update to latest version: v1.4.1

trendmicro · Aug 28, 2024 · f571828 · f571828
1 parent e3815e8
commit f571828
Show file tree

Hide file tree

Showing 5 changed files with 40 additions and 21 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # CHANGELOG
 
+## 1.4.1 - 2024-08-28
+
+* Support certificate verification bypass using environment variable
+
 ## 1.4.0 - 2024-08-23
 
 * Update README.md

diff --git a/README.md b/README.md
@@ -354,3 +354,9 @@ The communication channel between the client program or SDK and the Trend Vision
 The certificate employed by server-side TLS is a publicly-signed certificate from Trend Micro Inc, issued by a trusted Certificate Authority (CA), further bolstering security measures.
 
 The File Security SDK consistently adopts TLS as the default communication channel, prioritizing security at all times. It is strongly advised not to disable TLS in a production environment while utilizing the File Security SDK, as doing so could compromise the integrity and confidentiality of transmitted data.
+
+## Disabling certificate verification
+
+For customers who need to enable TLS channel encryption without verifying the provided CA certificate, the `TM_AM_DISABLE_CERT_VERIFY` environment variable can be set. However, this option is only recommended for use in testing environments.
+
+When `TM_AM_DISABLE_CERT_VERIFY` is set to `1`, certificate verification is disabled. By default, the certificate will be verified.
diff --git a/VERSION b/VERSION
@@ -1 +1 @@
-1.4.0
+1.4.1
diff --git a/pom.xml b/pom.xml
@@ -5,7 +5,7 @@
 
   <groupId>com.trend</groupId>
   <artifactId>file-security-java-sdk</artifactId>
-  <version>1.4.0</version>
+  <version>1.4.1</version>
 
   <name>file-security-java-sdk</name>
   <url>https://github.com/trendmicro/tm-v1-fs-java-sdk</url>

diff --git a/src/main/java/com/trend/cloudone/amaas/AMaasClient.java b/src/main/java/com/trend/cloudone/amaas/AMaasClient.java
@@ -16,6 +16,8 @@
 import io.grpc.stub.StreamObserver;
 import io.grpc.stub.CallStreamObserver;
 import io.grpc.StatusRuntimeException;
+import io.netty.handler.ssl.util.InsecureTrustManagerFactory;
+import io.netty.handler.ssl.SslContext;
 import com.google.protobuf.ByteString;
 import com.trend.cloudone.amaas.scan.ScanGrpc;
 import com.trend.cloudone.amaas.scan.ScanOuterClass;
@@ -84,27 +86,34 @@ public AMaasClient(final String region, final String host, final String apiKey,
         }
         if (enabledTLS) {
             log(Level.FINE, "Using prod grpc service {0}", target);
-            if (caCertPath != null && !caCertPath.isEmpty()) {
-                // Bring Your Own Certificate case
-                try {
-                    File certFile = Paths.get(caCertPath).toFile();
-                    this.channel = NettyChannelBuilder.forTarget(target)
-                            .sslContext(GrpcSslContexts.forClient().trustManager(certFile).build())
-                            .build();
-                } catch (SSLException | UnsupportedOperationException e) {
-                    throw new AMaasException(AMaasErrorCode.MSG_ID_ERR_LOAD_SSL_CERT);
-                }
-            } else {
-                // Default SSL credentials case
-                try {
-                    log(Level.FINE, "Using prod grpc service {0}", target);
-                    this.channel = NettyChannelBuilder.forTarget(target)
-                            .sslContext(GrpcSslContexts.forClient().build())
-                            .build();
-                } catch (SSLException e) {
-                    throw new AMaasException(AMaasErrorCode.MSG_ID_ERR_LOAD_SSL_CERT);
+            String verifyCertEnv = System.getenv("TM_AM_DISABLE_CERT_VERIFY");
+            boolean verifyCert = !("1".equals(verifyCertEnv));
+            SslContext context;
+
+            try {
+                if (!verifyCert) {
+                    // Bypassing certificate verification
+                    log(Level.FINE, "Bypassing certificate verification");
+                    context = GrpcSslContexts.forClient().trustManager(InsecureTrustManagerFactory.INSTANCE).build();
+                } else {
+                    if (caCertPath != null && !caCertPath.isEmpty()) {
+                        // Bring Your Own Certificate case
+                        log(Level.FINE, "Using certificate {0}", caCertPath);
+                        File certFile = Paths.get(caCertPath).toFile();
+                        context = GrpcSslContexts.forClient().trustManager(certFile).build();
+                    } else {
+                        // Default SSL credentials case
+                        log(Level.FINE, "Using default certificate");
+                        context = GrpcSslContexts.forClient().build();
+                    }
                 }
+            } catch (SSLException | UnsupportedOperationException e) {
+                throw new AMaasException(AMaasErrorCode.MSG_ID_ERR_LOAD_SSL_CERT);
             }
+
+            this.channel = NettyChannelBuilder.forTarget(target)
+                            .sslContext(context)
+                            .build();
         } else {
             log(Level.FINE, "Using grpc service with TLS disenabled {0}", target);
             this.channel = NettyChannelBuilder.forTarget(target)