in zuul-core/src/main/java/com/netflix/zuul/netty/ssl/BaseSslContextFactory.java [186:226]
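/**
 * Loads the trusted X.509 certificates (i.e. the CAs of the client certificates that peer Zuul
 * instances present) from the configured client-auth truststore.
 *
 * <p>The truststore is consulted only when client authentication is {@code REQUIRE} or
 * {@code OPTIONAL}; otherwise an empty list is returned. The truststore password is taken either
 * from the Base64-encoded inline setting or, failing that, from the configured password file, and
 * is then passed through {@link #getTruststorePassword(byte[])} to obtain the clear-text password.
 * The clear-text password is a secret and is deliberately never logged, not even at debug level.
 *
 * @return the X.509 certificates found in the truststore; never {@code null}, possibly empty
 * @throws IllegalArgumentException if client auth is enabled but neither the inline password nor a
 *     password file is configured
 * @throws CertificateException if a certificate in the truststore cannot be loaded
 * @throws IOException if the password file or the truststore file cannot be read
 * @throws KeyStoreException if the truststore type is unavailable or the store is not initialized
 * @throws NoSuchAlgorithmException if the truststore integrity algorithm is not available
 */
protected List<X509Certificate> getTrustedX509Certificates()
        throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException {
    List<X509Certificate> trustedCerts = new ArrayList<>();
    ClientAuth clientAuth = serverSslConfig.getClientAuth();
    if (clientAuth != ClientAuth.REQUIRE && clientAuth != ClientAuth.OPTIONAL) {
        // Client authentication is off: there are no peer CAs to trust.
        return trustedCerts;
    }

    // Resolve the encrypted truststore password bytes; the inline (Base64) value takes precedence
    // over the password file.
    byte[] trustStorePwdBytes;
    if (serverSslConfig.getClientAuthTrustStorePassword() != null) {
        trustStorePwdBytes = Base64.getDecoder().decode(serverSslConfig.getClientAuthTrustStorePassword());
    } else if (serverSslConfig.getClientAuthTrustStorePasswordFile() != null) {
        trustStorePwdBytes = Files.readAllBytes(serverSslConfig.getClientAuthTrustStorePasswordFile().toPath());
    } else {
        throw new IllegalArgumentException(
                "Must specify either ClientAuthTrustStorePassword or ClientAuthTrustStorePasswordFile!");
    }

    // Decrypt the truststore password. Never log the result, even behind a debug toggle: a
    // clear-text credential in logs is a leak regardless of log level.
    String trustStorePassword = getTruststorePassword(trustStorePwdBytes);

    KeyStore trustStore = KeyStore.getInstance("JKS");
    // try-with-resources so the truststore file handle is released once the store is loaded.
    try (FileInputStream trustStoreIn = new FileInputStream(serverSslConfig.getClientAuthTrustStoreFile())) {
        trustStore.load(trustStoreIn, trustStorePassword.toCharArray());
    }

    Enumeration<String> aliases = trustStore.aliases();
    while (aliases.hasMoreElements()) {
        java.security.cert.Certificate cert = trustStore.getCertificate(aliases.nextElement());
        // getCertificate() can return null (entries without a certificate) or a non-X.509
        // certificate; only X.509 entries are usable as trust anchors here, so skip anything else
        // instead of failing with a ClassCastException.
        if (cert instanceof X509Certificate) {
            trustedCerts.add((X509Certificate) cert);
        }
    }
    return trustedCerts;
}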