{util-core,finagle-core}: Make it possible to directly construct X509…

…Certificates without an on-disk file

Problem

Right now our entire X509Certificate chain is File-based.  This doesn't work
well in cases where you don't want to have to use a File.

Solution

Add a new way to construct an X509Certificate and TrustManager that are based
on a buffered String, instead of File.  Also rename PemFile to PemByte so that
it assumes being fully-buffered instead of not-yet read.

JIRA Issues: CSL-10763

Differential Revision: https://phabricator.twitter.biz/D641088

CHANGELOG.rst

@@ -24,6 +24,9 @@ New Features
 * finagle-http: Integrate Kerberos authentication filter to finagle http client and server.
   ``PHAB_ID=D634270`` ``PHAB_ID=D621714``
 
+* finagle-core: Provided `c.t.f.ssl.TrustCredentials.X509Certificates` to enable directly
+  passing `X509Certificate` instead of passing a `File`. ``PHAB_ID=D641088``
+
 Breaking API Changes
 ~~~~~~~~~~~~~~~~~~~~
 * finagle: Builds are now only supported for Scala 2.12+ ``PHAB_ID=D631091``

finagle-core/src/main/scala/com/twitter/finagle/ssl/SslConfigurations.scala

@@ -67,6 +67,12 @@ private[ssl] object SslConfigurations {
           case Return(tms) => Some(tms)
           case Throw(ex) => throw SslConfigurationException(ex)
         }
+      case TrustCredentials.X509Certificates(x509Certs) =>
+        val tryTms = X509TrustManagerFactory.buildTrustManager(x509Certs)
+        tryTms match {
+          case Return(tms) => Some(tms)
+          case Throw(ex) => throw SslConfigurationException(ex)
+        }
       case TrustCredentials.TrustManagerFactory(trustManagerFactory) =>
         Some(trustManagerFactory.getTrustManagers)
     }
@@ -183,6 +189,11 @@ private[ssl] object SslConfigurations {
           "TrustCredentials.CertCollection",
           engineFactoryName
         )
+      case TrustCredentials.X509Certificates(_) =>
+        throw SslConfigurationException.notSupported(
+          "TrustCredentials.X509Certificates",
+          engineFactoryName
+        )
       case TrustCredentials.TrustManagerFactory(_) =>
         throw SslConfigurationException.notSupported(
           "TrustCredentials.TrustManagerFactory",

finagle-core/src/main/scala/com/twitter/finagle/ssl/TrustCredentials.scala

@@ -1,6 +1,7 @@
 package com.twitter.finagle.ssl
 
 import java.io.File
+import java.security.cert.X509Certificate
 import javax.net.ssl
 
 /**
@@ -28,14 +29,23 @@ object TrustCredentials {
   case object Insecure extends TrustCredentials
 
   /**
-   * The collection of certificates which should be used in
-   * verifying a remote peer's credentials.
+   * Indicates the collection of certificates which should be used in
+   * verifying a remote peer's credentials can be read from the given
+   * file.
    *
    * @param file A file containing a collection of X.509 certificates
    *             in PEM format.
    */
   case class CertCollection(file: File) extends TrustCredentials
 
+  /**
+   * The collection of certificates which should be used in
+   * verifying a remote peer's credentials.
+   *
+   * @param x509Certs A collection of X.509 certificates
+   */
+  case class X509Certificates(x509Certs: Seq[X509Certificate]) extends TrustCredentials
+
   /**
    * Indicates that the trust credentials from the [[ssl.TrustManagerFactory]]
    * should be used in verifying a remote peer's credentials.

finagle-netty4/src/main/scala/com/twitter/finagle/netty4/ssl/Netty4SslConfigurations.scala

@@ -35,6 +35,8 @@ private[finagle] object Netty4SslConfigurations {
         builder.trustManager(InsecureTrustManagerFactory.INSTANCE)
       case TrustCredentials.CertCollection(file) =>
         builder.trustManager(file)
+      case TrustCredentials.X509Certificates(x509Certs) =>
+        builder.trustManager(x509Certs: _*)
       case TrustCredentials.TrustManagerFactory(trustManagerFactory) =>
         builder.trustManager(trustManagerFactory)
     }