Describe the bug
Quarkus Version: 1.6.0
Configuring a trustStore for a mp-rest client via config.properties is no longer possible in native mode.
I think the problem is related to
extensions/rest-client/runtime/src/main/java/io/quarkus/restclient/runtime/graal/ClientHttpEngineBuilder43Replacement.java
If no sslcontext is provided, the default context is used, which does not respect trustStore configuration.
Also creating a REST-Client like this:
    val store = KeyStore.getInstance("JKS").apply {
        this.load(File("path/to/trustStore").inputStream(), "changeit".toCharArray())
    }
    restClient = RestClientBuilder.newBuilder()
        .baseUri(URI("https://<rest-service>/"))
        .trustStore(store)
        .build(RestService::class.java)
is not working.
But creating a REST-Service like this is working:
    val store = KeyStore.getInstance("JKS").apply {
        this.load(File("path/to/trustStore").inputStream(), "changeit".toCharArray())
    }
    val tmf = TrustManagerFactory.getInstance("X509")
    val instance = SSLContext.getInstance("TLSv1.2")
    tmf.init(store)
    instance.init(null, tmf.trustManagers, SecureRandom.getInstanceStrong())
    restClient = RestClientBuilder.newBuilder()
        .baseUri(URI("https://<rest-service>/"))
        .sslContext(instance)
        .build(RestService::class.java)
Expected behavior
Successful connection to a REST endpoint with a CA certificate not contained in the default truststore of the client.
Actual behavior
No connection is established because of:
    Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
        at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
        at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
        at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
        at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:445)
        ... 55 more
To Reproduce
Steps to reproduce the behavior:
1. Create a simple REST server which uses a self-signed certificate
2. Create a simple Quarkus application with a REST client to said REST server
Configuration
Environment (please complete the following information): Native Image build via default docker builder.
https://github.com/quarkusio/quarkus/issues/10877
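
For anyone applying the explicit-`SSLContext` workaround from the report, the following added example (not code from the issue or from Quarkus) loads the trust store, fails early when it holds no trusted certificate entries, and lists the anchors so you can confirm the server's CA is present before building the context. The helper names `loadTrustStore`, `describeAnchors` and `sslContextFor` are hypothetical, and the store path and password are assumed to be passed as program arguments.

```kotlin
import java.io.File
import java.security.KeyStore
import java.security.cert.X509Certificate
import javax.net.ssl.SSLContext
import javax.net.ssl.TrustManagerFactory

// Hypothetical helper (not a Quarkus API): load a trust store and fail early
// if it holds no trusted certificate entries, instead of failing at handshake time.
fun loadTrustStore(path: String, password: CharArray, type: String = "JKS"): KeyStore {
    val store = KeyStore.getInstance(type)
    // use {} closes the stream once the store has been read.
    File(path).inputStream().use { store.load(it, password) }
    val anchors = store.aliases().toList().filter { store.isCertificateEntry(it) }
    require(anchors.isNotEmpty()) { "$path contains no trusted certificate entries" }
    return store
}

// Subject and expiry of each trusted entry, to check that the server's CA is there.
fun describeAnchors(store: KeyStore): List<String> =
    store.aliases().toList()
        .filter { store.isCertificateEntry(it) }
        .mapNotNull { alias ->
            (store.getCertificate(alias) as? X509Certificate)?.let {
                "$alias: ${it.subjectX500Principal.name} (expires ${it.notAfter})"
            }
        }

// Builds the context that the working snippet passes to RestClientBuilder.sslContext(...).
fun sslContextFor(store: KeyStore): SSLContext {
    val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm())
    tmf.init(store)
    // A null SecureRandom selects the provider default; getInstanceStrong()
    // may pick a blocking entropy source on Linux.
    return SSLContext.getInstance("TLSv1.2").apply { init(null, tmf.trustManagers, null) }
}

fun main(args: Array<String>) {
    // Usage: <trust-store-path> <password>, both supplied by the caller.
    val store = loadTrustStore(args[0], args[1].toCharArray())
    describeAnchors(store).forEach(::println)
    println("SSLContext protocol: ${sslContextFor(store).protocol}")
}
```

If the CA that signed the server certificate does not appear in the printed list, the `SunCertPathBuilderException` above is expected regardless of how the client is configured.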