asbachb commented on a change in pull request #3207:
URL: https://github.com/apache/netbeans/pull/3207#discussion_r721731509



##########
File path: 
ide/xml.retriever/src/org/netbeans/modules/xml/retriever/impl/SecureURLResourceRetriever.java
##########
@@ -119,45 +139,48 @@ public void checkServerTrusted(X509Certificate[] certs, 
String authType)
                 }
             }
         };
+        TrustManager[] combinedTrustManagers = (TrustManager[]) 
Stream.of(defaultTrustManagers, trustAllCerts)
+                .flatMap(Stream::of)
+                .toArray(size -> new TrustManager[size]);
+
+        KeyManager[] keyManagersFromSystemProperties = null;
+        try {
+            KeyStore keyStoreFromSystemProperties = null;
+            char[] keyStorePassword = 
System.getProperty("javax.net.ssl.keyStorePassword", "").toCharArray();
+            if (System.getProperty("javax.net.ssl.keyStore") != null) {
+                File keyStoreFile = new 
File(System.getProperty("javax.net.ssl.keyStore"));
+                if (keyStoreFile.exists()) {
+                    KeyStore keyStore = 
KeyStore.getInstance(System.getProperty("javax.net.ssl.keyStoreType", 
KeyStore.getDefaultType()));
+                    try ( InputStream keyStoreStream = new 
FileInputStream(keyStoreFile)) {
+                        keyStore.load(keyStoreStream, keyStorePassword);
+                    }
 
-        // #208324: proper key managers need to be passed, so let's configure 
at least the defaults...
-        KeyManager[] mgrs;
-        if (System.getProperty("javax.net.ssl.keyStorePassword") != null &&  
// NOI18N
-            System.getProperty("javax.net.ssl.keyStore") != null) { // NOI18N
-            try {
-                KeyStore ks = KeyStore.getInstance("JKS"); // NOI18N
-                    ks.load(new 
FileInputStream(System.getProperty("javax.net.ssl.keyStore")), //NOI18N
-                    
System.getProperty("javax.net.ssl.keyStorePassword").toCharArray() //NOI18N
-                );
-                // Set up key manager factory to use our key store
-                KeyManagerFactory kmf = 
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-                
kmf.init(ks,System.getProperty("javax.net.ssl.keyStorePassword").toCharArray());
 // NOI18N
-                mgrs = kmf.getKeyManagers();
-            } catch (IOException ex) {
-                // this is somewhat expected, i.e. JKS file not present
-                mgrs = null;
-            } catch (java.security.GeneralSecurityException e) {
-                ErrorManager.getDefault().notify(e);
-                return;
+                    keyStoreFromSystemProperties = keyStore;
+                }
             }
-        } else {
-            mgrs = null;
+
+            KeyManagerFactory keyManagerFactory = 
KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+            keyManagerFactory.init(keyStoreFromSystemProperties, 
keyStorePassword);
+            keyManagersFromSystemProperties = 
keyManagerFactory.getKeyManagers();
+        } catch (GeneralSecurityException | IOException ex) {
+            keyManagersFromSystemProperties = new KeyManager[0];
         }
+
         try {
             SSLContext sslContext = SSLContext.getInstance("SSL"); //NOI18N
-            sslContext.init(mgrs, trustAllCerts, new 
java.security.SecureRandom());
+            sslContext.init(keyManagersFromSystemProperties, 
combinedTrustManagers, new java.security.SecureRandom());
             con.setSSLSocketFactory(sslContext.getSocketFactory());
-            con.setHostnameVerifier(new HostnameVerifier() {
-                public boolean verify(String string, SSLSession sSLSession) {
-                    // accept all hosts
-                    return true;
-                }
-            });
-        } catch (java.security.GeneralSecurityException e) {
+            con.setHostnameVerifier(this::acceptAllHosts);
+        } catch (GeneralSecurityException e) {
             ErrorManager.getDefault().notify(e);
         }
     }
-    
+
+    private boolean acceptAllHosts(String host, SSLSession sslSession) {
+        return true;
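Review bot: `SSLContext.init` consults only the first `X509TrustManager` in the array it receives, so concatenating `defaultTrustManagers` and `trustAllCerts` into `combinedTrustManagers` does not chain them; whichever X509 manager comes first decides alone and the other is never asked. `defaultTrustManagers` is built outside this hunk, so which one wins cannot be confirmed from here; if both are meant to take part, a single delegating `X509TrustManager` that tries the default manager and then falls back is needed, and the intended order deserves a comment above the `Stream.of(...)` call. Separately, the new `catch (GeneralSecurityException | IOException ex)` drops the old `ErrorManager.getDefault().notify(e)` and silently falls back to `new KeyManager[0]`, so a misconfigured `javax.net.ssl.keyStore` now just loses the client certificate with no trace; adding `ErrorManager.getDefault().notify(ErrorManager.INFORMATIONAL, ex);` in that catch would keep it diagnosable. The enclosing method starts before the hunk, and `acceptAllHosts` is cut off after its `return true;`.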

Review comment:
       @matthiasblaesing Maybe it makes more sense to open a follow-up bug to
change this behavior?



