GoogleCloudPlatform · hessjcg · May 24, 2024 · May 20, 2024 · enocom · May 23, 2024
@@ -229,5 +229,23 @@
       </plugin>
     </plugins>
   </build>
+  <profiles>
+    <profile>
+      <id>google-conscript</id>
+      <dependencies>
+        <dependency>
+          <groupId>org.conscrypt</groupId>
+          <artifactId>conscrypt-openjdk-uber</artifactId>
+          <version>2.5.2</version>
+        </dependency>
+        <dependency>
+          <groupId>org.bouncycastle</groupId>
+          <artifactId>bcpkix-jdk15on</artifactId>
+          <version>1.70</version>
+          <scope>provided</scope>
+        </dependency>
+      </dependencies>
+    </profile>
+  </profiles>
 
 </project>
@@ -0,0 +1,89 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.cloud.sql.core;
+
+import java.net.Socket;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509ExtendedTrustManager;
+
+/**
+ * This is a workaround for a known bug in Conscrypt crypto in how it handles X509 auth type.
+ * OpenJDK interpres the X509 certificate auth type as "UNKNOWN" while Conscrypt interpret the same
+ * certificate as auth type "GENERIC". This incompatibility causes problems in the JDK.
+ *
+ * <p>This adapter works around the issue by creating wrappers around all TrustManager instances. It
+ * replaces "GENERIC" auth type with "UNKNOWN" auth type before delegating calls.
+ *
+ * <p>See https://github.com/google/conscrypt/issues/1033#issuecomment-982701272
+ */
+class ConscryptWorkaroundDelegatingTrustManger extends X509ExtendedTrustManager {
+  private final X509ExtendedTrustManager tm;
+
+  ConscryptWorkaroundDelegatingTrustManger(X509ExtendedTrustManager tm) {
+    this.tm = tm;
+  }
+
+  @Override
+  public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
+      throws CertificateException {
+    tm.checkClientTrusted(chain, fixAuthType(authType), socket);
+  }
+
+  @Override
+  public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
+      throws CertificateException {
+    tm.checkClientTrusted(chain, fixAuthType(authType), engine);
+  }
+
+  @Override
+  public void checkClientTrusted(X509Certificate[] chain, String authType)
+      throws CertificateException {
+    tm.checkClientTrusted(chain, fixAuthType(authType));
+  }
+
+  @Override
+  public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
+      throws CertificateException {
+    tm.checkServerTrusted(chain, fixAuthType(authType), socket);
+  }
+
+  @Override
+  public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
+      throws CertificateException {
+    tm.checkServerTrusted(chain, fixAuthType(authType), engine);
+  }
+
+  @Override
+  public void checkServerTrusted(X509Certificate[] chain, String authType)
+      throws CertificateException {
+    tm.checkServerTrusted(chain, fixAuthType(authType));
+  }
+
+  @Override
+  public X509Certificate[] getAcceptedIssuers() {
+    return tm.getAcceptedIssuers();
+  }
+
+  private String fixAuthType(String authType) {
+    if ("GENERIC".equals(authType)) {
+      return "UNKNOWN";
+    }
+    return authType;
+  }
+}
@@ -0,0 +1,82 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.cloud.sql.core;
+
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.Security;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+
+/**
+ * This is a workaround for a known bug in Conscrypt crypto in how it handles X509 auth type.
+ * OpenJDK interpres the X509 certificate auth type as "UNKNOWN" while Conscrypt interpret the same
+ * certificate as auth type "GENERIC". This incompatibility causes problems in the JDK.
+ *
+ * <p>This adapter works around the issue by creating wrappers around all TrustManager instances. It
+ * replaces "GENERIC" auth type with "UNKNOWN" auth type before delegating calls.
+ *
+ * <p>In the JVM, we need to implement 3 classes to make sure that we are capturing all of the
+ * TrustManager instances created when Conscrypt is the Java Crypto provider so that we can wrap
+ * them with the ConscryptWorkaroundTrustManager:
+ *
+ * <p>class ConscryptWorkaroundTrustManagerFactory extends TrustManagerFactory - has a bunch of
+ * final methods that delegate to a TrustManagerFactorySpi. class
+ * ConscryptWorkaroundTrustManagerFactorySpi implements TrustManagerFactorySpi - can actually
+ * intercept and delegate calls related to trust managers and wrap them with
+ * ConscryptWorkaroundTrustManager ConscryptWorkaroundTrustManager - the workaround for the
+ * Conscrypt bug.
+ *
+ * <p>See https://github.com/google/conscrypt/issues/1033#issuecomment-982701272
+ */
+class ConscryptWorkaroundTrustManagerFactory extends TrustManagerFactory {
+  private static final boolean CONSCRYPT_TLS;
+
+  static {
+    // Provider name is "Conscrypt", hardcoded string in the library source:
+    // https://github.com/google/conscrypt/blob/655ad5069e1cb4d1989b8117eaf090371885af99/openjdk/src/main/java/org/conscrypt/Platform.java#L149
+    Provider p = Security.getProvider("Conscrypt");
+    if (p != null) {
+      try {
+        SSLContext ctx = SSLContext.getInstance("TLS");
+        Provider prov = ctx.getProvider();
+        CONSCRYPT_TLS = "Conscrypt".equals(prov.getName());
+      } catch (NoSuchAlgorithmException e) {
+        throw new RuntimeException("Unable to load algorithm TLS", e);
+      }
+    } else {
+      CONSCRYPT_TLS = false;
+    }
+  }
+
+  /** Returns true if the Conscrypt Java Crypto Extension is installed. */
+  static boolean isWorkaroundNeeded() {
+    return CONSCRYPT_TLS;
+  }
+
+  static ConscryptWorkaroundTrustManagerFactory newInstance() throws NoSuchAlgorithmException {
+    TrustManagerFactory delegate = TrustManagerFactory.getInstance("X.509");
+    return new ConscryptWorkaroundTrustManagerFactory(delegate);
+  }
+
+  private ConscryptWorkaroundTrustManagerFactory(TrustManagerFactory delegate) {
+    super(
+        new ConscryptWorkaroundTrustManagerFactorySpi(delegate),
+        delegate.getProvider(),
+        delegate.getAlgorithm());
+  }
+}
@@ -0,0 +1,71 @@
+/*
+ * Copyright 2024 Google LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.google.cloud.sql.core;
+
+import java.security.InvalidAlgorithmParameterException;
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import javax.net.ssl.ManagerFactoryParameters;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.TrustManagerFactorySpi;
+import javax.net.ssl.X509ExtendedTrustManager;
+
+/**
+ * This is a workaround for a known bug in Conscrypt crypto in how it handles X509 auth type.
+ * OpenJDK interpres the X509 certificate auth type as "UNKNOWN" while Conscrypt interpret the same
+ * certificate as auth type "GENERIC". This incompatibility causes problems in the JDK.
+ *
+ * <p>This adapter works around the issue by creating wrappers around all TrustManager instances. It
+ * replaces "GENERIC" auth type with "UNKNOWN" auth type before delegating calls.
+ *
+ * <p>See https://github.com/google/conscrypt/issues/1033#issuecomment-982701272
+ */
+class ConscryptWorkaroundTrustManagerFactorySpi extends TrustManagerFactorySpi {
+  private final TrustManagerFactory delegate;
+
+  ConscryptWorkaroundTrustManagerFactorySpi(TrustManagerFactory delegate) {
+    this.delegate = delegate;
+  }
+
+  @Override
+  protected void engineInit(KeyStore ks) throws KeyStoreException {
+    delegate.init(ks);
+  }
+
+  @Override
+  protected void engineInit(ManagerFactoryParameters spec)
+      throws InvalidAlgorithmParameterException {
+    delegate.init(spec);
+  }
+
+  @Override
+  protected TrustManager[] engineGetTrustManagers() {
+    TrustManager[] tms = delegate.getTrustManagers();
+    TrustManager[] delegates = new TrustManager[tms.length];
+    for (int i = 0; i < tms.length; i++) {
+      if (tms[i] instanceof X509ExtendedTrustManager) {
+        delegates[i] =
+            new ConscryptWorkaroundDelegatingTrustManger((X509ExtendedTrustManager) tms[i]);
+      } else {
+
+        delegates[i] = tms[i];
+      }
+    }
+    return delegates;
+  }
+}
@@ -382,8 +382,20 @@ private SslData createSslData(
       KeyStore trustedKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
       trustedKeyStore.load(null, null);
       trustedKeyStore.setCertificateEntry("instance", instanceMetadata.getInstanceCaCertificate());
-      TrustManagerFactory tmf = TrustManagerFactory.getInstance("X.509");
+      TrustManagerFactory tmf;
+
+      // Note: This is a workaround for Conscrypt bug #1033
+      // Conscrypt is the JCE provider on some Google Cloud runtimes like DataProc.
+      // https://github.com/google/conscrypt/issues/1033
+      //
+      if (ConscryptWorkaroundTrustManagerFactory.isWorkaroundNeeded()) {
+        tmf = ConscryptWorkaroundTrustManagerFactory.newInstance();
+      } else {
+        tmf = TrustManagerFactory.getInstance("X.509");
+      }
+
       tmf.init(trustedKeyStore);
+
       SSLContext sslContext;
 
       try {

@@ -104,8 +104,45 @@
         </dependency>
       </dependencies>
     </profile>
+
+    <profile>
+      <id>google-conscript</id>
+      <dependencies>
+        <dependency>
+          <groupId>org.conscrypt</groupId>
+          <artifactId>conscrypt-openjdk-uber</artifactId>
+          <version>2.5.2</version>
+        </dependency>
+      </dependencies>
+      <build>
+        <plugins>
+          <plugin>
+            <artifactId>maven-surefire-plugin</artifactId>
+            <version>3.2.5</version>
+            <executions>
+              <execution>
+                <phase>integration-test</phase>
+                <goals>
+                  <goal>test</goal>
+                </goals>
+                <configuration>
+                  <!-- double-equals means override the JRE default properties, don't append -->
+                  <argLine>-Djava.security.properties==src/test/resources/conscrypt-security.properties</argLine>
+                  <classpathDependencyExcludes>
+                    <classpathDependencyExclude>org.bouncycastle:bcpkix-jdk15on</classpathDependencyExclude>
+                    <classpathDependencyExclude>org.bouncycastle:bcprov-jdk15on</classpathDependencyExclude>
+                    <classpathDependencyExclude>org.bouncycastle:bcutil-jdk15on</classpathDependencyExclude>
+                  </classpathDependencyExcludes>
+                </configuration>
+              </execution>
+            </executions>
+          </plugin>
+        </plugins>
+      </build>
+    </profile>
   </profiles>
 
+
   <build>
     <plugins>
       <plugin>

@@ -22,21 +22,29 @@
 import com.google.common.collect.ImmutableList;
 import com.zaxxer.hikari.HikariConfig;
 import com.zaxxer.hikari.HikariDataSource;
+import java.security.NoSuchAlgorithmException;
+import java.security.Provider;
+import java.security.Security;
 import java.sql.*;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 import java.util.concurrent.TimeUnit;
+import javax.net.ssl.SSLContext;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.Timeout;
 import org.junit.runner.RunWith;
 import org.junit.runners.JUnit4;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 @RunWith(JUnit4.class)
 public class JdbcPostgresIamAuthIntegrationTests {
+  private static final Logger log =
+      LoggerFactory.getLogger(JdbcPostgresIamAuthIntegrationTests.class);
 
   // [START cloud_sql_connector_postgres_jdbc_iam_auth]
   private static final String CONNECTION_NAME = System.getenv("POSTGRES_IAM_CONNECTION_NAME");
@@ -59,6 +67,19 @@ public static void checkEnvVars() {
                         "Environment variable '%s' must be set to perform these tests.", varName))
                 .that(System.getenv(varName))
                 .isNotEmpty());
+
+    log.info("Crypto Providers: ");
+    Provider[] providers = Security.getProviders();
+    for (Provider p : providers) {
+      log.info("  {}", p.getName());
+    }
+    try {
+      SSLContext ctx = SSLContext.getInstance("TLS");
+      Provider prov = ctx.getProvider();
+      log.info("TLS Provider: {}", prov.getName());
+    } catch (NoSuchAlgorithmException e) {
+      throw new RuntimeException(e);
+    }
   }
 
   @Before