
Add config property to specify a list of truststores #24148

Closed
shawkins opened this issue Oct 19, 2023 · 1 comment · Fixed by #24473
Labels: kind/enhancement (Categorizes a PR related to an enhancement), release/24.0.0

Comments

@shawkins
Contributor

shawkins commented Oct 19, 2023

Description

To support the work on #23742 there should be an option for specifying multiple truststores such that they will be treated as a single logical truststore. It should likely extend to the java default truststore as well - with potentially an option to opt out.

Support will only be for truststores which do not have a password.

Detailed Design:

  • Add a new security option --truststore-paths - it will accept both files and directories. Directories will be processed recursively to support the operator use case of having multiple mounts under a single root directory. The files accepted will be .p12 / .pfx, otherwise they will be assumed to be pem files. A single merged truststore will be created from these files and the system default truststore. The javax.net.ssl properties will be updated at startup to reference the new merged store.
  • The spi-truststore will need to fall back to the system truststore when no file is specifically configured. This will pick up the truststore created by the --truststore-paths option for use by several existing logic paths in keycloak that expect the truststore to be provided by the spi-truststore. This will also allow for users to use the hostname verification property even without specifying the file.

Discussion

No response

Motivation

To simplify the user experience around truststores.

Details

Ideally the implementation should allow for automatic reloading of the certs to satisfy #10654
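An added sketch of the merge step in the design above, written for this issue and not taken from Keycloak or the linked PR. It uses only the JDK's standard KeyStore, CertificateFactory and TrustManagerFactory APIs, builds one in-memory store from the default truststore plus every file found under the given paths (directories recursed, .p12/.pfx loaded as passwordless PKCS12, everything else parsed as PEM), and stops at a TrustManagerFactory rather than writing the store to disk and updating the javax.net.ssl properties.

```java
import java.io.InputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
import java.util.stream.*;
import javax.net.ssl.*;

// Illustration of the --truststore-paths merge; class and method names are assumptions, not Keycloak's.
public class MergedTrustStore {
    static KeyStore merge(String... paths) throws Exception {
        KeyStore merged = KeyStore.getInstance("PKCS12");
        merged.load(null, null);                                   // start empty, no password
        String def = System.getProperty("javax.net.ssl.trustStore", // JDK default store goes in first
                Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts").toString());
        addStore(merged, Paths.get(def), KeyStore.getDefaultType(), "default");
        for (String p : paths) {
            try (Stream<Path> tree = Files.walk(Paths.get(p))) {   // a file yields itself, a dir is recursed
                for (Path f : tree.filter(Files::isRegularFile).collect(Collectors.toList())) {
                    addFile(merged, f);
                }
            }
        }
        return merged;
    }

    static void addFile(KeyStore merged, Path f) throws Exception {
        String name = f.getFileName().toString().toLowerCase();
        if (name.endsWith(".p12") || name.endsWith(".pfx")) { addStore(merged, f, "PKCS12", name); return; }
        try (InputStream in = Files.newInputStream(f)) {           // anything else is treated as PEM
            int i = 0;
            for (Certificate c : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                merged.setCertificateEntry(name + "-" + i++, c);
            }
        }
    }

    // Null password: entries load, but the store's integrity MAC is never verified, so file permissions
    // on the mounted stores are the only thing protecting them from tampering.
    static void addStore(KeyStore to, Path file, String type, String prefix) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) { ks.load(in, null); }
        for (String alias : Collections.list(ks.aliases())) {     // prefix aliases so stores cannot clobber each other
            if (ks.isCertificateEntry(alias)) to.setCertificateEntry(prefix + "-" + alias, ks.getCertificate(alias));
        }
    }

    static TrustManager[] trustManagers(KeyStore merged) throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(merged);
        return tmf.getTrustManagers();                             // feed these to SSLContext.init(...)
    }
}
```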

@shawkins shawkins added kind/enhancement Categorizes a PR related to an enhancement status/triage labels Oct 19, 2023
@shawkins
Contributor Author

shawkins commented Oct 23, 2023

A related effort in quarkus - quarkusio/quarkus#17038 - that unfortunately did not progress.

quarkusio/quarkus#20594 - matches the intent of this issue almost exactly. This also did not progress.

Some related considerations if/when native is in the picture (at least for the javax property truststore): https://quarkus.io/guides/native-and-ssl https://www.graalvm.org/latest/reference-manual/native-image/dynamic-features/CertificateManagement/

shawkins added a commit to shawkins/keycloak that referenced this issue Nov 29, 2023
closes keycloak#24148

Signed-off-by: Steve Hawkins <shawkins@redhat.com>

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
@ghost ghost removed the status/triage label Nov 30, 2023
vmuzikar added a commit that referenced this issue Nov 30, 2023
closes #24148

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
ShefeeqPM pushed a commit to ShefeeqPM/keycloak that referenced this issue Jan 27, 2024
closes keycloak#24148

Co-authored-by: Václav Muzikář <vaclav@muzikari.cz>
Co-authored-by: Martin Bartoš <mabartos@redhat.com>
Signed-off-by: ShefeeqPM <86718986+ShefeeqPM@users.noreply.github.com>