diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/config/ConfigHolder.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/config/ConfigHolder.java index 3dc2349d5d..444ecc1506 100644 --- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/config/ConfigHolder.java +++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/config/ConfigHolder.java @@ -18,6 +18,7 @@ package org.wso2.choreo.connect.enforcer.config; +import org.apache.commons.lang3.RandomStringUtils; import org.apache.commons.lang3.StringUtils; import org.apache.logging.log4j.LogManager; import org.apache.logging.log4j.Logger; @@ -80,6 +81,7 @@ import java.security.NoSuchAlgorithmException; import java.security.cert.Certificate; import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; import java.util.ArrayList; import java.util.Arrays; import java.util.List; @@ -87,7 +89,9 @@ import java.util.regex.Matcher; import java.util.regex.Pattern; +import javax.net.ssl.TrustManager; import javax.net.ssl.TrustManagerFactory; +import javax.net.ssl.X509TrustManager; /** * Configuration holder class for Microgateway. @@ -376,17 +380,58 @@ private void populateTMBinaryConfig(BinaryPublisher binary) { private void loadTrustStore() { try { + trustStore = KeyStore.getInstance(KeyStore.getDefaultType()); trustStore.load(null); - String truststoreFilePath = getEnvVarConfig().getTrustedAdapterCertsPath(); - TLSUtils.addCertsToTruststore(trustStore, truststoreFilePath); + + if (getEnvVarConfig().isTrustDefaultCerts()) { + loadDefaultCertsToTrustStore(); + } + loadTrustedCertsToTrustStore(); + trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()); trustManagerFactory.init(trustStore); + } catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException e) { logger.error("Error in loading certs to the trust store.", e); } } + private void loadTrustedCertsToTrustStore() throws IOException { + String truststoreFilePath = getEnvVarConfig().getTrustedAdapterCertsPath(); + TLSUtils.addCertsToTruststore(trustStore, truststoreFilePath); + } + + private void loadDefaultCertsToTrustStore() throws NoSuchAlgorithmException, KeyStoreException { + TrustManagerFactory tmf = TrustManagerFactory + .getInstance(TrustManagerFactory.getDefaultAlgorithm()); + // Using null here initialises the TMF with the default trust store. + tmf.init((KeyStore) null); + + // Get hold of the default trust manager + X509TrustManager defaultTm = null; + for (TrustManager tm : tmf.getTrustManagers()) { + if (tm instanceof X509TrustManager) { + defaultTm = (X509TrustManager) tm; + break; + } + } + + // Get the certs from defaultTm and add them to our trustStore + if (defaultTm != null) { + X509Certificate[] trustedCerts = defaultTm.getAcceptedIssuers(); + Arrays.stream(trustedCerts) + .forEach(cert -> { + try { + trustStore.setCertificateEntry(RandomStringUtils.random(10, true, false), + cert); + } catch (KeyStoreException e) { + logger.error("Error while adding default trusted ca cert", e); + } + }); + } + } + private void loadOpaClientKeyStore() { String certPath = getEnvVarConfig().getOpaClientPublicKeyPath(); String keyPath = getEnvVarConfig().getOpaClientPrivateKeyPath(); diff --git a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/config/EnvVarConfig.java b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/config/EnvVarConfig.java index a5cb246a4a..041b42e3fb 100644 --- a/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/config/EnvVarConfig.java +++ b/enforcer-parent/enforcer/src/main/java/org/wso2/choreo/connect/enforcer/config/EnvVarConfig.java @@ -26,6 +26,7 @@ */ public class EnvVarConfig { private static final String TRUSTED_CA_CERTS_PATH = "TRUSTED_CA_CERTS_PATH"; + private static final String TRUST_DEFAULT_CERTS = "TRUST_DEFAULT_CERTS"; private static final String ADAPTER_HOST_NAME = "ADAPTER_HOST_NAME"; private static final String ENFORCER_PRIVATE_KEY_PATH = "ENFORCER_PRIVATE_KEY_PATH"; private static final String ENFORCER_PUBLIC_CERT_PATH = "ENFORCER_PUBLIC_CERT_PATH"; @@ -42,6 +43,7 @@ public class EnvVarConfig { // Since the container is running in linux container, path separator is not needed. private static final String DEFAULT_TRUSTED_CA_CERTS_PATH = "/home/wso2/security/truststore"; + private static final String DEFAULT_TRUST_DEFAULT_CERTS = "true"; private static final String DEFAULT_ADAPTER_HOST_NAME = "adapter"; private static final String DEFAULT_ENFORCER_PRIVATE_KEY_PATH = "/home/wso2/security/keystore/mg.key"; private static final String DEFAULT_ENFORCER_PUBLIC_CERT_PATH = "/home/wso2/security/keystore/mg.pem"; @@ -56,6 +58,7 @@ public class EnvVarConfig { private static EnvVarConfig instance; private final String trustedAdapterCertsPath; + private final String trustDefaultCerts; private final String enforcerPrivateKeyPath; private final String enforcerPublicKeyPath; private final String opaClientPrivateKeyPath; @@ -75,6 +78,8 @@ public class EnvVarConfig { private EnvVarConfig() { trustedAdapterCertsPath = retrieveEnvVarOrDefault(TRUSTED_CA_CERTS_PATH, DEFAULT_TRUSTED_CA_CERTS_PATH); + trustDefaultCerts = retrieveEnvVarOrDefault(TRUST_DEFAULT_CERTS, + DEFAULT_TRUST_DEFAULT_CERTS); enforcerPrivateKeyPath = retrieveEnvVarOrDefault(ENFORCER_PRIVATE_KEY_PATH, DEFAULT_ENFORCER_PRIVATE_KEY_PATH); enforcerPublicKeyPath = retrieveEnvVarOrDefault(ENFORCER_PUBLIC_CERT_PATH, @@ -119,6 +124,10 @@ public String getTrustedAdapterCertsPath() { return trustedAdapterCertsPath; } + public boolean isTrustDefaultCerts() { + return Boolean.valueOf(trustDefaultCerts); + } + public String getEnforcerPrivateKeyPath() { return enforcerPrivateKeyPath; }