fix: SSL truststore can be loaded in FIPS environments

CHANGELOG.md

@@ -3,6 +3,7 @@
 
 #### Bugs
 * Fix #3848: Supports Queue (cluster) API for Volcano extension
+* Fix #3582: SSL truststore can be loaded in FIPS enabled environments
 
 #### Improvements
 * Fix #3811: Reintroduce `Replaceable` interface in `NonNamespaceOperation`

kubernetes-client-api/src/main/java/io/fabric8/kubernetes/client/internal/CertUtils.java

@@ -54,10 +54,11 @@ public class CertUtils {
   private CertUtils() { }
 
   private static final Logger LOG = LoggerFactory.getLogger(CertUtils.class);
-  public static final String TRUST_STORE_SYSTEM_PROPERTY = "javax.net.ssl.trustStore";
-  public static final String TRUST_STORE_PASSWORD_SYSTEM_PROPERTY = "javax.net.ssl.trustStorePassword";
-  public static final String KEY_STORE_SYSTEM_PROPERTY = "javax.net.ssl.keyStore";
-  public static final String KEY_STORE_PASSWORD_SYSTEM_PROPERTY = "javax.net.ssl.keyStorePassword";
+  private static final String TRUST_STORE_SYSTEM_PROPERTY = "javax.net.ssl.trustStore";
+  private static final String TRUST_STORE_PASSWORD_SYSTEM_PROPERTY = "javax.net.ssl.trustStorePassword";
+  private static final String TRUST_STORE_TYPE_SYSTEM_PROPERTY = "javax.net.ssl.trustStoreType";
+  private static final String KEY_STORE_SYSTEM_PROPERTY = "javax.net.ssl.keyStore";
+  private static final String KEY_STORE_PASSWORD_SYSTEM_PROPERTY = "javax.net.ssl.keyStorePassword";
 
   public static InputStream getInputStreamFromDataOrFile(String data, String file) throws IOException {
     if (data != null) {
@@ -82,8 +83,11 @@ private static char[] getTrustStorePassphrase(String trustStorePassphrase) {
     return trustStorePassphrase.toCharArray();
   }
 
-  public static KeyStore createTrustStore(InputStream pemInputStream, String trustStoreFile, char[] trustStorePassphrase) throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
-    KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
+  private static KeyStore createTrustStore(InputStream pemInputStream, String trustStoreFile, char[] trustStorePassphrase)
+    throws IOException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
+
+    final String trustStoreType = System.getProperty(TRUST_STORE_TYPE_SYSTEM_PROPERTY, KeyStore.getDefaultType());
+    KeyStore trustStore = KeyStore.getInstance(trustStoreType);
 
     if (Utils.isNotNullOrEmpty(trustStoreFile)) {
       try (FileInputStream fis = new FileInputStream(trustStoreFile)) {
@@ -135,7 +139,7 @@ private static PrivateKey loadKey(InputStream keyInputStream, String clientKeyAl
       throw new InvalidKeySpecException("Unknown type of PKCS8 Private Key, tried RSA and ECDSA");
   }
 
-  private static PrivateKey handleECKey(InputStream keyInputStream) throws IOException {
+  private static PrivateKey handleECKey(InputStream keyInputStream) {
     // Let's wrap the code to a callable inner class to avoid NoClassDef when loading this class.
     try {
       return new Callable<PrivateKey>() {
@@ -216,8 +220,7 @@ private static void loadDefaultKeyStoreFile(KeyStore keyStore, char[] keyStorePa
     keyStore.load(null);
   }
 
-  private static boolean loadDefaultStoreFile(KeyStore keyStore, File fileToLoad, char[] passphrase)
-    throws CertificateException, NoSuchAlgorithmException, IOException {
+  private static boolean loadDefaultStoreFile(KeyStore keyStore, File fileToLoad, char[] passphrase) {
 
     String notLoadedMessage = "There is a problem with reading default keystore/truststore file %s with the passphrase %s "
       + "- the file won't be loaded. The reason is: %s";
@@ -257,17 +260,14 @@ private static char[] getKeyStorePassphrase(String keyStorePassphrase) {
   // http://oauth.googlecode.com/svn/code/java/
   // All credits to belong to them.
   private static byte[] decodePem(InputStream keyInputStream) throws IOException {
-    BufferedReader reader = new BufferedReader(new InputStreamReader(keyInputStream));
-    try {
+    try (BufferedReader reader = new BufferedReader(new InputStreamReader(keyInputStream))) {
       String line;
       while ((line = reader.readLine()) != null) {
         if (line.contains("-----BEGIN ")) {
           return readBytes(reader, line.trim().replace("BEGIN", "END"));
         }
       }
       throw new IOException("PEM is invalid: no begin marker");
-    } finally {
-      reader.close();
     }
   }
 

kubernetes-client/src/test/java/io/fabric8/kubernetes/client/internal/CertUtilsTest.java

@@ -44,19 +44,20 @@
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
-public class CertUtilsTest {
+class CertUtilsTest {
 
-  private static String FABRIC8_STORE_PATH = Utils.filePath(CertUtilsTest.class.getResource("/ssl/fabric8-store"));
-  private static char[] FABRIC8_STORE_PASSPHRASE = "fabric8".toCharArray();
+  private static final String FABRIC8_STORE_PATH = Utils.filePath(CertUtilsTest.class.getResource("/ssl/fabric8-store"));
+  private static final String FABRIC8_STORE_PASSPHRASE = "fabric8";
   private Properties systemProperties;
 
   @BeforeEach
   public void storeSystemProperties() {
     systemProperties = new Properties();
-    storeSystemProperty(CertUtils.TRUST_STORE_SYSTEM_PROPERTY);
-    storeSystemProperty(CertUtils.TRUST_STORE_PASSWORD_SYSTEM_PROPERTY);
-    storeSystemProperty(CertUtils.KEY_STORE_SYSTEM_PROPERTY);
-    storeSystemProperty(CertUtils.KEY_STORE_PASSWORD_SYSTEM_PROPERTY);
+    storeSystemProperty("javax.net.ssl.trustStore");
+    storeSystemProperty("javax.net.ssl.trustStorePassword");
+    storeSystemProperty("javax.net.ssl.trustStoreType");
+    storeSystemProperty("javax.net.ssl.keyStore");
+    storeSystemProperty("javax.net.ssl.keyStorePassword");
   }
 
   private void storeSystemProperty(String systemProperty) {
@@ -73,7 +74,7 @@ public void resetSystemPropertiesBack() {
 
   @Disabled
   @Test
-  public void testLoadingDodgyKubeConfig() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, InvalidKeySpecException {
+  void testLoadingDodgyKubeConfig() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, InvalidKeySpecException {
     System.setProperty("kubeconfig", "/tmp/ceposta.kubeconfig");
     KubernetesClient client = new DefaultKubernetesClient();
     Config config = client.getConfiguration();
@@ -84,66 +85,67 @@ public void testLoadingDodgyKubeConfig() throws CertificateException, NoSuchAlgo
   }
 
   @Test
-  public void testLoadingMultipleCertsFromSameFile() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
-    KeyStore ts = CertUtils.createTrustStore(getMultipleCertsInputSteam(), null, "changeit".toCharArray());
+  void testLoadingMultipleCertsFromSameFile() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
+    KeyStore ts = CertUtils.createTrustStore(
+      null, "src/test/resources/ssl/multiple-certs.pem", null, "changeit");
     assertTrue(ts.size() >= 2);
   }
 
   @Test
-  public void testLoadingMultipleCertsWithSameSubjectFromSameFile() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
-    KeyStore ts = CertUtils.createTrustStore(CertUtils.getInputStreamFromDataOrFile(
-      null,
-      "src/test/resources/ssl/nonunique-subject.pem"
-    ), null, "changeit".toCharArray());
+  void testLoadingMultipleCertsWithSameSubjectFromSameFile() throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
+    KeyStore ts = CertUtils.createTrustStore(
+      null, "src/test/resources/ssl/nonunique-subject.pem", null, "changeit");
 
     assertTrue(ts.size() >= 2);
   }
 
   @Test
-  public void testLoadTrustStoreFromFileUsingConfigProperties()
+  void testLoadTrustStoreFromFileUsingConfigProperties()
     throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
 
     KeyStore trustStore =
-      CertUtils.createTrustStore(getMultipleCertsInputSteam(), FABRIC8_STORE_PATH, FABRIC8_STORE_PASSPHRASE);
+      CertUtils.createTrustStore(
+        null, "src/test/resources/ssl/multiple-certs.pem", FABRIC8_STORE_PATH, FABRIC8_STORE_PASSPHRASE);
 
     assertEquals(3, trustStore.size());
     verifyFabric8InStore(trustStore);
   }
 
   @Test
-  public void testLoadTrustStoreFromFileUsingSystemProperties()
+  void testLoadTrustStoreFromFileUsingSystemProperties()
     throws CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
 
-    System.setProperty(CertUtils.TRUST_STORE_SYSTEM_PROPERTY, FABRIC8_STORE_PATH);
-    System.setProperty(CertUtils.TRUST_STORE_PASSWORD_SYSTEM_PROPERTY, String.valueOf(FABRIC8_STORE_PASSPHRASE));
+    System.setProperty("javax.net.ssl.trustStore", FABRIC8_STORE_PATH);
+    System.setProperty("javax.net.ssl.trustStorePassword", FABRIC8_STORE_PASSPHRASE);
 
     KeyStore trustStore =
-      CertUtils.createTrustStore(getMultipleCertsInputSteam(), null, null);
+      CertUtils.createTrustStore(
+        null, "src/test/resources/ssl/multiple-certs.pem", null, null);
 
     assertEquals(3, trustStore.size());
     verifyFabric8InStore(trustStore);
   }
 
   @Test
-  public void testLoadKeyStoreFromFileUsingConfigProperties()
+  void testLoadKeyStoreFromFileUsingConfigProperties()
     throws InvalidKeySpecException, CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException {
 
-    InputStream privateKey = getClass().getResourceAsStream("/ssl/fabric8");
-
     KeyStore trustStore =
-      CertUtils.createKeyStore(getMultipleCertsInputSteam(), privateKey, "RSA", "changeit".toCharArray(),
+      CertUtils.createKeyStore(
+        null, "src/test/resources/ssl/multiple-certs.pem",
+        null, "src/test/resources/ssl/fabric8", "RSA", "changeit",
         FABRIC8_STORE_PATH, FABRIC8_STORE_PASSPHRASE);
 
     assertEquals(2, trustStore.size());
     verifyFabric8InStore(trustStore);
   }
 
   @Test
-  public void testLoadKeyStoreFromFileUsingSystemProperties()
+  void testLoadKeyStoreFromFileUsingSystemProperties()
     throws InvalidKeySpecException, CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, URISyntaxException {
 
-    System.setProperty(CertUtils.KEY_STORE_SYSTEM_PROPERTY, FABRIC8_STORE_PATH);
-    System.setProperty(CertUtils.KEY_STORE_PASSWORD_SYSTEM_PROPERTY, String.valueOf(FABRIC8_STORE_PASSPHRASE));
+    System.setProperty("javax.net.ssl.keyStore", FABRIC8_STORE_PATH);
+    System.setProperty("javax.net.ssl.keyStorePassword", String.valueOf(FABRIC8_STORE_PASSPHRASE));
 
     String privateKeyPath = Utils.filePath(getClass().getResource("/ssl/fabric8"));
     String multipleCertsPath = Utils.filePath(getClass().getResource("/ssl/multiple-certs.pem"));
@@ -189,14 +191,10 @@ private void verifyFabric8InStore(KeyStore trustStore)
     Certificate certificate = trustStore.getCertificate("fabric8-in-store");
     assertNotNull(certificate);
 
-    InputStream certificateFile = CertUtils.getInputStreamFromDataOrFile(null, "src/test/resources/ssl/fabric8.crt");
-    KeyStore storeWithCert = CertUtils.createTrustStore(certificateFile, null, "".toCharArray());
+    KeyStore storeWithCert = CertUtils.createTrustStore(
+      null, "src/test/resources/ssl/fabric8.crt", null, "");
     String certificateAlias = storeWithCert.getCertificateAlias(certificate);
     assertNotNull(certificateAlias);
   }
 
-  private InputStream getMultipleCertsInputSteam() throws IOException {
-    return CertUtils.getInputStreamFromDataOrFile(null, "src/test/resources/ssl/multiple-certs.pem");
-  }
-
 }