Make keystore custom cert injection additive

aws · Feb 17, 2025 · 117ac74 · 117ac74
1 parent 6140493
commit 117ac74
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 8 deletions.
diff --git a/plugin/src/software/aws/toolkits/eclipse/amazonq/lsp/connection/QLspConnectionProvider.java b/plugin/src/software/aws/toolkits/eclipse/amazonq/lsp/connection/QLspConnectionProvider.java
@@ -44,10 +44,10 @@ public QLspConnectionProvider() throws IOException {
 
     @Override
     protected final void addEnvironmentVariables(final Map<String, String> env) {
-        String httpsProxyPreference = ProxyUtil.getHttpsProxyUrl();
+        String httpsProxyUrl = ProxyUtil.getHttpsProxyUrl();
         String caCertPreference = Activator.getDefault().getPreferenceStore().getString(AmazonQPreferencePage.CA_CERT);
-        if (!StringUtils.isEmpty(httpsProxyPreference)) {
-            env.put("HTTPS_PROXY", httpsProxyPreference);
+        if (!StringUtils.isEmpty(httpsProxyUrl)) {
+            env.put("HTTPS_PROXY", httpsProxyUrl);
         }
         if (!StringUtils.isEmpty(caCertPreference)) {
             env.put("NODE_EXTRA_CA_CERTS", caCertPreference);

diff --git a/plugin/src/software/aws/toolkits/eclipse/amazonq/util/ProxyUtil.java b/plugin/src/software/aws/toolkits/eclipse/amazonq/util/ProxyUtil.java
@@ -16,7 +16,9 @@
 import java.security.cert.X509Certificate;
 
 import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509TrustManager;
 
 import org.eclipse.mylyn.commons.ui.dialogs.AbstractNotificationPopup;
 import org.eclipse.swt.widgets.Display;
@@ -154,22 +156,35 @@ private static String getCustomCertPath() {
     }
 
     private static SSLContext createSslContextWithCustomCert(final String certPath) throws Exception {
+        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        tmf.init((KeyStore) null);
+
+        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+        keyStore.load(null, null);
+
+        for (TrustManager tm : tmf.getTrustManagers()) {
+            if (tm instanceof X509TrustManager) {
+                X509TrustManager xtm = (X509TrustManager) tm;
+                for (X509Certificate cert : xtm.getAcceptedIssuers()) {
+                    keyStore.setCertificateEntry(cert.getSubjectX500Principal().getName(), cert);
+                }
+            }
+        }
+
         CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
         X509Certificate cert;
 
         try (FileInputStream fis = new FileInputStream(certPath)) {
             cert = (X509Certificate) certificateFactory.generateCertificate(fis);
         }
 
-        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
-        keyStore.load(null, null);
         keyStore.setCertificateEntry("custom-cert", cert);
 
-        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
-        tmf.init(keyStore);
+        TrustManagerFactory customTmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+        customTmf.init(keyStore);
 
         SSLContext sslContext = SSLContext.getInstance("TLSv1.2");
-        sslContext.init(null, tmf.getTrustManagers(), null);
+        sslContext.init(null, customTmf.getTrustManagers(), null);
         Activator.getLogger().info("Picked up custom CA cert.");
 
         return sslContext;