MirrorMirror
/
Signal-Server
mirror of https://github.com/signalapp/Signal-Server.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Allow HTTP clients to trust multiple certificates to support certificate rollover

This commit is contained in:
Jon Chambers 2022-10-17 14:47:39 -04:00 committed by Jon Chambers
parent a41d047f58
commit 0120a85c39
9 changed files with 154 additions and 86 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
service/config/sample.yml
View File

@ -240,7 +240,8 @@ recaptcha:
storageService: storageService:
uri: storage.example.com uri: storage.example.com
userAuthenticationTokenSharedSecret: 00000f userAuthenticationTokenSharedSecret: 00000f
storageCaCertificate: | storageCaCertificates:
- |
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
@ -266,7 +267,8 @@ storageService:
backupService: backupService:
uri: backup.example.com uri: backup.example.com
userAuthenticationTokenSharedSecret: 00000f userAuthenticationTokenSharedSecret: 00000f
backupCaCertificate: | backupCaCertificates:
- |
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz ABCDEFGHIJKLMNOPQRSTUVWXYZ/0123456789+abcdefghijklmnopqrstuvwxyz

13
service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureBackupServiceConfiguration.java
View File

@ -13,6 +13,7 @@ import javax.validation.constraints.NotNull;
import com.google.common.annotations.VisibleForTesting; import com.google.common.annotations.VisibleForTesting;
import org.apache.commons.codec.DecoderException; import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex; import org.apache.commons.codec.binary.Hex;
import java.util.List;
public class SecureBackupServiceConfiguration { public class SecureBackupServiceConfiguration {
@ -24,9 +25,9 @@ public class SecureBackupServiceConfiguration {
@JsonProperty @JsonProperty
private String uri; private String uri;
@NotBlank @NotEmpty
@JsonProperty @JsonProperty
private String backupCaCertificate; private List<@NotBlank String> backupCaCertificates;
@NotNull @NotNull
@Valid @Valid
@ -52,12 +53,12 @@ public class SecureBackupServiceConfiguration {
} }
@VisibleForTesting @VisibleForTesting
public void setBackupCaCertificate(final String backupCaCertificate) { public void setBackupCaCertificates(final List<String> backupCaCertificates) {
this.backupCaCertificate = backupCaCertificate; this.backupCaCertificates = backupCaCertificates;
} }
public String getBackupCaCertificate() { public List<String> getBackupCaCertificates() {
return backupCaCertificate; return backupCaCertificates;
} }
public CircuitBreakerConfiguration getCircuitBreakerConfiguration() { public CircuitBreakerConfiguration getCircuitBreakerConfiguration() {

13
service/src/main/java/org/whispersystems/textsecuregcm/configuration/SecureStorageServiceConfiguration.java
View File

@ -13,6 +13,7 @@ import javax.validation.constraints.NotEmpty;
import javax.validation.constraints.NotNull; import javax.validation.constraints.NotNull;
import org.apache.commons.codec.DecoderException; import org.apache.commons.codec.DecoderException;
import org.apache.commons.codec.binary.Hex; import org.apache.commons.codec.binary.Hex;
import java.util.List;
public class SecureStorageServiceConfiguration { public class SecureStorageServiceConfiguration {
@ -24,9 +25,9 @@ public class SecureStorageServiceConfiguration {
@JsonProperty @JsonProperty
private String uri; private String uri;
@NotBlank @NotEmpty
@JsonProperty @JsonProperty
private String storageCaCertificate; private List<@NotBlank String> storageCaCertificates;
@NotNull @NotNull
@Valid @Valid
@ -52,12 +53,12 @@ public class SecureStorageServiceConfiguration {
} }
@VisibleForTesting @VisibleForTesting
public void setStorageCaCertificate(final String certificatePem) { public void setStorageCaCertificates(final List<String> certificatePem) {
this.storageCaCertificate = certificatePem; this.storageCaCertificates = certificatePem;
} }
public String getStorageCaCertificate() { public List<String> getStorageCaCertificates() {
return storageCaCertificate; return storageCaCertificates;
} }
public CircuitBreakerConfiguration getCircuitBreakerConfiguration() { public CircuitBreakerConfiguration getCircuitBreakerConfiguration() {

2
service/src/main/java/org/whispersystems/textsecuregcm/http/FaultTolerantHttpClient.java
View File

@ -135,7 +135,7 @@ public class FaultTolerantHttpClient {
return this; return this;
} }
public Builder withTrustedServerCertificate(final String certificatePem) throws CertificateException { public Builder withTrustedServerCertificates(final String... certificatePem) throws CertificateException {
this.trustStore = CertificateUtil.buildKeyStoreForPem(certificatePem); this.trustStore = CertificateUtil.buildKeyStoreForPem(certificatePem);
return this; return this;
} }

2
service/src/main/java/org/whispersystems/textsecuregcm/securebackup/SecureBackupClient.java
View File

@ -46,7 +46,7 @@ public class SecureBackupClient {
.withExecutor(executor) .withExecutor(executor)
.withName("secure-backup") .withName("secure-backup")
.withSecurityProtocol(FaultTolerantHttpClient.SECURITY_PROTOCOL_TLS_1_2) .withSecurityProtocol(FaultTolerantHttpClient.SECURITY_PROTOCOL_TLS_1_2)
.withTrustedServerCertificate(configuration.getBackupCaCertificate()) .withTrustedServerCertificates(configuration.getBackupCaCertificates().toArray(new String[0]))
.build(); .build();
} }

2
service/src/main/java/org/whispersystems/textsecuregcm/securestorage/SecureStorageClient.java
View File

@ -47,7 +47,7 @@ public class SecureStorageClient {
.withExecutor(executor) .withExecutor(executor)
.withName("secure-storage") .withName("secure-storage")
.withSecurityProtocol(FaultTolerantHttpClient.SECURITY_PROTOCOL_TLS_1_3) .withSecurityProtocol(FaultTolerantHttpClient.SECURITY_PROTOCOL_TLS_1_3)
.withTrustedServerCertificate(configuration.getStorageCaCertificate()) .withTrustedServerCertificates(configuration.getStorageCaCertificates().toArray(new String[0]))
.build(); .build();
} }

16
service/src/main/java/org/whispersystems/textsecuregcm/util/CertificateUtil.java
View File

@ -15,18 +15,22 @@ import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate; import java.security.cert.X509Certificate;
public class CertificateUtil { public class CertificateUtil {
public static KeyStore buildKeyStoreForPem(final String caCertificatePem) throws CertificateException
{ public static KeyStore buildKeyStoreForPem(final String... caCertificatePems) throws CertificateException {
try { try {
X509Certificate certificate = getCertificate(caCertificatePem); final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
keyStore.load(null);
for (int i = 0; i < caCertificatePems.length; i++) {
final X509Certificate certificate = getCertificate(caCertificatePems[i]);
if (certificate == null) { if (certificate == null) {
throw new CertificateException("No certificate found in parsing!"); throw new CertificateException("No certificate found in parsing!");
} }
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType()); keyStore.setCertificateEntry("ca-" + i, certificate);
keyStore.load(null); }
keyStore.setCertificateEntry("ca", certificate);
return keyStore; return keyStore;
} catch (IOException | KeyStoreException ex) { } catch (IOException | KeyStoreException ex) {
throw new CertificateException(ex); throw new CertificateException(ex);

34
service/src/test/java/org/whispersystems/textsecuregcm/securebackup/SecureBackupClientTest.java
View File

@ -16,6 +16,7 @@ import static org.mockito.Mockito.when;
import com.github.tomakehurst.wiremock.junit5.WireMockExtension; import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.util.List;
import java.util.UUID; import java.util.UUID;
import java.util.concurrent.CompletionException; import java.util.concurrent.CompletionException;
import java.util.concurrent.ExecutorService; import java.util.concurrent.ExecutorService;
@ -53,7 +54,7 @@ class SecureBackupClientTest {
config.setUri("http://localhost:" + wireMock.getPort()); config.setUri("http://localhost:" + wireMock.getPort());
// This is a randomly-generated, throwaway certificate that's not actually connected to anything // This is a randomly-generated, throwaway certificate that's not actually connected to anything
config.setBackupCaCertificate(""" config.setBackupCaCertificates(List.of("""
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICZDCCAc2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBPMQswCQYDVQQGEwJ1czEL MIICZDCCAc2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBPMQswCQYDVQQGEwJ1czEL
MAkGA1UECAwCVVMxHjAcBgNVBAoMFVNpZ25hbCBNZXNzZW5nZXIsIExMQzETMBEG MAkGA1UECAwCVVMxHjAcBgNVBAoMFVNpZ25hbCBNZXNzZW5nZXIsIExMQzETMBEG
@ -69,7 +70,36 @@ class SecureBackupClientTest {
y7MTM4NoBV1k0zb5LAk89SIDPr/maW5AsLtEomzjnEiomjoMBUdNe3YCgQReoLnr y7MTM4NoBV1k0zb5LAk89SIDPr/maW5AsLtEomzjnEiomjoMBUdNe3YCgQReoLnr
R/QaUNbrCjTGYfBsjGbIzmkWPUyTec2ZdRyJ8JiVl386+6CZkxnndQ== R/QaUNbrCjTGYfBsjGbIzmkWPUyTec2ZdRyJ8JiVl386+6CZkxnndQ==
-----END CERTIFICATE----- -----END CERTIFICATE-----
"""); """,
"""
-----BEGIN CERTIFICATE-----
MIIEpDCCAowCCQC43PUTWSADVjANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjIxMDE3MjA0NTM0WhcNMjMxMDE3MjA0NTM0WjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDV
x1cdEd2ffQTlTXWRiCHGcrlYf4RJnctt9sw/BuHWTLXBu5LhyJSGn5LRszO/NCXK
Z/cmGR7pLj366RtiwL+Qo3nhvDCK7T9xZeNIusM6XMcMK9D/DGCYPqtjQz8NXd9V
ajBBe6nwTDTa+oqX8Mt89foWNkg5Il/lY62u9Dr18LRZ2W9zzYi3Q9/K0CbIX6pM
yVlPIO5rITOR2IsbeyqsO9jufgX5lP4ZKLLBAP1b7usjC4YdvWacjQg/rK5aay1x
jC2HCDgo/4N30QVXzSA9nFfSe6AE/xkStK4819JqOkY5JsJCbef1P3hOOdSLEjbp
xq3MjOs6G6dOgteaAGs10vx7dHxDWETTIiD7BIZ9zRYgOF5bkCaIUO+JfySE1MHD
KBAFLoRuvmRev5Ln5R0MCHpUMSmMNgJqz+RWZV3g/gpYbuWiHgJOwL1393eK50Bg
W7SXQ8EjJj2yXZSH+1gPzN0DRoJZiaBoTPnCL2qUgvwFpW1PJsM5FDyUJFUoK5kK
HLBBSKAPt6ZlSrUe2nBgJv7EF1GK+fTU08LXgW33OpLceGPa0zTShkukQUMtUtZ8
GqhO12ohMzEupIu5Xurthq4VVUrzHUdj1ZZRMhAbfLU36sd03MMyL/xBqTN6dzCa
GDGIPGpYjAllZ5xMRt2kZdv+Kr6oo3u2nLUIsqI7KQIDAQABMA0GCSqGSIb3DQEB
CwUAA4ICAQCB5s43YF35ssf5YONW5iAaifGpi1o0866xfeOybtohFGvQ7V2W34i9
TYBCt8+0hgatMcvZ08f0vqig1i7nrvYcE1hnhL7JNkU8qm0s9ytHZt6j62nB0kd/
uqE2hOEQalTf/2TGPV0CCgiqLyd8lEUQvQeA38wktwUeZpVnErlzHeMR2CvV3K8R
u4vV6SnBcf+TAt56RKYZkPyvZj5llQPo14Glyoo8qZES7Ky1SHmM0GL+baPRBjRW
3KgSt98Wyu4yr9qu21JpnbAnLhBfzfSKjSeCRgFElUE1GIaFGRZ7ypA74dUKeLnb
/VUWrszmUhGaEjV9dpI6x6B/kSpQMtIQqBaKRY2ALUeEujS/rURi4iMDwSU+GkSH
cyEvZKS97OA/dWeXfLXdo4beDBRG93bI4rQnDg5+VdlBOkQSLueb8x6/VThMoC5d
vZiotFQHseljQAdTkNa6tBu6c4XDYPCKB3CfkMYOlCfTS7Acn5G6dxTPKBtLGBnL
nQfYyzuwYkN09+2PVzt6auBHr3To7uoclkxX+hxyvPIwIZ0N6b4tQR1FCAkvg29Q
WIOjZOKGW690ESKCKOnFjUHVO0HpuWnT81URTuY62FXsYdVc2wE4v0E04mEbqQ0P
lY6ZKNA81Lm3YADYtObmK1IUrOPo9BeIaPy0UM08SmN880Vunqa91Q==
-----END CERTIFICATE-----
"""));
secureStorageClient = new SecureBackupClient(credentialGenerator, httpExecutor, config); secureStorageClient = new SecureBackupClient(credentialGenerator, httpExecutor, config);
} }

34
service/src/test/java/org/whispersystems/textsecuregcm/securestorage/SecureStorageClientTest.java
View File

@ -16,6 +16,7 @@ import static org.mockito.Mockito.when;
import com.github.tomakehurst.wiremock.junit5.WireMockExtension; import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
import java.security.cert.CertificateException; import java.security.cert.CertificateException;
import java.util.List;
import java.util.UUID; import java.util.UUID;
import java.util.concurrent.CompletionException; import java.util.concurrent.CompletionException;
import java.util.concurrent.ExecutorService; import java.util.concurrent.ExecutorService;
@ -53,7 +54,7 @@ class SecureStorageClientTest {
config.setUri("http://localhost:" + wireMock.getPort()); config.setUri("http://localhost:" + wireMock.getPort());
// This is a randomly-generated, throwaway certificate that's not actually connected to anything // This is a randomly-generated, throwaway certificate that's not actually connected to anything
config.setStorageCaCertificate(""" config.setStorageCaCertificates(List.of("""
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICZDCCAc2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBPMQswCQYDVQQGEwJ1czEL MIICZDCCAc2gAwIBAgIBADANBgkqhkiG9w0BAQ0FADBPMQswCQYDVQQGEwJ1czEL
MAkGA1UECAwCVVMxHjAcBgNVBAoMFVNpZ25hbCBNZXNzZW5nZXIsIExMQzETMBEG MAkGA1UECAwCVVMxHjAcBgNVBAoMFVNpZ25hbCBNZXNzZW5nZXIsIExMQzETMBEG
@ -69,7 +70,36 @@ class SecureStorageClientTest {
y7MTM4NoBV1k0zb5LAk89SIDPr/maW5AsLtEomzjnEiomjoMBUdNe3YCgQReoLnr y7MTM4NoBV1k0zb5LAk89SIDPr/maW5AsLtEomzjnEiomjoMBUdNe3YCgQReoLnr
R/QaUNbrCjTGYfBsjGbIzmkWPUyTec2ZdRyJ8JiVl386+6CZkxnndQ== R/QaUNbrCjTGYfBsjGbIzmkWPUyTec2ZdRyJ8JiVl386+6CZkxnndQ==
-----END CERTIFICATE----- -----END CERTIFICATE-----
"""); """,
"""
-----BEGIN CERTIFICATE-----
MIIEpDCCAowCCQC43PUTWSADVjANBgkqhkiG9w0BAQsFADAUMRIwEAYDVQQDDAls
b2NhbGhvc3QwHhcNMjIxMDE3MjA0NTM0WhcNMjMxMDE3MjA0NTM0WjAUMRIwEAYD
VQQDDAlsb2NhbGhvc3QwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDV
x1cdEd2ffQTlTXWRiCHGcrlYf4RJnctt9sw/BuHWTLXBu5LhyJSGn5LRszO/NCXK
Z/cmGR7pLj366RtiwL+Qo3nhvDCK7T9xZeNIusM6XMcMK9D/DGCYPqtjQz8NXd9V
ajBBe6nwTDTa+oqX8Mt89foWNkg5Il/lY62u9Dr18LRZ2W9zzYi3Q9/K0CbIX6pM
yVlPIO5rITOR2IsbeyqsO9jufgX5lP4ZKLLBAP1b7usjC4YdvWacjQg/rK5aay1x
jC2HCDgo/4N30QVXzSA9nFfSe6AE/xkStK4819JqOkY5JsJCbef1P3hOOdSLEjbp
xq3MjOs6G6dOgteaAGs10vx7dHxDWETTIiD7BIZ9zRYgOF5bkCaIUO+JfySE1MHD
KBAFLoRuvmRev5Ln5R0MCHpUMSmMNgJqz+RWZV3g/gpYbuWiHgJOwL1393eK50Bg
W7SXQ8EjJj2yXZSH+1gPzN0DRoJZiaBoTPnCL2qUgvwFpW1PJsM5FDyUJFUoK5kK
HLBBSKAPt6ZlSrUe2nBgJv7EF1GK+fTU08LXgW33OpLceGPa0zTShkukQUMtUtZ8
GqhO12ohMzEupIu5Xurthq4VVUrzHUdj1ZZRMhAbfLU36sd03MMyL/xBqTN6dzCa
GDGIPGpYjAllZ5xMRt2kZdv+Kr6oo3u2nLUIsqI7KQIDAQABMA0GCSqGSIb3DQEB
CwUAA4ICAQCB5s43YF35ssf5YONW5iAaifGpi1o0866xfeOybtohFGvQ7V2W34i9
TYBCt8+0hgatMcvZ08f0vqig1i7nrvYcE1hnhL7JNkU8qm0s9ytHZt6j62nB0kd/
uqE2hOEQalTf/2TGPV0CCgiqLyd8lEUQvQeA38wktwUeZpVnErlzHeMR2CvV3K8R
u4vV6SnBcf+TAt56RKYZkPyvZj5llQPo14Glyoo8qZES7Ky1SHmM0GL+baPRBjRW
3KgSt98Wyu4yr9qu21JpnbAnLhBfzfSKjSeCRgFElUE1GIaFGRZ7ypA74dUKeLnb
/VUWrszmUhGaEjV9dpI6x6B/kSpQMtIQqBaKRY2ALUeEujS/rURi4iMDwSU+GkSH
cyEvZKS97OA/dWeXfLXdo4beDBRG93bI4rQnDg5+VdlBOkQSLueb8x6/VThMoC5d
vZiotFQHseljQAdTkNa6tBu6c4XDYPCKB3CfkMYOlCfTS7Acn5G6dxTPKBtLGBnL
nQfYyzuwYkN09+2PVzt6auBHr3To7uoclkxX+hxyvPIwIZ0N6b4tQR1FCAkvg29Q
WIOjZOKGW690ESKCKOnFjUHVO0HpuWnT81URTuY62FXsYdVc2wE4v0E04mEbqQ0P
lY6ZKNA81Lm3YADYtObmK1IUrOPo9BeIaPy0UM08SmN880Vunqa91Q==
-----END CERTIFICATE-----
"""));
secureStorageClient = new SecureStorageClient(credentialGenerator, httpExecutor, config); secureStorageClient = new SecureStorageClient(credentialGenerator, httpExecutor, config);
} }