Factory beans for easier handling of simple trust scenarios.
Description
Environment
None
Activity
Scott Cantor October 26, 2016 at 7:15 PM
r8549
PKIX factory bean that supports anchors, CRLs, and a verify depth setting. The rest is just defaulted with dynamic name extraction turned on, which fits the code path of the HTTP client, so it defaults to verifying against the hostname.
Tested with both end entity and a CA cert as the trust anchor.
Scott Cantor October 24, 2016 at 7:59 PM
r8530
First case handled, a bean for ExplicitKeyTrustEngine on top of a StaticCredentialResolver on top of any number of key and certificate resources.
I might need to do an additional layer of indirection on this for HttpClientSecurityParameters but even without that it's a big improvement.
Fixed
Details
Created October 24, 2016 at 7:56 PM
Updated November 11, 2016 at 12:29 AM
Resolved October 26, 2016 at 7:15 PM
With increased use of the new HttpClient machinery for managing TLS trust rules, we need some factory beans to ease the wiring of trust engines that handle the simple 90/10 cases of explicit roots or keys. We have some of these for the custom parsers now, but nothing that handles native Spring.