Merge pull request #218 from pontusmelke/1.0-cleanup-tls-opts

Deprecate TRUST_SIGNED_CERTIFICATES

Author: pontusmelke

driver/src/main/java/org/neo4j/driver/internal/connector/socket/SSLContextFactory.java

@@ -27,8 +27,8 @@
 import javax.net.ssl.TrustManagerFactory;
 
 import org.neo4j.driver.v1.Config;
-import org.neo4j.driver.v1.exceptions.ClientException;
 import org.neo4j.driver.v1.Logger;
+import org.neo4j.driver.v1.exceptions.ClientException;
 
 import static org.neo4j.driver.internal.util.CertificateTool.loadX509Cert;
 
@@ -55,6 +55,10 @@ public SSLContext create()
 
         switch ( authConfig.strategy() ) {
         case TRUST_SIGNED_CERTIFICATES:
+            logger.warn( "Option `TRUST_SIGNED_CERTIFICATE` has been deprecated and will be removed in a future version " +
+                         "of the driver. Please switch to use `TRUST_CUSTOM_CA_SIGNED_CERTIFICATES` instead." );
+            //intentional fallthrough
+        case TRUST_CUSTOM_CA_SIGNED_CERTIFICATES:
             // A certificate file is specified so we will load the certificates in the file
             // Init a in memory TrustedKeyStore
             KeyStore trustedKeyStore = KeyStore.getInstance( "JKS" );
@@ -67,7 +71,13 @@ public SSLContext create()
             TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance( "SunX509" );
             trustManagerFactory.init( trustedKeyStore );
             trustManagers = trustManagerFactory.getTrustManagers();
+
             break;
+
+        //just rely on system defaults
+        case TRUST_SYSTEM_CA_SIGNED_CERTIFICATES:
+            return SSLContext.getDefault();
+
         case TRUST_ON_FIRST_USE:
             trustManagers = new TrustManager[]{new TrustOnFirstUseTrustManager( host, port, authConfig.certFile(), logger )};
             break;

driver/src/main/java/org/neo4j/driver/v1/Config.java

@@ -25,7 +25,7 @@
 import org.neo4j.driver.v1.util.Immutable;
 
 import static java.lang.System.getProperty;
-import static org.neo4j.driver.v1.Config.TrustStrategy.*;
+import static org.neo4j.driver.v1.Config.TrustStrategy.trustOnFirstUse;
 
 /**
  * A configuration class to config driver properties.
@@ -243,7 +243,7 @@ public ConfigBuilder withEncryptionLevel( EncryptionLevel level )
         /**
          * Specify how to determine the authenticity of an encryption certificate provided by the Neo4j instance we are connecting to.
          * This defaults to {@link TrustStrategy#trustOnFirstUse(File)}.
-         * See {@link TrustStrategy#trustSignedBy(File)} for using certificate signatures instead to verify
+         * See {@link TrustStrategy#trustCustomCertificateSignedBy(File)} for using certificate signatures instead to verify
          * trust.
          * <p>
          * This is an important setting to understand, because unless we know that the remote server we have an encrypted connection to
@@ -290,12 +290,20 @@ public static class TrustStrategy
         public enum Strategy
         {
             TRUST_ON_FIRST_USE,
-            TRUST_SIGNED_CERTIFICATES
+            @Deprecated
+            TRUST_SIGNED_CERTIFICATES,
+            TRUST_CUSTOM_CA_SIGNED_CERTIFICATES,
+            TRUST_SYSTEM_CA_SIGNED_CERTIFICATES
         }
 
         private final Strategy strategy;
         private final File certFile;
 
+        private TrustStrategy( Strategy strategy )
+        {
+            this( strategy, null );
+        }
+
         private TrustStrategy( Strategy strategy, File certFile )
         {
             this.strategy = strategy;
@@ -316,6 +324,15 @@ public File certFile()
             return certFile;
         }
 
+        /**
+         * Use {@link #trustCustomCertificateSignedBy(File)} instead.
+         */
+        @Deprecated
+        public static TrustStrategy trustSignedBy( File certFile )
+        {
+            return new TrustStrategy( Strategy.TRUST_SIGNED_CERTIFICATES, certFile );
+        }
+
         /**
          * Only encrypted connections to Neo4j instances with certificates signed by a trusted certificate will be accepted.
          * The file specified should contain one or more trusted X.509 certificates.
@@ -326,9 +343,14 @@ public File certFile()
          * @param certFile the trusted certificate file
          * @return an authentication config
          */
-        public static TrustStrategy trustSignedBy( File certFile )
+        public static TrustStrategy trustCustomCertificateSignedBy( File certFile )
         {
-            return new TrustStrategy( Strategy.TRUST_SIGNED_CERTIFICATES, certFile );
+            return new TrustStrategy( Strategy.TRUST_CUSTOM_CA_SIGNED_CERTIFICATES, certFile );
+        }
+
+        public static TrustStrategy trustSystemCertifcates()
+        {
+            return new TrustStrategy( Strategy.TRUST_SYSTEM_CA_SIGNED_CERTIFICATES );
         }
 
         /**
@@ -339,7 +361,7 @@ public static TrustStrategy trustSignedBy( File certFile )
          * Each time we reconnect to a known host, we verify that its certificate remains the same, guarding against attackers intercepting our communication.
          * <p>
          * Note that this approach is vulnerable to man-in-the-middle attacks the very first time you connect to a new Neo4j instance.
-         * If you do not trust the network you are connecting over, consider using {@link #trustSignedBy(File) signed certificates} instead, or manually adding the
+         * If you do not trust the network you are connecting over, consider using {@link #trustCustomCertificateSignedBy(File)}  signed certificates} instead, or manually adding the
          * trusted host line into the specified file.
          *
          * @param knownHostsFile a file where known certificates are stored.

driver/src/test/java/org/neo4j/driver/internal/ConfigTest.java

@@ -69,13 +69,13 @@ public void shouldChangeToTrustedCert()
     {
         // Given
         File trustedCert = new File( "trusted_cert" );
-        Config config = Config.build().withTrustStrategy( Config.TrustStrategy.trustSignedBy( trustedCert ) ).toConfig();
+        Config config = Config.build().withTrustStrategy( Config.TrustStrategy.trustCustomCertificateSignedBy( trustedCert ) ).toConfig();
 
         // When
         Config.TrustStrategy authConfig = config.trustStrategy();
 
         // Then
-        assertEquals( authConfig.strategy(), Config.TrustStrategy.Strategy.TRUST_SIGNED_CERTIFICATES );
+        assertEquals( authConfig.strategy(), Config.TrustStrategy.Strategy.TRUST_CUSTOM_CA_SIGNED_CERTIFICATES );
         assertEquals( trustedCert.getAbsolutePath(), authConfig.certFile().getAbsolutePath() );
     }
 
@@ -86,7 +86,7 @@ public void shouldConfigureMinIdleTime() throws Throwable
         Config config = Config.build().withSessionLivenessCheckTimeout( 1337 ).toConfig();
 
         // then
-        assertThat( config.idleTimeBeforeConnectionTest(), equalTo( 1337l ) );
+        assertThat( config.idleTimeBeforeConnectionTest(), equalTo( 1337L ) );
     }
 
     public static void deleteDefaultKnownCertFileIfExists()