Improve handling of CA certificates (#518)

Instead of bundling Pkl's built-in CA certificates as a class path resource and loading them at runtime, pass them to the native image compiler as the default SSL context's trust store. This results in faster SSL initialization and is more consistent with how default certificates are handled when running on the JVM. Further related improvements: - Remove HttpClientBuilder methods `addDefaultCliCertificates` and `addBuiltInCertificates`. - Remove pkl-certs subproject and the optional dependencies on it. - Move `PklCARoots.pem` to `pkl-cli/src/certs`. - Fix certificate related error messages that were missing an argument. - Prevent PklBugException if initialization of `CliBaseOptions.httpClient` fails. - Add ability to set CA certificates as a byte array - Add CA certificates option to message passing API
2026-04-20 07:21:32 +02:00 · 2024-06-12 17:53:03 -07:00
parent d7a1778199
commit 919de4838c
28 changed files with 240 additions and 275 deletions
--- a/pkl-core/src/main/java/org/pkl/core/http/HttpClient.java
+++ b/pkl-core/src/main/java/org/pkl/core/http/HttpClient.java
@@ -67,49 +67,22 @@ public interface HttpClient extends AutoCloseable {
     *
     * <p>The given file must contain <a href="https://en.wikipedia.org/wiki/X.509">X.509</a>
     * certificates in PEM format.
+     *
+     * <p>If no CA certificates are added via this method nor {@link #addCertificates(byte[])}, the
+     * built-in CA certificates of the Pkl native executable or JVM are used.
     */
-    Builder addCertificates(Path file);
+    Builder addCertificates(Path path);

    /**
-     * Adds a CA certificate file to the client's trust store.
+     * Adds CA certificate bytes to the client's trust store.
     *
-     * <p>The given file must contain <a href="https://en.wikipedia.org/wiki/X.509">X.509</a>
-     * certificates in PEM format.
+     * <p>The given cert must be an <a href="https://en.wikipedia.org/wiki/X.509">X.509</a>
+     * certificate in PEM format.
     *
-     * <p>This method is intended to be used for adding certificate files located on the class path.
-     * To add certificate files located on the file system, use {@link #addCertificates(Path)}.
-     *
-     * @throws HttpClientInitException if the given URI has a scheme other than {@code jar:} or
-     *     {@code file:}
+     * <p>If no CA certificates are added via this method nor {@link #addCertificates(Path)}, the
+     * built-in CA certificates of the Pkl native executable or JVM are used.
     */
-    Builder addCertificates(URI file);
-
-    /**
-     * Adds the CA certificate files in {@code ~/.pkl/cacerts/} to the client's trust store.
-     *
-     * <p>Each file must contain <a href="https://en.wikipedia.org/wiki/X.509">X.509</a>
-     * certificates in PEM format. If {@code ~/.pkl/cacerts/} does not exist or is empty, Pkl's
-     * {@link #addBuiltInCertificates() built-in certificates} are added instead.
-     *
-     * <p>This method implements the default behavior of Pkl CLIs.
-     *
-     * <p>NOTE: This method requires the optional {@code pkl-certs} JAR to be present on the class
-     * path.
-     *
-     * @throws HttpClientInitException if an I/O error occurs while scanning {@code ~/.pkl/cacerts/}
-     *     or the {@code pkl-certs} JAR is not found on the class path
-     */
-    Builder addDefaultCliCertificates();
-
-    /**
-     * Adds Pkl's built-in CA certificates to the client's trust store.
-     *
-     * <p>NOTE: This method requires the optional {@code pkl-certs} JAR to be present on the class
-     * path.
-     *
-     * @throws HttpClientInitException if the {@code pkl-certs} JAR is not found on the class path
-     */
-    Builder addBuiltInCertificates();
+    Builder addCertificates(byte[] certificateBytes);

    /**
     * Sets a test server's listening port.
--- a/pkl-core/src/main/java/org/pkl/core/http/HttpClientBuilder.java
+++ b/pkl-core/src/main/java/org/pkl/core/http/HttpClientBuilder.java
@@ -15,11 +15,9 @@
 */
 package org.pkl.core.http;

-import java.io.IOException;
 import java.net.ProxySelector;
 import java.net.URI;
-import java.net.URISyntaxException;
-import java.nio.file.Files;
+import java.nio.ByteBuffer;
 import java.nio.file.Path;
 import java.time.Duration;
 import java.util.ArrayList;
@@ -27,27 +25,18 @@ import java.util.List;
 import java.util.function.Supplier;
 import org.pkl.core.Release;
 import org.pkl.core.http.HttpClient.Builder;
-import org.pkl.core.util.ErrorMessages;
-import org.pkl.core.util.IoUtils;

 final class HttpClientBuilder implements HttpClient.Builder {
  private String userAgent;
  private Duration connectTimeout = Duration.ofSeconds(60);
  private Duration requestTimeout = Duration.ofSeconds(60);
-  private final Path caCertsDir;
  private final List<Path> certificateFiles = new ArrayList<>();
-  private final List<URI> certificateUris = new ArrayList<>();
+  private final List<ByteBuffer> certificateBytes = new ArrayList<>();
  private int testPort = -1;
  private ProxySelector proxySelector;

  HttpClientBuilder() {
-    this(IoUtils.getPklHomeDir().resolve("cacerts"));
-  }
-
-  // only exists for testing
-  HttpClientBuilder(Path caCertsDir) {
    var release = Release.current();
-    this.caCertsDir = caCertsDir;
    this.userAgent =
        "Pkl/" + release.version() + " (" + release.os() + "; " + release.flavor() + ")";
  }
@@ -70,39 +59,14 @@ final class HttpClientBuilder implements HttpClient.Builder {
  }

  @Override
-  public HttpClient.Builder addCertificates(Path file) {
-    certificateFiles.add(file);
+  public HttpClient.Builder addCertificates(Path path) {
+    certificateFiles.add(path);
    return this;
  }

  @Override
-  public HttpClient.Builder addCertificates(URI url) {
-    var scheme = url.getScheme();
-    if (!"jar".equalsIgnoreCase(scheme) && !"file".equalsIgnoreCase(scheme)) {
-      throw new HttpClientInitException(ErrorMessages.create("expectedJarOrFileUrl", url));
-    }
-    certificateUris.add(url);
-    return this;
-  }
-
-  public HttpClient.Builder addDefaultCliCertificates() {
-    var fileCount = certificateFiles.size();
-    if (Files.isDirectory(caCertsDir)) {
-      try (var files = Files.list(caCertsDir)) {
-        files.filter(Files::isRegularFile).forEach(certificateFiles::add);
-      } catch (IOException e) {
-        throw new HttpClientInitException(e);
-      }
-    }
-    if (certificateFiles.size() == fileCount) {
-      addBuiltInCertificates();
-    }
-    return this;
-  }
-
-  @Override
-  public HttpClient.Builder addBuiltInCertificates() {
-    certificateUris.add(getBuiltInCertificates());
+  public Builder addCertificates(byte[] certificateBytes) {
+    this.certificateBytes.add(ByteBuffer.wrap(certificateBytes));
    return this;
  }

@@ -134,27 +98,14 @@ final class HttpClientBuilder implements HttpClient.Builder {
  }

  private Supplier<HttpClient> doBuild() {
-    // make defensive copies because Supplier may get called after builder was mutated
+    // make defensive copy because Supplier may get called after builder was mutated
    var certificateFiles = List.copyOf(this.certificateFiles);
-    var certificateUris = List.copyOf(this.certificateUris);
    var proxySelector =
        this.proxySelector != null ? this.proxySelector : java.net.ProxySelector.getDefault();
    return () -> {
      var jdkClient =
-          new JdkHttpClient(certificateFiles, certificateUris, connectTimeout, proxySelector);
+          new JdkHttpClient(certificateFiles, certificateBytes, connectTimeout, proxySelector);
      return new RequestRewritingClient(userAgent, requestTimeout, testPort, jdkClient);
    };
  }
-
-  private static URI getBuiltInCertificates() {
-    var resource = HttpClientBuilder.class.getResource("/org/pkl/certs/PklCARoots.pem");
-    if (resource == null) {
-      throw new HttpClientInitException(ErrorMessages.create("cannotFindBuiltInCertificates"));
-    }
-    try {
-      return resource.toURI();
-    } catch (URISyntaxException e) {
-      throw new AssertionError("unreachable");
-    }
-  }
 }
--- a/pkl-core/src/main/java/org/pkl/core/http/JdkHttpClient.java
+++ b/pkl-core/src/main/java/org/pkl/core/http/JdkHttpClient.java
@@ -15,17 +15,18 @@
 */
 package org.pkl.core.http;

+import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.lang.invoke.MethodHandle;
 import java.lang.invoke.MethodHandles;
 import java.lang.invoke.MethodType;
 import java.net.ConnectException;
-import java.net.URI;
 import java.net.http.HttpClient.Redirect;
 import java.net.http.HttpRequest;
 import java.net.http.HttpResponse;
 import java.net.http.HttpResponse.BodyHandler;
+import java.nio.ByteBuffer;
 import java.nio.file.Files;
 import java.nio.file.NoSuchFileException;
 import java.nio.file.Path;
@@ -79,12 +80,12 @@ final class JdkHttpClient implements HttpClient {

  JdkHttpClient(
      List<Path> certificateFiles,
-      List<URI> certificateUris,
+      List<ByteBuffer> certificateBytes,
      Duration connectTimeout,
      java.net.ProxySelector proxySelector) {
    underlying =
        java.net.http.HttpClient.newBuilder()
-            .sslContext(createSslContext(certificateFiles, certificateUris))
+            .sslContext(createSslContext(certificateFiles, certificateBytes))
            .connectTimeout(connectTimeout)
            .proxy(proxySelector)
            .followRedirects(Redirect.NORMAL)
@@ -126,10 +127,10 @@ final class JdkHttpClient implements HttpClient {

  // https://docs.oracle.com/en/java/javase/11/docs/specs/security/standard-names.html#security-algorithm-implementation-requirements
  private static SSLContext createSslContext(
-      List<Path> certificateFiles, List<URI> certificateUris) {
+      List<Path> certificateFiles, List<ByteBuffer> certificateBytes) {
    try {
-      if (certificateFiles.isEmpty() && certificateUris.isEmpty()) {
-        // fall back to JVM defaults (not Pkl built-in certs)
+      if (certificateFiles.isEmpty() && certificateBytes.isEmpty()) {
+        // use Pkl native executable's or JVM's built-in CA certificates
        return SSLContext.getDefault();
      }

@@ -141,7 +142,7 @@ final class JdkHttpClient implements HttpClient {

      var certFactory = CertificateFactory.getInstance("X.509");
      Set<TrustAnchor> trustAnchors =
-          createTrustAnchors(certFactory, certificateFiles, certificateUris);
+          createTrustAnchors(certFactory, certificateFiles, certificateBytes);
      var pkixParameters = new PKIXBuilderParameters(trustAnchors, new X509CertSelector());
      // equivalent of "com.sun.net.ssl.checkRevocation=true"
      pkixParameters.setRevocationEnabled(true);
@@ -161,9 +162,8 @@ final class JdkHttpClient implements HttpClient {
  }

  private static Set<TrustAnchor> createTrustAnchors(
-      CertificateFactory factory, List<Path> certificateFiles, List<URI> certificateUris) {
+      CertificateFactory factory, List<Path> certificateFiles, List<ByteBuffer> certificateBytes) {
    var anchors = new HashSet<TrustAnchor>();
-
    for (var file : certificateFiles) {
      try (var stream = Files.newInputStream(file)) {
        collectTrustAnchors(anchors, factory, stream, file);
@@ -174,16 +174,10 @@ final class JdkHttpClient implements HttpClient {
            ErrorMessages.create("cannotReadCertFile", Exceptions.getRootReason(e)));
      }
    }
-
-    for (var uri : certificateUris) {
-      try (var stream = uri.toURL().openStream()) {
-        collectTrustAnchors(anchors, factory, stream, uri);
-      } catch (IOException e) {
-        throw new HttpClientInitException(
-            ErrorMessages.create("cannotReadCertFile", Exceptions.getRootReason(e)));
-      }
+    for (var byteBuffer : certificateBytes) {
+      var stream = new ByteArrayInputStream(byteBuffer.array());
+      collectTrustAnchors(anchors, factory, stream, "<unavailable>");
    }
-
    return anchors;
  }

--- a/pkl-core/src/main/java/org/pkl/core/service/ExecutorSpiImpl.java
+++ b/pkl-core/src/main/java/org/pkl/core/service/ExecutorSpiImpl.java
@@ -17,7 +17,6 @@ package org.pkl.core.service;

 import static org.pkl.core.module.ProjectDependenciesManager.PKL_PROJECT_FILENAME;

-import java.net.URI;
 import java.nio.file.Path;
 import java.util.Collections;
 import java.util.LinkedHashMap;
@@ -132,35 +131,35 @@ public final class ExecutorSpiImpl implements ExecutorSpi {

  private HttpClient getOrCreateHttpClient(ExecutorSpiOptions options) {
    List<Path> certificateFiles;
-    List<URI> certificateUris;
+    List<byte[]> certificateBytes;
    int testPort;
    try {
      if (options instanceof ExecutorSpiOptions2 options2) {
        certificateFiles = options2.getCertificateFiles();
-        certificateUris = options2.getCertificateUris();
+        certificateBytes = options2.getCertificateBytes();
        testPort = options2.getTestPort();
      } else {
        certificateFiles = List.of();
-        certificateUris = List.of();
+        certificateBytes = List.of();
        testPort = -1;
      }
      // host pkl-executor does not have class ExecutorOptions2 defined.
      // this will happen if the pkl-executor distribution is too old.
    } catch (NoClassDefFoundError e) {
      certificateFiles = List.of();
-      certificateUris = List.of();
+      certificateBytes = List.of();
      testPort = -1;
    }
-    var clientKey = new HttpClientKey(certificateFiles, certificateUris, testPort);
+    var clientKey = new HttpClientKey(certificateFiles, certificateBytes, testPort);
    return httpClients.computeIfAbsent(
        clientKey,
        (key) -> {
          var builder = HttpClient.builder();
-          for (var file : key.certificateFiles) {
-            builder.addCertificates(file);
+          for (var path : key.certificateFiles) {
+            builder.addCertificates(path);
          }
-          for (var uri : key.certificateUris) {
-            builder.addCertificates(uri);
+          for (var bytes : key.certificateBytes) {
+            builder.addCertificates(bytes);
          }
          builder.setTestPort(key.testPort);
          // If the above didn't add any certificates,
@@ -171,13 +170,13 @@ public final class ExecutorSpiImpl implements ExecutorSpi {

  private static final class HttpClientKey {
    final Set<Path> certificateFiles;
-    final Set<URI> certificateUris;
+    final Set<byte[]> certificateBytes;
    final int testPort;

-    HttpClientKey(List<Path> certificateFiles, List<URI> certificateUris, int testPort) {
-      // also serve as defensive copies
+    HttpClientKey(List<Path> certificateFiles, List<byte[]> certificateBytes, int testPort) {
+      // also serves as defensive copy
      this.certificateFiles = Set.copyOf(certificateFiles);
-      this.certificateUris = Set.copyOf(certificateUris);
+      this.certificateBytes = Set.copyOf(certificateBytes);
      this.testPort = testPort;
    }

@@ -191,13 +190,13 @@ public final class ExecutorSpiImpl implements ExecutorSpi {
      }
      HttpClientKey that = (HttpClientKey) obj;
      return certificateFiles.equals(that.certificateFiles)
-          && certificateUris.equals(that.certificateUris)
+          && certificateBytes.equals(that.certificateBytes)
          && testPort == that.testPort;
    }

    @Override
    public int hashCode() {
-      return Objects.hash(certificateFiles, certificateUris, testPort);
+      return Objects.hash(certificateFiles, certificateBytes, testPort);
    }
  }
 }