
Accept keystore password also for truststore. #2248

@aioobe

Description


What happened?

keytool (and the JDK in general) is moving away from the proprietary JKS format to the more widely used, standardized PKCS12 format (JEP 229). The default format for keytool, for example, is PKCS12 instead of JKS as of JDK 9.

One difference between these two formats is that PKCS12 requires password protection also for public certificates. (At least to the extent of my knowledge. I've managed to create a PKCS12 keystore programmatically with an empty password, but not without a password.)

In a JKS keystore you may have noticed that keytool -list can show public certificates even if you just hit enter at the password prompt. For PKCS12 keystores this is not the case.

In our SslSocketFactories class we've hardcoded the choice to use no password at all when loading the truststore:

keyStore = KeyStores.loadKeyStore(trustStoreType.name(), trustStorePath, Optional.empty());

What did you want to happen?

I would suggest we extend the SslConfiguration class which now accepts...

  • trustStorePath
  • keyStorePath
  • keyStorePassword

...to also include

  • trustStorePassword

and make use of this value when loading truststore certificates in the line linked above.
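An added example (not the project's code) of the loading helper the proposal above calls for, with the truststore password passed through as an Optional; the class name TrustStoreLoading and the method loadTrustStore are hypothetical, and the truststore file is assumed to already exist on disk:

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.Optional;

// Added example; TrustStoreLoading and loadTrustStore are hypothetical names, not project code.
public final class TrustStoreLoading {

    /** Loads a truststore, handing KeyStore.load a password only when one is configured. */
    public static KeyStore loadTrustStore(String storeType, Path path, Optional<String> password)
            throws Exception {
        KeyStore keyStore = KeyStore.getInstance(storeType);
        // JKS: a null password skips the integrity check, but the certificate entries still load.
        // PKCS12: the certificate bags are themselves protected by the password, so a missing
        // password either fails the load or (on JDKs that skip encrypted bags) yields an empty store.
        char[] chars = password.map(String::toCharArray).orElse(null);
        try (InputStream in = Files.newInputStream(path)) {
            keyStore.load(in, chars);
        } finally {
            if (chars != null) {
                Arrays.fill(chars, '\0'); // do not leave the password lying around in memory
            }
        }
        // A truststore with no entries would silently reject every peer; fail loudly instead.
        if (keyStore.size() == 0) {
            throw new KeyStoreException(
                    "Truststore " + path + " loaded no entries (wrong or missing password?)");
        }
        return keyStore;
    }

    // Usage: java TrustStoreLoading <storeType> <path> [password]
    public static void main(String[] args) throws Exception {
        Optional<String> password = args.length > 2 ? Optional.of(args[2]) : Optional.empty();
        KeyStore keyStore = loadTrustStore(args[0], Path.of(args[1]), password);
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            System.out.println(alias + " certificate entry: " + keyStore.isCertificateEntry(alias));
        }
    }
}
```

Running it against the same certificate imported into a JKS and a PKCS12 store, with and without the password argument, shows the difference the issue describes: the JKS store lists its certificates either way, while the PKCS12 store only does so when the password is supplied.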
