From b44096ea1c03fa37a29ef0acdc44dff620f17b7a Mon Sep 17 00:00:00 2001
From: aeberhardt <alexandre.eberhardt@savoirfairelinux.com>
Date: Mon, 13 Jan 2025 10:47:02 -0500
Subject: [PATCH] SSL cert: use system default SSL context instead of custom
 truststore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Removed the manual KeyStore creation and switched to SSLContexts.createSystemDefault()
to rely on Java’s built-in truststore for validating SSL certificates.
This fixes the SSLHandshakeException.

Change-Id: I4cc8afda87825c2da95ddc8f2b74d3d93d0994e6
---
 .../jams/server/update/UpdateCheckTask.java   | 18 +--------
 .../jams/server/update/UpdateDownloader.java  | 24 +-----------
 jams-server/src/main/resources/oem/ca.crt     | 21 ----------
 jams-server/src/main/resources/oem/update.crt | 39 -------------------
 4 files changed, 4 insertions(+), 98 deletions(-)
 delete mode 100644 jams-server/src/main/resources/oem/ca.crt
 delete mode 100644 jams-server/src/main/resources/oem/update.crt

diff --git a/jams-server/src/main/java/net/jami/jams/server/update/UpdateCheckTask.java b/jams-server/src/main/java/net/jami/jams/server/update/UpdateCheckTask.java
index a89bc34b..153fa0b9 100644
--- a/jams-server/src/main/java/net/jami/jams/server/update/UpdateCheckTask.java
+++ b/jams-server/src/main/java/net/jami/jams/server/update/UpdateCheckTask.java
@@ -26,7 +26,6 @@ import lombok.extern.slf4j.Slf4j;
 import net.jami.jams.common.serialization.adapters.GsonFactory;
 import net.jami.jams.common.updater.FileDescription;
 import net.jami.jams.common.utils.VersioningUtils;
-import net.jami.jams.common.utils.X509Utils;
 
 import org.apache.http.HttpResponse;
 import org.apache.http.client.HttpClient;
@@ -38,7 +37,6 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
 import java.security.KeyStore;
-import java.security.cert.X509Certificate;
 import java.util.HashMap;
 import java.util.TimerTask;
 
@@ -59,20 +57,8 @@ public class UpdateCheckTask extends TimerTask {
 
     protected UpdateCheckTask() {
         try {
-            InputStream is =
-                    UpdateCheckTask.class.getClassLoader().getResourceAsStream("oem/ca.crt");
-            X509Certificate certificate =
-                    X509Utils.getCertificateFromPEMString(new String(is.readAllBytes()));
-            trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
-            trustStore.load(null, null);
-            trustStore.setCertificateEntry("ca", certificate);
-
-            is = UpdateCheckTask.class.getClassLoader().getResourceAsStream("oem/update.crt");
-            certificate = X509Utils.getCertificateFromPEMString(new String(is.readAllBytes()));
-            trustStore.setCertificateEntry("update", certificate);
-
-            // Inject the SSL Connection here for a first time.
-            sslContext = SSLContexts.custom().loadTrustMaterial(trustStore, null).build();
+            // Load the trust store
+            sslContext = SSLContexts.createSystemDefault();
 
             // read config json
             InputStream input =
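Review bot: The new comment `// Load the trust store` on the added line is misleading, because nothing is loaded here; `SSLContexts.createSystemDefault()` returns the JVM's default context, so the comment should state the trust decision that was actually made, e.g. `// Trust the JVM's default CA store (cacerts) for the update server; the bundled JAMS Updates CA is no longer pinned`. That is also the security-relevant consequence of this hunk and of the matching replacement in the UpdateDownloader hunk: validation moves from two pinned certificates to every CA in the system store, which is fine if the update host presents a publicly trusted chain, but any server still chained to the private CA from oem/ca.crt will now fail, and the commit message should say which case applies. The deleted update.crt appears to be an end-entity certificate whose validity window ends in 2022 (inferred from its base64 DER), so the handshake failure was probably an expired pinned leaf rather than a problem with custom trust stores as such; pinning only the long-lived CA would have been the narrower fix. Unlike UpdateDownloader, this file's `trustStore` field and the `java.security.KeyStore` import are not removed by the patch, so they likely survive as dead code. The constructor continues past the end of the hunk.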
diff --git a/jams-server/src/main/java/net/jami/jams/server/update/UpdateDownloader.java b/jams-server/src/main/java/net/jami/jams/server/update/UpdateDownloader.java
index d96eba7a..d88944ad 100644
--- a/jams-server/src/main/java/net/jami/jams/server/update/UpdateDownloader.java
+++ b/jams-server/src/main/java/net/jami/jams/server/update/UpdateDownloader.java
@@ -49,7 +49,6 @@ public class UpdateDownloader {
 
     private SSLContext sslContext;
     private static final String KEYSTORE_TYPE = "JKS";
-    private KeyStore trustStore;
     private static volatile String UPDATE_SERVER_URL;
 
     private final HashMap<String, FileDescription> remoteChecksums = new HashMap<>();
@@ -58,22 +57,6 @@ public class UpdateDownloader {
 
     public UpdateDownloader() {
 
-        try {
-            InputStream is =
-                    UpdateCheckTask.class.getClassLoader().getResourceAsStream("oem/ca.crt");
-            X509Certificate certificate =
-                    X509Utils.getCertificateFromPEMString(new String(is.readAllBytes()));
-            trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
-            trustStore.load(null, null);
-            trustStore.setCertificateEntry("ca", certificate);
-
-            is = UpdateDownloader.class.getClassLoader().getResourceAsStream("oem/update.crt");
-            certificate = X509Utils.getCertificateFromPEMString(new String(is.readAllBytes()));
-            trustStore.setCertificateEntry("update", certificate);
-        } catch (Exception e) {
-            log.info("An unexpected error occurred while loading SFL CA: {}", e.getMessage());
-        }
-
         InputStream input = this.getClass().getClassLoader().getResourceAsStream("oem/config.json");
 
         if (input == null) {
@@ -102,11 +85,8 @@ public class UpdateDownloader {
                     JAMSUpdater.privateKey,
                     "".toCharArray(),
                     new Certificate[] {JAMSUpdater.certificate});
-            sslContext =
-                    SSLContexts.custom()
-                            .loadKeyMaterial(ks, "".toCharArray())
-                            .loadTrustMaterial(trustStore, null)
-                            .build();
+            sslContext = SSLContexts.createSystemDefault();
+
         } catch (Exception e) {
             log.warn("An error occurred while downloading the update: " + e);
         }
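Review bot: Replacing the builder with `SSLContexts.createSystemDefault()` silently drops the client key material: the `ks` keystore populated with `JAMSUpdater.privateKey` and `JAMSUpdater.certificate` on the preceding context lines is now built and never used, so if the update server authenticates clients by certificate this request will fail at the handshake, and if it does not, those lines (and presumably `KEYSTORE_TYPE`) are dead code. Either keep the key material while still using the default trust store, `sslContext = SSLContexts.custom().loadKeyMaterial(ks, "".toCharArray()).build();` (as far as I can tell the builder falls back to the JVM's default trust managers when none are loaded), or remove the keystore construction and state in the commit message that client-certificate authentication is intentionally gone. The `catch (Exception e)` that follows still logs any failure here as a download error and leaves `sslContext` unassigned, which is pre-existing but worth a comment now that the only remaining failure mode is different. The enclosing method starts outside the hunk.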
diff --git a/jams-server/src/main/resources/oem/ca.crt b/jams-server/src/main/resources/oem/ca.crt
deleted file mode 100644
index 4cb1f283..00000000
--- a/jams-server/src/main/resources/oem/ca.crt
+++ /dev/null
@@ -1,21 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIDZTCCAk2gAwIBAgIUS02g4gL3VQx8eXWEMXZmq1dFm4wwDQYJKoZIhvcNAQEL
-BQAwQjEYMBYGA1UEAwwPSkFNUyBVcGRhdGVzIENBMRkwFwYDVQQKDBBTYXZvaXJG
-YWlyZUxpbnV4MQswCQYDVQQGEwJDQTAeFw0yMDEyMDMxNDA5NThaFw0zMDEyMDEx
-NDA5NThaMEIxGDAWBgNVBAMMD0pBTVMgVXBkYXRlcyBDQTEZMBcGA1UECgwQU2F2
-b2lyRmFpcmVMaW51eDELMAkGA1UEBhMCQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-DwAwggEKAoIBAQCn00GMb4HVpJvedsHXHq94oiaCRpMv8M6pR9Y8CsG15IltIdAr
-/8lawIfeQLlG/tTSX3ClxYvEJ2n1CQuN05yOw9SRceZNO5raba0PE195RLLL2jRl
-SGOcvgM9e1H19PcS5K8BQRdgrY/QxY3166BxJxk5Zw5H+bO4cB6ILE87ZGNPyyh5
-GIiKuv2oUKjEj8JDKXI09iDzNbqEZVPAgRHyo0cGS2ByCRn+3F43UlyPQSncCaBm
-5H4DEqPkZyOEjKmZUM6+qfMzddeiBmSpEfYPNkkSXLltJDJkBNhwzc7A4/GhJDzr
-XYdB9NthWbkEWdREU3YKsz0TGrZLB7FlkpirAgMBAAGjUzBRMB0GA1UdDgQWBBQj
-5X9MIZHyNmvGi+hUCFvk1s+CoTAfBgNVHSMEGDAWgBQj5X9MIZHyNmvGi+hUCFvk
-1s+CoTAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQB+jnpJzAkF
-+xznUp9Sp3jwJ33oCAzZ3tYWfpdU1PoRNJGPK9RBeZe/94N+9f1OGtB2LgIHdHZs
-6hupaGj8spnbt/wuf3w/u1EbTd1ZjUZDZ2fdRcsUAjAXbOyKFNU6Ynb+AyWUg7AF
-Xnb5P5xkfHR+MK6KchmsHy1AXZaJ+KkydT+umkWyMGL+njecM3yIeUfNCe94DFjL
-mVridYaqgiFEZNy1JOfl0JSdbPajWKcnjDKsJ5mbpNZSThiQla1kC/Qh2hSHyX+A
-57w0qGJxRyHbOwN/thnfoTgtw3O0BH7JiwXbx3xI6cmTVXeY+kT8rPuwfGJI7BW6
-HSlflSvyFdPQ
------END CERTIFICATE-----
diff --git a/jams-server/src/main/resources/oem/update.crt b/jams-server/src/main/resources/oem/update.crt
deleted file mode 100644
index 19f0ac6c..00000000
--- a/jams-server/src/main/resources/oem/update.crt
+++ /dev/null
@@ -1,39 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIG4zCCBcugAwIBAgIJALwXQ5qoglNFMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYD
-VQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEa
-MBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0
-cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2Vj
-dXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTIxMTAwMTAxMzEyOVoX
-DTIyMTEwMjAxMzEyOVowaTELMAkGA1UEBhMCQ0ExEDAOBgNVBAgMB1F1w6liZWMx
-EjAQBgNVBAcMCU1vbnRyw6lhbDEfMB0GA1UECgwWTGUgUHJvamV0IELDqWx1Z2Eg
-SW5jLjETMBEGA1UEAwwKKi5qYW1pLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEP
-ADCCAQoCggEBAJV9RplmP2ASbEe+BubJMgkBZMPi4yseohtVIaR+pp0UhF/pGv9f
-238r1WGvpKuAi0lvMcFgcOKKBiC+aSCtoL18h64dun8pcB8eon/8tQ/v56iXOJY9
-hz+/zidYfVfO2Tobn9RseoOFp0qMIS29EyHjtIhPkQP5XSpN3u90NAp3pKn+FWjc
-yv6h47u+jxnp6ciUtvCM2GG181C5V7LUZpVP1lHcIGvrxtFRPCyV3m8fW7IoDIOn
-w/RdA8nbWQf+B2QPrRUMvUyyuHF9uS/VKuAO7OftjcJKYoJcqSS75fMHIz0oDJn4
-sBINIpxYuY8IGYWUrkluephNYqopDgOBq80CAwEAAaOCA0AwggM8MAwGA1UdEwEB
-/wQCMAAwKQYDVR0lBCIwIAYIKwYBBQUHAwEGCCsGAQUFBwMCBgpghkgBhvhNAQID
-MA4GA1UdDwEB/wQEAwIFoDA2BgNVHR8ELzAtMCugKaAnhiVodHRwOi8vY3JsLmdv
-ZGFkZHkuY29tL2dkaWcyczItMjQuY3JsMF0GA1UdIARWMFQwSAYLYIZIAYb9bQEH
-FwIwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNv
-bS9yZXBvc2l0b3J5LzAIBgZngQwBAgIwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUF
-BzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6
-Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQw
-HwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4wHwYDVR0RBBgwFoIKKi5q
-YW1pLm5ldIIIamFtaS5uZXQwHQYDVR0OBBYEFOT0qymBriizPYdQoexF+DTaKqmT
-MIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdgApeb7wnjk5IfBWc59jpXflvld9
-nGAK+PlNXSZcJV3HhAAAAXw5emW5AAAEAwBHMEUCIH5akdxOyae89AIfqqu8AMWT
-kjBAKmAakLaYetKP6yFBAiEA/1fdq4YFhToEHOn0KMh2pt3qSV183Yw5hZMvgeN3
-C5oAdgDfpV6raIJPH2yt7rhfTj5a6s2iEqRqXo47EsAgRFwqcwAAAXw5emfnAAAE
-AwBHMEUCIQCXnNAYdB5EpAw+W0bSX8Tfd9DVGDp46kbFyE1vkyvidQIgfm4VA+6B
-03FBrjRnl/eyJiWWjX9416w0/F0EBJYFWaEAdwBByMqx3yJGShDGoToJQodeTjGL
-GwPr60vHaPCQYpYG9gAAAXw5emh4AAAEAwBIMEYCIQDGCQpqn6tLyTksrwRmrSCY
-YymPBCj7sEVP21AbQledNQIhAN0AmcRpCDwkoIzAo1kRc1qQIocxQFz2gsN/D+Wa
-fIayMA0GCSqGSIb3DQEBCwUAA4IBAQBhkEQEqFZ9EhC01bTNW0NUBvKh3pynSYUU
-uO0plVJpb6uHQXZg57GwbB30t+cZTrARCnaTCotVx82/Nhd/78PoXJaFYJbxK6R6
-4gMW9nR8B3VfjomkQkPzURe9Y5T4iWpaZsydDHM76K01Fwyy90vpS6ZssuiOIgBX
-6Sm+QcnAAoR7nsL2VmBdfptLE6saqDz94uAk17DwfiMJSKODeOsjdXcYArrtcKwi
-UNUhymbp/IjeFMhS0hSNd2edC6Skc1eURslSHJfryM/p/Qo42m+saoTVlRH8gl4N
-p/sjdZcCnhdOE4qCg/30le4T5OFeDM1x/Q1zHeMhfdCROo+dd5ST
------END CERTIFICATE-----
\ No newline at end of file
-- 
GitLab