Add method for creating an SSLContext that merges both the trust store and custom certificates #2677
Conversation
Generate changelog in
|
| * @param config an {@link SslConfiguration} describing the trust store configuration | ||
| * @param provider The preferred security {@link Provider} | ||
| */ | ||
| public static SSLSocketFactory createSslSocketFactory( |
There was a problem hiding this comment.
I noticed most of these methods aren't explicitly tested, do I need to add tests for my additions?
| } | ||
| } | ||
|
|
||
| private static KeyStore getCombinedTrustStoreAndDefaultCas(Path trustStorePath, StoreType trustStoreType) { |
There was a problem hiding this comment.
This would be convenient if we made it public, this PR would not be necessary if this method was available.
Eric-Alvarez
requested review from
carterkozak
and removed request for
carterkozak
There was a problem hiding this comment.
I would prefer not to add these methods.
The use case seems very niche and they introduce a fairly large footgun. I don't want to implicitly endorse adding custom certificates to truststore. Doing so makes it very hard to reason about the security of our services because can no longer be sure that the truststore being used by the application matches what is rendered by our production infrastructure.
For your use case, I'd recommend just writing this yourself.
|
@pkoenig10 I'm happy to not add the top level methods, but exposing the ability to load a keystore from a truststore with default ca certs is innocuous and very useful for handling these edge cases. |
|
@pkoenig10 Could you take a look at the update? Making this method accessible will eliminate the need to copy paste a lot of code for loading truststores and default ca certs (although the latter can be handled with adding the jvm_certs into the trust store). I'd rather not copy paste the method for loading truststores as it will become out of date and might fail in the future. |
| * @return a newly constructed key store of the type trustStoreType that contains the contents of the trust store | ||
| * and all default ca certificates. | ||
| */ | ||
| public static KeyStore getCombinedTrustStoreAndDefaultCas(Path trustStorePath, StoreType trustStoreType) { |
There was a problem hiding this comment.
Unsure if it would be preferred to put this in a different class rather than making this class public.
|
I'd like to better understand why we think this behavior should be provided by this library. This library is intended to be a utility to create Conjure clients, not a general keystore library. APIs live forever and can be (ab)used in unexpected ways, so I generally hold a pretty high bar when adding new APIs. I'm not convinced that this behavior crosses that threshold. This behavior is fairly niche and I don't think it's unreasonable to require consumers who want this behavior to implement it themselves. Addressing some specific comments:
What is the problem with duplicating this code? Duplicating code is generally preferable to providing API that we are unsure about or may later regret.
Can you explain what you mean by "out of date"? What specific failure modes are you concerned about? |
|
Security vulnerabilities, performance improvements, and adding/removing keystore types are all areas that could be a concern with duplicating the code. We have a standard truststore format, it would be nice if we were able to load it without copy pasting code from another repo that could break or become insecure. Loading a truststore or keystore seems like a pretty normal use-case that could be re-used in many places. Taking a hard line that we're not allowed to iterate on or use any keystore utilities and everything needs to be copy pasted seems like an objectively worse state of the world. |
Eric-Alvarez
force-pushed
the
ealvarez/mergedssl
branch
from
27585d4
to
33f6302
Compare
Before this PR
After this PR
==COMMIT_MSG==
==COMMIT_MSG==
Possible downsides?