CredSspScheme to require a valid SSLContext

httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/CredSspScheme.java

@@ -31,12 +31,9 @@ import java.nio.ByteBuffer;
 import java.nio.CharBuffer;
 import java.nio.charset.Charset;
 import java.nio.charset.StandardCharsets;
-import java.security.KeyManagementException;
-import java.security.NoSuchAlgorithmException;
 import java.security.Principal;
 import java.security.PublicKey;
 import java.security.cert.Certificate;
-import java.security.cert.CertificateException;
 import java.security.cert.X509Certificate;
 import java.util.Arrays;
 
@@ -48,8 +45,6 @@ import javax.net.ssl.SSLEngineResult.Status;
 import javax.net.ssl.SSLException;
 import javax.net.ssl.SSLPeerUnverifiedException;
 import javax.net.ssl.SSLSession;
-import javax.net.ssl.TrustManager;
-import javax.net.ssl.X509TrustManager;
 
 import org.apache.commons.codec.binary.Base64;
 import org.apache.hc.client5.http.auth.AuthChallenge;
@@ -64,8 +59,6 @@ import org.apache.hc.core5.annotation.Experimental;
 import org.apache.hc.core5.http.HttpHost;
 import org.apache.hc.core5.http.HttpRequest;
 import org.apache.hc.core5.http.protocol.HttpContext;
-import org.apache.hc.core5.ssl.SSLContexts;
-import org.apache.hc.core5.ssl.SSLInitializationException;
 import org.apache.hc.core5.util.Args;
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
@@ -119,6 +112,7 @@ public class CredSspScheme implements AuthScheme
         CREDENTIALS_SENT;
     }
 
+    private final SSLContext sslContext;
     private State state;
     private SSLEngine sslEngine;
     private NTCredentials ntcredentials;
@@ -131,7 +125,8 @@ public class CredSspScheme implements AuthScheme
     private byte[] peerPublicKey;
 
 
-    public CredSspScheme() {
+    public CredSspScheme(final SSLContext sslContext) {
+        this.sslContext = Args.notNull(sslContext, "SSL context");
         state = State.UNINITIATED;
     }
 
@@ -169,53 +164,6 @@ public class CredSspScheme implements AuthScheme
 
     private SSLEngine createSSLEngine()
     {
-        final SSLContext sslContext;
-        try
-        {
-            sslContext = SSLContexts.custom().build();
-        }
-        catch (final NoSuchAlgorithmException | KeyManagementException ex )
-        {
-            throw new SSLInitializationException( "Error creating SSL Context: " + ex.getMessage(), ex );
-        }
-
-        final X509TrustManager tm = new X509TrustManager()
-        {
-
-            @Override
-            public void checkClientTrusted( final X509Certificate[] chain, final String authType )
-                throws CertificateException
-            {
-                // Nothing to do.
-            }
-
-
-            @Override
-            public void checkServerTrusted( final X509Certificate[] chain, final String authType )
-                throws CertificateException
-            {
-                // Nothing to do, accept all. CredSSP server is using its own certificate without any
-                // binding to the PKI trust chains. The public key is verified as part of the CredSSP
-                // protocol exchange.
-            }
-
-
-            @Override
-            public X509Certificate[] getAcceptedIssuers()
-            {
-                return null;
-            }
-
-        };
-        try
-        {
-            sslContext.init( null, new TrustManager[]
-                { tm }, null );
-        }
-        catch ( final KeyManagementException e )
-        {
-            throw new SSLInitializationException( "SSL Context initialization error: " + e.getMessage(), e );
-        }
         final SSLEngine sslEngine = sslContext.createSSLEngine();
         sslEngine.setUseClientMode( true );
         return sslEngine;

httpclient5/src/main/java/org/apache/hc/client5/http/impl/auth/CredSspSchemeFactory.java

@@ -27,18 +27,47 @@
 
 package org.apache.hc.client5.http.impl.auth;
 
+import java.security.KeyManagementException;
+import java.security.KeyStoreException;
+import java.security.NoSuchAlgorithmException;
+
+import javax.net.ssl.SSLContext;
+
 import org.apache.hc.client5.http.auth.AuthScheme;
 import org.apache.hc.client5.http.auth.AuthSchemeProvider;
+import org.apache.hc.client5.http.ssl.TrustAllStrategy;
 import org.apache.hc.core5.annotation.Experimental;
 import org.apache.hc.core5.http.protocol.HttpContext;
+import org.apache.hc.core5.ssl.SSLContexts;
+import org.apache.hc.core5.ssl.SSLInitializationException;
 
 @Experimental
 public class CredSspSchemeFactory implements AuthSchemeProvider
 {
 
+    private final SSLContext sslContext;
+
+    public CredSspSchemeFactory() {
+        this(createDefaultContext());
+    }
+
+    public CredSspSchemeFactory(final SSLContext sslContext) {
+        this.sslContext = sslContext != null ? sslContext : createDefaultContext();
+    }
+
+    private static SSLContext createDefaultContext() throws SSLInitializationException {
+        try {
+            return SSLContexts.custom()
+                    .loadTrustMaterial(new TrustAllStrategy())
+                    .build();
+        } catch (final NoSuchAlgorithmException | KeyManagementException | KeyStoreException ex) {
+            throw new SSLInitializationException(ex.getMessage(), ex);
+        }
+    }
+
     @Override
     public AuthScheme create(final HttpContext context) {
-        return new CredSspScheme();
+        return new CredSspScheme(sslContext);
     }
 
 }