add ssl dir support

Signed-off-by: Bala.FA <[email protected]>

Author: balamurugana

api/src/main/java/io/minio/Http.java

@@ -27,20 +27,21 @@
 import java.nio.channels.Channels;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
+import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.security.GeneralSecurityException;
 import java.security.KeyManagementException;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
-import java.security.cert.Certificate;
+import java.security.SecureRandom;
 import java.security.cert.CertificateException;
 import java.security.cert.CertificateFactory;
 import java.security.cert.X509Certificate;
 import java.time.ZonedDateTime;
 import java.util.AbstractMap;
 import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.Collection;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -54,9 +55,9 @@
 import java.util.concurrent.TimeUnit;
 import java.util.regex.Matcher;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 import javax.annotation.Nonnull;
 import javax.net.ssl.HostnameVerifier;
-import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLSession;
@@ -354,6 +355,137 @@ public static MediaType mediaType(String value) {
     return mediaType;
   }
 
+  private static X509TrustManager createCompositeTrustManager(
+      List<X509TrustManager> trustManagers) {
+    return new X509TrustManager() {
+      @Override
+      public void checkClientTrusted(X509Certificate[] chain, String authType)
+          throws CertificateException {
+        for (X509TrustManager tm : trustManagers) {
+          try {
+            tm.checkClientTrusted(chain, authType);
+            return;
+          } catch (CertificateException ignored) {
+          }
+        }
+        throw new CertificateException(
+            "None of the TrustManagers trust this client certificate chain");
+      }
+
+      @Override
+      public void checkServerTrusted(X509Certificate[] chain, String authType)
+          throws CertificateException {
+        for (X509TrustManager tm : trustManagers) {
+          try {
+            tm.checkServerTrusted(chain, authType);
+            return;
+          } catch (CertificateException ignored) {
+          }
+        }
+        throw new CertificateException(
+            "None of the TrustManagers trust this server certificate chain");
+      }
+
+      @Override
+      public X509Certificate[] getAcceptedIssuers() {
+        return trustManagers.stream()
+            .flatMap(tm -> Arrays.stream(tm.getAcceptedIssuers()))
+            .toArray(X509Certificate[]::new);
+      }
+    };
+  }
+
+  private static X509TrustManager buildTrustManagerFromKeyStore(KeyStore ks)
+      throws KeyStoreException, NoSuchAlgorithmException {
+    TrustManagerFactory factory =
+        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+    factory.init(ks);
+    for (TrustManager tm : factory.getTrustManagers()) {
+      if (tm instanceof X509TrustManager) {
+        return (X509TrustManager) tm;
+      }
+    }
+    return null;
+  }
+
+  private static int setCertificateEntry(
+      CertificateFactory cf, KeyStore ks, Path file, String namePrefix)
+      throws CertificateException, IOException, KeyStoreException {
+    try (InputStream in = Files.newInputStream(file)) {
+      int index = 0;
+      while (in.available() > 0) {
+        X509Certificate cert = (X509Certificate) cf.generateCertificate(in);
+        ks.setCertificateEntry(namePrefix + (index++), cert);
+      }
+      // } catch (Exception e) {
+      //   System.err.println(
+      //       "Skipping invalid TLS certificate from file " + filePath + ";" + e.getMessage());
+      //   return null;
+      return index;
+    }
+  }
+
+  private static X509TrustManager getTrustManagerFromFile(String filePath)
+      throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException {
+    CertificateFactory cf = CertificateFactory.getInstance("X.509");
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    ks.load(null);
+    if (setCertificateEntry(cf, ks, Paths.get(filePath), "cert-file-") == 0) return null;
+    return buildTrustManagerFromKeyStore(ks);
+  }
+
+  private static X509TrustManager getTrustManagerFromDir(String dirPath)
+      throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException {
+    CertificateFactory cf = CertificateFactory.getInstance("X.509");
+    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
+    ks.load(null);
+
+    int index = 0;
+    try (Stream<Path> paths = Files.walk(Paths.get(dirPath))) {
+      int number = 0;
+      for (Path file : (Iterable<Path>) paths.filter(Files::isRegularFile)::iterator) {
+        index += setCertificateEntry(cf, ks, file, "cert-dir-file-" + (number++) + "-");
+      }
+    }
+
+    if (index == 0) return null;
+
+    return buildTrustManagerFromKeyStore(ks);
+  }
+
+  private static X509TrustManager getDefaultTrustManager()
+      throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException {
+    TrustManagerFactory factory =
+        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+    factory.init((KeyStore) null);
+    for (TrustManager tm : factory.getTrustManagers()) {
+      if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
+    }
+    return null;
+  }
+
+  private static X509TrustManager getCompositeTrustManager(String filePath, String dirPath)
+      throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException {
+    List<X509TrustManager> trustManagers = new ArrayList<>();
+
+    X509TrustManager defaultTm = getDefaultTrustManager();
+    if (defaultTm != null) trustManagers.add(defaultTm);
+
+    if (dirPath != null && !dirPath.isEmpty()) {
+      X509TrustManager dirTm = getTrustManagerFromDir(dirPath);
+      if (dirTm != null) trustManagers.add(dirTm);
+    }
+
+    if (filePath != null && !filePath.isEmpty()) {
+      X509TrustManager fileTm = getTrustManagerFromFile(filePath);
+      if (fileTm != null) trustManagers.add(fileTm);
+    }
+
+    if (trustManagers.isEmpty()) return null;
+
+    return createCompositeTrustManager(trustManagers);
+  }
+
   private static OkHttpClient enableJKSPKCS12Certificates(
       OkHttpClient httpClient,
       String trustStorePath,
@@ -430,77 +562,46 @@ public static OkHttpClient enablePKCS12Certificates(
         httpClient, trustStorePath, trustStorePassword, keyStorePath, keyStorePassword, "PKCS12");
   }
 
-  /**
-   * copied logic from
-   * https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/CustomTrust.java
-   */
-  public static OkHttpClient enableExternalCertificates(OkHttpClient httpClient, String filename)
-      throws MinioException {
+  /** Enable external TLS certificates from given file path and all valid files from dir path. */
+  public static OkHttpClient enableExternalCertificates(
+      OkHttpClient client, String filePath, String dirPath) throws MinioException {
     try {
-      Collection<? extends Certificate> certificates = null;
-      try (InputStream inputStream = Files.newInputStream(Paths.get(filename))) {
-        certificates = CertificateFactory.getInstance("X.509").generateCertificates(inputStream);
-      }
-
-      if (certificates == null || certificates.isEmpty()) {
-        throw new IllegalArgumentException("expected non-empty set of trusted certificates");
-      }
-
-      char[] password = "password".toCharArray(); // Any password will work.
-
-      // Put the certificates a key store.
-      KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-      // By convention, 'null' creates an empty key store.
-      keyStore.load(null, password);
-
-      int index = 0;
-      for (Certificate certificate : certificates) {
-        String certificateAlias = Integer.toString(index++);
-        keyStore.setCertificateEntry(certificateAlias, certificate);
-      }
-
-      // Use it to build an X509 trust manager.
-      KeyManagerFactory keyManagerFactory =
-          KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
-      keyManagerFactory.init(keyStore, password);
-      TrustManagerFactory trustManagerFactory =
-          TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-      trustManagerFactory.init(keyStore);
-
-      final KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
-      final TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
+      X509TrustManager tm = getCompositeTrustManager(filePath, dirPath);
+      if (tm == null) return client;
 
       SSLContext sslContext = SSLContext.getInstance("TLS");
-      sslContext.init(keyManagers, trustManagers, null);
-      SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
-
-      return httpClient
-          .newBuilder()
-          .sslSocketFactory(sslSocketFactory, (X509TrustManager) trustManagers[0])
-          .build();
-    } catch (GeneralSecurityException | IOException e) {
+      sslContext.init(null, new TrustManager[] {tm}, new SecureRandom());
+      return client.newBuilder().sslSocketFactory(sslContext.getSocketFactory(), tm).build();
+    } catch (CertificateException
+        | IOException
+        | KeyManagementException
+        | KeyStoreException
+        | NoSuchAlgorithmException e) {
       throw new MinioException(e);
     }
   }
 
+  /** Enable external TLS certificates from environment variable SSL_CERT_FILE and SSL_CERT_DIR. */
+  public static OkHttpClient enableExternalCertificatesFromEnv(OkHttpClient client)
+      throws MinioException {
+    return enableExternalCertificates(
+        client, System.getenv("SSL_CERT_FILE"), System.getenv("SSL_CERT_DIR"));
+  }
+
   public static OkHttpClient newDefaultClient() {
-    OkHttpClient httpClient =
+    OkHttpClient client =
         new OkHttpClient()
             .newBuilder()
             .connectTimeout(DEFAULT_TIMEOUT, TimeUnit.MILLISECONDS)
             .writeTimeout(DEFAULT_TIMEOUT, TimeUnit.MILLISECONDS)
             .readTimeout(DEFAULT_TIMEOUT, TimeUnit.MILLISECONDS)
             .protocols(Arrays.asList(Protocol.HTTP_1_1))
             .build();
-    String filename = System.getenv("SSL_CERT_FILE");
-    if (filename != null && !filename.isEmpty()) {
-      try {
-        httpClient = enableExternalCertificates(httpClient, filename);
-      } catch (MinioException e) {
-        throw new RuntimeException(e);
-      }
+    try {
+      return enableExternalCertificatesFromEnv(client);
+    } catch (MinioException e) {
+      throw new RuntimeException(e);
     }
-    return httpClient;
   }
 
   @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(