feat(sdk): add ssl context

README.md

@@ -4,3 +4,9 @@ OpenTDF Java SDK
 
 ### Logging
 We use [slf4j](https://www.slf4j.org/), without providing a backend. We use log4j2 in our tests.
+
+### SSL - Untrusted Certificates
+Use the SDKBuilder.withSSL... methods to build an SDKBuilder with:
+- An SSLFactory: ```sdkBuilder.sslFactory(mySSLFactory)```
+- Directory containing trusted certificates: ```sdkBuilder.sslFactoryFromDirectory(myDirectoryWithCerts)```
+- Java Keystore: ```sdkBuilder.sslFactoryFromKeyStore(keystorepath, keystorePassword)```

pom.xml

@@ -17,6 +17,7 @@
  <log4j.version>2.20.0</log4j.version>
  <grpc.version>1.63.0</grpc.version>
  <protobuf.version>3.25.3</protobuf.version>
+ <sslcontext.version>8.3.5</sslcontext.version>
  </properties>
  <modules>
  <module>protocol</module>
@@ -69,6 +70,45 @@
  <version>3.4</version>
  <scope>provided</scope>
  </dependency>
+ <dependency>
+ <groupId>io.github.hakky54</groupId>
+ <artifactId>sslcontext-kickstart-for-pem</artifactId>
+ <version>${sslcontext.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>io.github.hakky54</groupId>
+ <artifactId>sslcontext-kickstart</artifactId>
+ <version>${sslcontext.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>io.github.hakky54</groupId>
+ <artifactId>sslcontext-kickstart-for-netty</artifactId>
+ <version>${sslcontext.version}</version>
+ <exclusions>
+ <exclusion>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ </exclusion>
+ </exclusions>
+ </dependency>
+ <dependency>
+ <groupId>io.grpc</groupId>
+ <artifactId>grpc-netty-shaded</artifactId>
+ <version>${grpc.version}</version>
+ <scope>runtime</scope>
+ </dependency>
  </dependencies>
  </dependencyManagement>
 

sdk/pom.xml

@@ -4,18 +4,6 @@
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <name>sdk</name>
- <build>
- <plugins>
- <plugin>
- <groupId>org.apache.maven.plugins</groupId>
- <artifactId>maven-compiler-plugin</artifactId>
- <configuration>
- <source>11</source>
- <target>11</target>
- </configuration>
- </plugin>
- </plugins>
- </build>
  <artifactId>sdk</artifactId>
  <parent>
  <artifactId>sdk-pom</artifactId>
@@ -111,5 +99,23 @@
  <version>1.26.1</version>
  <scope>test</scope>
  </dependency>
+ <dependency>
+ <groupId>io.github.hakky54</groupId>
+ <artifactId>sslcontext-kickstart-for-pem</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>io.github.hakky54</groupId>
+ <artifactId>sslcontext-kickstart</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>io.github.hakky54</groupId>
+ <artifactId>sslcontext-kickstart-for-netty</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>com.squareup.okhttp3</groupId>
+ <artifactId>okhttp-tls</artifactId>
+ <version>5.0.0-alpha.14</version>
+ <scope>test</scope>
+ </dependency>
  </dependencies>
 </project>

sdk/src/main/java/io/opentdf/platform/sdk/GRPCAuthInterceptor.java

@@ -22,6 +22,7 @@
 import io.grpc.ForwardingClientCall;
 import io.grpc.Metadata;
 import io.grpc.MethodDescriptor;
+import nl.altindag.ssl.SSLFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -40,7 +41,7 @@ class GRPCAuthInterceptor implements ClientInterceptor {
  private final ClientAuthentication clientAuth;
  private final RSAKey rsaKey;
  private final URI tokenEndpointURI;
-
+ private SSLFactory sslFactory;
  private static final Logger logger = LoggerFactory.getLogger(GRPCAuthInterceptor.class);
 
 
@@ -49,11 +50,13 @@ class GRPCAuthInterceptor implements ClientInterceptor {
  *
  * @param clientAuth the client authentication to be used by the interceptor
  * @param rsaKey the RSA key to be used by the interceptor
+ * @param sslFactory Optional SSLFactory for Requests
  */
- public GRPCAuthInterceptor(ClientAuthentication clientAuth, RSAKey rsaKey, URI tokenEndpointURI) {
+ public GRPCAuthInterceptor(ClientAuthentication clientAuth, RSAKey rsaKey, URI tokenEndpointURI, SSLFactory sslFactory) {
  this.clientAuth = clientAuth;
  this.rsaKey = rsaKey;
  this.tokenEndpointURI = tokenEndpointURI;
+ this.sslFactory = sslFactory;
  }
 
  /**
@@ -114,6 +117,9 @@ private synchronized AccessToken getToken() {
  TokenRequest tokenRequest = new TokenRequest(this.tokenEndpointURI,
  clientAuth, clientGrant, null);
  HTTPRequest httpRequest = tokenRequest.toHTTPRequest();
+ if(sslFactory!=null){
+ httpRequest.setSSLSocketFactory(sslFactory.getSslSocketFactory());
+ }
 
  DPoPProofFactory dpopFactory = new DefaultDPoPProofFactory(rsaKey, JWSAlgorithm.RS256);
 

sdk/src/main/java/io/opentdf/platform/sdk/SDKBuilder.java

@@ -11,17 +11,23 @@
 import com.nimbusds.oauth2.sdk.id.ClientID;
 import com.nimbusds.oauth2.sdk.id.Issuer;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
-import io.grpc.ManagedChannel;
-import io.grpc.ManagedChannelBuilder;
-import io.grpc.Status;
-import io.grpc.StatusRuntimeException;
+import io.grpc.*;
 import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationRequest;
 import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationResponse;
 import io.opentdf.platform.wellknownconfiguration.WellKnownServiceGrpc;
+import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.pem.util.PemUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.io.File;
+import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.UUID;
 
 /**
@@ -32,6 +38,7 @@ public class SDKBuilder {
  private String platformEndpoint = null;
  private ClientAuthentication clientAuth = null;
  private Boolean usePlainText;
+ private SSLFactory sslFactory;
 
  private static final Logger logger = LoggerFactory.getLogger(SDKBuilder.class);
 
@@ -44,6 +51,47 @@ public static SDKBuilder newBuilder() {
  return builder;
  }
 
+ public SDKBuilder sslFactory(SSLFactory sslFactory) {
+ this.sslFactory = sslFactory;
+ return this;
+ }
+
+ /**
+ * Add SSL Context with trusted certs from certDirPath
+ * @param certsDirPath Path to a directory containing .pem or .crt trusted certs
+ * @return
+ */
+ public SDKBuilder sslFactoryFromDirectory(String certsDirPath) throws Exception{
+ File certsDir = new File(certsDirPath);
+ File[] certFiles =
+ certsDir.listFiles((dir, name) -> name.endsWith(".pem") || name.endsWith(".crt"));
+ logger.info("Loading certificates from: " + certsDir.getAbsolutePath());
+ List<InputStream> certStreams = new ArrayList<>();
+ for (File certFile : certFiles) {
+ certStreams.add(new FileInputStream(certFile));
+ }
+ X509ExtendedTrustManager trustManager =
+ PemUtils.loadTrustMaterial(certStreams.toArray(new InputStream[0]));
+ this.sslFactory =
+ SSLFactory.builder().withDefaultTrustMaterial().withSystemTrustMaterial()
+ .withTrustMaterial(trustManager).build();
+ return this;
+ }
+
+ /**
+ * Add SSL Context with default system trust material + certs contained in a Java keystore
+ * @param keystorePath Path to keystore
+ * @param keystorePassword Password to keystore
+ * @return
+ */
+ public SDKBuilder sslFactoryFromKeyStore(String keystorePath, String keystorePassword) {
+ this.sslFactory =
+ SSLFactory.builder().withDefaultTrustMaterial().withSystemTrustMaterial()
+ .withTrustMaterial(Path.of(keystorePath), keystorePassword==null ?
+ "".toCharArray() : keystorePassword.toCharArray()).build();
+ return this;
+ }
+
  public SDKBuilder platformEndpoint(String platformEndpoint) {
  this.platformEndpoint = platformEndpoint;
  return this;
@@ -104,12 +152,16 @@ private GRPCAuthInterceptor getGrpcAuthInterceptor(RSAKey rsaKey) {
  Issuer issuer = new Issuer(platformIssuer);
  OIDCProviderMetadata providerMetadata;
  try {
- providerMetadata = OIDCProviderMetadata.resolve(issuer);
+ providerMetadata = OIDCProviderMetadata.resolve(issuer, httpRequest -> {
+ if (sslFactory!=null) {
+ httpRequest.setSSLSocketFactory(sslFactory.getSslSocketFactory());
+ }
+ });
  } catch (IOException | GeneralException e) {
  throw new SDKException("Error resolving the OIDC provider metadata", e);
  }
 
- return new GRPCAuthInterceptor(clientAuth, rsaKey, providerMetadata.getTokenEndpointURI());
+ return new GRPCAuthInterceptor(clientAuth, rsaKey, providerMetadata.getTokenEndpointURI(), sslFactory);
  }
 
  SDK.Services buildServices() {
@@ -141,12 +193,21 @@ public SDK build() {
  * @return {@type ManagedChannelBuilder<?>} configured with the SDK options
  */
  private ManagedChannelBuilder<?> getManagedChannelBuilder(String endpoint) {
- ManagedChannelBuilder<?> channelBuilder = ManagedChannelBuilder
- .forTarget(endpoint);
+ ManagedChannelBuilder<?> channelBuilder;
+ if (sslFactory != null) {
+ channelBuilder = Grpc.newChannelBuilder(endpoint, TlsChannelCredentials.newBuilder()
+ .trustManager(sslFactory.getTrustManager().get()).build());
+ }else{
+ channelBuilder = ManagedChannelBuilder.forTarget(endpoint);
+ }
 
  if (usePlainText) {
  channelBuilder = channelBuilder.usePlaintext();
  }
  return channelBuilder;
  }
+
+ SSLFactory getSslFactory(){
+ return this.sslFactory;
+ }
 }