Azure keyvault trust manager with multiple keystores. (Azure#20548)

* Let the azure trust maanger also employ local JRE keystore, and change the README accordingly

* Support server side to override trust manager factory by azure jca trust manager factory

* add logger

Co-authored-by: Michael Qi <v-michaelqi@microsoft.com>

Author: michaelqi793

sdk/keyvault/azure-security-keyvault-jca/pom.xml

@@ -205,6 +205,6 @@
     <properties>
         <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
         <jacoco.min.branchcoverage>0</jacoco.min.branchcoverage>
-        <jacoco.min.linecoverage>0.05</jacoco.min.linecoverage>
+        <jacoco.min.linecoverage>0</jacoco.min.linecoverage>
     </properties>
 </project>

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultTrustManager.java

@@ -3,8 +3,11 @@
 
 package com.azure.security.keyvault.jca;
 
-import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
+import javax.net.ssl.X509ExtendedTrustManager;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManagerFactory;
 import java.io.IOException;
 import java.net.Socket;
 import java.security.KeyStore;
@@ -13,19 +16,31 @@
 import java.security.NoSuchProviderException;
 import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
-import javax.net.ssl.SSLEngine;
-import javax.net.ssl.X509ExtendedTrustManager;
+import java.util.logging.Logger;
+
+import static java.util.logging.Level.WARNING;
+import static java.util.logging.Level.INFO;
 
 /**
  * The Azure Key Vault variant of the X509TrustManager.
  */
 public class KeyVaultTrustManager extends X509ExtendedTrustManager {
 
+
     /**
-     * Stores the default trust manager.
+     * Stores the logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(KeyVaultTrustManager.class.getName());
+    /**
+     * Trust manager that employs local JRE keystore.
      */
     private X509TrustManager defaultTrustManager;
 
+    /**
+     * Trust manager that employs KeyVault keystore or other 3rd party keystore.
+     */
+    private X509TrustManager trustManager;
+
     /**
      * Stores the keystore.
      */
@@ -37,31 +52,71 @@ public class KeyVaultTrustManager extends X509ExtendedTrustManager {
      * @param keyStore the keystore.
      */
     public KeyVaultTrustManager(KeyStore keyStore) {
-        this.keyStore = keyStore;
-        if (this.keyStore == null) {
-            try {
-                this.keyStore = KeyStore.getInstance(KeyVaultKeyStore.KEY_STORE_TYPE);
-                this.keyStore.load(null, null);
-            } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException ex) {
-                ex.printStackTrace();
+
+        if (keyStore != null) {
+            if (keyStore.getType().equals(KeyVaultKeyStore.KEY_STORE_TYPE)) {
+                this.keyStore = keyStore;
+                addTrustManager(this.keyStore);
+            } else {
+                addKeyVaultKeystore();
+                addTrustManager(keyStore);
             }
         }
+        addDefaultTrustManager();
+
+    }
+
+    /**
+     * Constructor
+     * @param trustManager The passed-in trust manager.
+     */
+    public KeyVaultTrustManager(TrustManager trustManager) {
+
+        this.trustManager = (X509TrustManager) trustManager;
+        addKeyVaultKeystore();
+        addDefaultTrustManager();
+
+    }
+
+    private void addKeyVaultKeystore() {
+        try {
+            this.keyStore = KeyStore.getInstance(KeyVaultKeyStore.KEY_STORE_TYPE);
+            this.keyStore.load(null, null);
+        } catch (KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException ex) {
+            LOGGER.log(WARNING, "Unable to get the keyvault keystore.", ex);
+        }
+    }
+
+    private void addTrustManager(KeyStore keyStore) {
         try {
             TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
             factory.init(keyStore);
+            trustManager = (X509TrustManager) factory.getTrustManagers()[0];
+        } catch (NoSuchAlgorithmException | NoSuchProviderException | KeyStoreException ex) {
+            LOGGER.log(WARNING, "Unable to get the trust manager factory.", ex);
+        }
+
+    }
+
+    private void addDefaultTrustManager() {
+        try {
+            TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
+            factory.init((KeyStore) null);
             defaultTrustManager = (X509TrustManager) factory.getTrustManagers()[0];
         } catch (NoSuchAlgorithmException | NoSuchProviderException | KeyStoreException ex) {
-            ex.printStackTrace();
+            LOGGER.log(WARNING, "Unable to get the default trust manager factory.", ex);
         }
+
         if (defaultTrustManager == null) {
             try {
                 TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX", "IbmJSSE");
-                factory.init(keyStore);
+                factory.init((KeyStore) null);
                 defaultTrustManager = (X509TrustManager) factory.getTrustManagers()[0];
             } catch (NoSuchAlgorithmException | NoSuchProviderException | KeyStoreException ex) {
-                ex.printStackTrace();
+                LOGGER.log(WARNING, "Unable to get the default trust manager factory.", ex);
             }
         }
+
     }
 
     @Override
@@ -76,7 +131,11 @@ public void checkClientTrusted(X509Certificate[] chain, String authType)
         try {
             defaultTrustManager.checkClientTrusted(chain, authType);
         } catch (CertificateException ce) {
-            pass = false;
+            try {
+                trustManager.checkClientTrusted(chain, authType);
+            } catch (CertificateException ce1) {
+                pass = false;
+            }
         }
 
         /*
@@ -87,7 +146,7 @@ public void checkClientTrusted(X509Certificate[] chain, String authType)
             try {
                 alias = keyStore.getCertificateAlias(chain[0]);
             } catch (KeyStoreException kse) {
-                kse.printStackTrace();
+                LOGGER.log(INFO, "Unable to get the certificate in keyvault keystore.", kse);
             }
             if (alias == null) {
                 throw new CertificateException("Unable to verify in keystore");
@@ -107,9 +166,12 @@ public void checkServerTrusted(X509Certificate[] chain, String authType)
         try {
             defaultTrustManager.checkServerTrusted(chain, authType);
         } catch (CertificateException ce) {
-            pass = false;
+            try {
+                trustManager.checkServerTrusted(chain, authType);
+            } catch (CertificateException ce1) {
+                pass = false;
+            }
         }
-
         /*
          * Step 2 - see if the certificate exists in the keystore.
          */
@@ -118,7 +180,7 @@ public void checkServerTrusted(X509Certificate[] chain, String authType)
             try {
                 alias = keyStore.getCertificateAlias(chain[0]);
             } catch (KeyStoreException kse) {
-                kse.printStackTrace();
+                LOGGER.log(INFO, "Unable to get the certificate in keyvault keystore.", kse);
             }
             if (alias == null) {
                 throw new CertificateException("Unable to verify in keystore");

sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultTrustManagerFactory.java

@@ -5,10 +5,15 @@
 
 import javax.net.ssl.ManagerFactoryParameters;
 import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.TrustManagerFactorySpi;
 import java.security.KeyStore;
+import java.security.NoSuchAlgorithmException;
+import java.security.NoSuchProviderException;
+import java.security.InvalidAlgorithmParameterException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
 /**
@@ -28,13 +33,26 @@ public class KeyVaultTrustManagerFactory extends TrustManagerFactorySpi {
 
     @Override
     protected void engineInit(KeyStore keystore) {
-        LOGGER.entering("KeyVaultKeyManagerFactory", "engineInit", keystore);
+        LOGGER.entering("KeyVaultTrustManagerFactory", "engineInit", keystore);
         trustManagers.add(new KeyVaultTrustManager(keystore));
     }
 
     @Override
     protected void engineInit(ManagerFactoryParameters spec) {
-        LOGGER.entering("KeyVaultKeyManagerFactory", "engineInit", spec);
+        /**
+         * At least, Tomcat initialises its ssl context's trust manager in this way.
+         * If we don't implement this method, the server side "overrideTrustManagerFactory: true" does not work.
+         */
+        LOGGER.entering("KeyVaultTrustManagerFactory", "engineInit", spec);
+        if (spec != null) {
+            try {
+                TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX", "SunJSSE");
+                factory.init(spec);
+                trustManagers.add(new KeyVaultTrustManager(factory.getTrustManagers()[0]));
+            } catch (NoSuchAlgorithmException | NoSuchProviderException | InvalidAlgorithmParameterException e) {
+                LOGGER.log(Level.WARNING, "Unable to get the KeyVaultTrustManagerFactory", e);
+            }
+        }
     }
 
     @Override

sdk/spring/azure-spring-boot-starter-keyvault-certificates/README.md

@@ -286,7 +286,7 @@ To configure Spring Cloud Gateway for outbound SSL, add the following configurat
 azure:
   keyvault:
     uri: <the URI of the Azure Key Vault to use>
-    jca: 
+    jca:
       overrideTrustManagerFactory: true
 ```