Jake Slack | 03928ae | 2014-05-13 18:41:56 -0700 | [diff] [blame] | 1 | // |
| 2 | // ======================================================================== |
| 3 | // Copyright (c) 1995-2014 Mort Bay Consulting Pty. Ltd. |
| 4 | // ------------------------------------------------------------------------ |
| 5 | // All rights reserved. This program and the accompanying materials |
| 6 | // are made available under the terms of the Eclipse Public License v1.0 |
| 7 | // and Apache License v2.0 which accompanies this distribution. |
| 8 | // |
| 9 | // The Eclipse Public License is available at |
| 10 | // http://www.eclipse.org/legal/epl-v10.html |
| 11 | // |
| 12 | // The Apache License v2.0 is available at |
| 13 | // http://www.opensource.org/licenses/apache2.0.php |
| 14 | // |
| 15 | // You may elect to redistribute this code under either of these licenses. |
| 16 | // ======================================================================== |
| 17 | // |
| 18 | |
| 19 | package org.eclipse.jetty.util.ssl; |
| 20 | |
| 21 | import java.io.ByteArrayInputStream; |
| 22 | import java.io.ByteArrayOutputStream; |
| 23 | import java.io.File; |
| 24 | import java.io.IOException; |
| 25 | import java.io.InputStream; |
| 26 | import java.net.InetAddress; |
| 27 | import java.security.InvalidParameterException; |
| 28 | import java.security.KeyStore; |
| 29 | import java.security.SecureRandom; |
| 30 | import java.security.Security; |
| 31 | import java.security.cert.CRL; |
| 32 | import java.security.cert.CertStore; |
| 33 | import java.security.cert.Certificate; |
| 34 | import java.security.cert.CollectionCertStoreParameters; |
| 35 | import java.security.cert.PKIXBuilderParameters; |
| 36 | import java.security.cert.X509CertSelector; |
| 37 | import java.util.Arrays; |
| 38 | import java.util.Collection; |
| 39 | import java.util.Collections; |
| 40 | import java.util.LinkedHashSet; |
| 41 | import java.util.List; |
| 42 | import java.util.Set; |
| 43 | import javax.net.ssl.CertPathTrustManagerParameters; |
| 44 | import javax.net.ssl.KeyManager; |
| 45 | import javax.net.ssl.KeyManagerFactory; |
| 46 | import javax.net.ssl.SSLContext; |
| 47 | import javax.net.ssl.SSLEngine; |
| 48 | import javax.net.ssl.SSLServerSocket; |
| 49 | import javax.net.ssl.SSLServerSocketFactory; |
| 50 | import javax.net.ssl.SSLSocket; |
| 51 | import javax.net.ssl.SSLSocketFactory; |
| 52 | import javax.net.ssl.TrustManager; |
| 53 | import javax.net.ssl.TrustManagerFactory; |
| 54 | import javax.net.ssl.X509KeyManager; |
| 55 | import javax.net.ssl.X509TrustManager; |
| 56 | |
| 57 | import org.eclipse.jetty.util.IO; |
| 58 | import org.eclipse.jetty.util.component.AbstractLifeCycle; |
| 59 | import org.eclipse.jetty.util.log.Log; |
| 60 | import org.eclipse.jetty.util.log.Logger; |
| 61 | import org.eclipse.jetty.util.resource.Resource; |
| 62 | import org.eclipse.jetty.util.security.CertificateUtils; |
| 63 | import org.eclipse.jetty.util.security.CertificateValidator; |
| 64 | import org.eclipse.jetty.util.security.Password; |
| 65 | |
| 66 | |
| 67 | /* ------------------------------------------------------------ */ |
| 68 | /** |
| 69 | * SslContextFactory is used to configure SSL connectors |
| 70 | * as well as HttpClient. It holds all SSL parameters and |
| 71 | * creates SSL context based on these parameters to be |
| 72 | * used by the SSL connectors. |
| 73 | */ |
| 74 | public class SslContextFactory extends AbstractLifeCycle |
| 75 | { |
| 76 | public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager() |
| 77 | { |
| 78 | public java.security.cert.X509Certificate[] getAcceptedIssuers() |
| 79 | { |
| 80 | return new java.security.cert.X509Certificate[]{}; |
| 81 | } |
| 82 | |
| 83 | public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) |
| 84 | { |
| 85 | } |
| 86 | |
| 87 | public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) |
| 88 | { |
| 89 | } |
| 90 | }}; |
| 91 | |
| 92 | private static final Logger LOG = Log.getLogger(SslContextFactory.class); |
| 93 | |
| 94 | public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM = |
| 95 | (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ? |
| 96 | "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm")); |
| 97 | public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM = |
| 98 | (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ? |
| 99 | "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm")); |
| 100 | |
| 101 | /** Default value for the keystore location path. */ |
| 102 | public static final String DEFAULT_KEYSTORE_PATH = |
| 103 | System.getProperty("user.home") + File.separator + ".keystore"; |
| 104 | |
| 105 | /** String name of key password property. */ |
| 106 | public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword"; |
| 107 | |
| 108 | /** String name of keystore password property. */ |
| 109 | public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password"; |
| 110 | |
| 111 | /** Excluded protocols. */ |
| 112 | private final Set<String> _excludeProtocols = new LinkedHashSet<String>(); |
| 113 | /** Included protocols. */ |
| 114 | private Set<String> _includeProtocols = null; |
| 115 | |
| 116 | /** Excluded cipher suites. */ |
| 117 | private final Set<String> _excludeCipherSuites = new LinkedHashSet<String>(); |
| 118 | /** Included cipher suites. */ |
| 119 | private Set<String> _includeCipherSuites = null; |
| 120 | |
| 121 | /** Keystore path. */ |
| 122 | private String _keyStorePath; |
| 123 | /** Keystore provider name */ |
| 124 | private String _keyStoreProvider; |
| 125 | /** Keystore type */ |
| 126 | private String _keyStoreType = "JKS"; |
| 127 | /** Keystore input stream */ |
| 128 | private InputStream _keyStoreInputStream; |
| 129 | |
| 130 | /** SSL certificate alias */ |
| 131 | private String _certAlias; |
| 132 | |
| 133 | /** Truststore path */ |
| 134 | private String _trustStorePath; |
| 135 | /** Truststore provider name */ |
| 136 | private String _trustStoreProvider; |
| 137 | /** Truststore type */ |
| 138 | private String _trustStoreType = "JKS"; |
| 139 | /** Truststore input stream */ |
| 140 | private InputStream _trustStoreInputStream; |
| 141 | |
| 142 | /** Set to true if client certificate authentication is required */ |
| 143 | private boolean _needClientAuth = false; |
| 144 | /** Set to true if client certificate authentication is desired */ |
| 145 | private boolean _wantClientAuth = false; |
| 146 | |
| 147 | /** Set to true if renegotiation is allowed */ |
| 148 | private boolean _allowRenegotiate = true; |
| 149 | |
| 150 | /** Keystore password */ |
| 151 | private transient Password _keyStorePassword; |
| 152 | /** Key manager password */ |
| 153 | private transient Password _keyManagerPassword; |
| 154 | /** Truststore password */ |
| 155 | private transient Password _trustStorePassword; |
| 156 | |
| 157 | /** SSL provider name */ |
| 158 | private String _sslProvider; |
| 159 | /** SSL protocol name */ |
| 160 | private String _sslProtocol = "TLS"; |
| 161 | |
| 162 | /** SecureRandom algorithm */ |
| 163 | private String _secureRandomAlgorithm; |
| 164 | /** KeyManager factory algorithm */ |
| 165 | private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM; |
| 166 | /** TrustManager factory algorithm */ |
| 167 | private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM; |
| 168 | |
| 169 | /** Set to true if SSL certificate validation is required */ |
| 170 | private boolean _validateCerts; |
| 171 | /** Set to true if SSL certificate of the peer validation is required */ |
| 172 | private boolean _validatePeerCerts; |
| 173 | /** Maximum certification path length (n - number of intermediate certs, -1 for unlimited) */ |
| 174 | private int _maxCertPathLength = -1; |
| 175 | /** Path to file that contains Certificate Revocation List */ |
| 176 | private String _crlPath; |
| 177 | /** Set to true to enable CRL Distribution Points (CRLDP) support */ |
| 178 | private boolean _enableCRLDP = false; |
| 179 | /** Set to true to enable On-Line Certificate Status Protocol (OCSP) support */ |
| 180 | private boolean _enableOCSP = false; |
| 181 | /** Location of OCSP Responder */ |
| 182 | private String _ocspResponderURL; |
| 183 | |
| 184 | /** SSL keystore */ |
| 185 | private KeyStore _keyStore; |
| 186 | /** SSL truststore */ |
| 187 | private KeyStore _trustStore; |
| 188 | /** Set to true to enable SSL Session caching */ |
| 189 | private boolean _sessionCachingEnabled = true; |
| 190 | /** SSL session cache size */ |
| 191 | private int _sslSessionCacheSize; |
| 192 | /** SSL session timeout */ |
| 193 | private int _sslSessionTimeout; |
| 194 | |
| 195 | /** SSL context */ |
| 196 | private SSLContext _context; |
| 197 | |
| 198 | private boolean _trustAll; |
| 199 | |
| 200 | /* ------------------------------------------------------------ */ |
| 201 | /** |
| 202 | * Construct an instance of SslContextFactory |
| 203 | * Default constructor for use in XmlConfiguration files |
| 204 | */ |
| 205 | public SslContextFactory() |
| 206 | { |
| 207 | _trustAll=true; |
| 208 | } |
| 209 | |
| 210 | /* ------------------------------------------------------------ */ |
| 211 | /** |
| 212 | * Construct an instance of SslContextFactory |
| 213 | * Default constructor for use in XmlConfiguration files |
| 214 | * @param trustAll whether to blindly trust all certificates |
| 215 | * @see #setTrustAll(boolean) |
| 216 | */ |
| 217 | public SslContextFactory(boolean trustAll) |
| 218 | { |
| 219 | _trustAll=trustAll; |
| 220 | } |
| 221 | |
| 222 | /* ------------------------------------------------------------ */ |
| 223 | /** |
| 224 | * Construct an instance of SslContextFactory |
| 225 | * @param keyStorePath default keystore location |
| 226 | */ |
| 227 | public SslContextFactory(String keyStorePath) |
| 228 | { |
| 229 | _keyStorePath = keyStorePath; |
| 230 | } |
| 231 | |
| 232 | /* ------------------------------------------------------------ */ |
| 233 | /** |
| 234 | * Create the SSLContext object and start the lifecycle |
| 235 | * @see org.eclipse.jetty.util.component.AbstractLifeCycle#doStart() |
| 236 | */ |
| 237 | @Override |
| 238 | protected void doStart() throws Exception |
| 239 | { |
| 240 | if (_context == null) |
| 241 | { |
| 242 | if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null && |
| 243 | _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null ) |
| 244 | { |
| 245 | TrustManager[] trust_managers=null; |
| 246 | |
| 247 | if (_trustAll) |
| 248 | { |
| 249 | LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!"); |
| 250 | // Create a trust manager that does not validate certificate chains |
| 251 | trust_managers = TRUST_ALL_CERTS; |
| 252 | } |
| 253 | |
| 254 | SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm); |
| 255 | _context = SSLContext.getInstance(_sslProtocol); |
| 256 | _context.init(null, trust_managers, secureRandom); |
| 257 | } |
| 258 | else |
| 259 | { |
| 260 | // verify that keystore and truststore |
| 261 | // parameters are set up correctly |
| 262 | checkKeyStore(); |
| 263 | |
| 264 | KeyStore keyStore = loadKeyStore(); |
| 265 | KeyStore trustStore = loadTrustStore(); |
| 266 | |
| 267 | Collection<? extends CRL> crls = loadCRL(_crlPath); |
| 268 | |
| 269 | if (_validateCerts && keyStore != null) |
| 270 | { |
| 271 | if (_certAlias == null) |
| 272 | { |
| 273 | List<String> aliases = Collections.list(keyStore.aliases()); |
| 274 | _certAlias = aliases.size() == 1 ? aliases.get(0) : null; |
| 275 | } |
| 276 | |
| 277 | Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias); |
| 278 | if (cert == null) |
| 279 | { |
| 280 | throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias)); |
| 281 | } |
| 282 | |
| 283 | CertificateValidator validator = new CertificateValidator(trustStore, crls); |
| 284 | validator.setMaxCertPathLength(_maxCertPathLength); |
| 285 | validator.setEnableCRLDP(_enableCRLDP); |
| 286 | validator.setEnableOCSP(_enableOCSP); |
| 287 | validator.setOcspResponderURL(_ocspResponderURL); |
| 288 | validator.validate(keyStore, cert); |
| 289 | } |
| 290 | |
| 291 | KeyManager[] keyManagers = getKeyManagers(keyStore); |
| 292 | TrustManager[] trustManagers = getTrustManagers(trustStore,crls); |
| 293 | |
| 294 | SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm); |
| 295 | _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider); |
| 296 | _context.init(keyManagers,trustManagers,secureRandom); |
| 297 | |
| 298 | SSLEngine engine=newSslEngine(); |
| 299 | |
| 300 | LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols())); |
| 301 | if (LOG.isDebugEnabled()) |
| 302 | LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites())); |
| 303 | } |
| 304 | } |
| 305 | } |
| 306 | |
| 307 | /* ------------------------------------------------------------ */ |
| 308 | /** |
| 309 | * @return The array of protocol names to exclude from |
| 310 | * {@link SSLEngine#setEnabledProtocols(String[])} |
| 311 | */ |
| 312 | public String[] getExcludeProtocols() |
| 313 | { |
| 314 | return _excludeProtocols.toArray(new String[_excludeProtocols.size()]); |
| 315 | } |
| 316 | |
| 317 | /* ------------------------------------------------------------ */ |
| 318 | /** |
| 319 | * @param protocols |
| 320 | * The array of protocol names to exclude from |
| 321 | * {@link SSLEngine#setEnabledProtocols(String[])} |
| 322 | */ |
| 323 | public void setExcludeProtocols(String... protocols) |
| 324 | { |
| 325 | checkNotStarted(); |
| 326 | |
| 327 | _excludeProtocols.clear(); |
| 328 | _excludeProtocols.addAll(Arrays.asList(protocols)); |
| 329 | } |
| 330 | |
| 331 | /* ------------------------------------------------------------ */ |
| 332 | /** |
| 333 | * @param protocol Protocol names to add to {@link SSLEngine#setEnabledProtocols(String[])} |
| 334 | */ |
| 335 | public void addExcludeProtocols(String... protocol) |
| 336 | { |
| 337 | checkNotStarted(); |
| 338 | _excludeProtocols.addAll(Arrays.asList(protocol)); |
| 339 | } |
| 340 | |
| 341 | /* ------------------------------------------------------------ */ |
| 342 | /** |
| 343 | * @return The array of protocol names to include in |
| 344 | * {@link SSLEngine#setEnabledProtocols(String[])} |
| 345 | */ |
| 346 | public String[] getIncludeProtocols() |
| 347 | { |
| 348 | return _includeProtocols.toArray(new String[_includeProtocols.size()]); |
| 349 | } |
| 350 | |
| 351 | /* ------------------------------------------------------------ */ |
| 352 | /** |
| 353 | * @param protocols |
| 354 | * The array of protocol names to include in |
| 355 | * {@link SSLEngine#setEnabledProtocols(String[])} |
| 356 | */ |
| 357 | public void setIncludeProtocols(String... protocols) |
| 358 | { |
| 359 | checkNotStarted(); |
| 360 | |
| 361 | _includeProtocols = new LinkedHashSet<String>(Arrays.asList(protocols)); |
| 362 | } |
| 363 | |
| 364 | /* ------------------------------------------------------------ */ |
| 365 | /** |
| 366 | * @return The array of cipher suite names to exclude from |
| 367 | * {@link SSLEngine#setEnabledCipherSuites(String[])} |
| 368 | */ |
| 369 | public String[] getExcludeCipherSuites() |
| 370 | { |
| 371 | return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]); |
| 372 | } |
| 373 | |
| 374 | /* ------------------------------------------------------------ */ |
| 375 | /** |
| 376 | * @param cipherSuites |
| 377 | * The array of cipher suite names to exclude from |
| 378 | * {@link SSLEngine#setEnabledCipherSuites(String[])} |
| 379 | */ |
| 380 | public void setExcludeCipherSuites(String... cipherSuites) |
| 381 | { |
| 382 | checkNotStarted(); |
| 383 | _excludeCipherSuites.clear(); |
| 384 | _excludeCipherSuites.addAll(Arrays.asList(cipherSuites)); |
| 385 | } |
| 386 | |
| 387 | /* ------------------------------------------------------------ */ |
| 388 | /** |
| 389 | * @param cipher Cipher names to add to {@link SSLEngine#setEnabledCipherSuites(String[])} |
| 390 | */ |
| 391 | public void addExcludeCipherSuites(String... cipher) |
| 392 | { |
| 393 | checkNotStarted(); |
| 394 | _excludeCipherSuites.addAll(Arrays.asList(cipher)); |
| 395 | } |
| 396 | |
| 397 | /* ------------------------------------------------------------ */ |
| 398 | /** |
| 399 | * @return The array of cipher suite names to include in |
| 400 | * {@link SSLEngine#setEnabledCipherSuites(String[])} |
| 401 | */ |
| 402 | public String[] getIncludeCipherSuites() |
| 403 | { |
| 404 | return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]); |
| 405 | } |
| 406 | |
| 407 | /* ------------------------------------------------------------ */ |
| 408 | /** |
| 409 | * @param cipherSuites |
| 410 | * The array of cipher suite names to include in |
| 411 | * {@link SSLEngine#setEnabledCipherSuites(String[])} |
| 412 | */ |
| 413 | public void setIncludeCipherSuites(String... cipherSuites) |
| 414 | { |
| 415 | checkNotStarted(); |
| 416 | |
| 417 | _includeCipherSuites = new LinkedHashSet<String>(Arrays.asList(cipherSuites)); |
| 418 | } |
| 419 | |
| 420 | /* ------------------------------------------------------------ */ |
| 421 | /** |
| 422 | * @return The file or URL of the SSL Key store. |
| 423 | */ |
| 424 | public String getKeyStorePath() |
| 425 | { |
| 426 | return _keyStorePath; |
| 427 | } |
| 428 | |
| 429 | /* ------------------------------------------------------------ */ |
| 430 | @Deprecated |
| 431 | public String getKeyStore() |
| 432 | { |
| 433 | return _keyStorePath; |
| 434 | } |
| 435 | |
| 436 | /* ------------------------------------------------------------ */ |
| 437 | /** |
| 438 | * @param keyStorePath |
| 439 | * The file or URL of the SSL Key store. |
| 440 | */ |
| 441 | public void setKeyStorePath(String keyStorePath) |
| 442 | { |
| 443 | checkNotStarted(); |
| 444 | |
| 445 | _keyStorePath = keyStorePath; |
| 446 | } |
| 447 | |
| 448 | /* ------------------------------------------------------------ */ |
| 449 | /** |
| 450 | * @param keyStorePath the file system path or URL of the keystore |
| 451 | * @deprecated Use {@link #setKeyStorePath(String)} |
| 452 | */ |
| 453 | @Deprecated |
| 454 | public void setKeyStore(String keyStorePath) |
| 455 | { |
| 456 | checkNotStarted(); |
| 457 | |
| 458 | _keyStorePath = keyStorePath; |
| 459 | } |
| 460 | |
| 461 | /* ------------------------------------------------------------ */ |
| 462 | /** |
| 463 | * @return The provider of the key store |
| 464 | */ |
| 465 | public String getKeyStoreProvider() |
| 466 | { |
| 467 | return _keyStoreProvider; |
| 468 | } |
| 469 | |
| 470 | /* ------------------------------------------------------------ */ |
| 471 | /** |
| 472 | * @param keyStoreProvider |
| 473 | * The provider of the key store |
| 474 | */ |
| 475 | public void setKeyStoreProvider(String keyStoreProvider) |
| 476 | { |
| 477 | checkNotStarted(); |
| 478 | |
| 479 | _keyStoreProvider = keyStoreProvider; |
| 480 | } |
| 481 | |
| 482 | /* ------------------------------------------------------------ */ |
| 483 | /** |
| 484 | * @return The type of the key store (default "JKS") |
| 485 | */ |
| 486 | public String getKeyStoreType() |
| 487 | { |
| 488 | return (_keyStoreType); |
| 489 | } |
| 490 | |
| 491 | /* ------------------------------------------------------------ */ |
| 492 | /** |
| 493 | * @param keyStoreType |
| 494 | * The type of the key store (default "JKS") |
| 495 | */ |
| 496 | public void setKeyStoreType(String keyStoreType) |
| 497 | { |
| 498 | checkNotStarted(); |
| 499 | |
| 500 | _keyStoreType = keyStoreType; |
| 501 | } |
| 502 | |
| 503 | /* ------------------------------------------------------------ */ |
| 504 | /** Get the _keyStoreInputStream. |
| 505 | * @return the _keyStoreInputStream |
| 506 | * |
| 507 | * @deprecated |
| 508 | */ |
| 509 | @Deprecated |
| 510 | public InputStream getKeyStoreInputStream() |
| 511 | { |
| 512 | checkKeyStore(); |
| 513 | |
| 514 | return _keyStoreInputStream; |
| 515 | } |
| 516 | |
| 517 | /* ------------------------------------------------------------ */ |
| 518 | /** Set the keyStoreInputStream. |
| 519 | * @param keyStoreInputStream the InputStream to the KeyStore |
| 520 | * |
| 521 | * @deprecated Use {@link #setKeyStore(KeyStore)} |
| 522 | */ |
| 523 | @Deprecated |
| 524 | public void setKeyStoreInputStream(InputStream keyStoreInputStream) |
| 525 | { |
| 526 | checkNotStarted(); |
| 527 | |
| 528 | _keyStoreInputStream = keyStoreInputStream; |
| 529 | } |
| 530 | |
| 531 | /* ------------------------------------------------------------ */ |
| 532 | /** |
| 533 | * @return Alias of SSL certificate for the connector |
| 534 | */ |
| 535 | public String getCertAlias() |
| 536 | { |
| 537 | return _certAlias; |
| 538 | } |
| 539 | |
| 540 | /* ------------------------------------------------------------ */ |
| 541 | /** |
| 542 | * @param certAlias |
| 543 | * Alias of SSL certificate for the connector |
| 544 | */ |
| 545 | public void setCertAlias(String certAlias) |
| 546 | { |
| 547 | checkNotStarted(); |
| 548 | |
| 549 | _certAlias = certAlias; |
| 550 | } |
| 551 | |
| 552 | /* ------------------------------------------------------------ */ |
| 553 | /** |
| 554 | * @return The file name or URL of the trust store location |
| 555 | */ |
| 556 | public String getTrustStore() |
| 557 | { |
| 558 | return _trustStorePath; |
| 559 | } |
| 560 | |
| 561 | /* ------------------------------------------------------------ */ |
| 562 | /** |
| 563 | * @param trustStorePath |
| 564 | * The file name or URL of the trust store location |
| 565 | */ |
| 566 | public void setTrustStore(String trustStorePath) |
| 567 | { |
| 568 | checkNotStarted(); |
| 569 | |
| 570 | _trustStorePath = trustStorePath; |
| 571 | } |
| 572 | |
| 573 | /* ------------------------------------------------------------ */ |
| 574 | /** |
| 575 | * @return The provider of the trust store |
| 576 | */ |
| 577 | public String getTrustStoreProvider() |
| 578 | { |
| 579 | return _trustStoreProvider; |
| 580 | } |
| 581 | |
| 582 | /* ------------------------------------------------------------ */ |
| 583 | /** |
| 584 | * @param trustStoreProvider |
| 585 | * The provider of the trust store |
| 586 | */ |
| 587 | public void setTrustStoreProvider(String trustStoreProvider) |
| 588 | { |
| 589 | checkNotStarted(); |
| 590 | |
| 591 | _trustStoreProvider = trustStoreProvider; |
| 592 | } |
| 593 | |
| 594 | /* ------------------------------------------------------------ */ |
| 595 | /** |
| 596 | * @return The type of the trust store (default "JKS") |
| 597 | */ |
| 598 | public String getTrustStoreType() |
| 599 | { |
| 600 | return _trustStoreType; |
| 601 | } |
| 602 | |
| 603 | /* ------------------------------------------------------------ */ |
| 604 | /** |
| 605 | * @param trustStoreType |
| 606 | * The type of the trust store (default "JKS") |
| 607 | */ |
| 608 | public void setTrustStoreType(String trustStoreType) |
| 609 | { |
| 610 | checkNotStarted(); |
| 611 | |
| 612 | _trustStoreType = trustStoreType; |
| 613 | } |
| 614 | |
| 615 | /* ------------------------------------------------------------ */ |
| 616 | /** Get the _trustStoreInputStream. |
| 617 | * @return the _trustStoreInputStream |
| 618 | * |
| 619 | * @deprecated |
| 620 | */ |
| 621 | @Deprecated |
| 622 | public InputStream getTrustStoreInputStream() |
| 623 | { |
| 624 | checkKeyStore(); |
| 625 | |
| 626 | return _trustStoreInputStream; |
| 627 | } |
| 628 | |
| 629 | /* ------------------------------------------------------------ */ |
| 630 | /** Set the _trustStoreInputStream. |
| 631 | * @param trustStoreInputStream the InputStream to the TrustStore |
| 632 | * |
| 633 | * @deprecated |
| 634 | */ |
| 635 | @Deprecated |
| 636 | public void setTrustStoreInputStream(InputStream trustStoreInputStream) |
| 637 | { |
| 638 | checkNotStarted(); |
| 639 | |
| 640 | _trustStoreInputStream = trustStoreInputStream; |
| 641 | } |
| 642 | |
| 643 | /* ------------------------------------------------------------ */ |
| 644 | /** |
| 645 | * @return True if SSL needs client authentication. |
| 646 | * @see SSLEngine#getNeedClientAuth() |
| 647 | */ |
| 648 | public boolean getNeedClientAuth() |
| 649 | { |
| 650 | return _needClientAuth; |
| 651 | } |
| 652 | |
| 653 | /* ------------------------------------------------------------ */ |
| 654 | /** |
| 655 | * @param needClientAuth |
| 656 | * True if SSL needs client authentication. |
| 657 | * @see SSLEngine#getNeedClientAuth() |
| 658 | */ |
| 659 | public void setNeedClientAuth(boolean needClientAuth) |
| 660 | { |
| 661 | checkNotStarted(); |
| 662 | |
| 663 | _needClientAuth = needClientAuth; |
| 664 | } |
| 665 | |
| 666 | /* ------------------------------------------------------------ */ |
| 667 | /** |
| 668 | * @return True if SSL wants client authentication. |
| 669 | * @see SSLEngine#getWantClientAuth() |
| 670 | */ |
| 671 | public boolean getWantClientAuth() |
| 672 | { |
| 673 | return _wantClientAuth; |
| 674 | } |
| 675 | |
| 676 | /* ------------------------------------------------------------ */ |
| 677 | /** |
| 678 | * @param wantClientAuth |
| 679 | * True if SSL wants client authentication. |
| 680 | * @see SSLEngine#getWantClientAuth() |
| 681 | */ |
| 682 | public void setWantClientAuth(boolean wantClientAuth) |
| 683 | { |
| 684 | checkNotStarted(); |
| 685 | |
| 686 | _wantClientAuth = wantClientAuth; |
| 687 | } |
| 688 | |
| 689 | /* ------------------------------------------------------------ */ |
| 690 | /** |
| 691 | * @return true if SSL certificate has to be validated |
| 692 | * @deprecated |
| 693 | */ |
| 694 | @Deprecated |
| 695 | public boolean getValidateCerts() |
| 696 | { |
| 697 | return _validateCerts; |
| 698 | } |
| 699 | |
| 700 | /* ------------------------------------------------------------ */ |
| 701 | /** |
| 702 | * @return true if SSL certificate has to be validated |
| 703 | */ |
| 704 | public boolean isValidateCerts() |
| 705 | { |
| 706 | return _validateCerts; |
| 707 | } |
| 708 | |
| 709 | /* ------------------------------------------------------------ */ |
| 710 | /** |
| 711 | * @param validateCerts |
| 712 | * true if SSL certificates have to be validated |
| 713 | */ |
| 714 | public void setValidateCerts(boolean validateCerts) |
| 715 | { |
| 716 | checkNotStarted(); |
| 717 | |
| 718 | _validateCerts = validateCerts; |
| 719 | } |
| 720 | |
| 721 | /* ------------------------------------------------------------ */ |
| 722 | /** |
| 723 | * @return true if SSL certificates of the peer have to be validated |
| 724 | */ |
| 725 | public boolean isValidatePeerCerts() |
| 726 | { |
| 727 | return _validatePeerCerts; |
| 728 | } |
| 729 | |
| 730 | /* ------------------------------------------------------------ */ |
| 731 | /** |
| 732 | * @param validatePeerCerts |
| 733 | * true if SSL certificates of the peer have to be validated |
| 734 | */ |
| 735 | public void setValidatePeerCerts(boolean validatePeerCerts) |
| 736 | { |
| 737 | checkNotStarted(); |
| 738 | |
| 739 | _validatePeerCerts = validatePeerCerts; |
| 740 | } |
| 741 | |
| 742 | /* ------------------------------------------------------------ */ |
| 743 | /** |
| 744 | * @return True if SSL re-negotiation is allowed (default false) |
| 745 | */ |
| 746 | public boolean isAllowRenegotiate() |
| 747 | { |
| 748 | return _allowRenegotiate; |
| 749 | } |
| 750 | |
| 751 | /* ------------------------------------------------------------ */ |
| 752 | /** |
| 753 | * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered |
| 754 | * a vulnerability in SSL/TLS with re-negotiation. If your JVM |
| 755 | * does not have CVE-2009-3555 fixed, then re-negotiation should |
| 756 | * not be allowed. CVE-2009-3555 was fixed in Sun java 1.6 with a ban |
| 757 | * of renegotiates in u19 and with RFC5746 in u22. |
| 758 | * |
| 759 | * @param allowRenegotiate |
| 760 | * true if re-negotiation is allowed (default false) |
| 761 | */ |
| 762 | public void setAllowRenegotiate(boolean allowRenegotiate) |
| 763 | { |
| 764 | checkNotStarted(); |
| 765 | |
| 766 | _allowRenegotiate = allowRenegotiate; |
| 767 | } |
| 768 | |
| 769 | /* ------------------------------------------------------------ */ |
| 770 | /** |
| 771 | * @param password |
| 772 | * The password for the key store |
| 773 | */ |
| 774 | public void setKeyStorePassword(String password) |
| 775 | { |
| 776 | checkNotStarted(); |
| 777 | |
| 778 | _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null); |
| 779 | } |
| 780 | |
| 781 | /* ------------------------------------------------------------ */ |
| 782 | /** |
| 783 | * @param password |
| 784 | * The password (if any) for the specific key within the key store |
| 785 | */ |
| 786 | public void setKeyManagerPassword(String password) |
| 787 | { |
| 788 | checkNotStarted(); |
| 789 | |
| 790 | _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null); |
| 791 | } |
| 792 | |
| 793 | /* ------------------------------------------------------------ */ |
| 794 | /** |
| 795 | * @param password |
| 796 | * The password for the trust store |
| 797 | */ |
| 798 | public void setTrustStorePassword(String password) |
| 799 | { |
| 800 | checkNotStarted(); |
| 801 | |
| 802 | _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null); |
| 803 | } |
| 804 | |
| 805 | /* ------------------------------------------------------------ */ |
| 806 | /** |
| 807 | * @return The SSL provider name, which if set is passed to |
| 808 | * {@link SSLContext#getInstance(String, String)} |
| 809 | */ |
| 810 | public String getProvider() |
| 811 | { |
| 812 | return _sslProvider; |
| 813 | } |
| 814 | |
| 815 | /* ------------------------------------------------------------ */ |
| 816 | /** |
| 817 | * @param provider |
| 818 | * The SSL provider name, which if set is passed to |
| 819 | * {@link SSLContext#getInstance(String, String)} |
| 820 | */ |
| 821 | public void setProvider(String provider) |
| 822 | { |
| 823 | checkNotStarted(); |
| 824 | |
| 825 | _sslProvider = provider; |
| 826 | } |
| 827 | |
| 828 | /* ------------------------------------------------------------ */ |
| 829 | /** |
| 830 | * @return The SSL protocol (default "TLS") passed to |
| 831 | * {@link SSLContext#getInstance(String, String)} |
| 832 | */ |
| 833 | public String getProtocol() |
| 834 | { |
| 835 | return _sslProtocol; |
| 836 | } |
| 837 | |
| 838 | /* ------------------------------------------------------------ */ |
| 839 | /** |
| 840 | * @param protocol |
| 841 | * The SSL protocol (default "TLS") passed to |
| 842 | * {@link SSLContext#getInstance(String, String)} |
| 843 | */ |
| 844 | public void setProtocol(String protocol) |
| 845 | { |
| 846 | checkNotStarted(); |
| 847 | |
| 848 | _sslProtocol = protocol; |
| 849 | } |
| 850 | |
| 851 | /* ------------------------------------------------------------ */ |
| 852 | /** |
| 853 | * @return The algorithm name, which if set is passed to |
| 854 | * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to |
| 855 | * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)} |
| 856 | */ |
| 857 | public String getSecureRandomAlgorithm() |
| 858 | { |
| 859 | return _secureRandomAlgorithm; |
| 860 | } |
| 861 | |
| 862 | /* ------------------------------------------------------------ */ |
| 863 | /** |
| 864 | * @param algorithm |
| 865 | * The algorithm name, which if set is passed to |
| 866 | * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to |
| 867 | * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)} |
| 868 | */ |
| 869 | public void setSecureRandomAlgorithm(String algorithm) |
| 870 | { |
| 871 | checkNotStarted(); |
| 872 | |
| 873 | _secureRandomAlgorithm = algorithm; |
| 874 | } |
| 875 | |
| 876 | /* ------------------------------------------------------------ */ |
| 877 | /** |
| 878 | * @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory} |
| 879 | */ |
| 880 | public String getSslKeyManagerFactoryAlgorithm() |
| 881 | { |
| 882 | return (_keyManagerFactoryAlgorithm); |
| 883 | } |
| 884 | |
| 885 | /* ------------------------------------------------------------ */ |
| 886 | /** |
| 887 | * @param algorithm |
| 888 | * The algorithm name (default "SunX509") used by the {@link KeyManagerFactory} |
| 889 | */ |
| 890 | public void setSslKeyManagerFactoryAlgorithm(String algorithm) |
| 891 | { |
| 892 | checkNotStarted(); |
| 893 | |
| 894 | _keyManagerFactoryAlgorithm = algorithm; |
| 895 | } |
| 896 | |
| 897 | /* ------------------------------------------------------------ */ |
| 898 | /** |
| 899 | * @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory} |
| 900 | */ |
| 901 | public String getTrustManagerFactoryAlgorithm() |
| 902 | { |
| 903 | return (_trustManagerFactoryAlgorithm); |
| 904 | } |
| 905 | |
| 906 | /* ------------------------------------------------------------ */ |
| 907 | /** |
| 908 | * @return True if all certificates should be trusted if there is no KeyStore or TrustStore |
| 909 | */ |
| 910 | public boolean isTrustAll() |
| 911 | { |
| 912 | return _trustAll; |
| 913 | } |
| 914 | |
| 915 | /* ------------------------------------------------------------ */ |
| 916 | /** |
| 917 | * @param trustAll True if all certificates should be trusted if there is no KeyStore or TrustStore |
| 918 | */ |
| 919 | public void setTrustAll(boolean trustAll) |
| 920 | { |
| 921 | _trustAll = trustAll; |
| 922 | } |
| 923 | |
| 924 | /* ------------------------------------------------------------ */ |
| 925 | /** |
| 926 | * @param algorithm |
| 927 | * The algorithm name (default "SunX509") used by the {@link TrustManagerFactory} |
| 928 | * Use the string "TrustAll" to install a trust manager that trusts all. |
| 929 | */ |
| 930 | public void setTrustManagerFactoryAlgorithm(String algorithm) |
| 931 | { |
| 932 | checkNotStarted(); |
| 933 | |
| 934 | _trustManagerFactoryAlgorithm = algorithm; |
| 935 | } |
| 936 | |
| 937 | /* ------------------------------------------------------------ */ |
| 938 | /** |
| 939 | * @return Path to file that contains Certificate Revocation List |
| 940 | */ |
| 941 | public String getCrlPath() |
| 942 | { |
| 943 | return _crlPath; |
| 944 | } |
| 945 | |
| 946 | /* ------------------------------------------------------------ */ |
| 947 | /** |
| 948 | * @param crlPath |
| 949 | * Path to file that contains Certificate Revocation List |
| 950 | */ |
| 951 | public void setCrlPath(String crlPath) |
| 952 | { |
| 953 | checkNotStarted(); |
| 954 | |
| 955 | _crlPath = crlPath; |
| 956 | } |
| 957 | |
| 958 | /* ------------------------------------------------------------ */ |
| 959 | /** |
| 960 | * @return Maximum number of intermediate certificates in |
| 961 | * the certification path (-1 for unlimited) |
| 962 | */ |
| 963 | public int getMaxCertPathLength() |
| 964 | { |
| 965 | return _maxCertPathLength; |
| 966 | } |
| 967 | |
| 968 | /* ------------------------------------------------------------ */ |
| 969 | /** |
| 970 | * @param maxCertPathLength |
| 971 | * maximum number of intermediate certificates in |
| 972 | * the certification path (-1 for unlimited) |
| 973 | */ |
| 974 | public void setMaxCertPathLength(int maxCertPathLength) |
| 975 | { |
| 976 | checkNotStarted(); |
| 977 | |
| 978 | _maxCertPathLength = maxCertPathLength; |
| 979 | } |
| 980 | |
| 981 | /* ------------------------------------------------------------ */ |
| 982 | /** |
| 983 | * @return The SSLContext |
| 984 | */ |
| 985 | public SSLContext getSslContext() |
| 986 | { |
| 987 | if (!isStarted()) |
| 988 | throw new IllegalStateException(getState()); |
| 989 | return _context; |
| 990 | } |
| 991 | |
| 992 | /* ------------------------------------------------------------ */ |
| 993 | /** |
| 994 | * @param sslContext |
| 995 | * Set a preconfigured SSLContext |
| 996 | */ |
| 997 | public void setSslContext(SSLContext sslContext) |
| 998 | { |
| 999 | checkNotStarted(); |
| 1000 | |
| 1001 | _context = sslContext; |
| 1002 | } |
| 1003 | |
| 1004 | /* ------------------------------------------------------------ */ |
| 1005 | /** |
| 1006 | * Override this method to provide alternate way to load a keystore. |
| 1007 | * |
| 1008 | * @return the key store instance |
| 1009 | * @throws Exception if the keystore cannot be loaded |
| 1010 | */ |
| 1011 | protected KeyStore loadKeyStore() throws Exception |
| 1012 | { |
| 1013 | return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream, |
| 1014 | _keyStorePath, _keyStoreType, _keyStoreProvider, |
| 1015 | _keyStorePassword==null? null: _keyStorePassword.toString()); |
| 1016 | } |
| 1017 | |
| 1018 | /* ------------------------------------------------------------ */ |
| 1019 | /** |
| 1020 | * Override this method to provide alternate way to load a truststore. |
| 1021 | * |
| 1022 | * @return the key store instance |
| 1023 | * @throws Exception if the truststore cannot be loaded |
| 1024 | */ |
| 1025 | protected KeyStore loadTrustStore() throws Exception |
| 1026 | { |
| 1027 | return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream, |
| 1028 | _trustStorePath, _trustStoreType, _trustStoreProvider, |
| 1029 | _trustStorePassword==null? null: _trustStorePassword.toString()); |
| 1030 | } |
| 1031 | |
| 1032 | /* ------------------------------------------------------------ */ |
| 1033 | /** |
| 1034 | * Loads keystore using an input stream or a file path in the same |
| 1035 | * order of precedence. |
| 1036 | * |
| 1037 | * Required for integrations to be able to override the mechanism |
| 1038 | * used to load a keystore in order to provide their own implementation. |
| 1039 | * |
| 1040 | * @param storeStream keystore input stream |
| 1041 | * @param storePath path of keystore file |
| 1042 | * @param storeType keystore type |
| 1043 | * @param storeProvider keystore provider |
| 1044 | * @param storePassword keystore password |
| 1045 | * @return created keystore |
| 1046 | * @throws Exception if the keystore cannot be obtained |
| 1047 | * |
| 1048 | * @deprecated |
| 1049 | */ |
| 1050 | @Deprecated |
| 1051 | protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception |
| 1052 | { |
| 1053 | return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword); |
| 1054 | } |
| 1055 | |
| 1056 | /* ------------------------------------------------------------ */ |
| 1057 | /** |
| 1058 | * Loads certificate revocation list (CRL) from a file. |
| 1059 | * |
| 1060 | * Required for integrations to be able to override the mechanism used to |
| 1061 | * load CRL in order to provide their own implementation. |
| 1062 | * |
| 1063 | * @param crlPath path of certificate revocation list file |
| 1064 | * @return Collection of CRL's |
| 1065 | * @throws Exception if the certificate revocation list cannot be loaded |
| 1066 | */ |
| 1067 | protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception |
| 1068 | { |
| 1069 | return CertificateUtils.loadCRL(crlPath); |
| 1070 | } |
| 1071 | |
| 1072 | /* ------------------------------------------------------------ */ |
| 1073 | protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception |
| 1074 | { |
| 1075 | KeyManager[] managers = null; |
| 1076 | |
| 1077 | if (keyStore != null) |
| 1078 | { |
| 1079 | KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm); |
| 1080 | keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray()); |
| 1081 | managers = keyManagerFactory.getKeyManagers(); |
| 1082 | |
| 1083 | if (_certAlias != null) |
| 1084 | { |
| 1085 | for (int idx = 0; idx < managers.length; idx++) |
| 1086 | { |
| 1087 | if (managers[idx] instanceof X509KeyManager) |
| 1088 | { |
| 1089 | managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]); |
| 1090 | } |
| 1091 | } |
| 1092 | } |
| 1093 | } |
| 1094 | |
| 1095 | return managers; |
| 1096 | } |
| 1097 | |
| 1098 | /* ------------------------------------------------------------ */ |
| 1099 | protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception |
| 1100 | { |
| 1101 | TrustManager[] managers = null; |
| 1102 | if (trustStore != null) |
| 1103 | { |
| 1104 | // Revocation checking is only supported for PKIX algorithm |
| 1105 | if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX")) |
| 1106 | { |
| 1107 | PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector()); |
| 1108 | |
| 1109 | // Set maximum certification path length |
| 1110 | pbParams.setMaxPathLength(_maxCertPathLength); |
| 1111 | |
| 1112 | // Make sure revocation checking is enabled |
| 1113 | pbParams.setRevocationEnabled(true); |
| 1114 | |
| 1115 | if (crls != null && !crls.isEmpty()) |
| 1116 | { |
| 1117 | pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls))); |
| 1118 | } |
| 1119 | |
| 1120 | if (_enableCRLDP) |
| 1121 | { |
| 1122 | // Enable Certificate Revocation List Distribution Points (CRLDP) support |
| 1123 | System.setProperty("com.sun.security.enableCRLDP","true"); |
| 1124 | } |
| 1125 | |
| 1126 | if (_enableOCSP) |
| 1127 | { |
| 1128 | // Enable On-Line Certificate Status Protocol (OCSP) support |
| 1129 | Security.setProperty("ocsp.enable","true"); |
| 1130 | |
| 1131 | if (_ocspResponderURL != null) |
| 1132 | { |
| 1133 | // Override location of OCSP Responder |
| 1134 | Security.setProperty("ocsp.responderURL", _ocspResponderURL); |
| 1135 | } |
| 1136 | } |
| 1137 | |
| 1138 | TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm); |
| 1139 | trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams)); |
| 1140 | |
| 1141 | managers = trustManagerFactory.getTrustManagers(); |
| 1142 | } |
| 1143 | else |
| 1144 | { |
| 1145 | TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm); |
| 1146 | trustManagerFactory.init(trustStore); |
| 1147 | |
| 1148 | managers = trustManagerFactory.getTrustManagers(); |
| 1149 | } |
| 1150 | } |
| 1151 | |
| 1152 | return managers; |
| 1153 | } |
| 1154 | |
| 1155 | /* ------------------------------------------------------------ */ |
| 1156 | /** |
| 1157 | * Check KeyStore Configuration. Ensures that if keystore has been |
| 1158 | * configured but there's no truststore, that keystore is |
| 1159 | * used as truststore. |
| 1160 | * @throws IllegalStateException if SslContextFactory configuration can't be used. |
| 1161 | */ |
| 1162 | public void checkKeyStore() |
| 1163 | { |
| 1164 | if (_context != null) |
| 1165 | return; //nothing to check if using preconfigured context |
| 1166 | |
| 1167 | |
| 1168 | if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null) |
| 1169 | throw new IllegalStateException("SSL doesn't have a valid keystore"); |
| 1170 | |
| 1171 | // if the keystore has been configured but there is no |
| 1172 | // truststore configured, use the keystore as the truststore |
| 1173 | if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null) |
| 1174 | { |
| 1175 | _trustStore = _keyStore; |
| 1176 | _trustStorePath = _keyStorePath; |
| 1177 | _trustStoreInputStream = _keyStoreInputStream; |
| 1178 | _trustStoreType = _keyStoreType; |
| 1179 | _trustStoreProvider = _keyStoreProvider; |
| 1180 | _trustStorePassword = _keyStorePassword; |
| 1181 | _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm; |
| 1182 | } |
| 1183 | |
| 1184 | // It's the same stream we cannot read it twice, so read it once in memory |
| 1185 | if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream) |
| 1186 | { |
| 1187 | try |
| 1188 | { |
| 1189 | ByteArrayOutputStream baos = new ByteArrayOutputStream(); |
| 1190 | IO.copy(_keyStoreInputStream, baos); |
| 1191 | _keyStoreInputStream.close(); |
| 1192 | |
| 1193 | _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray()); |
| 1194 | _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray()); |
| 1195 | } |
| 1196 | catch (Exception ex) |
| 1197 | { |
| 1198 | throw new IllegalStateException(ex); |
| 1199 | } |
| 1200 | } |
| 1201 | } |
| 1202 | |
| 1203 | /* ------------------------------------------------------------ */ |
| 1204 | /** |
| 1205 | * Select protocols to be used by the connector |
| 1206 | * based on configured inclusion and exclusion lists |
| 1207 | * as well as enabled and supported protocols. |
| 1208 | * @param enabledProtocols Array of enabled protocols |
| 1209 | * @param supportedProtocols Array of supported protocols |
| 1210 | * @return Array of protocols to enable |
| 1211 | */ |
| 1212 | public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols) |
| 1213 | { |
| 1214 | Set<String> selected_protocols = new LinkedHashSet<String>(); |
| 1215 | |
| 1216 | // Set the starting protocols - either from the included or enabled list |
| 1217 | if (_includeProtocols!=null) |
| 1218 | { |
| 1219 | // Use only the supported included protocols |
| 1220 | for (String protocol : _includeProtocols) |
| 1221 | if(Arrays.asList(supportedProtocols).contains(protocol)) |
| 1222 | selected_protocols.add(protocol); |
| 1223 | } |
| 1224 | else |
| 1225 | selected_protocols.addAll(Arrays.asList(enabledProtocols)); |
| 1226 | |
| 1227 | |
| 1228 | // Remove any excluded protocols |
| 1229 | if (_excludeProtocols != null) |
| 1230 | selected_protocols.removeAll(_excludeProtocols); |
| 1231 | |
| 1232 | return selected_protocols.toArray(new String[selected_protocols.size()]); |
| 1233 | } |
| 1234 | |
| 1235 | /* ------------------------------------------------------------ */ |
| 1236 | /** |
| 1237 | * Select cipher suites to be used by the connector |
| 1238 | * based on configured inclusion and exclusion lists |
| 1239 | * as well as enabled and supported cipher suite lists. |
| 1240 | * @param enabledCipherSuites Array of enabled cipher suites |
| 1241 | * @param supportedCipherSuites Array of supported cipher suites |
| 1242 | * @return Array of cipher suites to enable |
| 1243 | */ |
| 1244 | public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites) |
| 1245 | { |
| 1246 | Set<String> selected_ciphers = new LinkedHashSet<String>(); |
| 1247 | |
| 1248 | // Set the starting ciphers - either from the included or enabled list |
| 1249 | if (_includeCipherSuites!=null) |
| 1250 | { |
| 1251 | // Use only the supported included ciphers |
| 1252 | for (String cipherSuite : _includeCipherSuites) |
| 1253 | if(Arrays.asList(supportedCipherSuites).contains(cipherSuite)) |
| 1254 | selected_ciphers.add(cipherSuite); |
| 1255 | } |
| 1256 | else |
| 1257 | selected_ciphers.addAll(Arrays.asList(enabledCipherSuites)); |
| 1258 | |
| 1259 | |
| 1260 | // Remove any excluded ciphers |
| 1261 | if (_excludeCipherSuites != null) |
| 1262 | selected_ciphers.removeAll(_excludeCipherSuites); |
| 1263 | return selected_ciphers.toArray(new String[selected_ciphers.size()]); |
| 1264 | } |
| 1265 | |
| 1266 | /* ------------------------------------------------------------ */ |
| 1267 | /** |
| 1268 | * Check if the lifecycle has been started and throw runtime exception |
| 1269 | */ |
| 1270 | protected void checkNotStarted() |
| 1271 | { |
| 1272 | if (isStarted()) |
| 1273 | throw new IllegalStateException("Cannot modify configuration when "+getState()); |
| 1274 | } |
| 1275 | |
| 1276 | /* ------------------------------------------------------------ */ |
| 1277 | /** |
| 1278 | * @return true if CRL Distribution Points support is enabled |
| 1279 | */ |
| 1280 | public boolean isEnableCRLDP() |
| 1281 | { |
| 1282 | return _enableCRLDP; |
| 1283 | } |
| 1284 | |
| 1285 | /* ------------------------------------------------------------ */ |
| 1286 | /** Enables CRL Distribution Points Support |
| 1287 | * @param enableCRLDP true - turn on, false - turns off |
| 1288 | */ |
| 1289 | public void setEnableCRLDP(boolean enableCRLDP) |
| 1290 | { |
| 1291 | checkNotStarted(); |
| 1292 | |
| 1293 | _enableCRLDP = enableCRLDP; |
| 1294 | } |
| 1295 | |
| 1296 | /* ------------------------------------------------------------ */ |
| 1297 | /** |
| 1298 | * @return true if On-Line Certificate Status Protocol support is enabled |
| 1299 | */ |
| 1300 | public boolean isEnableOCSP() |
| 1301 | { |
| 1302 | return _enableOCSP; |
| 1303 | } |
| 1304 | |
| 1305 | /* ------------------------------------------------------------ */ |
| 1306 | /** Enables On-Line Certificate Status Protocol support |
| 1307 | * @param enableOCSP true - turn on, false - turn off |
| 1308 | */ |
| 1309 | public void setEnableOCSP(boolean enableOCSP) |
| 1310 | { |
| 1311 | checkNotStarted(); |
| 1312 | |
| 1313 | _enableOCSP = enableOCSP; |
| 1314 | } |
| 1315 | |
| 1316 | /* ------------------------------------------------------------ */ |
| 1317 | /** |
| 1318 | * @return Location of the OCSP Responder |
| 1319 | */ |
| 1320 | public String getOcspResponderURL() |
| 1321 | { |
| 1322 | return _ocspResponderURL; |
| 1323 | } |
| 1324 | |
| 1325 | /* ------------------------------------------------------------ */ |
| 1326 | /** Set the location of the OCSP Responder. |
| 1327 | * @param ocspResponderURL location of the OCSP Responder |
| 1328 | */ |
| 1329 | public void setOcspResponderURL(String ocspResponderURL) |
| 1330 | { |
| 1331 | checkNotStarted(); |
| 1332 | |
| 1333 | _ocspResponderURL = ocspResponderURL; |
| 1334 | } |
| 1335 | |
| 1336 | /* ------------------------------------------------------------ */ |
| 1337 | /** Set the key store. |
| 1338 | * @param keyStore the key store to set |
| 1339 | */ |
| 1340 | public void setKeyStore(KeyStore keyStore) |
| 1341 | { |
| 1342 | checkNotStarted(); |
| 1343 | |
| 1344 | _keyStore = keyStore; |
| 1345 | } |
| 1346 | |
| 1347 | /* ------------------------------------------------------------ */ |
| 1348 | /** Set the trust store. |
| 1349 | * @param trustStore the trust store to set |
| 1350 | */ |
| 1351 | public void setTrustStore(KeyStore trustStore) |
| 1352 | { |
| 1353 | checkNotStarted(); |
| 1354 | |
| 1355 | _trustStore = trustStore; |
| 1356 | } |
| 1357 | |
| 1358 | /* ------------------------------------------------------------ */ |
| 1359 | /** Set the key store resource. |
| 1360 | * @param resource the key store resource to set |
| 1361 | */ |
| 1362 | public void setKeyStoreResource(Resource resource) |
| 1363 | { |
| 1364 | checkNotStarted(); |
| 1365 | |
| 1366 | try |
| 1367 | { |
| 1368 | _keyStoreInputStream = resource.getInputStream(); |
| 1369 | } |
| 1370 | catch (IOException e) |
| 1371 | { |
| 1372 | throw new InvalidParameterException("Unable to get resource "+ |
| 1373 | "input stream for resource "+resource.toString()); |
| 1374 | } |
| 1375 | } |
| 1376 | |
| 1377 | /* ------------------------------------------------------------ */ |
| 1378 | /** Set the trust store resource. |
| 1379 | * @param resource the trust store resource to set |
| 1380 | */ |
| 1381 | public void setTrustStoreResource(Resource resource) |
| 1382 | { |
| 1383 | checkNotStarted(); |
| 1384 | |
| 1385 | try |
| 1386 | { |
| 1387 | _trustStoreInputStream = resource.getInputStream(); |
| 1388 | } |
| 1389 | catch (IOException e) |
| 1390 | { |
| 1391 | throw new InvalidParameterException("Unable to get resource "+ |
| 1392 | "input stream for resource "+resource.toString()); |
| 1393 | } |
| 1394 | } |
| 1395 | |
| 1396 | /* ------------------------------------------------------------ */ |
| 1397 | /** |
| 1398 | * @return true if SSL Session caching is enabled |
| 1399 | */ |
| 1400 | public boolean isSessionCachingEnabled() |
| 1401 | { |
| 1402 | return _sessionCachingEnabled; |
| 1403 | } |
| 1404 | |
| 1405 | /* ------------------------------------------------------------ */ |
| 1406 | /** Set the flag to enable SSL Session caching. |
| 1407 | * @param enableSessionCaching the value of the flag |
| 1408 | */ |
| 1409 | public void setSessionCachingEnabled(boolean enableSessionCaching) |
| 1410 | { |
| 1411 | _sessionCachingEnabled = enableSessionCaching; |
| 1412 | } |
| 1413 | |
| 1414 | /* ------------------------------------------------------------ */ |
| 1415 | /** Get SSL session cache size. |
| 1416 | * @return SSL session cache size |
| 1417 | */ |
| 1418 | public int getSslSessionCacheSize() |
| 1419 | { |
| 1420 | return _sslSessionCacheSize; |
| 1421 | } |
| 1422 | |
| 1423 | /* ------------------------------------------------------------ */ |
| 1424 | /** SEt SSL session cache size. |
| 1425 | * @param sslSessionCacheSize SSL session cache size to set |
| 1426 | */ |
| 1427 | public void setSslSessionCacheSize(int sslSessionCacheSize) |
| 1428 | { |
| 1429 | _sslSessionCacheSize = sslSessionCacheSize; |
| 1430 | } |
| 1431 | |
| 1432 | /* ------------------------------------------------------------ */ |
| 1433 | /** Get SSL session timeout. |
| 1434 | * @return SSL session timeout |
| 1435 | */ |
| 1436 | public int getSslSessionTimeout() |
| 1437 | { |
| 1438 | return _sslSessionTimeout; |
| 1439 | } |
| 1440 | |
| 1441 | /* ------------------------------------------------------------ */ |
| 1442 | /** Set SSL session timeout. |
| 1443 | * @param sslSessionTimeout SSL session timeout to set |
| 1444 | */ |
| 1445 | public void setSslSessionTimeout(int sslSessionTimeout) |
| 1446 | { |
| 1447 | _sslSessionTimeout = sslSessionTimeout; |
| 1448 | } |
| 1449 | |
| 1450 | |
| 1451 | /* ------------------------------------------------------------ */ |
| 1452 | public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException |
| 1453 | { |
| 1454 | SSLServerSocketFactory factory = _context.getServerSocketFactory(); |
| 1455 | |
| 1456 | SSLServerSocket socket = |
| 1457 | (SSLServerSocket) (host==null ? |
| 1458 | factory.createServerSocket(port,backlog): |
| 1459 | factory.createServerSocket(port,backlog,InetAddress.getByName(host))); |
| 1460 | |
| 1461 | if (getWantClientAuth()) |
| 1462 | socket.setWantClientAuth(getWantClientAuth()); |
| 1463 | if (getNeedClientAuth()) |
| 1464 | socket.setNeedClientAuth(getNeedClientAuth()); |
| 1465 | |
| 1466 | socket.setEnabledCipherSuites(selectCipherSuites( |
| 1467 | socket.getEnabledCipherSuites(), |
| 1468 | socket.getSupportedCipherSuites())); |
| 1469 | socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols())); |
| 1470 | |
| 1471 | return socket; |
| 1472 | } |
| 1473 | |
| 1474 | /* ------------------------------------------------------------ */ |
| 1475 | public SSLSocket newSslSocket() throws IOException |
| 1476 | { |
| 1477 | SSLSocketFactory factory = _context.getSocketFactory(); |
| 1478 | |
| 1479 | SSLSocket socket = (SSLSocket)factory.createSocket(); |
| 1480 | |
| 1481 | if (getWantClientAuth()) |
| 1482 | socket.setWantClientAuth(getWantClientAuth()); |
| 1483 | if (getNeedClientAuth()) |
| 1484 | socket.setNeedClientAuth(getNeedClientAuth()); |
| 1485 | |
| 1486 | socket.setEnabledCipherSuites(selectCipherSuites( |
| 1487 | socket.getEnabledCipherSuites(), |
| 1488 | socket.getSupportedCipherSuites())); |
| 1489 | socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols())); |
| 1490 | |
| 1491 | return socket; |
| 1492 | } |
| 1493 | |
| 1494 | /* ------------------------------------------------------------ */ |
| 1495 | public SSLEngine newSslEngine(String host,int port) |
| 1496 | { |
| 1497 | SSLEngine sslEngine=isSessionCachingEnabled() |
| 1498 | ?_context.createSSLEngine(host, port) |
| 1499 | :_context.createSSLEngine(); |
| 1500 | |
| 1501 | customize(sslEngine); |
| 1502 | return sslEngine; |
| 1503 | } |
| 1504 | |
| 1505 | /* ------------------------------------------------------------ */ |
| 1506 | public SSLEngine newSslEngine() |
| 1507 | { |
| 1508 | SSLEngine sslEngine=_context.createSSLEngine(); |
| 1509 | customize(sslEngine); |
| 1510 | return sslEngine; |
| 1511 | } |
| 1512 | |
| 1513 | /* ------------------------------------------------------------ */ |
| 1514 | public void customize(SSLEngine sslEngine) |
| 1515 | { |
| 1516 | if (getWantClientAuth()) |
| 1517 | sslEngine.setWantClientAuth(getWantClientAuth()); |
| 1518 | if (getNeedClientAuth()) |
| 1519 | sslEngine.setNeedClientAuth(getNeedClientAuth()); |
| 1520 | |
| 1521 | sslEngine.setEnabledCipherSuites(selectCipherSuites( |
| 1522 | sslEngine.getEnabledCipherSuites(), |
| 1523 | sslEngine.getSupportedCipherSuites())); |
| 1524 | |
| 1525 | sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols())); |
| 1526 | } |
| 1527 | |
| 1528 | /* ------------------------------------------------------------ */ |
| 1529 | public String toString() |
| 1530 | { |
| 1531 | return String.format("%s@%x(%s,%s)", |
| 1532 | getClass().getSimpleName(), |
| 1533 | hashCode(), |
| 1534 | _keyStorePath, |
| 1535 | _trustStorePath); |
| 1536 | } |
| 1537 | } |