Description
Describe the bug
When a Quarkus application is using the TLS configuration named javax.net.ssl, created by default by quarkus-tls-registry, there is a check on the certificates stored in the cacerts: if one certificate doesn't have a CN or OU, Quarkus throws an exception java.lang.IllegalStateException: No CN or OU in O=xxx,C=xxx and crashes the application.
This check is new; it has been added since Quarkus 3.19: see io.quarkus.tls.runtime.JavaxNetSslTrustStoreProvider and also see
Line 177 in 974851e:
public Optional<TlsConfiguration> get(String name) {
Note: if a TLS configuration is defined in the application using the same trust store as the cacerts used by the javax.net.ssl configuration, there is no error and the trust store is loaded. The check on the CN or OU doesn't apply.
Expected behavior
The application startup should not crash; I think a warning in the logs should be enough.
Actual behavior
The application startup crashes with the exception Caused by: java.lang.IllegalStateException: No CN or OU in O=Govxxxxx Authority,C=xxx if the loaded cacerts contains at least one certificate with no CN or OU defined.
How to Reproduce?
See https://github.com/TucoBouchState/sslconf
Output of uname -a or ver
Microsoft Windows [Version 10.0.26100.3194]
Output of java -version
OpenJDK 64-Bit Server VM Temurin-21.0.6+7 (build 21.0.6+7-LTS, mixed mode, sharing)
Quarkus version or git rev
3.19.4
Build tool (ie. output of mvnw --version or gradlew --version)
Apache Maven 3.9.9 (8e8579a9e76f7d015ee5ec7bfcdc97d260186937)
Additional information
Stack trace:
Caused by: java.lang.IllegalStateException: No CN or OU in O=Govxxxxx Authority,C=xxx
at io.quarkus.tls.runtime.JavaxNetSslTrustStoreProvider$JavaNetSslTrustOptions.lambda$new$4(JavaxNetSslTrustStoreProvider.java:74)
at java.base/java.util.Optional.orElseThrow(Optional.java:403)
at io.quarkus.tls.runtime.JavaxNetSslTrustStoreProvider$JavaNetSslTrustOptions.lambda$new$5(JavaxNetSslTrustStoreProvider.java:74)
at java.base/java.util.Optional.orElseGet(Optional.java:364)
at io.quarkus.tls.runtime.JavaxNetSslTrustStoreProvider$JavaNetSslTrustOptions.<init>(JavaxNetSslTrustStoreProvider.java:70)
at io.quarkus.tls.runtime.JavaxNetSslTrustStoreProvider.getTrustStore(JavaxNetSslTrustStoreProvider.java:45)
at io.quarkus.tls.runtime.CertificateRecorder.lambda$get$0(CertificateRecorder.java:181)
at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1708)
at io.quarkus.tls.runtime.CertificateRecorder.get(CertificateRecorder.java:180)
at io.quarkiverse.cxf.CXFClientInfo.tlsConfiguration(CXFClientInfo.java:344)
at io.quarkiverse.cxf.CXFClientInfo.<init>(CXFClientInfo.java:269)
at io.quarkiverse.cxf.CxfClientProducer.selectorCXFClientInfo(CxfClientProducer.java:298)
at io.quarkiverse.cxf.CxfClientProducer.selectorCXFClientInfo(CxfClientProducer.java:[274
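
To find which trust store entries meet the condition named in the exception message, the following added example (not part of the original report and not Quarkus code) lists every certificate in a trust store whose subject DN has neither a CN nor an OU attribute. It assumes the check applies to the subject DN, the JDK default cacerts location and the stock "changeit" password; the class name is hypothetical.

```java
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.naming.directory.Attributes;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class FindCertsWithoutCnOrOu {

    // True when the RFC 2253 DN contains at least one CN or OU attribute.
    static boolean hasCnOrOu(String dn) throws Exception {
        for (Rdn rdn : new LdapName(dn).getRdns()) {
            // toAttributes() also covers multi-valued RDNs such as "CN=a+OU=b".
            Attributes attrs = rdn.toAttributes();
            if (attrs.get("CN") != null || attrs.get("OU") != null) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the JDK default trust store, unless a path is given as args[0].
        Path store = args.length > 0 ? Path.of(args[0])
                : Path.of(System.getProperty("java.home"), "lib", "security", "cacerts");
        // Assumption: the stock "changeit" password, unless given as args[1].
        char[] password = (args.length > 1 ? args[1] : "changeit").toCharArray();

        // KeyStore.getInstance(File, char[]) detects JKS or PKCS12 by itself (Java 9+).
        KeyStore ks = KeyStore.getInstance(store.toFile(), password);
        int flagged = 0;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (!(cert instanceof X509Certificate x509)) {
                continue; // not an X.509 entry
            }
            String dn = x509.getSubjectX500Principal().getName(X500Principal.RFC2253);
            if (!hasCnOrOu(dn)) {
                flagged++;
                System.out.printf("%s: %s%n", alias, dn);
            }
        }
        System.out.printf("%d certificate(s) without CN or OU in %s%n", flagged, store);
    }
}
```

Each printed alias is a candidate for the entry that makes the javax.net.ssl configuration fail at startup on an affected version.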