From a4fb9462df04633575d5252cf8dd517365c9090f Mon Sep 17 00:00:00 2001
From: gjmwoods <42248895+gjmwoods@users.noreply.github.com>
Date: Fri, 25 Mar 2022 13:15:33 +0000
Subject: [PATCH] Avoid TrustManagerFacotry.init(ManagerFactoryParameters var1) if no OSCP has been configured (#1157) (#1168)
---
 .../internal/security/SecurityPlanImpl.java | 42 +++++++++++++------
 1 file changed, 30 insertions(+), 12 deletions(-)
diff --git a/driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java b/driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java
index b394d7d2f5..622b3f472a 100644
--- a/driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java
+++ b/driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java
@@ -21,7 +21,9 @@
 import java.io.File;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
 import java.security.Security;
 import java.security.cert.CertificateException;
 import java.security.cert.PKIXBuilderParameters;
@@ -86,14 +88,37 @@ private static SSLContext configureSSLContext( List customCertFiles, Revoc
             loadSystemCertificates( trustedKeyStore );
         }
 
-        // Configure certificate revocation checking (X509CertSelector() selects all certificates)
-        PKIXBuilderParameters pkixBuilderParameters = new PKIXBuilderParameters( trustedKeyStore, new X509CertSelector() );
+        PKIXBuilderParameters pkixBuilderParameters = configurePKIXBuilderParameters( trustedKeyStore, revocationStrategy );
 
-        // sets checking of stapled ocsp response
-        pkixBuilderParameters.setRevocationEnabled( requiresRevocationChecking( revocationStrategy ) );
+        SSLContext sslContext = SSLContext.getInstance( "TLS" );
+        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
+
+        if ( pkixBuilderParameters == null )
+        {
+            trustManagerFactory.init( trustedKeyStore );
+        }
+        else
+        {
+            trustManagerFactory.init( new CertPathTrustManagerParameters( pkixBuilderParameters ) );
+        }
+
+        sslContext.init( new KeyManager[0], trustManagerFactory.getTrustManagers(), null );
+
+        return sslContext;
+    }
+
+    private static PKIXBuilderParameters configurePKIXBuilderParameters( KeyStore trustedKeyStore, RevocationStrategy revocationStrategy ) throws InvalidAlgorithmParameterException, KeyStoreException
+    {
+        PKIXBuilderParameters pkixBuilderParameters = null;
 
         if ( requiresRevocationChecking( revocationStrategy ) )
         {
+            // Configure certificate revocation checking (X509CertSelector() selects all certificates)
+            pkixBuilderParameters = new PKIXBuilderParameters( trustedKeyStore, new X509CertSelector() );
+
+            // sets checking of stapled ocsp response
+            pkixBuilderParameters.setRevocationEnabled( true );
+
             // enables status_request extension in client hello
             System.setProperty( "jdk.tls.client.enableStatusRequestExtension", "true" );
 
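Review bot: The two `trustManagerFactory.init` branches are not equivalent with respect to revocation policy, and nothing in the hunk records that: the old code pinned revocation off via `setRevocationEnabled( false )` inside CertPathTrustManagerParameters, whereas the new `init( trustedKeyStore )` path leaves it to the PKIX factory's own defaults, which as far as I recall are governed by the `com.sun.net.ssl.checkRevocation` system property rather than by this class. If that is the intended outcome of "no OCSP configured", a comment on the `if ( pkixBuilderParameters == null )` branch such as `// No revocation checking requested: plain KeyStore init, revocation policy is the PKIX factory default` keeps the next reader from re-adding the parameters object. `configurePKIXBuilderParameters` also needs a Javadoc saying that it returns `null` when `requiresRevocationChecking` is false and that on the other path it mutates process-wide state (`System.setProperty` here and `Security.setProperty` in the next hunk), which affects every SSLContext in the JVM, not just this plan; returning `Optional<PKIXBuilderParameters>` instead of a null sentinel would make the caller's branch self-describing. The helper's body continues into the following hunk.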
@@ -103,14 +128,7 @@ private static SSLContext configureSSLContext( List customCertFiles, Revoc
                 Security.setProperty( "ocsp.enable", "true" );
             }
         }
-
-        SSLContext sslContext = SSLContext.getInstance( "TLS" );
-
-        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
-        trustManagerFactory.init( new CertPathTrustManagerParameters( pkixBuilderParameters ) );
-        sslContext.init( new KeyManager[0], trustManagerFactory.getTrustManagers(), null );
-
-        return sslContext;
+        return pkixBuilderParameters;
     }
 
     private static void loadSystemCertificates( KeyStore trustedKeyStore ) throws GeneralSecurityException, IOException