Make OCSP checks soft-fail

This addresses an issue where network requests may fail if cert revocation checks error, which may occur due to availaibility issues, or due to lack of internet access. This also changes the built-in certs to be loaded from resources, which lets us enable soft-fail when CA certs come from Pkl's built-in certs.
apple · Jun 26, 2024 · 1940627 · 1940627
1 parent 3b78687
commit 1940627
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 45 deletions.
diff --git a/pkl-cli/pkl-cli.gradle.kts b/pkl-cli/pkl-cli.gradle.kts
@@ -1,6 +1,3 @@
-import java.security.KeyStore
-import java.security.cert.CertificateFactory
-
 plugins {
   pklAllProjects
   pklKotlinLibrary
@@ -38,8 +35,6 @@ val stagedLinuxAarch64Executable: Configuration by configurations.creating
 val stagedAlpineLinuxAmd64Executable: Configuration by configurations.creating
 val stagedWindowsAmd64Executable: Configuration by configurations.creating
 
-val certs: SourceSet by sourceSets.creating
-
 dependencies {
   compileOnly(libs.svm)
 
@@ -148,38 +143,11 @@ tasks.check {
   dependsOn(testStartJavaExecutable)
 }
 
-val trustStore = layout.buildDirectory.dir("generateTrustStore/PklCARoots.p12")
-val trustStorePassword = "password" // no sensitive data to protect
-
-// generate a trust store for Pkl's built-in CA certificates
-val generateTrustStore by tasks.registering {
-  inputs.file(certs.resources.singleFile)
-  outputs.file(trustStore)
-  doLast {
-    val certificates = certs.resources.singleFile.inputStream().use { stream ->
-      CertificateFactory.getInstance("X.509").generateCertificates(stream)
-    }
-    KeyStore.getInstance("PKCS12").apply {
-      load(null, trustStorePassword.toCharArray()) // initialize empty trust store
-      for ((index, certificate) in certificates.withIndex()) {
-        setCertificateEntry("cert-$index", certificate)
-      }
-      val trustStoreFile = trustStore.get().asFile
-      trustStoreFile.parentFile.mkdirs()
-      trustStoreFile.outputStream().use { stream ->
-        store(stream, trustStorePassword.toCharArray())
-      }
-    }
-  }
-}
-
 fun Exec.configureExecutable(
   graalVm: BuildInfo.GraalVm,
   outputFile: Provider<RegularFile>,
   extraArgs: List<String> = listOf()
 ) {
-  dependsOn(generateTrustStore)
-
   inputs.files(sourceSets.main.map { it.output })
     .withPropertyName("mainSourceSets")
     .withPathSensitivity(PathSensitivity.RELATIVE)
@@ -210,14 +178,10 @@ fun Exec.configureExecutable(
       // needed for messagepack-java (see https://github.com/msgpack/msgpack-java/issues/600)
       add("--initialize-at-run-time=org.msgpack.core.buffer.DirectBufferAccess")
       add("--no-fallback")
-      add("-Djavax.net.ssl.trustStore=${trustStore.get().asFile}")
-      add("-Djavax.net.ssl.trustStorePassword=$trustStorePassword")
-      add("-Djavax.net.ssl.trustStoreType=PKCS12")
-      // security property "ocsp.enable=true" is set in Main.kt
-      add("-Dcom.sun.net.ssl.checkRevocation=true")
       add("-H:IncludeResources=org/pkl/core/stdlib/.*\\.pkl")
       add("-H:IncludeResources=org/jline/utils/.*")
       add("-H:IncludeResourceBundles=org.pkl.core.errorMessages")
+      add("-H:IncludeResources=org/pkl/commons/cli/PklCARoots.pem")
       add("--macro:truffle")
       add("-H:Class=org.pkl.cli.Main")
       add("-H:Name=${outputFile.get().asFile.name}")

diff --git a/pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliCommand.kt b/pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliCommand.kt
@@ -173,6 +173,11 @@ abstract class CliCommand(protected val cliOptions: CliBaseOptions) {
     val caCertsDir = IoUtils.getPklHomeDir().resolve("cacerts")
     if (Files.isDirectory(caCertsDir)) {
       Files.list(caCertsDir).filter { it.isRegularFile() }.forEach { addCertificates(it) }
+    } else {
+      val defaultCerts =
+        javaClass.classLoader.getResourceAsStream("org/pkl/commons/cli/PklCARoots.pem")
+          ?: throw CliException("Could not find bundled certificates")
+      addCertificates(defaultCerts.readAllBytes())
     }
   }
 

diff --git a/pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliMain.kt b/pkl-commons-cli/src/main/kotlin/org/pkl/commons/cli/CliMain.kt
@@ -16,7 +16,6 @@
 package org.pkl.commons.cli
 
 import java.io.PrintStream
-import java.security.Security
 import kotlin.system.exitProcess
 
 /** Building block for CLIs. Intended to be called from a `main` method. */
@@ -30,9 +29,6 @@ fun cliMain(block: () -> Unit) {
 
   // Force `native-image` to use system proxies (which does not happen with `-D`).
   System.setProperty("java.net.useSystemProxies", "true")
-  // enable OCSP for default SSL context
-  Security.setProperty("ocsp.enable", "true")
-
   try {
     block()
   } catch (e: CliTestException) {

diff --git a/pkl-cli/src/certs/resources/PklCARoots.pem → ...ources/org/pkl/commons/cli/PklCARoots.pem b/pkl-cli/src/certs/resources/PklCARoots.pem → ...ources/org/pkl/commons/cli/PklCARoots.pem
diff --git a/pkl-core/src/main/java/org/pkl/core/http/JdkHttpClient.java b/pkl-core/src/main/java/org/pkl/core/http/JdkHttpClient.java
@@ -37,11 +37,13 @@
 import java.security.cert.CertificateFactory;
 import java.security.cert.PKIXBuilderParameters;
 import java.security.cert.PKIXRevocationChecker;
+import java.security.cert.PKIXRevocationChecker.Option;
 import java.security.cert.TrustAnchor;
 import java.security.cert.X509CertSelector;
 import java.security.cert.X509Certificate;
 import java.time.Duration;
 import java.util.Collection;
+import java.util.EnumSet;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -130,21 +132,19 @@ private static SSLContext createSslContext(
       List<Path> certificateFiles, List<ByteBuffer> certificateBytes) {
     try {
       if (certificateFiles.isEmpty() && certificateBytes.isEmpty()) {
-        // use Pkl native executable's or JVM's built-in CA certificates
+        // use JVM's built-in CA certificates
         return SSLContext.getDefault();
       }
 
       var certPathBuilder = CertPathBuilder.getInstance("PKIX");
       // create a non-legacy revocation checker that is configured via setOptions() instead of
       // security property "ocsp.enabled"
       var revocationChecker = (PKIXRevocationChecker) certPathBuilder.getRevocationChecker();
-      revocationChecker.setOptions(Set.of()); // prefer OCSP, fall back to CRLs
-
       var certFactory = CertificateFactory.getInstance("X.509");
       Set<TrustAnchor> trustAnchors =
           createTrustAnchors(certFactory, certificateFiles, certificateBytes);
+      revocationChecker.setOptions(EnumSet.of(Option.SOFT_FAIL)); // prefer OCSP, fall back to CRLs
       var pkixParameters = new PKIXBuilderParameters(trustAnchors, new X509CertSelector());
-      // equivalent of "com.sun.net.ssl.checkRevocation=true"
       pkixParameters.setRevocationEnabled(true);
       pkixParameters.addCertPathChecker(revocationChecker);