Merge pull request #67 from cqse/ts/38828_jna_custom_trust_store

TS-38828 skip certificate loading in insecure mode
cqse · May 22, 2024 · bfd8387 · bfd8387
2 parents a5a6f92 + 5a1c145
commit bfd8387
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 10 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,10 @@ We use [semantic versioning](http://semver.org/):
 - PATCH version when you make backwards compatible bug fixes.
 
 # Next Release
+- ...
+
+# 2.9.3
+- [fix] Using the `--insecure` flag now skips loading any custom certificates from OS trust stores
 
 # 2.9.2
 - [fix] more readable error message when connection to host is refused
@@ -13,10 +17,10 @@ We use [semantic versioning](http://semver.org/):
 # 2.9.1
 - [feature] added jlink-based executable distributions
 - [fix] added support for more connection-security algorithms
-  
+
 # 2.8.2
 - [fix] fixed potential vulnerability to a zipslip attack (by malicious tar files in xcode reports)
-  
+
 # 2.8.1
 - [fix] Use TLSv1.2
 - [fix] Use versioned API endpoints to be more robust in case of API changes

diff --git a/src/main/java/com/teamscale/upload/utils/OkHttpUtils.java b/src/main/java/com/teamscale/upload/utils/OkHttpUtils.java
@@ -67,9 +67,8 @@ public static OkHttpClient createClient(boolean validateSsl, String trustStorePa
 		setTimeouts(builder, timeoutInSeconds);
 		builder.followRedirects(false).followSslRedirects(false);
 
-		configureTrustStore(builder, trustStorePath, trustStorePassword);
-		if (!validateSsl) {
-			disableSslValidation(builder);
+		if (validateSsl || !disableSslValidation(builder)) {
+			configureTrustStore(builder, trustStorePath, trustStorePassword);
 		}
 
 		return builder.build();
@@ -92,7 +91,7 @@ private static void configureTrustStore(OkHttpClient.Builder builder, String tru
 
 			MultiTrustManager multiTrustManager = new MultiTrustManager(trustManagers);
 
-			sslContext.init(null, new TrustManager[]{multiTrustManager}, new SecureRandom());
+			sslContext.init(null, new TrustManager[] {multiTrustManager}, new SecureRandom());
 			builder.sslSocketFactory(sslContext.getSocketFactory(), multiTrustManager);
 		} catch (NoSuchAlgorithmException e) {
 			LogUtils.failWithStackTrace(e, "Failed to instantiate an SSLContext or TrustManagerFactory.");
@@ -220,19 +219,21 @@ private static Collection<X509Certificate> getCustomOsTrustedCertificates() {
 		}
 	}
 
-	private static void disableSslValidation(OkHttpClient.Builder builder) {
+	/** Tries to disable SSL validation. Returns {@code true} if validation was successfully disabled. */
+	private static boolean disableSslValidation(OkHttpClient.Builder builder) {
 		SSLSocketFactory sslSocketFactory;
 		try {
 			SSLContext sslContext = SSLContext.getInstance(PROTOCOL);
 			sslContext.init(null, new TrustManager[] { TrustAllCertificatesManager.INSTANCE }, new SecureRandom());
 			sslSocketFactory = sslContext.getSocketFactory();
 		} catch (GeneralSecurityException e) {
 			LogUtils.warn("Could not disable SSL certificate validation. Leaving it enabled", e);
-			return;
+			return false;
 		}
 
 		builder.sslSocketFactory(sslSocketFactory, TrustAllCertificatesManager.INSTANCE);
 		builder.hostnameVerifier((hostName, session) -> true);
+		return true;
 	}
 
 	private static void setTimeouts(okhttp3.OkHttpClient.Builder builder, long timeoutInSeconds) {
@@ -275,7 +276,6 @@ public X509Certificate[] getAcceptedIssuers() {
 			return trustManagers.stream().flatMap(manager -> Arrays.stream(manager.getAcceptedIssuers())).toArray(X509Certificate[]::new);
 		}
 
-
 		@Override
 		public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
 			checkAll(manager -> manager.checkClientTrusted(chain, authType));

diff --git a/src/test/java/com/teamscale/upload/IntegrationTestBase.java b/src/test/java/com/teamscale/upload/IntegrationTestBase.java
@@ -226,7 +226,6 @@ public void selfSignedCertificateShouldBeAcceptedWithInsecureFlag() {
 					new TeamscaleUploadArguments().withUrl("https://localhost:" + MOCK_TEAMSCALE_PORT).withInsecure());
 			assertThat(result.exitCode).describedAs("Stderr and stdout: " + result.getOutputAndErrorOutput()).isZero();
 			assertThat(server.sessions).hasSize(1);
-			assertThatOSCertificatesWereImported(result);
 		}
 	}