Skip to content
Merged
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,32 @@ public static X509KeyManager keyManager(byte[] privateKeyPem, byte[] certificate
}
}

/** Returns the platform default {@link X509TrustManager}. */
public static X509TrustManager defaultTrustManager() throws SSLException {
try {
TrustManagerFactory tmf =
TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());

// Initialize with the platform default trust store.
tmf.init((KeyStore) null);

return defaultTrustManager(tmf);
} catch (KeyStoreException | NoSuchAlgorithmException e) {
throw new SSLException("Could not build default TrustManager.", e);
}
}

// Visible for testing
static X509TrustManager defaultTrustManager(TrustManagerFactory tmf) throws SSLException {
for (TrustManager trustManager : tmf.getTrustManagers()) {
if (trustManager instanceof X509TrustManager) {
return (X509TrustManager) trustManager;
}
}

throw new SSLException("No X509TrustManager found");
}

// Visible for testing
static PrivateKey generatePrivateKey(PKCS8EncodedKeySpec keySpec, List<KeyFactory> keyFactories)
throws SSLException {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@

package io.opentelemetry.exporter.internal;

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatCode;

import com.linecorp.armeria.internal.common.util.SelfSignedCertificate;
Expand All @@ -15,13 +16,19 @@
import java.nio.file.Path;
import java.nio.file.StandardOpenOption;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.time.Instant;
import java.util.Collections;
import java.util.Date;
import java.util.stream.Stream;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SSLException;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.TrustManagerFactorySpi;
import javax.net.ssl.X509TrustManager;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
Expand Down Expand Up @@ -79,6 +86,41 @@ void generatePrivateKey_Invalid() {
.hasMessage("Unable to generate key from supported algorithms: [EC]");
}

@Test
void defaultTrustManager() {
assertThatCode(TlsUtil::defaultTrustManager).doesNotThrowAnyException();
}

@Test
Comment thread
psx95 marked this conversation as resolved.
void defaultTrustManager_returnsX509TrustManager() throws Exception {
assertThat(TlsUtil.defaultTrustManager()).isInstanceOf(X509TrustManager.class);
}

private static TrustManagerFactory trustManagerFactory(TrustManager[] trustManagers) {
return new TrustManagerFactory(
new TrustManagerFactorySpi() {
@Override
protected void engineInit(KeyStore keyStore) {}

@Override
protected void engineInit(ManagerFactoryParameters spec) {}

@Override
protected TrustManager[] engineGetTrustManagers() {
return trustManagers;
}
},
null,
"test") {};
}

@Test
void defaultTrustManager_NoX509TrustManagerFound() {
assertThatCode(() -> TlsUtil.defaultTrustManager(trustManagerFactory(new TrustManager[0])))
.isInstanceOf(SSLException.class)
.hasMessage("No X509TrustManager found");
}
Comment thread
Debashismitra01 marked this conversation as resolved.

/**
* Append <a href="https://datatracker.ietf.org/doc/html/rfc7468#section-5.2">explanatory text</a>
* prefix and verify {@link TlsUtil#keyManager(byte[], byte[])} succeeds.
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@

import io.opentelemetry.api.impl.InstrumentationUtil;
import io.opentelemetry.exporter.internal.RetryUtil;
import io.opentelemetry.exporter.internal.TlsUtil;
import io.opentelemetry.sdk.common.CompletableResultCode;
import io.opentelemetry.sdk.common.export.Compressor;
import io.opentelemetry.sdk.common.export.HttpResponse;
Expand All @@ -29,6 +30,7 @@
import java.util.logging.Logger;
import javax.annotation.Nullable;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.X509TrustManager;
import okhttp3.Call;
import okhttp3.Callback;
Expand Down Expand Up @@ -109,8 +111,17 @@ public OkHttpHttpSender(
boolean isPlainHttp = endpoint.getScheme().equals("http");
if (isPlainHttp) {
builder.connectionSpecs(Collections.singletonList(ConnectionSpec.CLEARTEXT));
} else if (sslContext != null && trustManager != null) {
builder.sslSocketFactory(sslContext.getSocketFactory(), trustManager);
} else if (sslContext != null) {
X509TrustManager effectiveTrustManager = trustManager;

if (effectiveTrustManager == null) {
try {
effectiveTrustManager = TlsUtil.defaultTrustManager();
} catch (SSLException e) {
throw new IllegalStateException("Unable to initialize default trust manager", e);
}
}
builder.sslSocketFactory(sslContext.getSocketFactory(), effectiveTrustManager);
}

this.client = builder.build();
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,8 @@
package io.opentelemetry.exporter.sender.okhttp.internal;

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.Assertions.assertThatCode;
import static org.assertj.core.api.Assertions.assertThatThrownBy;
import static org.junit.jupiter.api.Assertions.assertFalse;
import static org.junit.jupiter.api.Assertions.assertTrue;

Expand All @@ -15,6 +17,7 @@
import java.io.OutputStream;
import java.net.ServerSocket;
import java.net.URI;
import java.security.Security;
import java.time.Duration;
import java.util.Collections;
import java.util.concurrent.CountDownLatch;
Expand All @@ -25,6 +28,8 @@
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import javax.annotation.Nullable;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import org.junit.jupiter.api.Test;

class OkHttpHttpSenderTest {
Expand Down Expand Up @@ -223,4 +228,61 @@ public int getContentLength() {
return 0;
}
}

@Test
void constructor_usesDefaultTrustManagerWhenTrustManagerIsNull() throws Exception {
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, null, null);

assertThatCode(
() ->
new OkHttpHttpSender(
URI.create("https://localhost"),
"text/plain",
null,
Duration.ofSeconds(10),
Duration.ofSeconds(10),
Collections::emptyMap,
null,
null,
sslContext,
null,
null,
Long.MAX_VALUE))
.doesNotThrowAnyException();
}

@Test
void constructor_wrapsDefaultTrustManagerFailure() throws Exception {
String originalAlgorithm = Security.getProperty("ssl.TrustManagerFactory.algorithm");

try {
Security.setProperty("ssl.TrustManagerFactory.algorithm", "invalid");

SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, null, null);

assertThatThrownBy(
() ->
new OkHttpHttpSender(
URI.create("https://localhost"),
"text/plain",
null,
Duration.ofSeconds(10),
Duration.ofSeconds(10),
Collections::emptyMap,
null,
null,
sslContext,
null,
null,
Long.MAX_VALUE))
.isInstanceOf(IllegalStateException.class)
.hasMessage("Unable to initialize default trust manager")
.hasCauseInstanceOf(SSLException.class);

} finally {
Security.setProperty("ssl.TrustManagerFactory.algorithm", originalAlgorithm);
}
}
}
Loading