Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rest-Client TrustStore Configuration no longer possible via properties in native (regression) #10877

Closed
antonwiens opened this issue Jul 21, 2020 · 2 comments · Fixed by #10883
Closed

Rest-Client TrustStore Configuration no longer possible via properties in native (regression) #10877

antonwiens opened this issue Jul 21, 2020 · 2 comments · Fixed by #10883
Assignees
@geoand
Labels
area/rest-client kind/bug Something isn't working
Milestone
1.7.0.CR1

Comments

@antonwiens
Copy link

antonwiens commented Jul 21, 2020
edited
Loading

Describe the bug
Quarkus Version: 1.6.0
Configuring a trustStore for a mp-rest client via config.properties is no longer possible in native mode.

I think the problem is related to
extensions/rest-client/runtime/src/main/java/io/quarkus/restclient/runtime/graal/ClientHttpEngineBuilder43Replacement.java

If no sslcontext is provided, the default context is used, which does not respect trustStore configuration.

Also creating a REST-Client like this:

    val store = KeyStore.getInstance("JKS").apply {
        this.load(File("path/to/trustStore").inputStream(), "changeit".toCharArray())
    }
    restClient = RestClientBuilder.newBuilder()
            .baseUri(URI("https://<rest-service>/"))
            .trustStore(store)
            .build(RestService::class.java)

is not working.

But creating a REST-Service like this is working:

    val store = KeyStore.getInstance("JKS").apply {
        this.load(File("path/to/trustStore").inputStream(), "changeit".toCharArray())
    }
    val tmf = TrustManagerFactory.getInstance("X509")
    val instance = SSLContext.getInstance("TLSv1.2")
    tmf.init(store)
    instance.init(null, tmf.trustManagers, SecureRandom.getInstanceStrong())
    restClient = RestClientBuilder.newBuilder()
            .baseUri(URI("https://<rest-service>/"))
            .sslContext(instance)
            .build(RestService::class.java)

Expected behavior
Successful connection to a rest endpoint with a ca certificate not contained in the default truststore of the client

Actual behavior
No connection is established because of:
Caused by: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.provider.certpath.SunCertPathBuilder.build(SunCertPathBuilder.java:141)
at sun.security.provider.certpath.SunCertPathBuilder.engineBuild(SunCertPathBuilder.java:126)
at java.security.cert.CertPathBuilder.build(CertPathBuilder.java:280)
at sun.security.validator.PKIXValidator.doBuild(PKIXValidator.java:445)
... 55 more

To Reproduce
Steps to reproduce the behavior:

  1. Create a simple REST Server which uses a self signed certificate
  2. Create a simple Quarkus application with a rest client to said REST server
  3. Let the REST-Client connect to the REST server

Configuration

...
test-service/mp-rest/trustStore=path/to/trustStore.jks
test-service/mp-rest/trustStoreType=JKS
test-service/mp-rest/trustStorePassword=changeit
...

Environment (please complete the following information):
Native Image build via default docker builder.
@antonwiens antonwiens added the kind/bug Something isn't working label Jul 21, 2020
@antonwiens
Copy link
Author

Actually this might also affect keyStore configuration

@geoand geoand self-assigned this Jul 21, 2020
@snowdrop-bot snowdrop-bot mentioned this issue Jul 21, 2020
Closed
geoand added a commit to geoand/quarkus that referenced this issue Jul 21, 2020
@geoand
Fix broken trustStore usage in RestClient
4094fc3 
Before this change, when a user setup a trustStore
or keyStore for REST Client programmatically,
then in native mode that setting was being discarded
due to how ClientHttpEngineBuilder43 uses the
properties.

Fixes: quarkusio#10877
@geoand geoand mentioned this issue Jul 21, 2020
Merged
@geoand
Copy link
Contributor

geoand commented Jul 21, 2020

Thanks for reporting this.

#10883 fixes the issue

geoand added a commit that referenced this issue Jul 21, 2020
@geoand
Merge pull request #10883 from geoand/#10877
cc50ba1 
Fix broken trustStore usage in RestClient in native mode
@gsmet gsmet added this to the 1.7.0 - master milestone Jul 28, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@geoand geoand

Labels
area/rest-client kind/bug Something isn't working
Projects
None yet
Milestone
1.7.0.CR1
Development

Successfully merging a pull request may close this issue.

Fix broken trustStore usage in RestClient in native mode geoand/quarkus
3 participants
@gsmet @geoand @antonwiens