel-api/src/main/java/org/apache/camel/support/jsse/TrustAllTrustManager.java @@ -0,0 +1,59 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.camel.support.jsse; + +import java.security.cert.X509Certificate; + +import javax.net.ssl.X509TrustManager; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +/** + * A TrustManager that accepts all X509 certificates without any validation. + * + * <p> + * WARNING: This implementation should only be used in a controlled environment, such as testing or development, as it + * completely bypasses SSL certificate verification. Using this in production can expose the application to + * man-in-the-middle attacks. + * </p> + */ +public class TrustAllTrustManager implements X509TrustManager { + + private static final Logger LOG = LoggerFactory.getLogger(TrustAllTrustManager.class); + + public static TrustAllTrustManager INSTANCE = new TrustAllTrustManager(); + + private TrustAllTrustManager() { + } + + @Override + public void checkClientTrusted(X509Certificate[] certs, String authType) { + LOG.warn("Trusting client certificate: {}", certs); + } + + @Override + public void checkServerTrusted(X509Certificate[] certs, String authType) { + LOG.warn("Trusting server certificate: {}", certs); + } + + @Override + public X509Certificate[] getAcceptedIssuers() { + return new X509Certificate[0]; + } + +} diff --git a/core/camel-main/src/generated/java/org/apache/camel/main/SSLConfigurationPropertiesConfigurer.java b/core/camel-main/src/generated/java/org/apache/camel/main/SSLConfigurationPropertiesConfigurer.java index b2ea32ad8df..7659588cf01 100644 --- a/core/camel-main/src/generated/java/org/apache/camel/main/SSLConfigurationPropertiesConfigurer.java +++ b/core/camel-main/src/generated/java/org/apache/camel/main/SSLConfigurationPropertiesConfigurer.java @@ -39,6 +39,7 @@ public class SSLConfigurationPropertiesConfigurer extends org.apache.camel.suppo map.put("SecureRandomProvider", java.lang.String.class); map.put("SecureSocketProtocol", java.lang.String.class); map.put("SessionTimeout", int.class); + map.put("TrustAllCertificates", boolean.class); map.put("TrustStore", java.lang.String.class); map.put("TrustStorePassword", java.lang.String.class); ALL_OPTIONS = map; @@ -81,6 +82,8 @@ public class SSLConfigurationPropertiesConfigurer extends org.apache.camel.suppo case "secureSocketProtocol": target.setSecureSocketProtocol(property(camelContext, java.lang.String.class, value)); return true; case "sessiontimeout": case "sessionTimeout": target.setSessionTimeout(property(camelContext, int.class, value)); return true; + case "trustallcertificates": + case "trustAllCertificates": target.setTrustAllCertificates(property(camelContext, boolean.class, value)); return true; case "truststore": case "trustStore": target.setTrustStore(property(camelContext, java.lang.String.class, value)); return true; case "truststorepassword": @@ -133,6 +136,8 @@ public class SSLConfigurationPropertiesConfigurer extends org.apache.camel.suppo case "secureSocketProtocol": return java.lang.String.class; case "sessiontimeout": case "sessionTimeout": return int.class; + case "trustallcertificates": + case "trustAllCertificates": return boolean.class; case "truststore": case "trustStore": return java.lang.String.class; case "truststorepassword": @@ -177,6 +182,8 @@ public class SSLConfigurationPropertiesConfigurer extends org.apache.camel.suppo case "secureSocketProtocol": return target.getSecureSocketProtocol(); case "sessiontimeout": case "sessionTimeout": return target.getSessionTimeout(); + case "trustallcertificates": + case "trustAllCertificates": return target.isTrustAllCertificates(); case "truststore": case "trustStore": return target.getTrustStore(); case "truststorepassword": diff --git a/core/camel-main/src/generated/resources/META-INF/camel-main-configuration-metadata.json b/core/camel-main/src/generated/resources/META-INF/camel-main-configuration-metadata.json index caa7c733bca..934f069bb93 100644 --- a/core/camel-main/src/generated/resources/META-INF/camel-main-configuration-metadata.json +++ b/core/camel-main/src/generated/resources/META-INF/camel-main-configuration-metadata.json @@ -300,6 +300,7 @@ { "name": "camel.ssl.secureRandomProvider", "description": "To use a specific provider for creating SecureRandom. The list of available providers returned by java.security.Security.getProviders() or null to use the highest priority provider implementing the secure socket protocol.", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": "string", "javaType": "java.lang.String" }, { "name": "camel.ssl.secureSocketProtocol", "description": "The protocol for the secure sockets created by the SSLContext. See https:\/\/docs.oracle.com\/en\/java\/javase\/17\/docs\/specs\/security\/standard-names.html", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": "string", "javaType": "java.lang.String", "defaultValue": "TLSv1.3" }, { "name": "camel.ssl.sessionTimeout", "description": "Timeout in seconds to use for SSLContext. The default is 24 hours.", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": "integer", "javaType": "int", "defaultValue": 86400 }, + { "name": "camel.ssl.trustAllCertificates", "description": "Allows to trust all SSL certificates without performing certificate validation. This can be used in development environment but may expose the system to security risks. Notice that if the trustAllCertificates option is set to true then the trustStore\/trustStorePassword options are not in use..", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": "boolean", "javaType": "boolean", "defaultValue": "false" }, { "name": "camel.ssl.trustStore", "description": "The trust store to load. The trust store is by default loaded from classpath. If you must load from file system, then use file: as prefix. file:nameOfFile (to refer to the file system) classpath:nameOfFile (to refer to the classpath; default) http:uri (to load the resource using HTTP) ref:nameOfBean (to lookup an existing KeyStore instance from the registry, for example for testing and development).", "sourceType": "org.apache.camel.m [...] { "name": "camel.ssl.trustStorePassword", "description": "Sets the SSL Truststore password.", "sourceType": "org.apache.camel.main.SSLConfigurationProperties", "type": "string", "javaType": "java.lang.String" }, { "name": "camel.threadpool.allowCoreThreadTimeOut", "description": "Sets default whether to allow core threads to timeout", "sourceType": "org.apache.camel.main.ThreadPoolConfigurationProperties", "type": "boolean", "javaType": "java.lang.Boolean", "defaultValue": "false" }, diff --git a/core/camel-main/src/main/docs/main.adoc b/core/camel-main/src/main/docs/main.adoc index d9c7e718d9e..8113596ff97 100644 --- a/core/camel-main/src/main/docs/main.adoc +++ b/core/camel-main/src/main/docs/main.adoc @@ -272,6 +272,7 @@ The camel.ssl supports 19 options, which are listed below. | *camel.ssl.secureRandomProvider* | To use a specific provider for creating SecureRandom. The list of available providers returned by java.security.Security.getProviders() or null to use the highest priority provider implementing the secure socket protocol. | | String | *camel.ssl.secureSocketProtocol* | The protocol for the secure sockets created by the SSLContext. See \https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html | TLSv1.3 | String | *camel.ssl.sessionTimeout* | Timeout in seconds to use for SSLContext. The default is 24 hours. | 86400 | int +| *camel.ssl.trustAllCertificates* | Allows to trust all SSL certificates without performing certificate validation. This can be used in development environment but may expose the system to security risks. Notice that if the trustAllCertificates option is set to true then the trustStore/trustStorePassword options are not in use.. | false | boolean | *camel.ssl.trustStore* | The trust store to load. The trust store is by default loaded from classpath. If you must load from file system, then use file: as prefix. file:nameOfFile (to refer to the file system) classpath:nameOfFile (to refer to the classpath; default) http:uri (to load the resource using HTTP) ref:nameOfBean (to lookup an existing KeyStore instance from the registry, for example for testing and development). | | String | *camel.ssl.trustStorePassword* | Sets the SSL Truststore password. | | String |=== diff --git a/core/camel-main/src/main/java/org/apache/camel/main/BaseMainSupport.java b/core/camel-main/src/main/java/org/apache/camel/main/BaseMainSupport.java index 5033604f804..ad6bd7f5b30 100644 --- a/core/camel-main/src/main/java/org/apache/camel/main/BaseMainSupport.java +++ b/core/camel-main/src/main/java/org/apache/camel/main/BaseMainSupport.java @@ -96,6 +96,7 @@ import org.apache.camel.support.jsse.KeyStoreParameters; import org.apache.camel.support.jsse.SSLContextParameters; import org.apache.camel.support.jsse.SSLContextServerParameters; import org.apache.camel.support.jsse.SecureRandomParameters; +import org.apache.camel.support.jsse.TrustAllTrustManager; import org.apache.camel.support.jsse.TrustManagersParameters; import org.apache.camel.support.scan.PackageScanHelper; import org.apache.camel.support.service.BaseService; @@ -1716,7 +1717,12 @@ public abstract class BaseMainSupport extends BaseService { SSLConfigurationProperties sslConfig, KeyManagersParameters kmp) { TrustManagersParameters tmp = null; - if (sslConfig.getTrustStore() != null) { + if (sslConfig.isTrustAllCertificates()) { + tmp = new TrustManagersParameters(); + tmp.setCamelContext(camelContext); + tmp.setTrustManager(TrustAllTrustManager.INSTANCE); + LOG.warn("Application is vulnerable: Trusting all certificates!"); + } else if (sslConfig.getTrustStore() != null) { KeyStoreParameters tsp = new KeyStoreParameters(); String store = sslConfig.getTrustStore(); if (store != null && store.startsWith("#bean:")) { diff --git a/core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java b/core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java index d572db76b6d..e140ad657f8 100644 --- a/core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java +++ b/core/camel-main/src/main/java/org/apache/camel/main/SSLConfigurationProperties.java @@ -56,6 +56,8 @@ public class SSLConfigurationProperties implements BootstrapCloseable { private String trustStore; @Metadata private String trustStorePassword; + @Metadata + private boolean trustAllCertificates; @Metadata(label = "advanced") private String keyManagerAlgorithm; @Metadata(label = "advanced") @@ -266,6 +268,19 @@ public class SSLConfigurationProperties implements BootstrapCloseable { this.trustStorePassword = trustStorePassword; } + public boolean isTrustAllCertificates() { + return trustAllCertificates; + } + + /** + * Allows to trust all SSL certificates without performing certificate validation. This can be used in development + * environment but may expose the system to security risks. Notice that if the trustAllCertificates option is set to + * true then the trustStore/trustStorePassword options are not in use.. + */ + public void setTrustAllCertificates(boolean trustAllCertificates) { + this.trustAllCertificates = trustAllCertificates; + } + public String getKeyManagerAlgorithm() { return keyManagerAlgorithm; } @@ -475,6 +490,16 @@ public class SSLConfigurationProperties implements BootstrapCloseable { return this; } + /** + * Allows to trust all SSL certificates without performing certificate validation. This can be used in development + * environment but may expose the system to security risks. Notice that if the trustAllCertificates option is set to + * true then the trustStore/trustStorePassword options are not in use. + */ + public SSLConfigurationProperties withTrustAllCertificates(boolean trustAllCertificates) { + this.trustAllCertificates = trustAllCertificates; + return this; + } + /** * Algorithm name used for creating the KeyManagerFactory. * <p> diff --git a/core/camel-main/src/test/java/org/apache/camel/main/MainSSLTest.java b/core/camel-main/src/test/java/org/apache/camel/main/MainSSLTest.java index 9068331a4f1..9a7e34965b8 100644 --- a/core/camel-main/src/test/java/org/apache/camel/main/MainSSLTest.java +++ b/core/camel-main/src/test/java/org/apache/camel/main/MainSSLTest.java @@ -22,6 +22,7 @@ import org.apache.camel.support.jsse.KeyManagersParameters; import org.apache.camel.support.jsse.KeyStoreParameters; import org.apache.camel.support.jsse.SSLContextParameters; import org.apache.camel.support.jsse.SSLContextServerParameters; +import org.apache.camel.support.jsse.TrustAllTrustManager; import org.apache.camel.support.jsse.TrustManagersParameters; import org.junit.jupiter.api.Assertions; import org.junit.jupiter.api.Test; @@ -120,4 +121,39 @@ public class MainSSLTest { main.stop(); } + + @Test + public void testMainSSLTrustAll() { + Main main = new Main(); + + main.addInitialProperty("camel.ssl.enabled", "true"); + main.addInitialProperty("camel.ssl.trustAllCertificates", "true"); + + main.start(); + + CamelContext context = main.getCamelContext(); + SSLContextParameters sslParams = context.getSSLContextParameters(); + TrustManagersParameters tmp = sslParams.getTrustManagers(); + Assertions.assertEquals(tmp.getTrustManager(), TrustAllTrustManager.INSTANCE); + + main.stop(); + } + + @Test + public void testMainSSLTrustAllFluent() { + Main main = new Main(); + + main.configure().sslConfig() + .withEnabled(true) + .withTrustAllCertificates(true); + + main.start(); + + CamelContext context = main.getCamelContext(); + SSLContextParameters sslParams = context.getSSLContextParameters(); + TrustManagersParameters tmp = sslParams.getTrustManagers(); + Assertions.assertEquals(tmp.getTrustManager(), TrustAllTrustManager.INSTANCE); + + main.stop(); + } }
