Value is cached, so subsequent access is fast.
*
+ *
This method first attempts to load the JDK default keystore. If that fails or is not
+ * available, it falls back to loading the bundled Google certificate store.
+ *
* @since 1.14
+ * @deprecated Depending on your build environment this method potentially can contain outdated
+ * certs if loading jdk default certs fails. Instead of getting trusted certs directly use an
+ * HttpTransport wrapper such as {@link NetHttpTransport}
+ * which uses java jdk internal classes to load default jdk certs specifically for a build
+ * environment. If you need to access the keystore directly please create your own keystore
+ * file.
*/
+ @Deprecated
public static synchronized KeyStore getCertificateTrustStore()
throws IOException, GeneralSecurityException {
if (certTrustStore == null) {
- certTrustStore = SecurityUtils.getPkcs12KeyStore();
- InputStream keyStoreStream = GoogleUtils.class.getResourceAsStream("google.p12");
- SecurityUtils.loadKeyStore(certTrustStore, keyStoreStream, "notasecret");
+ certTrustStore = getJdkDefaultKeyStore();
+ if (certTrustStore == null) {
+ certTrustStore = getBundledKeystore();
+ }
}
return certTrustStore;
}
diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java b/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java
index 93347cd3e..11c8dbbf3 100644
--- a/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java
+++ b/google-api-client/src/main/java/com/google/api/client/googleapis/apache/v2/GoogleApacheHttpTransport.java
@@ -14,10 +14,8 @@
package com.google.api.client.googleapis.apache.v2;
-import com.google.api.client.googleapis.GoogleUtils;
import com.google.api.client.googleapis.mtls.MtlsProvider;
import com.google.api.client.googleapis.mtls.MtlsUtils;
-import com.google.api.client.googleapis.util.Utils;
import com.google.api.client.http.apache.v2.ApacheHttpTransport;
import com.google.api.client.util.Beta;
import com.google.api.client.util.SslUtils;
@@ -47,11 +45,11 @@
public final class GoogleApacheHttpTransport {
/**
- * Returns a new instance of {@link ApacheHttpTransport} that uses {@link
- * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. If
- * `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to "true", and the default
- * client certificate key store from {@link Utils#loadDefaultMtlsKeyStore()} is not null, then the
- * transport uses the default client certificate and is mutual TLS.
+ * Returns a new instance of {@link ApacheHttpTransport} that uses default jdk certificates for
+ * the trusted certificates. If `GOOGLE_API_USE_CLIENT_CERTIFICATE` environment variable is set to
+ * "true", and the default client certificate key store from {@link
+ * Utils#loadDefaultMtlsKeyStore()} is not null, then the transport uses the default client
+ * certificate and is mutual TLS.
*/
public static ApacheHttpTransport newTrustedTransport()
throws GeneralSecurityException, IOException {
@@ -60,9 +58,8 @@ public static ApacheHttpTransport newTrustedTransport()
/**
* {@link Beta}
- * Returns a new instance of {@link ApacheHttpTransport} that uses {@link
- * GoogleUtils#getCertificateTrustStore()} for the trusted certificates. mtlsProvider can be used
- * to configure mutual TLS for the transport.
+ * Returns a new instance of {@link ApacheHttpTransport} that default jdk certs for the trusted
+ * certificates. mtlsProvider can be used to configure mutual TLS for the transport.
*
* @param mtlsProvider MtlsProvider to configure mutual TLS for the transport
*/
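Review bot: The new summary line `+ * Returns a new instance of {@link ApacheHttpTransport} that default jdk certs for the trusted` has lost its verb; suggest `* Returns a new instance of {@link ApacheHttpTransport} that uses the default JDK certificates for the` followed by `* trusted certificates. mtlsProvider can be used to configure mutual TLS for the transport.`. The removed text linked to the exact trust-store source, whereas "default jdk certs" does not say which store is meant; naming it (the JDK's `cacerts`, or the store named by `javax.net.ssl.trustStore`) tells callers what they now have to keep current for server-certificate validation. The same wording is worth applying to the overload documented in the previous hunk.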
@@ -105,22 +102,20 @@ public SocketFactoryRegistryHandler(MtlsProvider mtlsProvider)
mtlsKeyStorePassword = mtlsProvider.getKeyStorePassword();
}
- // Use the included trust store
- KeyStore trustStore = GoogleUtils.getCertificateTrustStore();
SSLContext sslContext = SslUtils.getTlsSslContext();
if (mtlsKeyStore != null && mtlsKeyStorePassword != null) {
this.isMtls = true;
SslUtils.initSslContext(
sslContext,
- trustStore,
+ null,
SslUtils.getPkixTrustManagerFactory(),
mtlsKeyStore,
mtlsKeyStorePassword,
SslUtils.getDefaultKeyManagerFactory());
} else {
this.isMtls = false;
- SslUtils.initSslContext(sslContext, trustStore, SslUtils.getPkixTrustManagerFactory());
+ SslUtils.initSslContext(sslContext, null, SslUtils.getPkixTrustManagerFactory());
}
LayeredConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContext);
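Review bot: The `null` passed as the trust store at both `SslUtils.initSslContext(` calls replaces the removed `// Use the included trust store` comment with nothing, so a reader cannot tell whether trust verification is now disabled or merely delegated. If initSslContext forwards the argument to `TrustManagerFactory.init((KeyStore) null)` — the deprecation note on getCertificateTrustStore earlier in this commit suggests that is the intent — the PKIX factory falls back to the JDK default trust store, and that should be stated at the call site: `// null trust store: the PKIX TrustManagerFactory falls back to the JDK default (cacerts / javax.net.ssl.trustStore)`. This also changes which roots the transport trusts — the bundled google.p12 roots are no longer pinned and trust now depends on the runtime's default store being current — which belongs in the newTrustedTransport Javadoc rather than only in GoogleUtils. The enclosing constructor SocketFactoryRegistryHandler starts and ends outside the hunk.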
diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
index 590a422e2..1d8c70a51 100644
--- a/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
+++ b/google-api-client/src/main/java/com/google/api/client/googleapis/auth/oauth2/GoogleCredential.java
@@ -197,42 +197,64 @@ public static GoogleCredential getApplicationDefault(
/**
* {@link Beta}
- * Return a credential defined by a Json file.
*
- *
Important: If you accept a credential configuration (credential JSON/File/Stream) from an
- * external source for authentication to Google Cloud Platform, you must validate it before
- * providing it to any Google API or library. Providing an unvalidated credential configuration to
- * Google APIs can compromise the security of your systems and data. For more information, refer
- * to {@link documentation}.
+ *
Important: This method does not validate the credential configuration. A security risk holds
+ * when a credential configuration is accepted from a source that is not under your control and
+ * used without validation on your side.
+ *
+ *
If you are loading your credential configuration from an untrusted source and have not
+ * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon
+ * as possible to prevent security risks to your environment.
+ *
+ *
Regardless of the method used, it is always your responsibility to validate configurations
+ * received from external sources.
+ *
+ *
See the {@link documentation}
+ * for more details.
+ *
+ *
Returns a credential defined by a Json file.
*
* @param credentialStream the stream with the credential definition.
* @return the credential defined by the credentialStream.
* @throws IOException if the credential cannot be created from the stream.
+ * @deprecated This method is being deprecated because of a potential security risk.
+ * Please use {@link GoogleCredentials instead.
*/
@Beta
+ @Deprecated
public static GoogleCredential fromStream(InputStream credentialStream) throws IOException {
return fromStream(credentialStream, Utils.getDefaultTransport(), Utils.getDefaultJsonFactory());
}
/**
* {@link Beta}
- * Return a credential defined by a Json file.
*
- *
Important: If you accept a credential configuration (credential JSON/File/Stream) from an
- * external source for authentication to Google Cloud Platform, you must validate it before
- * providing it to any Google API or library. Providing an unvalidated credential configuration to
- * Google APIs can compromise the security of your systems and data. For more information, refer
- * to {@link documentation}.
+ *
Important: This method does not validate the credential configuration. A security risk holds
+ * when a credential configuration is accepted from a source that is not under your control and
+ * used without validation on your side.
+ *
+ *
If you are loading your credential configuration from an untrusted source and have not
+ * mitigated the risks (e.g. by validating the configuration yourself), make these changes as soon
+ * as possible to prevent security risks to your environment.
+ *
+ *
Regardless of the method used, it is always your responsibility to validate configurations
+ * received from external sources.
+ *
+ *
See the {@link documentation}
+ * for more details.
+ *
+ *
Returns a credential defined by a Json file.
*
* @param credentialStream the stream with the credential definition.
- * @param transport the transport for Http calls.
- * @param jsonFactory the factory for Json parsing and formatting.
* @return the credential defined by the credentialStream.
* @throws IOException if the credential cannot be created from the stream.
+ * @deprecated This method is being deprecated because of a potential security risk.
+ * Please use {@link GoogleCredentials instead.
*/
@Beta
+ @Deprecated
public static GoogleCredential fromStream(
InputStream credentialStream, HttpTransport transport, JsonFactory jsonFactory)
throws IOException {
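Review bot: The second fromStream overload keeps its `transport` and `jsonFactory` parameters (the signature at the end of the hunk) while the commit deletes their `@param` tags, leaving a still-public method with incomplete Javadoc; restore `* @param transport the transport for Http calls.` and `* @param jsonFactory the factory for Json parsing and formatting.` ahead of `@return`. Both new `@deprecated` tags end in `{@link GoogleCredentials instead.`, an unterminated inline tag that doclint reports and that will not render as a link; it should read `{@link GoogleCredentials} instead.`, and the same fix applies to `{@link NetHttpTransport instead.` in the GoogleNetHttpTransport hunk. GoogleCredentials does not appear to be imported in this file as far as the hunk shows, so the reference may also need to be fully qualified for the link to resolve, and naming the specific factory method callers should migrate to would make the deprecation actionable. The second fromStream body continues outside the hunk.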
diff --git a/google-api-client/src/main/java/com/google/api/client/googleapis/javanet/GoogleNetHttpTransport.java b/google-api-client/src/main/java/com/google/api/client/googleapis/javanet/GoogleNetHttpTransport.java
index 66907fc72..eb4d00b46 100644
--- a/google-api-client/src/main/java/com/google/api/client/googleapis/javanet/GoogleNetHttpTransport.java
+++ b/google-api-client/src/main/java/com/google/api/client/googleapis/javanet/GoogleNetHttpTransport.java
@@ -29,7 +29,10 @@
*
* @since 1.14
* @author Yaniv Inbar
+ * @deprecated This legacy HttpTransport implementation is no longer being maintained.
+ * Please use {@link NetHttpTransport instead.
*/
+@Deprecated
public class GoogleNetHttpTransport {
/**
diff --git a/google-api-client/src/test/java/com/google/api/client/googleapis/GoogleUtilsTest.java b/google-api-client/src/test/java/com/google/api/client/googleapis/GoogleUtilsTest.java
index ef8aa80b1..9e531ab30 100644
--- a/google-api-client/src/test/java/com/google/api/client/googleapis/GoogleUtilsTest.java
+++ b/google-api-client/src/test/java/com/google/api/client/googleapis/GoogleUtilsTest.java
@@ -14,8 +14,9 @@
package com.google.api.client.googleapis;
+import static org.junit.Assert.assertNotEquals;
+
import java.security.KeyStore;
-import java.util.Enumeration;
import java.util.regex.Matcher;
import junit.framework.TestCase;
@@ -26,16 +27,43 @@
*/
public class GoogleUtilsTest extends TestCase {
- public void testGetCertificateTrustStore() throws Exception {
+ public void testGetCertificateTrustStore_LoadsJdkDefaultFirst() throws Exception {
+ GoogleUtils.certTrustStore = null;
+ KeyStore trustStore = GoogleUtils.getCertificateTrustStore();
+
+ // Load bundled keystore to compare
+ KeyStore bundled = GoogleUtils.getBundledKeystore();
+
+ assertNotEquals(
+ "Certificate truststore should NOT contain the same amount of certificates as the bundled keystore",
+ bundled.size(),
+ trustStore.size());
+ }
+
+ public void testGetCertificateTrustStore_LoadsBundledKeystoreIfJdkDefaultLoadFails()
+ throws Exception {
+ GoogleUtils.certTrustStore = null;
+ String[] originalPaths = GoogleUtils.possibleJdkPaths;
+ GoogleUtils.possibleJdkPaths = new String[0];
+
KeyStore trustStore = GoogleUtils.getCertificateTrustStore();
- Enumeration