private static SslContextBuilder builderWithJdkProvider(KeyStore ks, String keyPassword) throws GeneralSecurityException { LOG.info("Initializing key manager..."); final KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); kmf.init(ks, keyPassword.toCharArray()); LOG.info("Initializing SSL context..."); return SslContextBuilder.forServer(kmf); }
public static SslContext build(File serverCert, File serverKey, String serverPass, SslProvider sslProvider) throws SSLException { if (serverPass == null || serverPass.isEmpty()) { return SslContextBuilder.forServer(serverCert, serverKey) .sslProvider(sslProvider) .build(); } else { return SslContextBuilder.forServer(serverCert, serverKey, serverPass) .sslProvider(sslProvider) .build(); } }
private SslServerChannelInitializer() throws SSLException { this.sslContext = SslContextBuilder.forServer(keyManager).clientAuth(ClientAuth.REQUIRE).trustManager(trustManager) .build(); }
public static SslContext build(File serverCert, File serverKey, String serverPass, SslProvider sslProvider, File clientCert) throws SSLException { log.info("Creating SSL context for cert '{}', key '{}', key pass '{}'", serverCert.getAbsolutePath(), serverKey.getAbsoluteFile(), serverPass); if (serverPass == null || serverPass.isEmpty()) { return SslContextBuilder.forServer(serverCert, serverKey) .sslProvider(sslProvider) .trustManager(clientCert) .build(); } else { return SslContextBuilder.forServer(serverCert, serverKey, serverPass) .sslProvider(sslProvider) .trustManager(clientCert) .build(); } } }
/** * The OpenSSL provider does not support the {@link KeyManagerFactory}, so we have to lookup the integration * certificate and key in order to provide it to OpenSSL. * <p> * TODO: SNI is currently not supported, we use only the first found private key. */ private static SslContextBuilder builderWithOpenSSLProvider(KeyStore ks, String keyPassword) throws GeneralSecurityException { for (String alias : Collections.list(ks.aliases())) { if (ks.entryInstanceOf(alias, KeyStore.PrivateKeyEntry.class)) { PrivateKey key = (PrivateKey) ks.getKey(alias, keyPassword.toCharArray()); Certificate[] chain = ks.getCertificateChain(alias); X509Certificate[] certChain = new X509Certificate[chain.length]; System.arraycopy(chain, 0, certChain, 0, chain.length); return SslContextBuilder.forServer(key, certChain); } } throw new KeyManagementException("the SSL key-store does not contain a private key"); }
public static SslContext createNettyContext(final String keystoreProvider, final String keystorePath, final String keystorePassword, final String trustStoreProvider, final String trustStorePath, final String trustStorePassword, final String sslProvider) throws Exception { KeyStore keyStore = SSLSupport.loadKeystore(keystoreProvider, keystorePath, keystorePassword); KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm()); keyManagerFactory.init(keyStore, keystorePassword.toCharArray()); return SslContextBuilder.forServer(keyManagerFactory).sslProvider(SslProvider.valueOf(sslProvider)).trustManager(SSLSupport.loadTrustManagerFactory(trustStoreProvider, trustStorePath, trustStorePassword, false, null)).build(); }
private SSLEngine createSslEngine(MessageInput input) throws IOException, CertificateException { final X509Certificate[] clientAuthCerts; if (EnumSet.of(ClientAuth.OPTIONAL, ClientAuth.REQUIRE).contains(clientAuth)) { if (clientAuthCertFile.exists()) { clientAuthCerts = KeyUtil.loadCertificates(clientAuthCertFile.toPath()).stream() .filter(certificate -> certificate instanceof X509Certificate) .map(certificate -> (X509Certificate) certificate) .toArray(X509Certificate[]::new); } else { LOG.warn("Client auth configured, but no authorized certificates / certificate authorities configured for input [{}/{}]", input.getName(), input.getId()); clientAuthCerts = null; } } else { clientAuthCerts = null; } final SslContext sslContext = SslContextBuilder.forServer(certFile, keyFile, Strings.emptyToNull(password)) .sslProvider(tlsProvider) .clientAuth(clientAuth) .trustManager(clientAuthCerts) .build(); // TODO: Use byte buffer allocator of channel return sslContext.newEngine(ByteBufAllocator.DEFAULT); } };
public static SslContext build(SslProvider sslProvider) throws CertificateException, SSLException { SelfSignedCertificate ssc = new SelfSignedCertificate(); return SslContextBuilder.forServer(ssc.certificate(), ssc.privateKey()) .sslProvider(sslProvider) .build(); }
public SslContext nettyServerContext() throws SSLException { return SslContextBuilder.forServer( privateKey, keyCertChain ) .sslProvider( sslProvider ) .clientAuth( forNetty( clientAuth ) ) .protocols( tlsVersions ) .ciphers( ciphers ) .trustManager( trustManagerFactory ) .build(); }
public static SslContext createNettySslContextForServer(boolean allowInsecureConnection, String trustCertsFilePath, String certFilePath, String keyFilePath, Set<String> ciphers, Set<String> protocols, boolean requireTrustedClientCertOnConnect) throws GeneralSecurityException, SSLException, FileNotFoundException, IOException { X509Certificate[] certificates = loadCertificatesFromPemFile(certFilePath); PrivateKey privateKey = loadPrivateKeyFromPemFile(keyFilePath); SslContextBuilder builder = SslContextBuilder.forServer(privateKey, (X509Certificate[]) certificates); setupCiphers(builder, ciphers); setupProtocols(builder, protocols); setupTrustCerts(builder, allowInsecureConnection, trustCertsFilePath); setupKeyManager(builder, privateKey, certificates); setupClientAuthentication(builder, requireTrustedClientCertOnConnect); return builder.build(); }
sslCtx = SslContextBuilder.forServer(new File(certFilePath), new File(privateKeyPath), privateKeyPassword).build();
sslCtx = SslContextBuilder.forServer(new File(certFilePath), new File(privateKeyPath), privateKeyPassword).build();
@Override public SslContextBuilder createBuilderForServer() { try { ArrayList<X509Certificate> trustedCerts = getTrustedX509Certificates(); SslProvider sslProvider = chooseSslProvider(); LOG.warn("Using SslProvider of type - " + sslProvider.name() + " for certChainFile - " + serverSslConfig.getCertChainFile()); InputStream certChainInput = new FileInputStream(serverSslConfig.getCertChainFile()); InputStream keyInput = getKeyInputStream(); SslContextBuilder builder = SslContextBuilder.forServer(certChainInput, keyInput) .ciphers(getCiphers(), getCiphersFilter()) .sessionTimeout(serverSslConfig.getSessionTimeout()) .sslProvider(sslProvider); if (serverSslConfig.getClientAuth() != null && isNotEmpty(trustedCerts)) { builder = builder .trustManager(trustedCerts.toArray(new X509Certificate[0])) .clientAuth(serverSslConfig.getClientAuth()); } return builder; } catch (Exception e) { throw new RuntimeException("Error configuring SslContext!", e); } }
/** * Create a KeyStore with a server certificate for the given domain and subject alternative names. */ private SslContext buildSslContext() throws Exception { keyAndCertificateFactory().buildAndSaveCertificates(); return SslContextBuilder.forServer( keyAndCertificateFactory().mockServerPrivateKey(), // do we need this password?? ConfigurationProperties.javaKeyStorePassword(), new X509Certificate[]{ keyAndCertificateFactory().mockServerX509Certificate(), keyAndCertificateFactory().mockServerCertificateAuthorityX509Certificate() } ).build(); }
SelfSignedCertificate selfSignedCertificate = new SelfSignedCertificate(); return SslContextBuilder .forServer(selfSignedCertificate.certificate(), selfSignedCertificate.privateKey()) .sslProvider(SslProvider.JDK) .clientAuth(ClientAuth.OPTIONAL) .build(); } else { SslContextBuilder sslContextBuilder = SslContextBuilder.forServer( !isNullOrEmpty(tlsServerCertPath) ? new FileInputStream(tlsServerCertPath) : null, !isNullOrEmpty(tlsServerKeyPath) ? decryptionStrategy.decryptPrivateKey(tlsServerKeyPath, false) : null,
protected SslContextBuilder getContextBuilder() { SslContextBuilder builder = SslContextBuilder .forServer(getKeyManagerFactory(this.ssl, this.sslStoreProvider)) .trustManager(getTrustManagerFactory(this.ssl, this.sslStoreProvider)); if (this.ssl.getEnabledProtocols() != null) { builder.protocols(this.ssl.getEnabledProtocols()); } if (this.ssl.getCiphers() != null) { builder.ciphers(Arrays.asList(this.ssl.getCiphers())); } if (this.ssl.getClientAuth() == Ssl.ClientAuth.NEED) { builder.clientAuth(ClientAuth.REQUIRE); } else if (this.ssl.getClientAuth() == Ssl.ClientAuth.WANT) { builder.clientAuth(ClientAuth.OPTIONAL); } return builder; }
@Override public SslContextBuilder createBuilderForServer() { try { ArrayList<X509Certificate> trustedCerts = getTrustedX509Certificates(); SslProvider sslProvider = chooseSslProvider(); LOG.warn("Using SslProvider of type - " + sslProvider.name() + " for certChainFile - " + serverSslConfig.getCertChainFile()); InputStream certChainInput = new FileInputStream(serverSslConfig.getCertChainFile()); InputStream keyInput = getKeyInputStream(); SslContextBuilder builder = SslContextBuilder.forServer(certChainInput, keyInput) .ciphers(getCiphers(), getCiphersFilter()) .sessionTimeout(serverSslConfig.getSessionTimeout()) .sslProvider(sslProvider); if (serverSslConfig.getClientAuth() != null && isNotEmpty(trustedCerts)) { builder = builder .trustManager(trustedCerts.toArray(new X509Certificate[0])) .clientAuth(serverSslConfig.getClientAuth()); } return builder; } catch (Exception e) { throw new RuntimeException("Error configuring SslContext!", e); } }
@Override protected void initServer() throws Exception { SelfSignedCertificate cert = new SelfSignedCertificate(); SslContextBuilder builder = SslContextBuilder.forServer(cert.certificate(), cert.privateKey()); this.reactorHandler = createHttpHandlerAdapter(); this.reactorServer = reactor.netty.http.server.HttpServer.create() .host(getHost()) .port(getPort()) .secure(spec -> spec.sslContext(builder).defaultConfiguration(DefaultConfigurationType.TCP)); }
@Override protected void configure(ServerBuilder sb) throws Exception { final SslContext sslContext = SslContextBuilder.forServer(serverCert.certificateFile(), serverCert.privateKeyFile()) .trustManager(InsecureTrustManagerFactory.INSTANCE) .clientAuth(ClientAuth.REQUIRE) .build(); sb.tls(sslContext) .service("/", (ctx, req) -> HttpResponse.of("success")) .decorator(new LoggingServiceBuilder().newDecorator()); } };