[GitHub] [maven-wagon] mthmulders commented on a change in pull request #67: Feature/MNG-5583 per endpoint support for PKI authentication

Mon, 18 May 2020 23:08:18 -0700 


mthmulders commented on a change in pull request #67:
URL: https://github.com/apache/maven-wagon/pull/67#discussion_r427050406



##########
File path: 
wagon-providers/wagon-http-shared/src/main/java/org/apache/maven/wagon/shared/http/AbstractHttpClientWagon.java
##########
@@ -593,13 +603,189 @@ private static CloseableHttpClient createClient()
      */
     private BasicAuthScope proxyAuth;
 
+    /**
+     * initializes a custom http client given user specified 
keystore/truststore
+     * information from settings.xml
+     * see httsp://issues.apache.org/jira/browser/MNG-5583
+     * @return a client
+     * @throws SSLInitializationException if there's an issue loading 
keystore/truststore
+     */
+    private CloseableHttpClient 
initilaizeLocalHttpClientWithCustomSslSocketFactory() throws 
SSLInitializationException 
+    {
+        String sslProtocolsStr = System.getProperty( "https.protocols" );
+        String cipherSuitesStr = System.getProperty( "https.cipherSuites" );
+        String[] sslProtocols = sslProtocolsStr != null ? 
sslProtocolsStr.split( " *, *" ) : null;
+        String[] cipherSuites = cipherSuitesStr != null ? 
cipherSuitesStr.split( " *, *" ) : null;
+
+        SSLSocketFactory socketFactory = null;
+        TrustManager[] trustManagers = null;
+        KeyManager[] keyManagers = null;
+        try 
+        {
+            if ( authenticationInfo.getTrustStore() != null ) 
+            {
+                KeyStore keystore = KeyStore.getInstance( 
authenticationInfo.getTrustStoreType() == null ? "JKS"
+                        : authenticationInfo.getTrustStoreType() );
+                FileInputStream fis = null;
+                //on windows platforms, the truststoreType of "WINDOWS" mounts
+                //to the windows certificate store, so a null input stream is 
just fine
+                File file = new File( ( authenticationInfo.getTrustStore() ) );
+                if ( file.exists() ) 
+                {
+                    fis = new FileInputStream( file );
+                } 
+                //also a null password is fine with windows and even with JKS 
files
+                char[] keyPass = authenticationInfo.getTrustStorePassword() != 
null
+                        ? 
authenticationInfo.getTrustStorePassword().toCharArray()
+                        : null;
+                keystore.load( fis, keyPass );
+                if ( keyPass != null ) 
+                {
+                    for ( int i = 0; i < keyPass.length; i++ ) 
+                    {
+                        keyPass[i] = 0;
+                    }
+                }
+                if ( fis != null ) 
+                {
+                    fis.close();
+                }
+                String alg = KeyManagerFactory.getDefaultAlgorithm();
+                TrustManagerFactory fac = TrustManagerFactory.getInstance( alg 
);
+                fac.init( keystore );
+                trustManagers = fac.getTrustManagers();
+            }
+
+            if ( authenticationInfo.getKeyStore() != null ) 
+            {
+                KeyStore keystore = KeyStore.getInstance( 
authenticationInfo.getKeyStoreType() == null ? "JKS"
+                        : authenticationInfo.getKeyStoreType() );
+                FileInputStream fis = null;
+                //on windows platforms, the truststoreType of "WINDOWS" mounts
+                //to the windows certificate store, so a null input stream is 
just fine
+                File file = new File( ( authenticationInfo.getTrustStore() ) );
+                if ( file.exists() ) 
+                {
+                    fis = new FileInputStream( file );
+                }
+                String alg = KeyManagerFactory.getDefaultAlgorithm();
+                char[] keyStorePass = authenticationInfo.getKeyStorePassword() 
!= null
+                        ? 
authenticationInfo.getKeyStorePassword().toCharArray()
+                        : null;
+                char[] keyPass = authenticationInfo.getKeyPassword() != null
+                        ? authenticationInfo.getKeyPassword().toCharArray()
+                        : null;
+                KeyManagerFactory fac = KeyManagerFactory.getInstance( alg );
+                keystore.load( fis, keyStorePass );
+                fac.init( keystore, keyPass );
+                if ( keyPass != null ) 
+                {
+                    for ( int i = 0; i < keyPass.length; i++ ) 
+                    {
+                        keyPass[i] = 0;
+                    }
+                }
+                keyPass = null;
+                String alias = authenticationInfo.getKeyAlias();
+                if ( alias != null )
+                {
+                    //borrowed from tomcat's code
+                    //user has explicitly specified a key alias, great.
+                    //let's make sure it exists in the key store that it has a 
+                    //key pair
+                    if ( keystore.containsAlias( alias ) ) 
+                    {
+                        if ( !keystore.isKeyEntry( alias ) ) 
+                        {
+                            alias = null;
+                        }
+                    } 
+                    else if ( keystore.containsAlias( alias.toLowerCase() ) ) 

Review comment:
       Why this additional check on the lower-cased variant?




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to