authorBjørn Christian Seime <bjorncs@verizonmedia.com>2020-02-14 13:05:04 +0100
committerBjørn Christian Seime <bjorncs@verizonmedia.com>2020-02-17 13:41:08 +0100
commited4f40137e20e78c7e861aabf7814fb52c2d8a15 (patch)
tree5f91e182ca81df2a52cfbe5bd94718307d30d74a /security-utils
parent9584f5714832e9c7c73ba589b12dbee9bad8cde7 (diff)
Allow specifying custom trust manager instance to SslContextBuilder
Diffstat (limited to 'security-utils')
-rw-r--r--security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java17
1 files changed, 14 insertions, 3 deletions
diff --git a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
index d2b98fd20d9..f3932c84a17 100644
--- a/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
+++ b/security-utils/src/main/java/com/yahoo/security/SslContextBuilder.java
@@ -35,6 +35,7 @@ public class SslContextBuilder {
private TrustManagerFactory trustManagerFactory = TrustManagerUtils::createDefaultX509TrustManager;
private KeyManagerFactory keyManagerFactory = KeyManagerUtils::createDefaultX509KeyManager;
private X509ExtendedKeyManager keyManager;
+ private X509ExtendedTrustManager trustManager;
public SslContextBuilder() {}
@@ -121,15 +122,25 @@ public class SslContextBuilder {
return this;
}
+ /**
+ * Note: Callee is responsible for configuring the trust manager.
+ * Any truststore configured by {@link #withTrustStore(KeyStore)} or the other overloads will be ignored.
+ */
+ public SslContextBuilder withTrustManager(X509ExtendedTrustManager trustManager) {
+ this.trustManager = trustManager;
+ return this;
+ }
+
public SSLContext build() {
try {
SSLContext sslContext = SSLContext.getInstance(TlsContext.SSL_CONTEXT_VERSION);
- TrustManager[] trustManagers = new TrustManager[] { trustManagerFactory.createTrustManager(trustStoreSupplier.get()) };
+ X509ExtendedTrustManager trustManager = this.trustManager != null
+ ? this.trustManager
+ : trustManagerFactory.createTrustManager(trustStoreSupplier.get());
X509ExtendedKeyManager keyManager = this.keyManager != null
? this.keyManager
: keyManagerFactory.createKeyManager(keyStoreSupplier.get(), keyStorePassword);
- KeyManager[] keyManagers = new KeyManager[] {keyManager};
- sslContext.init(keyManagers, trustManagers, null);
+ sslContext.init(new KeyManager[] {keyManager}, new TrustManager[] {trustManager}, null);
return sslContext;
} catch (GeneralSecurityException e) {
throw new RuntimeException(e);
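Review bot: The Javadoc on `withTrustManager` says "Callee is responsible" where it means the caller, and it understates what is bypassed. In `build()` a non-null `this.trustManager` skips `trustManagerFactory.createTrustManager(trustStoreSupplier.get())` entirely, so the builder's trust manager factory is ignored along with the truststore. Because this choice decides which peer certificates the resulting `SSLContext` accepts, I would reword the comment to `Note: Caller is responsible for configuring the trust manager. Any truststore or trust manager factory configured on this builder will be ignored.` It is also worth stating that passing `null` falls back to the factory path, and considering a fail-fast in `build()` when both a truststore and a trust manager were set explicitly, if the builder can tell (not visible in this hunk). The body of `build()` continues past the end of the hunk.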