authorSimon Rettberg2025-10-21 11:07:47 +0200
committerSimon Rettberg2025-10-21 11:07:47 +0200
commitae55e0b4f18821e201aaab329b7d65f63a997c3f (patch)
tree24d39c88f0afd75b876b9b6c751647362c6d7de2 /dozentenmodul
parent[server] Thrown exceptions changed again in newer Java (diff)
[client] Try even more trust managers; always use shipped one
Diffstat (limited to 'dozentenmodul')
-rw-r--r--dozentenmodul/src/main/java/org/openslx/dozmod/util/FallbackTrustManager.java130
1 files changed, 91 insertions, 39 deletions
diff --git a/dozentenmodul/src/main/java/org/openslx/dozmod/util/FallbackTrustManager.java b/dozentenmodul/src/main/java/org/openslx/dozmod/util/FallbackTrustManager.java
index f927bdca..3d652ba0 100644
--- a/dozentenmodul/src/main/java/org/openslx/dozmod/util/FallbackTrustManager.java
+++ b/dozentenmodul/src/main/java/org/openslx/dozmod/util/FallbackTrustManager.java
@@ -4,6 +4,11 @@ import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
@@ -15,21 +20,24 @@ import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
public class FallbackTrustManager {
-
+
private final static Logger LOGGER = LogManager.getLogger(FallbackTrustManager.class);
-
+
private static SSLContext sslContext = null;
private static FallbackX509TrustManager delegatingTrustManager = null;
public static void install() {
// On Windows, use system store in addition to the Java one
+ List<X509TrustManager> managers = new ArrayList<>();
+ char[] password = "changeit".toCharArray();
+
LOGGER.info("Installing Fallback X509 truster");
+
try {
// --- Load Java default trust store (cacerts) ---
String javaHome = System.getProperty("java.home");
String cacertsPath = javaHome + "/lib/security/cacerts";
- char[] password = "changeit".toCharArray();
KeyStore javaTrustStore = KeyStore.getInstance("JKS");
try (FileInputStream fis = new FileInputStream(cacertsPath)) {
@@ -41,42 +49,77 @@ public class FallbackTrustManager {
javaTMF.init(javaTrustStore);
LOGGER.info("Java entries: " + javaTrustStore.size());
X509TrustManager javaTrustManager = getX509TrustManager(javaTMF);
+ managers.add(javaTrustManager);
+ } catch (Exception e) {
+ LOGGER.warn("Error adding java certificate store", e);
+ }
- // --- Load Windows root store ---
- KeyStore systemRoot;
- if (OsHelper.isWindows()) {
- systemRoot = KeyStore.getInstance("Windows-ROOT");
+ if (OsHelper.isWindows()) {
+ try {
+ // --- Load Windows root store ---
+ KeyStore systemRoot = KeyStore.getInstance("Windows-ROOT");
systemRoot.load(null, null);
- } else {
- systemRoot = KeyStore.getInstance("JKS");
- try (InputStream is = ResourceLoader.getStream("/data/truststore.jks")) {
- systemRoot.load(is, password);
- }
+ TrustManagerFactory windowsTMF = TrustManagerFactory.getInstance(
+ TrustManagerFactory.getDefaultAlgorithm());
+ windowsTMF.init(systemRoot);
+ LOGGER.info("System entries: " + systemRoot.size());
+ X509TrustManager windowsTrustManager = getX509TrustManager(windowsTMF);
+ managers.add(windowsTrustManager);
+ } catch (Exception e) {
+ LOGGER.warn("Error adding Windows-ROOT certificate store", e);
+ }
+ try {
+ // --- Load Windows root store ---
+ KeyStore systemRoot = KeyStore.getInstance("Windows-MY");
+ systemRoot.load(null, null);
+ TrustManagerFactory windowsTMF = TrustManagerFactory.getInstance(
+ TrustManagerFactory.getDefaultAlgorithm());
+ windowsTMF.init(systemRoot);
+ LOGGER.info("User entries: " + systemRoot.size());
+ X509TrustManager windowsTrustManager = getX509TrustManager(windowsTMF);
+ managers.add(windowsTrustManager);
+ } catch (Exception e) {
+ LOGGER.warn("Error adding Windows-MY certificate store", e);
}
+ }
+ try {
+ KeyStore systemRoot = KeyStore.getInstance("JKS");
+ try (InputStream is = ResourceLoader.getStream("/data/truststore.jks")) {
+ systemRoot.load(is, password);
+ }
TrustManagerFactory windowsTMF = TrustManagerFactory.getInstance(
TrustManagerFactory.getDefaultAlgorithm());
windowsTMF.init(systemRoot);
- LOGGER.info("System entries: " + systemRoot.size());
+ LOGGER.info("Shipped entries: " + systemRoot.size());
X509TrustManager windowsTrustManager = getX509TrustManager(windowsTMF);
+ managers.add(windowsTrustManager);
+ } catch (Exception e) {
+ LOGGER.warn("Error adding shipped certificate store", e);
+ }
+
+ if (managers.isEmpty()) {
+ LOGGER.warn("Couldn't load any trust manager - using default one");
+ return;
+ }
+ try {
// --- Combine using delegating trust manager ---
- delegatingTrustManager = new FallbackX509TrustManager(
- javaTrustManager, windowsTrustManager);
+ delegatingTrustManager = new FallbackX509TrustManager(managers);
sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, getTrustManagers(), null);
SSLContext.setDefault(sslContext);
HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
} catch (Exception e) {
- LOGGER.warn("Cannot use fallback SSL context with system store", e);
+ LOGGER.warn("Error installing custom trust manager", e);
}
}
-
+
public static TrustManager getTrustManager() {
return delegatingTrustManager;
}
-
+
public static TrustManager[] getTrustManagers() {
if (delegatingTrustManager == null)
return null;
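Review bot: The comment `// --- Load Windows root store ---` above `KeyStore.getInstance("Windows-MY")` is copied from the Windows-ROOT block and is wrong — Windows-MY is the current user's personal certificate store, not a root store — so change it to `// --- Load Windows user (personal) store ---` and add a line stating the consequence: everything the trust-manager factory picks up from this store presumably becomes a trust anchor for server verification, so certificates installed into the user's personal store (by the user or by software running as the user) are accepted as roots, which is a wider trust surface than cacerts plus Windows-ROOT and should be documented as intentional. The manager order (Java, Windows-ROOT, Windows-MY, shipped) is also not explained anywhere; a comment on `managers` saying the list is consulted in insertion order would help. The unchanged locals `windowsTMF`/`windowsTrustManager` in the shipped-store block now contradict the new `"Shipped entries"` log text and would read better as `shippedTMF`/`shippedTrustManager`. The body of `install()` begins in the previous hunk.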
@@ -95,44 +138,53 @@ public class FallbackTrustManager {
// Delegating trust manager implementation
public static class FallbackX509TrustManager implements X509TrustManager {
- private final X509TrustManager primary;
- private final X509TrustManager fallback;
+ private final List<X509TrustManager> managers;
+ private X509Certificate[] issuers = null;
- public FallbackX509TrustManager(X509TrustManager primary, X509TrustManager fallback) {
- this.primary = primary;
- this.fallback = fallback;
+ public FallbackX509TrustManager(List<X509TrustManager> managers) {
+ this.managers = managers;
}
@Override
public void checkClientTrusted(X509Certificate[] chain, String authType)
throws java.security.cert.CertificateException {
- try {
- primary.checkClientTrusted(chain, authType);
- } catch (java.security.cert.CertificateException e) {
- LOGGER.warn("Using fallback client truster");
- fallback.checkClientTrusted(chain, authType);
+ java.security.cert.CertificateException cached = null;
+ for (X509TrustManager tm : managers) {
+ try {
+ tm.checkClientTrusted(chain, authType);
+ return;
+ } catch (java.security.cert.CertificateException e) {
+ cached = e;
+ }
}
+ throw cached;
}
@Override
public void checkServerTrusted(X509Certificate[] chain, String authType)
throws java.security.cert.CertificateException {
- try {
- primary.checkServerTrusted(chain, authType);
- } catch (java.security.cert.CertificateException e) {
- LOGGER.warn("Using fallback server truster");
- fallback.checkServerTrusted(chain, authType);
+ java.security.cert.CertificateException cached = null;
+ for (X509TrustManager tm : managers) {
+ try {
+ tm.checkServerTrusted(chain, authType);
+ return;
+ } catch (java.security.cert.CertificateException e) {
+ cached = e;
+ }
}
+ throw cached;
}
@Override
public X509Certificate[] getAcceptedIssuers() {
- X509Certificate[] primaryIssuers = primary.getAcceptedIssuers();
- X509Certificate[] fallbackIssuers = fallback.getAcceptedIssuers();
- X509Certificate[] combined = new X509Certificate[primaryIssuers.length + fallbackIssuers.length];
- System.arraycopy(primaryIssuers, 0, combined, 0, primaryIssuers.length);
- System.arraycopy(fallbackIssuers, 0, combined, primaryIssuers.length, fallbackIssuers.length);
- return combined;
+ if (issuers == null) {
+ Set<X509Certificate> certs = new HashSet<>();
+ for (X509TrustManager tm : managers) {
+ certs.addAll(Arrays.asList(tm.getAcceptedIssuers()));
+ }
+ issuers = certs.toArray(new X509Certificate[certs.size()]);
+ }
+ return issuers;
}
}
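Review bot: `FallbackX509TrustManager(List<X509TrustManager> managers)` accepts an empty list, and with one both check methods fall out of the loop and execute `throw cached;` with `cached == null`, surfacing as a NullPointerException instead of the CertificateException callers handle; `install()` guards this, but the class is public, so validate in the constructor: `if (managers == null || managers.isEmpty()) throw new IllegalArgumentException("at least one trust manager required");`. The loops also keep only the last failure, so the reason the primary (cacerts) manager rejected a chain is lost — `if (cached != null) e.addSuppressed(cached);` before `cached = e;` preserves it. The removed `LOGGER.warn("Using fallback ...")` lines were the only record that a chain was accepted by a non-default store; a `LOGGER.debug` naming the accepting manager before each `return;` would restore that signal. In `getAcceptedIssuers`, the cached `issuers` array is handed out directly so a caller can mutate the cache, and since this instance is installed as the process-wide default the lazily written field should be `volatile` (or the method synchronized) and the return `issuers.clone()`.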