/**
 * Creates a wrapper around a freshly constructed, default-initialised
 * {@link SslConfiguration}. The getters of this class delegate to that instance.
 */
public SslConfigurationWrapper() {
    final SslConfiguration defaults = new SslConfiguration();
    this.wrappedSslConfig = defaults;
}
/**
 * Returns the certificate alias held by the wrapped configuration.
 *
 * @return the certificate alias as reported by the wrapped {@link SslConfiguration}
 */
@Override
public String getCertAlias() {
    final SslConfiguration delegate = this.wrappedSslConfig;
    return delegate.getCertAlias();
}
/**
 * Returns the certificate revocation list path held by the wrapped configuration.
 *
 * @return the CRL path as reported by the wrapped {@link SslConfiguration}
 */
@Override
public String getCrlPath() {
    final SslConfiguration delegate = this.wrappedSslConfig;
    return delegate.getCrlPath();
}
/**
 * Loads the key store described by {@code sslConfig}.
 * <p>
 * Subclasses may override this to obtain the key store from another source. The
 * default implementation hands the configured input stream, path, type, provider
 * and password to {@code getKeyStore(...)}.
 *
 * @return the loaded key store instance
 * @throws Exception if the key store cannot be opened, parsed or its integrity
 *         check fails; the exact type is whatever {@code getKeyStore(...)} raises
 */
protected KeyStore loadKeyStore() throws Exception {
    final String path = sslConfig.getKeyStorePath();
    final String type = sslConfig.getKeyStoreType();
    final String provider = sslConfig.getKeyStoreProvider();
    final String password = sslConfig.getKeyStorePassword();
    return getKeyStore(keyStoreInputStream, path, type, provider, password);
}
writer.write(this.wrappedSslConfig.getCertAlias(), CERT_ALIAS, String.class); writer.write(this.wrappedSslConfig.getCrlPath(), CRL_PATH, String.class); writer.write(this.wrappedSslConfig.getKeyManagerFactoryAlgorithm(), KEY_MANAGER_FACTORY_ALGORITHM, String.class); writer.write(this.wrappedSslConfig.getKeyManagerPassword(), KEY_MANAGER_PASSWORD, String.class); writer.write(this.wrappedSslConfig.getKeyStorePassword(), KEY_STORE_PASSWORD, String.class); writer.write(this.wrappedSslConfig.getKeyStoreProvider(), KEY_STORE_PROVIDER, String.class); writer.write(this.wrappedSslConfig.getKeyStorePath(), KEY_STORE_PATH, String.class); writer.write(this.wrappedSslConfig.getKeyStoreType(), KEY_STORE_TYPE, String.class); writer.write(this.wrappedSslConfig.getMaxCertPathLength(), MAX_CERT_PATH_LENGTH, Integer.class); writer.write(this.wrappedSslConfig.getNeedClientAuth(), NEED_CLIENT_AUTH, Boolean.class); writer.write(this.wrappedSslConfig.getOcspResponderURL(), OCS_RESPONDER_URL, String.class); writer.write(this.wrappedSslConfig.getProtocol(), PROTOCOL, String.class); writer.write(this.wrappedSslConfig.getProvider(), PROVIDER, String.class); writer.write(this.wrappedSslConfig.getSecureRandomAlgorithm(), SECURE_RANDOM_ALGORITHM, String.class); writer.write(this.wrappedSslConfig.getSslSessionCacheSize(), SSL_SESSION_CACHE_SIZE, Integer.class); writer.write(this.wrappedSslConfig.getSslSessionTimeout(), SSL_SESSION_TIMEOUT, Integer.class); writer.write(this.wrappedSslConfig.getTrustManagerFactoryAlgorithm(), TRUST_MANAGER_FACTORY_ALGORITHM, String.class); writer.write(this.wrappedSslConfig.getTrustStorePassword(), TRUST_STORE_PASSWORD, String.class); writer.write(this.wrappedSslConfig.getTrustStorePath(), TRUST_STORE_PATH, String.class); writer.write(this.wrappedSslConfig.getTrustStoreProvider(), TRUST_STORE_PROVIDER, String.class); writer.write(this.wrappedSslConfig.getTrustStoreType(), TRUST_STORE_TYPE, String.class); writer.write(this.wrappedSslConfig.getWantClientAuth(), 
WANT_CLIENT_AUTH, Boolean.class); writer.write(this.wrappedSslConfig.isAllowRenegotiate(), ALLOW_RENEGOTIATE, Boolean.class); writer.write(this.wrappedSslConfig.isEnableCRLDP(), ENABLE_CRLDP, Boolean.class); writer.write(this.wrappedSslConfig.isSessionCachingEnabled(), SESSION_CACHING_ENABLED, Boolean.class); writer.write(this.wrappedSslConfig.isTrustAll(), TRUST_ALL, Boolean.class); writer.write(this.wrappedSslConfig.isValidateCerts(), VALIDATE_CERTS, Boolean.class);
if (keyStoreInputStream == null && sslConfig.getKeyStorePath() == null && trustStoreInputStream == null && sslConfig.getTrustStorePath() == null) { TrustManager[] trust_managers = null; if (sslConfig.isTrustAll()) { logger.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!"); SecureRandom secureRandom = (sslConfig.getSecureRandomAlgorithm() == null)?null: SecureRandom.getInstance(sslConfig.getSecureRandomAlgorithm()); sslContext = SSLContext.getInstance(sslConfig.getProtocol()); sslContext.init(null, trust_managers, secureRandom); } else { Collection<? extends CRL> crls = loadCRL(sslConfig.getCrlPath()); if (sslConfig.isValidateCerts() && keyStore != null) { if (sslConfig.getCertAlias() == null) { List<String> aliases = Collections.list(keyStore.aliases()); sslConfig.setCertAlias(aliases.size() == 1 ? aliases.get(0) : null); Certificate cert = sslConfig.getCertAlias() == null?null: keyStore.getCertificate(sslConfig.getCertAlias()); if (cert == null) { throw new Exception("No certificate found in the keystore" + (sslConfig.getCertAlias() == null ? "":" for alias " + sslConfig.getCertAlias())); validator.setMaxCertPathLength(sslConfig.getMaxCertPathLength()); validator.setEnableCRLDP(sslConfig.isEnableCRLDP()); validator.setEnableOCSP(sslConfig.isEnableOCSP()); validator.setOcspResponderURL(sslConfig.getOcspResponderURL()); validator.validate(keyStore, cert);
sslConfig.getKeyStorePath() == null) { throw new IllegalStateException("SSL doesn't have a valid keystore"); if (trustStoreInputStream == null && sslConfig.getTrustStorePath() == null) { trustStoreInputStream = keyStoreInputStream; sslConfig.setTrustStorePath(sslConfig.getKeyStorePath()); sslConfig.setTrustStoreType(sslConfig.getKeyStoreType()); sslConfig.setTrustStoreProvider(sslConfig.getKeyStoreProvider()); sslConfig.setTrustStorePassword(sslConfig.getKeyStorePassword()); sslConfig.setTrustManagerFactoryAlgorithm(sslConfig.getKeyManagerFactoryAlgorithm());
if (trustStore != null) { if (sslConfig.isValidatePeerCerts() && sslConfig.getTrustManagerFactoryAlgorithm().equalsIgnoreCase("PKIX")) { PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); pbParams.setMaxPathLength(sslConfig.getMaxCertPathLength()); if (sslConfig.isEnableCRLDP()) { if (sslConfig.isEnableOCSP()) { if (sslConfig.getOcspResponderURL() != null) { Security.setProperty("ocsp.responderURL", sslConfig.getOcspResponderURL()); TrustManagerFactory.getInstance(sslConfig.getTrustManagerFactoryAlgorithm()); trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams)); managers = trustManagerFactory.getTrustManagers(); } else { TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(sslConfig.getTrustManagerFactoryAlgorithm()); trustManagerFactory.init(trustStore); managers = trustManagerFactory.getTrustManagers();
/**
 * Builds the {@link KeyManager}s backing the server/client identity for the given key store.
 * <p>
 * When {@code keyStore} is {@code null} this returns {@code null}, which callers must tolerate.
 * The key-manager password defaults to the key-store password when no dedicated one is
 * configured, and to no password when neither is set. When a certificate alias is configured,
 * every {@link X509KeyManager} produced by the factory is wrapped in
 * {@code AliasedX509ExtendedKeyManager} together with that alias.
 *
 * @param keyStore the key store to derive key managers from, or {@code null}
 * @return the key managers, or {@code null} when no key store was supplied
 * @throws Exception if the key manager factory cannot be obtained or initialised
 */
protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception {
    if (keyStore == null) {
        return null;
    }
    final KeyManagerFactory factory =
            KeyManagerFactory.getInstance(sslConfig.getKeyManagerFactoryAlgorithm());
    factory.init(keyStore, resolveKeyManagerPassword());
    final KeyManager[] managers = factory.getKeyManagers();

    final String alias = sslConfig.getCertAlias();
    if (alias != null) {
        // AliasedX509ExtendedKeyManager is a project class; it is given the configured alias,
        // presumably so that this alias rather than the factory's default choice is used.
        for (int i = 0; i < managers.length; i++) {
            final KeyManager candidate = managers[i];
            if (candidate instanceof X509KeyManager) {
                managers[i] = new AliasedX509ExtendedKeyManager(alias, (X509KeyManager) candidate);
            }
        }
    }
    return managers;
}

/**
 * Resolves the password used to unlock private keys: the configured key-manager password,
 * else the key-store password, else {@code null} when neither is configured.
 *
 * @return the password characters, or {@code null}
 */
private char[] resolveKeyManagerPassword() {
    final String keyManagerPassword = sslConfig.getKeyManagerPassword();
    if (keyManagerPassword != null) {
        return keyManagerPassword.toCharArray();
    }
    final String keyStorePassword = sslConfig.getKeyStorePassword();
    return keyStorePassword == null ? null : keyStorePassword.toCharArray();
}
/**
 * Returns the key-manager password held by the wrapped configuration.
 *
 * @return the key-manager password as reported by the wrapped {@link SslConfiguration}
 */
@Override
public String getKeyManagerPassword() {
    final SslConfiguration delegate = this.wrappedSslConfig;
    return delegate.getKeyManagerPassword();
}
/**
 * Returns the key store type held by the wrapped configuration.
 *
 * @return the key store type as reported by the wrapped {@link SslConfiguration}
 */
@Override
public String getKeyStoreType() {
    final SslConfiguration delegate = this.wrappedSslConfig;
    return delegate.getKeyStoreType();
}
/**
 * Returns the key store security provider name held by the wrapped configuration.
 *
 * @return the key store provider as reported by the wrapped {@link SslConfiguration}
 */
@Override
public String getKeyStoreProvider() {
    final SslConfiguration delegate = this.wrappedSslConfig;
    return delegate.getKeyStoreProvider();
}
/**
 * Returns the key manager factory algorithm name held by the wrapped configuration.
 *
 * @return the key manager factory algorithm as reported by the wrapped {@link SslConfiguration}
 */
@Override
public String getKeyManagerFactoryAlgorithm() {
    final SslConfiguration delegate = this.wrappedSslConfig;
    return delegate.getKeyManagerFactoryAlgorithm();
}
/**
 * Returns the key store password held by the wrapped configuration.
 *
 * @return the key store password as reported by the wrapped {@link SslConfiguration}
 */
@Override
public String getKeyStorePassword() {
    final SslConfiguration delegate = this.wrappedSslConfig;
    return delegate.getKeyStorePassword();
}
/**
 * Returns the key store path held by the wrapped configuration.
 *
 * @return the key store path as reported by the wrapped {@link SslConfiguration}
 */
@Override
public String getKeyStorePath() {
    final SslConfiguration delegate = this.wrappedSslConfig;
    return delegate.getKeyStorePath();
}
/**
 * Returns the maximum certificate path length held by the wrapped configuration.
 *
 * @return the maximum certificate path length as reported by the wrapped {@link SslConfiguration}
 */
@Override
public int getMaxCertPathLength() {
    final SslConfiguration delegate = this.wrappedSslConfig;
    return delegate.getMaxCertPathLength();
}
writer.write(this.wrappedSslConfig.getCertAlias(), CERT_ALIAS, String.class); writer.write(this.wrappedSslConfig.getCrlPath(), CRL_PATH, String.class); writer.write(this.wrappedSslConfig.getKeyManagerFactoryAlgorithm(), KEY_MANAGER_FACTORY_ALGORITHM, String.class); writer.write(this.wrappedSslConfig.getKeyManagerPassword(), KEY_MANAGER_PASSWORD, String.class); writer.write(this.wrappedSslConfig.getKeyStorePassword(), KEY_STORE_PASSWORD, String.class); writer.write(this.wrappedSslConfig.getKeyStoreProvider(), KEY_STORE_PROVIDER, String.class); writer.write(this.wrappedSslConfig.getKeyStorePath(), KEY_STORE_PATH, String.class); writer.write(this.wrappedSslConfig.getKeyStoreType(), KEY_STORE_TYPE, String.class); writer.write(this.wrappedSslConfig.getMaxCertPathLength(), MAX_CERT_PATH_LENGTH, Integer.class); writer.write(this.wrappedSslConfig.getNeedClientAuth(), NEED_CLIENT_AUTH, Boolean.class); writer.write(this.wrappedSslConfig.getOcspResponderURL(), OCS_RESPONDER_URL, String.class); writer.write(this.wrappedSslConfig.getProtocol(), PROTOCOL, String.class); writer.write(this.wrappedSslConfig.getProvider(), PROVIDER, String.class); writer.write(this.wrappedSslConfig.getSecureRandomAlgorithm(), SECURE_RANDOM_ALGORITHM, String.class); writer.write(this.wrappedSslConfig.getSslSessionCacheSize(), SSL_SESSION_CACHE_SIZE, Integer.class); writer.write(this.wrappedSslConfig.getSslSessionTimeout(), SSL_SESSION_TIMEOUT, Integer.class); writer.write(this.wrappedSslConfig.getTrustManagerFactoryAlgorithm(), TRUST_MANAGER_FACTORY_ALGORITHM, String.class); writer.write(this.wrappedSslConfig.getTrustStorePassword(), TRUST_STORE_PASSWORD, String.class); writer.write(this.wrappedSslConfig.getTrustStorePath(), TRUST_STORE_PATH, String.class); writer.write(this.wrappedSslConfig.getTrustStoreProvider(), TRUST_STORE_PROVIDER, String.class); writer.write(this.wrappedSslConfig.getTrustStoreType(), TRUST_STORE_TYPE, String.class); writer.write(this.wrappedSslConfig.getWantClientAuth(), 
WANT_CLIENT_AUTH, Boolean.class); writer.write(this.wrappedSslConfig.isAllowRenegotiate(), ALLOW_RENEGOTIATE, Boolean.class); writer.write(this.wrappedSslConfig.isEnableCRLDP(), ENABLE_CRLDP, Boolean.class); writer.write(this.wrappedSslConfig.isSessionCachingEnabled(), SESSION_CACHING_ENABLED, Boolean.class); writer.write(this.wrappedSslConfig.isTrustAll(), TRUST_ALL, Boolean.class); writer.write(this.wrappedSslConfig.isValidateCerts(), VALIDATE_CERTS, Boolean.class);
if (keyStoreInputStream == null && sslConfig.getKeyStorePath() == null && trustStoreInputStream == null && sslConfig.getTrustStorePath() == null) { TrustManager[] trust_managers = null; if (sslConfig.isTrustAll()) { logger.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!"); SecureRandom secureRandom = (sslConfig.getSecureRandomAlgorithm() == null)?null: SecureRandom.getInstance(sslConfig.getSecureRandomAlgorithm()); sslContext = SSLContext.getInstance(sslConfig.getProtocol()); sslContext.init(null, trust_managers, secureRandom); } else { Collection<? extends CRL> crls = loadCRL(sslConfig.getCrlPath()); if (sslConfig.isValidateCerts() && keyStore != null) { if (sslConfig.getCertAlias() == null) { List<String> aliases = Collections.list(keyStore.aliases()); sslConfig.setCertAlias(aliases.size() == 1 ? aliases.get(0) : null); Certificate cert = sslConfig.getCertAlias() == null?null: keyStore.getCertificate(sslConfig.getCertAlias()); if (cert == null) { throw new Exception("No certificate found in the keystore" + (sslConfig.getCertAlias() == null ? "":" for alias " + sslConfig.getCertAlias())); validator.setMaxCertPathLength(sslConfig.getMaxCertPathLength()); validator.setEnableCRLDP(sslConfig.isEnableCRLDP()); validator.setEnableOCSP(sslConfig.isEnableOCSP()); validator.setOcspResponderURL(sslConfig.getOcspResponderURL()); validator.validate(keyStore, cert);
sslConfig.getKeyStorePath() == null) { throw new IllegalStateException("SSL doesn't have a valid keystore"); if (trustStoreInputStream == null && sslConfig.getTrustStorePath() == null) { trustStoreInputStream = keyStoreInputStream; sslConfig.setTrustStorePath(sslConfig.getKeyStorePath()); sslConfig.setTrustStoreType(sslConfig.getKeyStoreType()); sslConfig.setTrustStoreProvider(sslConfig.getKeyStoreProvider()); sslConfig.setTrustStorePassword(sslConfig.getKeyStorePassword()); sslConfig.setTrustManagerFactoryAlgorithm(sslConfig.getKeyManagerFactoryAlgorithm());
if (trustStore != null) { if (sslConfig.isValidatePeerCerts() && sslConfig.getTrustManagerFactoryAlgorithm().equalsIgnoreCase("PKIX")) { PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore, new X509CertSelector()); pbParams.setMaxPathLength(sslConfig.getMaxCertPathLength()); if (sslConfig.isEnableCRLDP()) { if (sslConfig.isEnableOCSP()) { if (sslConfig.getOcspResponderURL() != null) { Security.setProperty("ocsp.responderURL", sslConfig.getOcspResponderURL()); TrustManagerFactory.getInstance(sslConfig.getTrustManagerFactoryAlgorithm()); trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams)); managers = trustManagerFactory.getTrustManagers(); } else { TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(sslConfig.getTrustManagerFactoryAlgorithm()); trustManagerFactory.init(trustStore); managers = trustManagerFactory.getTrustManagers();