private boolean validateIfTrusted(X509Certificate[] certificates, String authType) { if (trustManager == null) { trustManager = ServerX509TrustManager.init(null); } try { trustManager.checkServerTrusted(certificates, authType); return true; } catch (CertificateException e) { Utils.log(getClass(), CertificateException.class.getSimpleName(), Level.FINE, "%s", Utils.toString(e)); return false; } }
public static ServerX509TrustManager create(ServiceHost host) { if (INSTANCE != null) { return INSTANCE; } synchronized (ServerX509TrustManager.class) { if (INSTANCE == null) { ServerX509TrustManager tm = new ServerX509TrustManager(host); tm.start(); INSTANCE = tm; } } return INSTANCE; }
addTrustManager("default-CA", cacerts, customTrustStorePassword); } else { addTrustManager("default-CA", cacerts, DEFAULT_JAVA_CACERTS_PASSWORD); addTrustManager("custom-CA", customTrustStore, customTrustStorePassword); addTrustManager("default-CA", cacerts, customTrustStorePassword);
protected KubernetesRemoteApiClient getApiClient() { synchronized (AbstractKubernetesAdapterService.class) { ServerX509TrustManager trustManager = ServerX509TrustManager.create(getHost()); return KubernetesRemoteApiClient.create(getHost(), trustManager); } }
private void createOrUpdateTargetSsl(KubernetesContext context) { URI uri = UriUtils.buildUri(context.host.address); if (!isSecure(uri)) { return; } String sslTrust = context.SSLTrustCertificate; if (sslTrust != null && trustManager != null) { String trustAlias = context.SSLTrustAlias; trustManager.putDelegate(trustAlias, sslTrust); } if (context.credentials == null || !AuthCredentialsType.PublicKey.name().equals(context.credentials.type)) { return; } String clientKey = EncryptionUtils.decrypt(context.credentials.privateKey); String clientCert = context.credentials.publicKey; String alias = context.host.address.toLowerCase(); if (clientKey != null && !clientKey.isEmpty()) { X509ExtendedKeyManager delegateKeyManager = (X509ExtendedKeyManager) CertificateUtil .getKeyManagers(alias, clientKey, clientCert)[0]; keyManager.putDelegate(alias, delegateKeyManager); } }
@Override public ServiceHost start() throws Throwable { ServerX509TrustManager trustManager = ServerX509TrustManager.init(this); ServiceClient serviceClient = createServiceClient(CertificateUtil.createSSLContext( trustManager, null), 0); trustManager.start(); setAuthorizationContext(null); return this;
@BeforeClass public static void setUp() throws Throwable { // Force a custom trust store... that shouldn't override the Java default cacerts. URI customStore = ServerX509TrustManagerTest.class .getResource("/certs/trusted_certificates.jks").toURI(); File f = new File(customStore.getPath()); originalTrustStoreProp = System.setProperty(JAVAX_NET_SSL_TRUST_STORE, f.getPath()); originalTrustStorePasswordProp = System.setProperty(JAVAX_NET_SSL_TRUST_STORE_PASSWORD, "changeit"); // Fake host, not really needed for the purpose of the trust manager test. ServiceHost host = new ServiceHost() { }; ServerX509TrustManager.invalidate(); trustManager = ServerX509TrustManager.init(host); }
/** * This method only initialize the ServerX509TrustManager, does not start it. The method is * intended to be use only on server start. */ public static ServerX509TrustManager init(ServiceHost host) { if (INSTANCE != null) { return INSTANCE; } synchronized (ServerX509TrustManager.class) { if (INSTANCE == null) { INSTANCE = new ServerX509TrustManager(host); } } return INSTANCE; }
private void initClient() { ServerX509TrustManager trustManager = ServerX509TrustManager.create(getHost()); try { new PKSRemoteClientService(trustManager, getHost()); } catch (IllegalStateException ignored) { // ignore already initialized exception } }
private void loadCertificate(SslTrustCertificateState sslTrustCert) { try { self.putDelegate(sslTrustCert.getAlias(), sslTrustCert.certificate); Utils.log(getClass(), "Self Signed Trust Store", Level.FINE, "Certificate with alias %s updated", sslTrustCert.getAlias()); } catch (Throwable e) { Utils.logWarning( "Exception during certificate reload with alias: %s. Error: %s", sslTrustCert.getAlias(), Utils.toString(e)); } }
protected DockerAdapterCommandExecutor getCommandExecutor() { ServerX509TrustManager trustManager = ServerX509TrustManager.create(getHost()); return RemoteApiDockerAdapterCommandExecutorImpl.create(getHost(), trustManager); }
TrustManager[] trustManagers = new TrustManager[]{ServerX509TrustManager.init(null)};
private void createOrUpdateTargetSsl(CommandInput input, DelegatingX509KeyManager keyM, ServerX509TrustManager trustM) { if (!isSecure(input.getDockerUri())) { return; } String sslTrust = (String) input.getProperties().get(SSL_TRUST_CERT_PROP_NAME); String trustAlias = (String) input.getProperties().get(SSL_TRUST_ALIAS_PROP_NAME); if (trustAlias == null) { logger.warning("No trust alias property set, not using certificate."); return; } if (sslTrust != null && trustM != null) { trustM.putDelegate(trustAlias, sslTrust); } if (input.getCredentials() == null) { return; } String clientKey = EncryptionUtils.decrypt(input.getCredentials().privateKey); String clientCert = input.getCredentials().publicKey; // TODO use an LRU cache to limit the number of stored // KeyManagers while minimizing time wasted repeatedly // recreating them if (clientKey != null && !clientKey.isEmpty()) { X509ExtendedKeyManager delegateKeyManager = (X509ExtendedKeyManager) CertificateUtil .getKeyManagers(trustAlias, clientKey, clientCert)[0]; keyM.putDelegate(trustAlias, delegateKeyManager); } }
@Override public void handleStart(Operation post) { trustManager = ServerX509TrustManager.create(getHost()); serviceClientNoProxyList = new HashSet<>(); DeferredResult.allOf(Arrays.asList(getProperty(REGISTRY_PROXY_PARAM_NAME), getProperty(REGISTRY_NO_PROXY_LIST_PARAM_NAME))) .whenComplete((p, ex) -> { if (ex != null) { logSevere("Registry proxy properties not provided", ex); initProxyClient(null); initNoProxyClient(null); } else { Map<String, String> props = p.stream() .collect(Collectors.toMap(s -> s.key, s -> s.value)); initProxyClient(props); initNoProxyClient(props); } super.handleStart(post); }); }
@Test public void testCreateInstance() { try { PKSRemoteClientService.getInstance(); Assert.fail("should not reach here"); } catch (Exception e) { assertTrue(e instanceof IllegalStateException); } ServerX509TrustManager trustManager = ServerX509TrustManager.init(host); PKSRemoteClientService client = new PKSRemoteClientService(trustManager, host); assertNotNull(client); try { new PKSRemoteClientService(null, null); Assert.fail("should not reach here"); } catch (Exception e) { assertTrue(e instanceof IllegalStateException); } PKSRemoteClientService client2 = PKSRemoteClientService.getInstance(); assertSame(client, client2); }
if (sslTrust != null) { String trustAlias = context.request.customProperties.get(SSL_TRUST_ALIAS_PROP_NAME); trustManager.putDelegate(trustAlias, sslTrust);
@Override public void handleStart(Operation startOp) { startOp.complete(); getConfigProperty(Harbor.CONFIGURATION_USER_PROPERTY_NAME, (state) -> harborUser = state.value); getConfigProperty(Harbor.CONFIGURATION_PASS_PROPERTY_NAME, (state) -> harborPassword = state.value); getConfigProperty(Harbor.CONFIGURATION_URL_PROPERTY_NAME, (state) -> { String harborUrl = state.value; logInfo("Harbor url is %s", harborUrl); if (harborUrl != null && !harborUrl.trim().isEmpty()) { ServerX509TrustManager trustManager = ServerX509TrustManager.create(getHost()); client = ServiceClientFactory.createServiceClient(trustManager, null); harborUri = UriUtils.buildUri(harborUrl); } }); }
ServerX509TrustManager trustM = ServerX509TrustManager.create(host); createOrUpdateTargetSsl(input, keyM, trustM); ServiceClient serviceClientPing = ServiceClientFactory.createServiceClient(trustM, keyM);