Add default trusted certs to ssl context

author: Morten Tokle <mortent@vespa.ai> 2024-05-29 10:54:46 +0200
committer: Morten Tokle <mortent@vespa.ai> 2024-05-29 12:17:26 +0200
commit: b1b4c187cab9350600342613f97a7ac5bd1f1825 (patch)
tree: 472e417ddfec9d5fd64d8f8617493f766a0719be /vespa-athenz/src
parent: aac9deea8c67e8c5ce132c27f72a14d2188998bd (diff)
3 files changed, 17 insertions, 29 deletions
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
index 2f344004780..085e9973cab 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identity/SiaIdentityProvider.java
@@ -42,28 +42,25 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
         this(new AthenzService(config.athenzDomain(), config.athenzService()),
              SiaUtils.getPrivateKeyFile(Paths.get(config.keyPathPrefix()), new AthenzService(config.athenzDomain(), config.athenzService())),
              SiaUtils.getCertificateFile(Paths.get(config.keyPathPrefix()), new AthenzService(config.athenzDomain(), config.athenzService())),
-             Paths.get(config.trustStorePath()), config.publicSystem());
+             Paths.get(config.trustStorePath()));
     }
 
     public SiaIdentityProvider(AthenzIdentity service,
                                Path siaPath,
-                               Path clientTruststoreFile,
-                               boolean publicSystem) {
+                               Path clientTruststoreFile) {
         this(service,
                 SiaUtils.getPrivateKeyFile(siaPath, service),
                 SiaUtils.getCertificateFile(siaPath, service),
-                clientTruststoreFile,
-                publicSystem);
+                clientTruststoreFile);
     }
 
     public SiaIdentityProvider(AthenzIdentity service,
                                Path privateKeyFile,
                                Path certificateFile,
-                               Path clientTruststoreFile,
-                               boolean publicSystem) {
+                               Path clientTruststoreFile) {
         this.service = service;
         this.keyManager = AutoReloadingX509KeyManager.fromPemFiles(privateKeyFile, certificateFile);
-        this.sslContext = createIdentitySslContext(keyManager, clientTruststoreFile, publicSystem);
+        this.sslContext = createIdentitySslContext(keyManager, clientTruststoreFile);
         this.certificateFile = certificateFile;
         this.privateKeyFile = privateKeyFile;
     }
@@ -83,30 +80,23 @@ public class SiaIdentityProvider extends AbstractComponent implements ServiceIde
     @Override public Path privateKeyPath() { return privateKeyFile; }
 
     public SSLContext createIdentitySslContextWithTrustStore(Path trustStoreFile) {
-        return createIdentitySslContext(keyManager, trustStoreFile, false);
-    }
-
-    public SSLContext createIdentitySslContextWithTrustStore(Path trustStoreFile, boolean includeDefaultTruststore) {
-        return createIdentitySslContext(keyManager, trustStoreFile, includeDefaultTruststore);
+        return createIdentitySslContext(keyManager, trustStoreFile);
     }
 
     /**
      * Create an SSL context with the given trust store and the key manager from this provider.
-     * If the {code includeDefaultTruststore} is true, the default trust store will be included.
+     * Include default trust store
      *
      * @param keyManager the key manager
      * @param trustStoreFile the trust store file
-     * @param includeDefaultTruststore whether to include the default trust store
      */
-    private static SSLContext createIdentitySslContext(AutoReloadingX509KeyManager keyManager, Path trustStoreFile, boolean includeDefaultTruststore) {
-        List<X509Certificate> defaultTrustStore = List.of();
-        if (includeDefaultTruststore) {
-            try {
-                // load the default java trust store and extract the certificates
-                defaultTrustStore = Stream.of(TrustManagerUtils.createDefaultX509TrustManager().getAcceptedIssuers()).toList();
-            } catch (Exception e) {
-                throw new RuntimeException("Failed to load default trust store", e);
-            }
+    private static SSLContext createIdentitySslContext(AutoReloadingX509KeyManager keyManager, Path trustStoreFile) {
+        List<X509Certificate> defaultTrustStore;
+        try {
+            // load the default java trust store and extract the certificates
+            defaultTrustStore = Stream.of(TrustManagerUtils.createDefaultX509TrustManager().getAcceptedIssuers()).toList();
+        } catch (Exception e) {
+            throw new RuntimeException("Failed to load default trust store", e);
         }
         try {
             List<X509Certificate> caCertList = Stream.concat(
diff --git a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/LegacyAthenzIdentityProviderImpl.java b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/LegacyAthenzIdentityProviderImpl.java
index 34324ef18e6..c00149e0e4b 100644
--- a/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/LegacyAthenzIdentityProviderImpl.java
+++ b/vespa-athenz/src/main/java/com/yahoo/vespa/athenz/identityprovider/client/LegacyAthenzIdentityProviderImpl.java
@@ -362,7 +362,7 @@ public final class LegacyAthenzIdentityProviderImpl extends AbstractComponent im
 
     private static SiaIdentityProvider createNodeIdentityProvider(IdentityConfig config) {
         return new SiaIdentityProvider(
-                new AthenzService(config.nodeIdentityName()), SiaUtils.DEFAULT_SIA_DIRECTORY, CLIENT_TRUST_STORE, false);
+                new AthenzService(config.nodeIdentityName()), SiaUtils.DEFAULT_SIA_DIRECTORY, CLIENT_TRUST_STORE);
     }
 
     private boolean isExpired(AthenzCredentials credentials) {
diff --git a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
index 19a81691b76..5ca6a53a4c7 100644
--- a/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
+++ b/vespa-athenz/src/test/java/com/yahoo/vespa/athenz/identity/SiaIdentityProviderTest.java
@@ -49,8 +49,7 @@ public class SiaIdentityProviderTest {
                         new AthenzService("domain", "service-name"),
                         keyFile.toPath(),
                         certificateFile.toPath(),
-                        trustStoreFile.toPath(),
-                        false);
+                        trustStoreFile.toPath());
 
         assertNotNull(provider.getIdentitySslContext());
     }
@@ -73,8 +72,7 @@ public class SiaIdentityProviderTest {
                         new AthenzService("domain", "service-name"),
                         keyFile.toPath(),
                         certificateFile.toPath(),
-                        trustStoreFile.toPath(),
-                        false);
+                        trustStoreFile.toPath());
 
         assertNotNull(provider.getIdentitySslContext());
     }
author	Morten Tokle <mortent@vespa.ai>	2024-05-29 10:54:46 +0200
committer	Morten Tokle <mortent@vespa.ai>	2024-05-29 12:17:26 +0200
commit	b1b4c187cab9350600342613f97a7ac5bd1f1825 (patch)
tree	472e417ddfec9d5fd64d8f8617493f766a0719be /vespa-athenz/src
parent	aac9deea8c67e8c5ce132c27f72a14d2188998bd (diff)