[MNG-5583] per endpoint support for PKI authentication

[spyhunter99]

This change provides some additional functionality for authenticating to a maven repository that requires HTTP Client Certificate authentication as part of the SSL hand shake.

see also apache/maven-resolver#51
apache/maven#345

[mthmulders]

This field contains a password. We must convert it to char[] later on, so can't we store it as a char[]?

[michael-o]

The upstream model does not allow that. Given that other password fields are strings too, this is acceptable, but not ideal.

[spyhunter99]

i agree with @michael-o otherwise i would have used char[]

[mthmulders]

This field contains a password. We must convert it to char[] later on, so can't we store it as a char[]?

[mthmulders]

Why this additional check on the lower-cased variant?

[spyhunter99]

this was borrowed from tomcat's code base, apparently in certain situational, key aliases are case folded. i've never seen it in the wild either, it's always been case sensitive but i figured there was a reason for this. lmk if you want it stricken from the record

[spyhunter99]

here's the link
https://github.com/apache/tomcat/blob/a6aad15a470f6f69bcc58c53729dc4e787a536ed/java/org/apache/tomcat/util/net/SSLUtilBase.java#L371

[michael-o]

The upstream model does not allow that. Given that other password fields are strings too, this is acceptable, but not ideal.

[spyhunter99]

FYI i'm going to try and add some new unit tests for this to have a more reproducible setup rather than the hacked up sonatype nexus server i'm testing against

[spyhunter99]

regarding unit tests, whats the difference between the regular http wagon and the light weight version?

[michael-o]

regarding unit tests, whats the difference between the regular http wagon and the light weight version?

Bad naming. HttpWagon uses Apache HttpClient, LightweightClient uses HttpURLConnection.

[spyhunter99]

regarding unit tests, whats the difference between the regular http wagon and the light weight version?

Bad naming. HttpWagon uses Apache HttpClient, LightweightClient uses HttpURLConnection.

perhaps i asked the wrong question. In what context is the lightweight version used vs the httpwagon version? i'm trying to figure out if i need to (or should) add the pki support mechanisms to the lightweight setup

[michael-o]

regarding unit tests, whats the difference between the regular http wagon and the light weight version?

Bad naming. HttpWagon uses Apache HttpClient, LightweightClient uses HttpURLConnection.

perhaps i asked the wrong question. In what context is the lightweight version used vs the httpwagon version? i'm trying to figure out if i need to (or should) add the pki support mechanisms to the lightweight setup

Not in Maven itself. It is a user desicion to swap the HTTP client backend for Wagon. The LightweightWagon has flaws as documented in JIRA.

[spyhunter99]

anything else that needs to changed on this PR?

[mthmulders]

Does Tomcat also have a unit test for this class? If so, I think we might want to borrow that as well.

[spyhunter99]

Doesn't look like it. I'll see if I can whip one up. The purpose of the class is to force a selection for a specific certificate. The default JRE implementation will pick the first key pair that matches the server's criteria as part of the hand shake. If you have more than one that matches the criteria but only a specific one will allow access, you're hosed.

[spyhunter99]

actually i'm glad you brought this up, definitely needs a test case. I shouldn't have copied tomcat's code without reading the details. It's purpose is to select the server certificate to for when a single tomcat server hosts multiple domains all in the same key store. We actually need the opposite, client certificate selection.

[michael-o]

Since this is a massive change, I have to complete the current Wagon release first and then will pick this up in June.