Support for adding certificate in a nested trustManager of CompositeX509ExtendedTrustManager

sslcontext-kickstart/src/main/java/nl/altindag/ssl/util/TrustManagerUtils.java

@@ -276,11 +276,27 @@ public static void addCertificate(X509ExtendedTrustManager trustManager, List<X5
             return;
         }
 
-        if (trustManager instanceof HotSwappableX509ExtendedTrustManager
-                && ((HotSwappableX509ExtendedTrustManager) trustManager).getInnerTrustManager() instanceof InflatableX509ExtendedTrustManager) {
-            ((InflatableX509ExtendedTrustManager) ((HotSwappableX509ExtendedTrustManager) trustManager)
-                    .getInnerTrustManager()).addCertificates(certificates);
-            return;
+        if (trustManager instanceof HotSwappableX509ExtendedTrustManager) {
+            if (((HotSwappableX509ExtendedTrustManager) trustManager).getInnerTrustManager() instanceof InflatableX509ExtendedTrustManager) {
+                ((InflatableX509ExtendedTrustManager) ((HotSwappableX509ExtendedTrustManager) trustManager)
+                        .getInnerTrustManager()).addCertificates(certificates);
+                return;
+            }
+
+            if (((HotSwappableX509ExtendedTrustManager) trustManager).getInnerTrustManager() instanceof CompositeX509ExtendedTrustManager) {
+                List<X509ExtendedTrustManager> innerTrustManagers = ((CompositeX509ExtendedTrustManager) ((HotSwappableX509ExtendedTrustManager) trustManager)
+                        .getInnerTrustManager()).getInnerTrustManagers();
+
+                Optional<InflatableX509ExtendedTrustManager> inflatableX509ExtendedTrustManager = innerTrustManagers.stream()
+                        .filter(InflatableX509ExtendedTrustManager.class::isInstance)
+                        .map(InflatableX509ExtendedTrustManager.class::cast)
+                        .findFirst();
+
+                if (inflatableX509ExtendedTrustManager.isPresent()) {
+                    inflatableX509ExtendedTrustManager.get().addCertificates(certificates);
+                    return;
+                }
+            }
         }
 
         if (trustManager instanceof CompositeX509ExtendedTrustManager) {

sslcontext-kickstart/src/test/java/nl/altindag/ssl/util/TrustManagerUtilsShould.java

@@ -671,6 +671,21 @@ void addCertificateToInflatableX509ExtendedTrustManagerEvenThoughItIsWrappedInAH
         verify(inflatableX509ExtendedTrustManager, times(1)).addCertificates(certificates);
     }
 
+    @Test
+    void addCertificateToInflatableX509ExtendedTrustManagerEvenThoughItIsWrappedInAHotSwappableX509ExtendedTrustManagerWhichIsWrappedIntoACompositeX509ExtendedTrustManager() {
+        X509Certificate certificate = mock(X509Certificate.class);
+        List<X509Certificate> certificates = Collections.singletonList(certificate);
+
+        InflatableX509ExtendedTrustManager inflatableX509ExtendedTrustManager = mock(InflatableX509ExtendedTrustManager.class);
+        X509ExtendedTrustManager jdkTrustManager = TrustManagerUtils.createTrustManagerWithJdkTrustedCertificates();
+        X509ExtendedTrustManager combinedTrustManager = TrustManagerUtils.combine(inflatableX509ExtendedTrustManager, jdkTrustManager);
+        HotSwappableX509ExtendedTrustManager hotSwappableX509ExtendedTrustManager = (HotSwappableX509ExtendedTrustManager) TrustManagerUtils.createSwappableTrustManager(combinedTrustManager);
+
+        TrustManagerUtils.addCertificate(hotSwappableX509ExtendedTrustManager, certificates);
+
+        verify(inflatableX509ExtendedTrustManager, times(1)).addCertificates(certificates);
+    }
+
     @Test
     void addCertificateToInflatableX509ExtendedTrustManagerEvenThoughItIsWrappedInACompositeX509ExtendedTrustManager() {
         X509Certificate certificate = mock(X509Certificate.class);
@@ -909,6 +924,21 @@ void throwExceptionWhenAddingCertificateToANonInflatableX509ExtendedTrustManager
                 .hasMessage("The provided trustManager should be an instance of [nl.altindag.ssl.trustmanager.InflatableX509ExtendedTrustManager]");
     }
 
+    @Test
+    void throwExceptionWhenAddingCertificateToANonInflatableX509ExtendedTrustManagerEvenThoughItIsWrappedInAHotSwappableX509ExtendedTrustManagerContainingACompositeX509ExtendedTrustManager() {
+        X509Certificate certificate = mock(X509Certificate.class);
+        List<X509Certificate> certificates = Collections.singletonList(certificate);
+        X509ExtendedTrustManager nonInflatableTrustManager = mock(X509ExtendedTrustManager.class);
+        CompositeX509ExtendedTrustManager compositeX509ExtendedTrustManager = mock(CompositeX509ExtendedTrustManager.class);
+        HotSwappableX509ExtendedTrustManager hotSwappableX509ExtendedTrustManager = mock(HotSwappableX509ExtendedTrustManager.class);
+        when(hotSwappableX509ExtendedTrustManager.getInnerTrustManager()).thenReturn(compositeX509ExtendedTrustManager);
+        when(compositeX509ExtendedTrustManager.getInnerTrustManagers()).thenReturn(Collections.singletonList(nonInflatableTrustManager));
+
+        assertThatThrownBy(() -> TrustManagerUtils.addCertificate(hotSwappableX509ExtendedTrustManager, certificates))
+                .isInstanceOf(GenericTrustManagerException.class)
+                .hasMessage("The provided trustManager should be an instance of [nl.altindag.ssl.trustmanager.InflatableX509ExtendedTrustManager]");
+    }
+
     @Test
     void throwExceptionWhenAddingCertificateToANonInflatableX509ExtendedTrustManagerEvenThoughItIsWrappedInACompositeX509ExtendedTrustManager() {
         X509Certificate certificate = mock(X509Certificate.class);