Revert "Azure keyvault trust manager with multiple keystores." (Azure#21230)

* Revert "Azure keyvault trust manager with multiple keystores. (Azure#20548)"

* use log instead of printstacktrace

Co-authored-by: Yi Liu <yiliu6@microsoft.com>

Author: Rujun Chen

sdk/keyvault/azure-security-keyvault-jca/pom.xml

@@ -205,6 +205,6 @@
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <jacoco.min.branchcoverage>0</jacoco.min.branchcoverage>
-        <jacoco.min.linecoverage>0</jacoco.min.linecoverage>
+        <jacoco.min.linecoverage>0.05</jacoco.min.linecoverage>
     </properties>
 </project>

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultTrustManager.java

@@ -3,11 +3,8 @@
 
 package com.azure.security.keyvault.jca;
 
-import javax.net.ssl.X509TrustManager;
-import javax.net.ssl.X509ExtendedTrustManager;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.SSLEngine;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 import java.io.IOException;
 import java.net.Socket;
 import java.security.KeyStore;
@@ -17,29 +14,25 @@
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.logging.Logger;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedTrustManager;
 
 import static java.util.logging.Level.WARNING;
-import static java.util.logging.Level.INFO;
 
 /**
  * The Azure Key Vault variant of the X509TrustManager.
  */
 public class KeyVaultTrustManager extends X509ExtendedTrustManager {
 
-
     /**
      * Stores the logger.
      */
     private static final Logger LOGGER = Logger.getLogger(KeyVaultTrustManager.class.getName());
-    /**
-     * Trust manager that employs local JRE keystore.
-     */
-    private X509TrustManager defaultTrustManager;
 
     /**
-     * Trust manager that employs KeyVault keystore or other 3rd party keystore.
+     * Stores the default trust manager.
      */
-    private X509TrustManager trustManager;
+    private X509TrustManager defaultTrustManager;
 
     /**
      * Stores the keystore.
@@ -52,71 +45,31 @@ public class KeyVaultTrustManager extends X509ExtendedTrustManager {
      * @param keyStore the keystore.
      */
     public KeyVaultTrustManager(KeyStore keyStore) {
-
-        if (keyStore != null) {
-            if (keyStore.getType().equals(KeyVaultKeyStore.KEY_STORE_TYPE)) {
-                this.keyStore = keyStore;
-                addTrustManager(this.keyStore);
-            } else {
-                addKeyVaultKeystore();
-                addTrustManager(keyStore);
+        this.keyStore = keyStore;
+        if (this.keyStore == null) {
+            try {
+                this.keyStore = KeyStore.getInstance(KeyVaultKeyStore.KEY_STORE_TYPE);
+                this.keyStore.load(null, null);
+            } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException ex) {
+                LOGGER.log(WARNING, "Unable to get AzureKeyVault keystore.", ex);
             }
         }
-        addDefaultTrustManager();
-
-    }
-
-    /**
-     * Constructor
-     * @param trustManager The passed-in trust manager.
-     */
-    public KeyVaultTrustManager(TrustManager trustManager) {
-
-        this.trustManager = (X509TrustManager) trustManager;
-        addKeyVaultKeystore();
-        addDefaultTrustManager();
-
-    }
-
-    private void addKeyVaultKeystore() {
-        try {
-            this.keyStore = KeyStore.getInstance(KeyVaultKeyStore.KEY_STORE_TYPE);
-            this.keyStore.load(null, null);
-        } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException ex) {
-            LOGGER.log(WARNING, "Unable to get the keyvault keystore.", ex);
-        }
-    }
-
-    private void addTrustManager(KeyStore keyStore) {
         try {
             TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
             factory.init(keyStore);
-            trustManager = (X509TrustManager) factory.getTrustManagers()[0];
-        } catch (NoSuchAlgorithmException | NoSuchProviderException | KeyStoreException ex) {
-            LOGGER.log(WARNING, "Unable to get the trust manager factory.", ex);
-        }
-
-    }
-
-    private void addDefaultTrustManager() {
-        try {
-            TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
-            factory.init((KeyStore) null);
             defaultTrustManager = (X509TrustManager) factory.getTrustManagers()[0];
         } catch (NoSuchAlgorithmException | NoSuchProviderException | KeyStoreException ex) {
-            LOGGER.log(WARNING, "Unable to get the default trust manager factory.", ex);
+            LOGGER.log(WARNING, "Unable to get the trust manager factory.", ex);
         }
-
         if (defaultTrustManager == null) {
             try {
                 TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX", "IbmJSSE");
-                factory.init((KeyStore) null);
+                factory.init(keyStore);
                 defaultTrustManager = (X509TrustManager) factory.getTrustManagers()[0];
             } catch (NoSuchAlgorithmException | NoSuchProviderException | KeyStoreException ex) {
-                LOGGER.log(WARNING, "Unable to get the default trust manager factory.", ex);
+                LOGGER.log(WARNING, "Unable to get the trust manager factory.", ex);
             }
         }
-
     }
 
     @Override
@@ -131,11 +84,7 @@ public void checkClientTrusted(X509Certificate[] chain, String authType)
         try {
             defaultTrustManager.checkClientTrusted(chain, authType);
         } catch (CertificateException ce) {
-            try {
-                trustManager.checkClientTrusted(chain, authType);
-            } catch (CertificateException ce1) {
-                pass = false;
-            }
+            pass = false;
         }
 
         /*
@@ -146,7 +95,7 @@ public void checkClientTrusted(X509Certificate[] chain, String authType)
             try {
                 alias = keyStore.getCertificateAlias(chain[0]);
             } catch (KeyStoreException kse) {
-                LOGGER.log(INFO, "Unable to get the certificate in keyvault keystore.", kse);
+                LOGGER.log(WARNING, "Unable to get the certificate in AzureKeyVault keystore.", kse);
             }
             if (alias == null) {
                 throw new CertificateException("Unable to verify in keystore");
@@ -166,12 +115,9 @@ public void checkServerTrusted(X509Certificate[] chain, String authType)
         try {
             defaultTrustManager.checkServerTrusted(chain, authType);
         } catch (CertificateException ce) {
-            try {
-                trustManager.checkServerTrusted(chain, authType);
-            } catch (CertificateException ce1) {
-                pass = false;
-            }
+            pass = false;
         }
+
         /*
          * Step 2 - see if the certificate exists in the keystore.
          */
@@ -180,7 +126,7 @@ public void checkServerTrusted(X509Certificate[] chain, String authType)
             try {
                 alias = keyStore.getCertificateAlias(chain[0]);
             } catch (KeyStoreException kse) {
-                LOGGER.log(INFO, "Unable to get the certificate in keyvault keystore.", kse);
+                LOGGER.log(WARNING, "Unable to get the certificate in AzureKeyVault keystore.", kse);
             }
             if (alias == null) {
                 throw new CertificateException("Unable to verify in keystore");

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultTrustManagerFactory.java

@@ -5,15 +5,10 @@
 
 import javax.net.ssl.ManagerFactoryParameters;
 import javax.net.ssl.TrustManager;
-import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.TrustManagerFactorySpi;
 import java.security.KeyStore;
-import java.security.NoSuchAlgorithmException;
-import java.security.NoSuchProviderException;
-import java.security.InvalidAlgorithmParameterException;
 import java.util.ArrayList;
 import java.util.List;
-import java.util.logging.Level;
 import java.util.logging.Logger;
 
 /**
@@ -33,26 +28,13 @@ public class KeyVaultTrustManagerFactory extends TrustManagerFactorySpi {
 
     @Override
     protected void engineInit(KeyStore keystore) {
-        LOGGER.entering("KeyVaultTrustManagerFactory", "engineInit", keystore);
+        LOGGER.entering("KeyVaultKeyManagerFactory", "engineInit", keystore);
         trustManagers.add(new KeyVaultTrustManager(keystore));
     }
 
     @Override
     protected void engineInit(ManagerFactoryParameters spec) {
-        /**
-         * At least, Tomcat initialises its ssl context's trust manager in this way.
-         * If we don't implement this method, the server side "overrideTrustManagerFactory: true" does not work.
-         */
-        LOGGER.entering("KeyVaultTrustManagerFactory", "engineInit", spec);
-        if (spec != null) {
-            try {
-                TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
-                factory.init(spec);
-                trustManagers.add(new KeyVaultTrustManager(factory.getTrustManagers()[0]));
-            } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException e) {
-                LOGGER.log(Level.WARNING, "Unable to get the KeyVaultTrustManagerFactory", e);
-            }
-        }
+        LOGGER.entering("KeyVaultKeyManagerFactory", "engineInit", spec);
     }
 
     @Override

sdk/spring/azure-spring-boot-starter-keyvault-certificates/README.md

@@ -286,7 +286,7 @@ To configure Spring Cloud Gateway for outbound SSL, add the following configurat
 azure:
   keyvault:
     uri: <the URI of the Azure Key Vault to use>
-    jca:
+    jca: 
       overrideTrustManagerFactory: true
 ```