Avoid TrustManagerFacotry.init(ManagerFactoryParameters var1) if no OSCP has been configured (#1157) (#1168)

gjmwoods · web-flow · commit a4fb9462df04 · 2022-03-25T13:15:33.000Z
diff --git a/driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java b/driver/src/main/java/org/neo4j/driver/internal/security/SecurityPlanImpl.java
@@ -21,7 +21,9 @@
 import java.io.File;
 import java.io.IOException;
 import java.security.GeneralSecurityException;
+import java.security.InvalidAlgorithmParameterException;
 import java.security.KeyStore;
+import java.security.KeyStoreException;
 import java.security.Security;
 import java.security.cert.CertificateException;
 import java.security.cert.PKIXBuilderParameters;
@@ -86,14 +88,37 @@ private static SSLContext configureSSLContext( List<File> customCertFiles, Revoc
             loadSystemCertificates( trustedKeyStore );
         }
 
-        // Configure certificate revocation checking (X509CertSelector() selects all certificates)
-        PKIXBuilderParameters pkixBuilderParameters = new PKIXBuilderParameters( trustedKeyStore, new X509CertSelector() );
+        PKIXBuilderParameters pkixBuilderParameters = configurePKIXBuilderParameters( trustedKeyStore, revocationStrategy );
 
-        // sets checking of stapled ocsp response
-        pkixBuilderParameters.setRevocationEnabled( requiresRevocationChecking( revocationStrategy ) );
+        SSLContext sslContext = SSLContext.getInstance( "TLS" );
+        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
+
+        if ( pkixBuilderParameters == null )
+        {
+            trustManagerFactory.init( trustedKeyStore );
+        }
+        else
+        {
+            trustManagerFactory.init( new CertPathTrustManagerParameters( pkixBuilderParameters ) );
+        }
+
+        sslContext.init( new KeyManager[0], trustManagerFactory.getTrustManagers(), null );
+
+        return sslContext;
+    }
+
+    private static PKIXBuilderParameters configurePKIXBuilderParameters( KeyStore trustedKeyStore, RevocationStrategy revocationStrategy ) throws InvalidAlgorithmParameterException, KeyStoreException
+    {
+        PKIXBuilderParameters pkixBuilderParameters = null;
 
         if ( requiresRevocationChecking( revocationStrategy ) )
         {
+            // Configure certificate revocation checking (X509CertSelector() selects all certificates)
+            pkixBuilderParameters = new PKIXBuilderParameters( trustedKeyStore, new X509CertSelector() );
+
+            // sets checking of stapled ocsp response
+            pkixBuilderParameters.setRevocationEnabled( true );
+
             // enables status_request extension in client hello
             System.setProperty( "jdk.tls.client.enableStatusRequestExtension", "true" );
 
@@ -103,14 +128,7 @@ private static SSLContext configureSSLContext( List<File> customCertFiles, Revoc
                 Security.setProperty( "ocsp.enable", "true" );
             }
         }
-
-        SSLContext sslContext = SSLContext.getInstance( "TLS" );
-
-        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( TrustManagerFactory.getDefaultAlgorithm() );
-        trustManagerFactory.init( new CertPathTrustManagerParameters( pkixBuilderParameters ) );
-        sslContext.init( new KeyManager[0], trustManagerFactory.getTrustManagers(), null );
-
-        return sslContext;
+        return pkixBuilderParameters;
     }
 
     private static void loadSystemCertificates( KeyStore trustedKeyStore ) throws GeneralSecurityException, IOException
