Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Breaking change in 0.15.1 regarding ApnsClient, ApnsClientBuilder #951

Open
lauredogit opened this issue Mar 8, 2022 · 4 comments
Open

Comments

@lauredogit
Copy link

Hi,

We tried upgrading from 0.15.0 to 0.15.1 and we are observing a breaking change in the API of the ApnsClientBuilder / ApnsClient.

We extended these classes to be able to configure our own SSLContext, which is allowing us to use a dynamic trust manager or the cipher suites of our own choice.

In 0.15.1, the way to pass an SSLContext to the ApnsClient is via the new ApnsClientConfiguration which is package-private.

Would it be possible to make ApnsClientConfiguration public instead so that our code can keep working?

Thanks.

@jchambers
Copy link
Owner

Sorry to hear that this has been a problem for you. Slipping in a breaking change was a mistake, and was not intentional; I should have caught it before shipping.

That said, I'm hesitant to make ApnsClientConfiguration public. Can you tell me more about your use case? Can you tell me more about the need for a "dynamic trust manager" or why the default cipher suite isn't appropriate for you?

@lauredogit
Copy link
Author

lauredogit commented Mar 8, 2022

So far, we were able to extend the ApnsClient to modify its behaviour.

Now that the constructor only accepts a package-private ApnsClientConfiguration instance, it's no longer the case.

We have IT security policies where some cipher suites are stongly recommended for example.

Regarding the dynamic trust manager, we can update trusted certificates for all our services from a central service, so for us, statically adding trusted certificates is not enough.

What we have acutally done is that we extended the ApnsClientBuilder to add the capability to configure a trust manager directly and then we simply modified the build() method to take this into account when constructing the SSLContext.

            } else if (this.trustedServerCertificates != null) {
                sslContextBuilder.trustManager(this.trustedServerCertificates);
            /*
              Customization for our project.
             */
            } else if (this.trustManager != null) {
                sslContextBuilder.trustManager(this.trustManager);
            }

            sslContext = sslContextBuilder.build();

Letting users set their own trust manager would equally solve this for us.

   /**
     * Customization for our project.
     */
    public ExtendedApnsClientBuilder setTrustManager(final TrustManager trustManager) {
        this.trustedServerCertificatePemFile = null;
        this.trustedServerCertificateInputStream = null;
        this.trustedServerCertificates = null;
        this.trustManager = trustManager;

        return this;
    }

@jchambers
Copy link
Owner

Okay; thanks for the added context. Let me think on this a bit. I think this is fundamentally incompatible with some of what we're trying to do to get multi-credential clients in play, but maybe not.

I hesitate to expose TrustManager in the general case because (seemingly) the most common advice for "I am having certificate problems in Java" is "copy/paste this magic spell that creates a TrustManager that trusts everything."

Like I said, though: let me think about it and see what I can come up with.

@lauredogit
Copy link
Author

We do have a magic TrustManager, which actually reloads trusted certificates from a central service, creating an in-memory KeyStore from them and instantiating a matching TrustManager every time there is a change.

Here's a generic example:

import java.io.IOException;
import java.net.Socket;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Supplier;

import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

import com.google.common.collect.ImmutableSet;

import org.jetbrains.annotations.NotNull;

/**
 * Dynamic {@link X509ExtendedTrustManager} which permits reloading trusted certificates provided by a cache of
 * certificates.
 * <p>
 * Staleness is determined by reference equality so the cache has to provide the same cached instance until it becomes
 * stale.
 */
public final class DynamicX509ExtendedTrustManager extends X509ExtendedTrustManager {

    static final class AtomicState {

        @NotNull
        private final ImmutableSet<X509Certificate> trustedCertificates;

        @NotNull
        private final X509ExtendedTrustManager trustManager;

        AtomicState(@NotNull ImmutableSet<X509Certificate> trustedCertificates) {
            this.trustedCertificates = trustedCertificates;
            trustManager = newTrustManager(this.trustedCertificates);
        }

        @SuppressWarnings("ReferenceEquality")
        boolean isStale(@NotNull ImmutableSet<X509Certificate> currentCertificates) {
            return trustedCertificates != currentCertificates;
        }

        @NotNull
        X509ExtendedTrustManager getTrustManager() {
            return trustManager;
        }
    }

    @NotNull
    static TrustManagerFactory newTrustManagerFactory(@NotNull Iterable<X509Certificate> trustedCertificates) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null, null);

            int i = 0;
            for (final X509Certificate trustedCertificate : trustedCertificates) {
                String alias = Integer.toString(++i);
                keyStore.setCertificateEntry(alias, trustedCertificate);
            }

            // Set up trust manager factory to use our key store.
            TrustManagerFactory trustManagerFactory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

            trustManagerFactory.init(keyStore);

            return trustManagerFactory;
        } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException ex) {
            throw new IllegalStateException("Unable to create new TrustManagerFactory: " + ex, ex);
        }
    }

    @NotNull
    static X509ExtendedTrustManager newTrustManager(@NotNull Iterable<X509Certificate> trustedCertificates) {
        TrustManagerFactory trustManagerFactory = newTrustManagerFactory(trustedCertificates);
        return (X509ExtendedTrustManager) trustManagerFactory.getTrustManagers()[0];
    }

    @NotNull
    private final Supplier<ImmutableSet<X509Certificate>> cachedCertificateSupplier;

    @NotNull
    private final AtomicReference<AtomicState> stateRef = new AtomicReference<>(new AtomicState(ImmutableSet.of()));

    public DynamicX509ExtendedTrustManager(@NotNull Supplier<ImmutableSet<X509Certificate>> cachedCertificateSupplier) {
        this.cachedCertificateSupplier = cachedCertificateSupplier;
    }

    @NotNull
    private X509ExtendedTrustManager getTrustManager() {
        while (true) {
            AtomicState currentState = stateRef.get();
            ImmutableSet<X509Certificate> currentCertificates = cachedCertificateSupplier.get();
            if (!currentState.isStale(currentCertificates)) {
                return currentState.getTrustManager();
            }
            AtomicState updatedState = new AtomicState(currentCertificates);
            if (stateRef.compareAndSet(currentState, updatedState)) {
                return updatedState.getTrustManager();
            }
        }
    }

    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String authType, Socket socket)
            throws CertificateException {
        getTrustManager().checkClientTrusted(x509Certificates, authType, socket);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String authType, Socket socket)
            throws CertificateException {
        getTrustManager().checkServerTrusted(x509Certificates, authType, socket);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String authType, SSLEngine sslEngine)
            throws CertificateException {
        getTrustManager().checkClientTrusted(x509Certificates, authType, sslEngine);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String authType, SSLEngine sslEngine)
            throws CertificateException {
        getTrustManager().checkServerTrusted(x509Certificates, authType, sslEngine);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] x509Certificates, String authType) throws CertificateException {
        getTrustManager().checkClientTrusted(x509Certificates, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] x509Certificates, String authType) throws CertificateException {
        getTrustManager().checkServerTrusted(x509Certificates, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return getTrustManager().getAcceptedIssuers();
    }
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants