From 46ffc02ce2abd2df073063eb37bb7305b4744795 Mon Sep 17 00:00:00 2001
From: Tristan Tarrant
Date: Mon, 29 Aug 2022 11:14:18 +0200
Subject: [PATCH] ISPN-14103 Use supplied security provider to load keystore and init key/trust managers

---
 .../transport/netty/ChannelInitializer.java | 2 +
 .../commons/util/SslContextFactory.java | 43 ++++++++++++++++---
 2 files changed, 40 insertions(+), 5 deletions(-)

diff --git a/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/ChannelInitializer.java b/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/ChannelInitializer.java
index 7c5cb0a5c738..28d60b414045 100644
--- a/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/ChannelInitializer.java
+++ b/client/hotrod-client/src/main/java/org/infinispan/client/hotrod/impl/transport/netty/ChannelInitializer.java
@@ -140,6 +140,7 @@ private void initSsl(Channel channel) {
 .keyAlias(ssl.keyAlias())
 .keyStoreCertificatePassword(ssl.keyStoreCertificatePassword())
 .classLoader(configuration.classLoader())
+ .provider(ssl.provider())
 .getKeyManagerFactory());
 }
 if (ssl.trustStoreFileName() != null) {
@@ -151,6 +152,7 @@ private void initSsl(Channel channel) {
 .trustStoreType(ssl.trustStoreType())
 .trustStorePassword(ssl.trustStorePassword())
 .classLoader(configuration.classLoader())
+ .provider(ssl.provider())
 .getTrustManagerFactory());
 }
 }
diff --git a/commons/all/src/main/java/org/infinispan/commons/util/SslContextFactory.java b/commons/all/src/main/java/org/infinispan/commons/util/SslContextFactory.java
index 0ca8156f9a95..2bcca08e0638 100644
--- a/commons/all/src/main/java/org/infinispan/commons/util/SslContextFactory.java
+++ b/commons/all/src/main/java/org/infinispan/commons/util/SslContextFactory.java
@@ -8,6 +8,8 @@ import java.io.InputStream;
 import java.security.GeneralSecurityException;
 import java.security.KeyStore;
+import java.security.Provider;
+import java.security.Security;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
@@ -16,6 +18,7 @@ import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import org.wildfly.common.Assert;
 import org.wildfly.openssl.OpenSSLProvider;
 import org.wildfly.openssl.SSL;
@@ -57,6 +60,7 @@ public class SslContextFactory {
 private String sslProtocol = DEFAULT_SSL_PROTOCOL;
 private boolean useNativeIfAvailable = true;
 private ClassLoader classLoader;
+ private String provider;
 public SslContextFactory() {
 }
@@ -112,6 +116,13 @@ public SslContextFactory sslProtocol(String sslProtocol) {
 return this;
 }
+ public SslContextFactory provider(String provider) {
+ if (provider != null) {
+ this.provider = provider;
+ }
+ return this;
+ }
+
 public SslContextFactory useNativeIfAvailable(boolean useNativeIfAvailable) {
 this.useNativeIfAvailable = useNativeIfAvailable;
 return this;
@@ -148,7 +159,9 @@ public SSLContext getContext() {
 }
 public KeyManagerFactory getKeyManagerFactory() throws IOException, GeneralSecurityException {
- KeyStore ks = KeyStore.getInstance(keyStoreType != null ? keyStoreType : DEFAULT_KEYSTORE_TYPE);
+ String type = keyStoreType != null ? keyStoreType : DEFAULT_KEYSTORE_TYPE;
+ Provider provider = findProvider(this.provider, KeyManagerFactory.class.getSimpleName(), type);
+ KeyStore ks = provider != null ? KeyStore.getInstance(type, provider) : KeyStore.getInstance(type);
 loadKeyStore(ks, keyStoreFileName, keyStorePassword, classLoader);
 char[] keyPassword = keyStoreCertificatePassword == null ? keyStorePassword : keyStoreCertificatePassword;
 if (keyAlias != null) {
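Review bot: The new public `provider(String)` setter in the `@@ -112,6 +116,13 @@` hunk has no Javadoc, and its null handling is easy to misread: passing `null` keeps whatever name was set before instead of clearing the selection back to "first installed provider that offers the service". Since the string is later matched against `Provider.getName()` in `findProvider`, callers also need to know it is a provider name, not a class name. Suggested Javadoc: `/** Selects, by {@link java.security.Provider#getName() name}, the installed security provider used to load the key/trust store and to create the key/trust manager factories. A {@code null} argument is ignored and leaves the current selection unchanged. */`.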
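Review bot: In the `@@ -148,7 +159,9 @@` hunk the keystore lookup asks `findProvider` for service type `KeyManagerFactory.class.getSimpleName()` with the keystore type as the algorithm, i.e. it queries for a `KeyManagerFactory` service named e.g. `pkcs12`; the JDK providers do not register such a service, so `provider` comes back null and the keystore is loaded through the provider-less `KeyStore.getInstance(type)`, silently bypassing the configured provider for exactly the step the commit title says it should cover. The trust-store path in the later hunk correctly uses `KeyStore.class.getSimpleName()`, so this line should read `Provider provider = findProvider(this.provider, KeyStore.class.getSimpleName(), type);`. Because the fallback is silent, a misconfigured or unavailable provider (FIPS or PKCS#11 deployments are the usual case) degrades to the default JDK provider with no log or error; consider failing rather than falling back when `this.provider` was explicitly set. `getKeyManagerFactory` continues past the end of this hunk.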
@@ -156,22 +169,28 @@ public KeyManagerFactory getKeyManagerFactory() throws IOException, GeneralSecur
 KeyStore.PasswordProtection passParam = new KeyStore.PasswordProtection(keyPassword);
 KeyStore.Entry entry = ks.getEntry(keyAlias, passParam);
 // Recreate the keystore with just one key
- ks = KeyStore.getInstance(keyStoreType != null ? keyStoreType : DEFAULT_KEYSTORE_TYPE);
+ ks = provider != null ? KeyStore.getInstance(type, provider) : KeyStore.getInstance(type);
 ks.load(null);
 ks.setEntry(keyAlias, entry, passParam);
 } else {
 throw SECURITY.noSuchAliasInKeyStore(keyAlias, keyStoreFileName);
 }
 }
- KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ String algorithm = KeyManagerFactory.getDefaultAlgorithm();
+ provider = findProvider(this.provider, KeyManagerFactory.class.getSimpleName(), algorithm);
+ KeyManagerFactory kmf = provider != null ? KeyManagerFactory.getInstance(algorithm, provider) : KeyManagerFactory.getInstance(algorithm);
 kmf.init(ks, keyPassword);
 return kmf;
 }
 public TrustManagerFactory getTrustManagerFactory() throws IOException, GeneralSecurityException {
- KeyStore ks = KeyStore.getInstance(trustStoreType != null ? trustStoreType : DEFAULT_KEYSTORE_TYPE);
+ String type = trustStoreType != null ? trustStoreType : DEFAULT_KEYSTORE_TYPE;
+ Provider provider = findProvider(this.provider, KeyStore.class.getSimpleName(), trustStoreType);
+ KeyStore ks = provider != null ? KeyStore.getInstance(type, provider) : KeyStore.getInstance(type);
 loadKeyStore(ks, trustStoreFileName, trustStorePassword, classLoader);
- TrustManagerFactory tmf = TrustManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
+ String algorithm = KeyManagerFactory.getDefaultAlgorithm();
+ provider = findProvider(this.provider, TrustManagerFactory.class.getSimpleName(), algorithm);
+ TrustManagerFactory tmf = provider != null ?
TrustManagerFactory.getInstance(algorithm, provider) : TrustManagerFactory.getInstance(algorithm);
 tmf.init(ks);
 return tmf;
 }
@@ -204,4 +223,18 @@ private static void loadKeyStore(KeyStore ks, String keyStoreFileName, char[] ke
 Util.close(is);
 }
 }
+
+ public static Provider findProvider(String providerName, String serviceType, String algorithm) {
+ Provider[] providers = Security.getProviders();
+ for (int i = 0; i < providers.length; i++) {
+ Provider provider = Assert.checkNotNullArrayParam("providers", i, providers[i]);
+ if (providerName == null || providerName.equals(provider.getName())) {
+ Provider.Service providerService = provider.getService(serviceType, algorithm);
+ if (providerService != null) {
+ return provider;
+ }
+ }
+ }
+ return null;
+ }
 }
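Review bot: In the `getTrustManagerFactory` part of the `@@ -156,22 +169,28 @@` hunk, `findProvider` is passed `trustStoreType` instead of the `type` computed on the line just above, so when no trust-store type is configured the algorithm argument is `null`; `Provider.getService` does not accept a null algorithm (the JDK implementations I am aware of upper-case it and throw a `NullPointerException`), and even where it did not throw it could never match the default type. The line should be `Provider provider = findProvider(this.provider, KeyStore.class.getSimpleName(), type);`. Two lines further down the trust-manager lookup reuses `KeyManagerFactory.getDefaultAlgorithm()` for a `TrustManagerFactory` service; that was pre-existing, but now that it drives provider selection a provider that registers only the standard `PKIX` trust-manager algorithm would be skipped and the default provider used silently, so `String algorithm = TrustManagerFactory.getDefaultAlgorithm();` is the safer value. The same silent fallback exists in the key-manager branch of this hunk whenever the named provider lacks a `KeyManagerFactory` service.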
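Review bot: `findProvider` in the `@@ -204,4 +223,18 @@` hunk returns `null` both when the named provider is not installed at all and when it merely lacks the requested service, and every caller in this patch then falls back to the provider-less `getInstance`; a typo in the configured provider name, or a provider jar missing from the classpath, therefore silently selects the default JDK provider instead of failing, which is the wrong default for a security setting. Add `if (providerName != null && Security.getProvider(providerName) == null) throw new NoSuchProviderException(providerName);` at the top of the method (with `throws NoSuchProviderException`, which both callers already cover through `GeneralSecurityException`, plus the matching `java.security` import), and state in Javadoc that a provider which exists but lacks the service still yields `null` so callers fall back. `Assert.checkNotNullArrayParam` pulls `org.wildfly.common.Assert` into this commons class for no benefit, since `Security.getProviders()` should never contain null entries; a plain `for (Provider provider : Security.getProviders())` reads better and drops the new import. The method is public and static, so it also deserves a Javadoc describing the null-name wildcard behaviour (first installed provider offering the service).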