Refactor CA trust (and update URLs) #10

Merged
merged 2 commits into from
Apr 8, 2024
Conversation

TymanWasTaken
Contributor

Description

Migrates our current strategy of loading a single DER file (and one that is already trusted through cross-signing) using an entire dedicated class to a new method of loading multiple certificates in a keystore, without a dedicated class. Explanation of the root certificates added, their hashes, and why they are added is located in a javadoc comment for future clarity.

In addition, I just swapped all instances of polyfrost.cc to polyfrost.org :)

Related Issue(s)

None

How to test

The current state of testing on the modern branch doesn't seem great, but you can just download the keystore and test the code yourself in another project with JDK 1.8u51:

Example code
package org.example;

import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Enumeration;

public class Main {
    // Loads one keystore from disk and closes the stream afterwards.
    private static KeyStore loadKeyStore(Path path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(path)) {
            keyStore.load(in, password);
        }
        return keyStore;
    }

    private static SSLSocketFactory getSSLSocketFactory() throws IOException, GeneralSecurityException {
        // Start from the JDK's own cacerts so ordinary sites stay trusted.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore trustStore = loadKeyStore(cacerts, null);
        // KeyStore.load() replaces the existing entries instead of adding to them, so the
        // downloaded keystore is loaded separately and its roots are copied into the merged store.
        KeyStore extraRoots = loadKeyStore(Paths.get(/* KEYSTORE PATH HERE */ "KEYSTORE_PATH_HERE"), "polyfrost".toCharArray());
        Enumeration<String> aliases = extraRoots.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (extraRoots.isCertificateEntry(alias)) {
                // Prefix the alias so it cannot collide with an entry already in cacerts.
                trustStore.setCertificateEntry("polyfrost-" + alias, extraRoots.getCertificate(alias));
            }
        }
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, trustManagerFactory.getTrustManagers(), null);
        return sslContext.getSocketFactory();
    }

    public static void main(String[] args) throws IOException, GeneralSecurityException {
        // Let's Encrypt's ISRG Root X1 test host: the handshake fails unless that root is trusted.
        URL url = new URL("https://valid-isrgrootx1.letsencrypt.org/");
        HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
        con.setRequestMethod("GET");
        con.setConnectTimeout(15000);
        con.setReadTimeout(15000);
        con.setSSLSocketFactory(getSSLSocketFactory());
        int status = con.getResponseCode();
        System.out.println("Request succeeded with HTTP status " + status);
    }
}

Release Notes

Fix downloads from sites with certificates issued by Let's Encrypt and a few other issuers

Documentation

N/A
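
The test code in "How to test" only proves that a connection to the Let's Encrypt test host succeeds; it does not show which roots the downloaded keystore actually adds. The following audit is an added example, not code from the PR or the project: it lists each entry's subject, expiry and SHA-256 fingerprint so they can be compared against the hashes documented in the javadoc, and flags any entry that is not a self-signed CA certificate. It assumes the keystore path is passed as the first argument and reuses the "polyfrost" password from the test code.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

public class KeyStoreAudit {
    // SHA-256 over the DER encoding, in the colon-separated form openssl prints.
    static String sha256Fingerprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            if (sb.length() > 0) sb.append(':');
            sb.append(String.format("%02X", b));
        }
        return sb.toString();
    }

    // A root trust store should hold only self-signed CA certificates.
    static boolean isSelfSignedCa(X509Certificate cert) {
        try {
            cert.verify(cert.getPublicKey()); // signature verifies under its own key
        } catch (Exception e) {
            return false;
        }
        return cert.getBasicConstraints() >= 0 // basicConstraints CA:TRUE present
                && cert.getSubjectX500Principal().equals(cert.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        // args[0] is the path to the downloaded keystore (assumed); password as in the test code.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = Files.newInputStream(Paths.get(args[0]))) {
            ks.load(in, "polyfrost".toCharArray());
        }
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            if (!ks.isCertificateEntry(alias)) { System.out.println("WARN " + alias + ": not a certificate entry"); continue; }
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            System.out.println((isSelfSignedCa(cert) ? "OK   " : "WARN ") + alias);
            System.out.println("      subject: " + cert.getSubjectX500Principal().getName());
            System.out.println("      expires: " + cert.getNotAfter());
            System.out.println("      sha256:  " + sha256Fingerprint(cert));
        }
    }
}
```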

@TymanWasTaken TymanWasTaken requested review from xtrm-en and Wyvest April 8, 2024 04:29
@Wyvest Wyvest merged commit 46e25a4 into modern Apr 8, 2024
4 checks passed
@Wyvest Wyvest deleted the refactor-ca-trust branch April 8, 2024 04:39