the alias of CertificateEntry

manbucy commented 2 years ago

Describe the bug Hello, I am going to create an SSLContext with the following code, but the resulting SSLContext does not appear to be complete and its trustedCerts is empty.

    SSLFactory sslFactory = SSLFactory.builder()
            .withTrustMaterial(CertificateUtils.loadCertificate("ca.crt"))
            .build();
    SSLContext sslContext = sslFactory.getSslContext();

the content of ca.crt

Environmental Data:

Java Version 1.8.0_202
sslcontext-kickstart Version 7.3.0
OS: Windows

Additional context I found out the cause of the problem, when create X509TrustManagerImpl, its trustedCerts is already empty. sun.security.ssl.X509TrustManagerImpl

sun.security.validator.KeyStores.getTrustedCerts(KeyStore var0)

java.security.KeyStore.isCertificateEntry(String alias)

sun.security.pkcs12.PKCS12KeyStore.engineIsCertificateEntry(String var1) the entries keys has the capital letters, but the parameter var1 is lowercase letters

Can you consider changing alias to lowercase in the nl.altindag.ssl.util.KeyStoreUtils.createTrustStore(List<T> certificates) or nl.altindag.ssl.util.CertificateUtils.generateAlias(Certificate certificate)

Hakky54 commented 2 years ago

Hi @manbucy

Thank you for the very detailed issue description. It is very helpful when investigating this issue, I really appreciate it! I have tried this out locally and for me this issue is not happening, see below for the screenshot:

As you can see one certificate is loaded and also visible within the trustmanager of the sslcontext. I think this issue is caused by CertificateUtils not being able to find the certificate on your classpath, but to be sure I need to ask if you can retry something on your side. Can you put the statement of CertificateUtils on a separate line and check whether the list is empty or has elements? So basically the following snippet:

List<Certificate> certificates = CertificateUtils.loadCertificate("ca.crt");

SSLFactory sslFactory = SSLFactory.builder()
        .withTrustMaterial(certificates)
        .build();

manbucy commented 2 years ago

@Hakky54 Thank you for your reply， i have put the statement of CertificateUtils on a separate line, but the trustedCerts is still emply.

but when i use jdk11, I found the sslcontext become correct. sun.security.pkcs12.PKCS12KeyStore.setCertEntry(String alias, Certificate cert, Set<Attribute> attributes)

manbucy commented 2 years ago

JDK-10+0 and previous versions are entries.put(alias, certEntry); source code

JDK-10+1 and later versions are entries.put(alias.toLowerCase(Locale.ENGLISH), certEntry); source code

Hakky54 commented 2 years ago

I tried jdk 1.8.0_302 which did not have this issue. I currently don't have my dev environment next to me, so i will come back to you in 4 hours and try out with jdk 1.8.0_202 locally

Hakky54 commented 2 years ago

I have retried it with jdk 1.8.0_202 and indeed that issue is present over there and your PR changes fixes it. Very well investigated! I am amazed for your detailed research. Thank you very much for this issue and pull request. I have approved the PR and merged it.

Just out of curiosity, why are you using jdk 1.8.0_202 and not using the latest version of jdk 1.8?

manbucy commented 2 years ago

Just out of curiosity, why are you using jdk 1.8.0_202 and not using the latest version of jdk 1.8?

This JDK1.8.0_202 was installed in 2019 when it was the latest version and I haven't updated it since. Jdk1.8.0_202, on the other hand, is the last OTN License release that many companies will choose.

Hakky54 commented 2 years ago

Yes, very understandable and I didn't know about the OTN license! I have just released your fix which is now available at version 7.4.1. Good luck, please let me know if you have any other improvements 😄

Hakky54 / sslcontext-kickstart

the alias of CertificateEntry #166