feat(sdk): add ssl context (#58)

- Issue #57 - Add kickstart SSLFactory to allow the configuration of a
custom truststore for communications.

Author: ttschampel

README.md

@@ -4,3 +4,9 @@ OpenTDF Java SDK
 
 ### Logging
 We use [slf4j](https://www.slf4j.org/), without providing a backend. We use log4j2 in our tests.
+
+### SSL - Untrusted Certificates
+Use the SDKBuilder.withSSL... methods to build an SDKBuilder with:
+- An SSLFactory: ```sdkBuilder.sslFactory(mySSLFactory)```
+- Directory containing trusted certificates: ```sdkBuilder.sslFactoryFromDirectory(myDirectoryWithCerts)```
+- Java Keystore: ```sdkBuilder.sslFactoryFromKeyStore(keystorepath, keystorePassword)```

pom.xml

@@ -17,6 +17,7 @@
         <log4j.version>2.20.0</log4j.version>
         <grpc.version>1.63.0</grpc.version>
         <protobuf.version>3.25.3</protobuf.version>
+        <sslcontext.version>8.3.5</sslcontext.version>
     </properties>
     <modules>
         <module>protocol</module>
@@ -69,6 +70,45 @@
                 <version>3.4</version>
                 <scope>provided</scope>
             </dependency>
+            <dependency>
+                <groupId>io.github.hakky54</groupId>
+                <artifactId>sslcontext-kickstart-for-pem</artifactId>
+                <version>${sslcontext.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.slf4j</groupId>
+                        <artifactId>slf4j-api</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>
+                <groupId>io.github.hakky54</groupId>
+                <artifactId>sslcontext-kickstart</artifactId>
+                <version>${sslcontext.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.slf4j</groupId>
+                        <artifactId>slf4j-api</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>
+                <groupId>io.github.hakky54</groupId>
+                <artifactId>sslcontext-kickstart-for-netty</artifactId>
+                <version>${sslcontext.version}</version>
+                <exclusions>
+                    <exclusion>
+                        <groupId>org.slf4j</groupId>
+                        <artifactId>slf4j-api</artifactId>
+                    </exclusion>
+                </exclusions>
+            </dependency>
+            <dependency>
+                <groupId>io.grpc</groupId>
+                <artifactId>grpc-netty-shaded</artifactId>
+                <version>${grpc.version}</version>
+                <scope>runtime</scope>
+            </dependency>
         </dependencies>
     </dependencyManagement>
 

sdk/pom.xml

@@ -4,18 +4,6 @@
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
     <name>sdk</name>
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <configuration>
-                    <source>11</source>
-                    <target>11</target>
-                </configuration>
-            </plugin>
-        </plugins>
-    </build>
     <artifactId>sdk</artifactId>
     <parent>
         <artifactId>sdk-pom</artifactId>
@@ -111,5 +99,23 @@
             <version>1.26.1</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.github.hakky54</groupId>
+            <artifactId>sslcontext-kickstart-for-pem</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.github.hakky54</groupId>
+            <artifactId>sslcontext-kickstart</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.github.hakky54</groupId>
+            <artifactId>sslcontext-kickstart-for-netty</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp-tls</artifactId>
+            <version>5.0.0-alpha.14</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>

sdk/src/main/java/io/opentdf/platform/sdk/GRPCAuthInterceptor.java

@@ -22,6 +22,7 @@
 import io.grpc.ForwardingClientCall;
 import io.grpc.Metadata;
 import io.grpc.MethodDescriptor;
+import nl.altindag.ssl.SSLFactory;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -40,7 +41,7 @@ class GRPCAuthInterceptor implements ClientInterceptor {
     private final ClientAuthentication clientAuth;
     private final RSAKey rsaKey;
     private final URI tokenEndpointURI;
-
+    private SSLFactory sslFactory;
     private static final Logger logger = LoggerFactory.getLogger(GRPCAuthInterceptor.class);
 
 
@@ -49,11 +50,13 @@ class GRPCAuthInterceptor implements ClientInterceptor {
      *
      * @param clientAuth the client authentication to be used by the interceptor
      * @param rsaKey     the RSA key to be used by the interceptor
+     * @param sslFactory Optional SSLFactory for Requests
      */
-    public GRPCAuthInterceptor(ClientAuthentication clientAuth, RSAKey rsaKey, URI tokenEndpointURI) {
+    public GRPCAuthInterceptor(ClientAuthentication clientAuth, RSAKey rsaKey, URI tokenEndpointURI, SSLFactory sslFactory) {
         this.clientAuth = clientAuth;
         this.rsaKey = rsaKey;
         this.tokenEndpointURI = tokenEndpointURI;
+        this.sslFactory = sslFactory;
     }
 
     /**
@@ -114,6 +117,9 @@ private synchronized AccessToken getToken() {
                 TokenRequest tokenRequest = new TokenRequest(this.tokenEndpointURI,
                         clientAuth, clientGrant, null);
                 HTTPRequest httpRequest = tokenRequest.toHTTPRequest();
+                if(sslFactory!=null){
+                    httpRequest.setSSLSocketFactory(sslFactory.getSslSocketFactory());
+                }
 
                 DPoPProofFactory dpopFactory = new DefaultDPoPProofFactory(rsaKey, JWSAlgorithm.RS256);
 

sdk/src/main/java/io/opentdf/platform/sdk/SDKBuilder.java

@@ -11,17 +11,23 @@
 import com.nimbusds.oauth2.sdk.id.ClientID;
 import com.nimbusds.oauth2.sdk.id.Issuer;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
-import io.grpc.ManagedChannel;
-import io.grpc.ManagedChannelBuilder;
-import io.grpc.Status;
-import io.grpc.StatusRuntimeException;
+import io.grpc.*;
 import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationRequest;
 import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationResponse;
 import io.opentdf.platform.wellknownconfiguration.WellKnownServiceGrpc;
+import nl.altindag.ssl.SSLFactory;
+import nl.altindag.ssl.pem.util.PemUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import javax.net.ssl.X509ExtendedTrustManager;
+import java.io.File;
+import java.io.FileInputStream;
 import java.io.IOException;
+import java.io.InputStream;
+import java.nio.file.Path;
+import java.util.ArrayList;
+import java.util.List;
 import java.util.UUID;
 
 /**
@@ -32,6 +38,7 @@ public class SDKBuilder {
     private String platformEndpoint = null;
     private ClientAuthentication clientAuth = null;
     private Boolean usePlainText;
+    private SSLFactory sslFactory;
 
     private static final Logger logger = LoggerFactory.getLogger(SDKBuilder.class);
 
@@ -44,6 +51,47 @@ public static SDKBuilder newBuilder() {
         return builder;
     }
 
+    public SDKBuilder sslFactory(SSLFactory sslFactory) {
+        this.sslFactory = sslFactory;
+        return this;
+    }
+
+    /**
+     * Add SSL Context with trusted certs from certDirPath
+     * @param certsDirPath Path to a directory containing .pem or .crt trusted certs
+     * @return
+     */
+    public SDKBuilder sslFactoryFromDirectory(String certsDirPath)  throws Exception{
+        File certsDir = new File(certsDirPath);
+        File[] certFiles =
+                certsDir.listFiles((dir, name) -> name.endsWith(".pem") || name.endsWith(".crt"));
+        logger.info("Loading certificates from: " + certsDir.getAbsolutePath());
+        List<InputStream> certStreams = new ArrayList<>();
+        for (File certFile : certFiles) {
+            certStreams.add(new FileInputStream(certFile));
+        }
+        X509ExtendedTrustManager trustManager =
+                PemUtils.loadTrustMaterial(certStreams.toArray(new InputStream[0]));
+        this.sslFactory =
+                SSLFactory.builder().withDefaultTrustMaterial().withSystemTrustMaterial()
+                        .withTrustMaterial(trustManager).build();
+        return this;
+    }
+
+    /**
+     * Add SSL Context with default system trust material + certs contained in a Java keystore
+     * @param keystorePath Path to keystore
+     * @param keystorePassword Password to keystore
+     * @return
+     */
+    public SDKBuilder sslFactoryFromKeyStore(String keystorePath, String keystorePassword) {
+        this.sslFactory =
+                SSLFactory.builder().withDefaultTrustMaterial().withSystemTrustMaterial()
+                        .withTrustMaterial(Path.of(keystorePath), keystorePassword==null ?
+                                "".toCharArray() : keystorePassword.toCharArray()).build();
+        return this;
+    }
+
     public SDKBuilder platformEndpoint(String platformEndpoint) {
         this.platformEndpoint = platformEndpoint;
         return this;
@@ -104,12 +152,16 @@ private GRPCAuthInterceptor getGrpcAuthInterceptor(RSAKey rsaKey) {
         Issuer issuer = new Issuer(platformIssuer);
         OIDCProviderMetadata providerMetadata;
         try {
-            providerMetadata = OIDCProviderMetadata.resolve(issuer);
+            providerMetadata = OIDCProviderMetadata.resolve(issuer, httpRequest -> {
+                if (sslFactory!=null) {
+                    httpRequest.setSSLSocketFactory(sslFactory.getSslSocketFactory());
+                }
+            });
         } catch (IOException | GeneralException e) {
             throw new SDKException("Error resolving the OIDC provider metadata", e);
         }
 
-        return new GRPCAuthInterceptor(clientAuth, rsaKey, providerMetadata.getTokenEndpointURI());
+        return new GRPCAuthInterceptor(clientAuth, rsaKey, providerMetadata.getTokenEndpointURI(), sslFactory);
     }
 
     SDK.Services buildServices() {
@@ -141,12 +193,21 @@ public SDK build() {
      * @return {@type ManagedChannelBuilder<?>} configured with the SDK options
      */
     private ManagedChannelBuilder<?> getManagedChannelBuilder(String endpoint) {
-        ManagedChannelBuilder<?> channelBuilder = ManagedChannelBuilder
-                .forTarget(endpoint);
+        ManagedChannelBuilder<?> channelBuilder;
+        if (sslFactory != null) {
+            channelBuilder = Grpc.newChannelBuilder(endpoint, TlsChannelCredentials.newBuilder()
+                    .trustManager(sslFactory.getTrustManager().get()).build());
+        }else{
+            channelBuilder = ManagedChannelBuilder.forTarget(endpoint);
+        }
 
         if (usePlainText) {
             channelBuilder = channelBuilder.usePlaintext();
         }
         return channelBuilder;
     }
+
+    SSLFactory getSslFactory(){
+        return this.sslFactory;
+    }
 }