From 9c24872d6b5508ef8ceff649aba3a49c266709ea Mon Sep 17 00:00:00 2001 From: ue64803 Date: Tue, 21 Apr 2026 10:26:13 +0200 Subject: [PATCH 1/3] Handle multiple directories in SSL_CERT_DIR env variable --- api/src/main/java/io/minio/Http.java | 61 +++++++++++++++++----------- 1 file changed, 37 insertions(+), 24 deletions(-) diff --git a/api/src/main/java/io/minio/Http.java b/api/src/main/java/io/minio/Http.java index 5fa9bec24..a31dedf18 100644 --- a/api/src/main/java/io/minio/Http.java +++ b/api/src/main/java/io/minio/Http.java @@ -20,6 +20,7 @@ import com.google.common.collect.Multimap; import io.minio.credentials.Credentials; import io.minio.errors.MinioException; +import java.io.File; import java.io.IOException; import java.io.InputStream; import java.io.RandomAccessFile; @@ -423,15 +424,15 @@ private static X509TrustManager buildTrustManagerFromKeyStore(KeyStore ks) } private static int setCertificateEntry( - CertificateFactory cf, KeyStore ks, Path file, String namePrefix) + CertificateFactory cf, KeyStore ks, Path certPath, String namePrefix) throws CertificateException, IOException, KeyStoreException { - try (InputStream in = Files.newInputStream(file)) { - int index = 0; + try (InputStream in = Files.newInputStream(certPath)) { + int certsInFile = 0; while (in.available() > 0) { X509Certificate cert = (X509Certificate) cf.generateCertificate(in); - ks.setCertificateEntry(namePrefix + (index++), cert); + ks.setCertificateEntry(namePrefix + (certsInFile++), cert); } - return index; + return certsInFile; } } 
@@ -444,30 +445,42 @@ private static X509TrustManager getTrustManagerFromFile(String filePath) return buildTrustManagerFromKeyStore(ks); } - private static X509TrustManager getTrustManagerFromDir(String dirPath) + private static X509TrustManager getTrustManagerFromDirs(String dirPaths) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException { - CertificateFactory cf = CertificateFactory.getInstance("X.509"); - KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); + final CertificateFactory cf = CertificateFactory.getInstance("X.509"); + final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null); - int index = 0; - try (Stream paths = Files.walk(Paths.get(dirPath))) { - int number = 1; - for (Path file : (Iterable) paths.filter(Files::isRegularFile)::iterator) { - try { - index += setCertificateEntry(cf, ks, file, "cert-dir-file-" + number + "-"); - number++; - } catch (CertificateException | IOException | KeyStoreException e) { - // Ignore these errors. + int totalCertificates = 0; + int fileNumber = 1; + for (Path directory : getDirectories(dirPaths)) { + try (Stream paths = Files.walk(directory)) { + for (Path certPath : (Iterable) paths.filter(Files::isRegularFile)::iterator) { + try { + totalCertificates += + setCertificateEntry(cf, ks, certPath, "cert-dir-file-" + fileNumber + "-"); + } catch (CertificateException | IOException | KeyStoreException e) { + // Ignore these errors. 
+ } + fileNumber++; } } } - if (index == 0) return null; + if (totalCertificates == 0) return null; return buildTrustManagerFromKeyStore(ks); } + private static List getDirectories(String dirPaths) { + return Stream.of(dirPaths.split(File.pathSeparator)) + .map(String::trim) + .filter(s -> !s.isEmpty()) + .map(Paths::get) + .filter(Files::isDirectory) + .collect(Collectors.toList()); + } + private static X509TrustManager getDefaultTrustManager() throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException { TrustManagerFactory factory = @@ -479,15 +492,15 @@ private static X509TrustManager getDefaultTrustManager() return null; } - private static X509TrustManager getCompositeTrustManager(String filePath, String dirPath) + private static X509TrustManager getCompositeTrustManager(String filePath, String dirPaths) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException { List trustManagers = new ArrayList<>(); X509TrustManager defaultTm = getDefaultTrustManager(); if (defaultTm != null) trustManagers.add(defaultTm); - if (dirPath != null && !dirPath.isEmpty()) { - X509TrustManager dirTm = getTrustManagerFromDir(dirPath); + if (dirPaths != null && !dirPaths.isEmpty()) { + X509TrustManager dirTm = getTrustManagerFromDirs(dirPaths); if (dirTm != null) trustManagers.add(dirTm); } 
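Review bot: In the new `for (Path directory : getDirectories(dirPaths))` loop, a failure while traversing one directory aborts trust-manager construction for every entry in the list. `Files.walk(directory)` can throw IOException when it is opened, and iterating the stream can throw UncheckedIOException (for example on an unreadable subdirectory); the inner catch only wraps the `setCertificateEntry` call, so it covers neither. The unchecked case leaves this method as a RuntimeException, and whether `enableExternalCertificates` turns that into a MinioException is not visible in this patch. If a bad entry should be skipped in the same way as an unparseable file, close the try-with-resources with `} catch (IOException | UncheckedIOException e) { /* skip this directory, keep loading the others */ }`, which needs a `java.io.UncheckedIOException` import. Otherwise, state in a comment that one untraversable directory deliberately fails the whole setup.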
@@ -579,11 +592,11 @@ public static OkHttpClient enablePKCS12Certificates( httpClient, trustStorePath, trustStorePassword, keyStorePath, keyStorePassword, "PKCS12"); } - /** Enable external TLS certificates from given file path and all valid files from dir path. */ + /** Enable external TLS certificates from given file path and all valid files from dir paths. */ public static OkHttpClient enableExternalCertificates( - OkHttpClient client, String filePath, String dirPath) throws MinioException { + OkHttpClient client, String filePath, String dirPaths) throws MinioException { try { - X509TrustManager tm = getCompositeTrustManager(filePath, dirPath); + X509TrustManager tm = getCompositeTrustManager(filePath, dirPaths); if (tm == null) return client; SSLContext sslContext = SSLContext.getInstance("TLS"); From bd6c9179b6d2babc3c34a7f878946e759f68acbc Mon Sep 17 00:00:00 2001 From: ue64803 Date: Tue, 21 Apr 2026 13:19:40 +0200 Subject: [PATCH 2/3] Revert variable and method names per review --- api/src/main/java/io/minio/Http.java | 47 ++++++++++++++-------------- 1 file changed, 23 insertions(+), 24 deletions(-) diff --git a/api/src/main/java/io/minio/Http.java b/api/src/main/java/io/minio/Http.java index a31dedf18..150e42e55 100644 --- a/api/src/main/java/io/minio/Http.java +++ b/api/src/main/java/io/minio/Http.java 
@@ -424,15 +424,15 @@ private static X509TrustManager buildTrustManagerFromKeyStore(KeyStore ks) } private static int setCertificateEntry( - CertificateFactory cf, KeyStore ks, Path certPath, String namePrefix) + CertificateFactory cf, KeyStore ks, Path file, String namePrefix) throws CertificateException, IOException, KeyStoreException { - try (InputStream in = Files.newInputStream(certPath)) { - int certsInFile = 0; + try (InputStream in = Files.newInputStream(file)) { + int index = 0; while (in.available() > 0) { X509Certificate cert = (X509Certificate) cf.generateCertificate(in); - ks.setCertificateEntry(namePrefix + (certsInFile++), cert); + ks.setCertificateEntry(namePrefix + (index++), cert); } - return certsInFile; + return index; } } 
@@ -445,35 +445,34 @@ private static X509TrustManager getTrustManagerFromFile(String filePath) return buildTrustManagerFromKeyStore(ks); } - private static X509TrustManager getTrustManagerFromDirs(String dirPaths) + private static X509TrustManager getTrustManagerFromDir(String dirPath) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException { - final CertificateFactory cf = CertificateFactory.getInstance("X.509"); - final KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); + CertificateFactory cf = CertificateFactory.getInstance("X.509"); + KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null); - int totalCertificates = 0; - int fileNumber = 1; - for (Path directory : getDirectories(dirPaths)) { + int index = 0; + int number = 1; + for (Path directory : getDirectories(dirPath)) { try (Stream paths = Files.walk(directory)) { - for (Path certPath : (Iterable) paths.filter(Files::isRegularFile)::iterator) { + for (Path file : (Iterable) paths.filter(Files::isRegularFile)::iterator) { try { - totalCertificates += - setCertificateEntry(cf, ks, certPath, "cert-dir-file-" + fileNumber + "-"); + index += setCertificateEntry(cf, ks, file, "cert-dir-file-" + number + "-"); + number++; } catch (CertificateException | IOException | KeyStoreException e) { // Ignore these errors. } - fileNumber++; } } } - if (totalCertificates == 0) return null; + if (index == 0) return null; return buildTrustManagerFromKeyStore(ks); } - private static List getDirectories(String dirPaths) { - return Stream.of(dirPaths.split(File.pathSeparator)) + private static List getDirectories(String dirPath) { + return Stream.of(dirPath.split(File.pathSeparator)) .map(String::trim) .filter(s -> !s.isEmpty()) .map(Paths::get) 
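Review bot: Besides the renames, this hunk moves the counter increment from after the catch block into the try (`number++;` directly after `index += setCertificateEntry(...)`), a behaviour change the commit subject does not mention. `setCertificateEntry` stores certificates one at a time, so a file that throws part-way leaves entries under the current `cert-dir-file-N-` prefix while neither `number` nor `index` advances. The next file then reuses that prefix and can overwrite some of those aliases, while any it does not overwrite stay in the KeyStore as trust anchors from a file that was reported as failed. Keeping the increment after the catch, as patch 1/3 had it (`} catch (...) { // Ignore these errors. } number++;`), gives every file its own alias prefix. It is also worth deciding explicitly whether certificates from a partially parsed file should be trusted at all.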
@@ -492,15 +491,15 @@ private static X509TrustManager getDefaultTrustManager() return null; } - private static X509TrustManager getCompositeTrustManager(String filePath, String dirPaths) + private static X509TrustManager getCompositeTrustManager(String filePath, String dirPath) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException { List trustManagers = new ArrayList<>(); X509TrustManager defaultTm = getDefaultTrustManager(); if (defaultTm != null) trustManagers.add(defaultTm); - if (dirPaths != null && !dirPaths.isEmpty()) { - X509TrustManager dirTm = getTrustManagerFromDirs(dirPaths); + if (dirPath != null && !dirPath.isEmpty()) { + X509TrustManager dirTm = getTrustManagerFromDir(dirPath); if (dirTm != null) trustManagers.add(dirTm); } @@ -592,11 +591,11 @@ public static OkHttpClient enablePKCS12Certificates( httpClient, trustStorePath, trustStorePassword, keyStorePath, keyStorePassword, "PKCS12"); } - /** Enable external TLS certificates from given file path and all valid files from dir paths. */ + /** Enable external TLS certificates from given file path and all valid files from dir path. */ public static OkHttpClient enableExternalCertificates( - OkHttpClient client, String filePath, String dirPaths) throws MinioException { + OkHttpClient client, String filePath, String dirPath) throws MinioException { try { - X509TrustManager tm = getCompositeTrustManager(filePath, dirPaths); + X509TrustManager tm = getCompositeTrustManager(filePath, dirPath); if (tm == null) return client; SSLContext sslContext = SSLContext.getInstance("TLS"); From 443893ab127ad035d1f6dbaa9ef5bb953f083578 Mon Sep 17 00:00:00 2001 From: ue64803 Date: Wed, 22 Apr 2026 10:12:07 +0200 Subject: [PATCH 3/3] Inline directory splitting logic --- api/src/main/java/io/minio/Http.java | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) 
diff --git a/api/src/main/java/io/minio/Http.java b/api/src/main/java/io/minio/Http.java index 150e42e55..03a990d2d 100644 --- a/api/src/main/java/io/minio/Http.java +++ b/api/src/main/java/io/minio/Http.java @@ -451,9 +451,17 @@ private static X509TrustManager getTrustManagerFromDir(String dirPath) KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); ks.load(null); + List directories = + Stream.of(dirPath.split(File.pathSeparator)) + .map(String::trim) + .filter(s -> !s.isEmpty()) + .map(Paths::get) + .filter(Files::isDirectory) + .collect(Collectors.toList()); + int index = 0; int number = 1; - for (Path directory : getDirectories(dirPath)) { + for (Path directory : directories) { try (Stream paths = Files.walk(directory)) { for (Path file : (Iterable) paths.filter(Files::isRegularFile)::iterator) { try { @@ -471,15 +479,6 @@ private static X509TrustManager getTrustManagerFromDir(String dirPath) return buildTrustManagerFromKeyStore(ks); } - private static List getDirectories(String dirPath) { - return Stream.of(dirPath.split(File.pathSeparator)) - .map(String::trim) - .filter(s -> !s.isEmpty()) - .map(Paths::get) - .filter(Files::isDirectory) - .collect(Collectors.toList()); - } - private static X509TrustManager getDefaultTrustManager() throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException { TrustManagerFactory factory =
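Review bot: After this inlining nothing in the file says that `dirPath` is a list. Patch 2/3 made the parameter and method names singular again and restored the Javadoc on `enableExternalCertificates` to "dir path", yet the value is split on `File.pathSeparator` here. This changes behaviour for existing callers: a single directory whose name contains the separator character (':' on Unix-like systems) is now broken into pieces that `Files::isDirectory` silently drops, and every existing directory in the list contributes trust anchors. I would add a comment above the `directories` assignment, for example `// dirPath follows SSL_CERT_DIR: one or more directories separated by File.pathSeparator; blank and non-directory entries are skipped.`, and state the same in the public Javadoc. The body of `getTrustManagerFromDir` starts and ends outside this hunk.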