1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package org.eclipse.jetty.http.ssl;
18
19 import java.io.ByteArrayInputStream;
20 import java.io.ByteArrayOutputStream;
21 import java.io.File;
22 import java.io.IOException;
23 import java.io.InputStream;
24 import java.net.InetAddress;
25 import java.security.InvalidParameterException;
26 import java.security.KeyStore;
27 import java.security.SecureRandom;
28 import java.security.Security;
29 import java.security.cert.CRL;
30 import java.security.cert.CertStore;
31 import java.security.cert.Certificate;
32 import java.security.cert.CollectionCertStoreParameters;
33 import java.security.cert.PKIXBuilderParameters;
34 import java.security.cert.X509CertSelector;
35 import java.util.Arrays;
36 import java.util.Collection;
37 import java.util.Collections;
38 import java.util.HashSet;
39 import java.util.List;
40 import java.util.Set;
41 import javax.net.ssl.CertPathTrustManagerParameters;
42 import javax.net.ssl.KeyManager;
43 import javax.net.ssl.KeyManagerFactory;
44 import javax.net.ssl.SSLContext;
45 import javax.net.ssl.SSLEngine;
46 import javax.net.ssl.SSLServerSocket;
47 import javax.net.ssl.SSLServerSocketFactory;
48 import javax.net.ssl.SSLSocket;
49 import javax.net.ssl.SSLSocketFactory;
50 import javax.net.ssl.TrustManager;
51 import javax.net.ssl.TrustManagerFactory;
52 import javax.net.ssl.X509KeyManager;
53 import javax.net.ssl.X509TrustManager;
54
55 import org.eclipse.jetty.http.security.Password;
56 import org.eclipse.jetty.util.IO;
57 import org.eclipse.jetty.util.component.AbstractLifeCycle;
58 import org.eclipse.jetty.util.log.Log;
59 import org.eclipse.jetty.util.log.Logger;
60 import org.eclipse.jetty.util.resource.Resource;
61 import org.eclipse.jetty.util.security.CertificateUtils;
62 import org.eclipse.jetty.util.security.CertificateValidator;
63
64
65
66
67
68
69
70
71
72 public class SslContextFactory extends AbstractLifeCycle
73 {
74 private static final Logger LOG = Log.getLogger(SslContextFactory.class);
75
76 public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
77 (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
78 "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
79 public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
80 (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ?
81 "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm"));
82
83
84 public static final String DEFAULT_KEYSTORE_PATH =
85 System.getProperty("user.home") + File.separator + ".keystore";
86
87
88 public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
89
90
91 public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
92
93
94 private final Set<String> _excludeProtocols = new HashSet<String>();
95
96
97 private Set<String> _includeProtocols = null;
98
99
100 private final Set<String> _excludeCipherSuites = new HashSet<String>();
101
102 private Set<String> _includeCipherSuites = null;
103
104
105 private String _keyStorePath;
106
107 private String _keyStoreProvider;
108
109 private String _keyStoreType = "JKS";
110
111 private InputStream _keyStoreInputStream;
112
113
114 private String _certAlias;
115
116
117 private String _trustStorePath;
118
119 private String _trustStoreProvider;
120
121 private String _trustStoreType = "JKS";
122
123 private InputStream _trustStoreInputStream;
124
125
126 private boolean _needClientAuth = false;
127
128 private boolean _wantClientAuth = false;
129
130
131 private boolean _allowRenegotiate = true;
132
133
134 private transient Password _keyStorePassword;
135
136 private transient Password _keyManagerPassword;
137
138 private transient Password _trustStorePassword;
139
140
141 private String _sslProvider;
142
143 private String _sslProtocol = "TLS";
144
145
146 private String _secureRandomAlgorithm;
147
148 private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
149
150 private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
151
152
153 private boolean _validateCerts;
154
155 private boolean _validatePeerCerts;
156
157 private int _maxCertPathLength = -1;
158
159 private String _crlPath;
160
161 private boolean _enableCRLDP = false;
162
163 private boolean _enableOCSP = false;
164
165 private String _ocspResponderURL;
166
167
168 private KeyStore _keyStore;
169
170 private KeyStore _trustStore;
171
172 private boolean _sessionCachingEnabled = true;
173
174 private int _sslSessionCacheSize;
175
176 private int _sslSessionTimeout;
177
178
179 private SSLContext _context;
180
181 private boolean _trustAll;
182
183
184
185
186
187
188 public SslContextFactory()
189 {
190 _trustAll=true;
191 }
192
193
194
195
196
197
198 public SslContextFactory(boolean trustAll)
199 {
200 _trustAll=trustAll;
201 }
202
203
204
205
206
207
208 public SslContextFactory(String keyStorePath)
209 {
210 _keyStorePath = keyStorePath;
211 }
212
213
214
215
216
217
218 @Override
219 protected void doStart() throws Exception
220 {
221 if (_context == null)
222 {
223 if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null &&
224 _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null )
225 {
226 TrustManager[] trust_managers=null;
227
228 if (_trustAll)
229 {
230 LOG.info("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
231
232 TrustManager trustAllCerts = new X509TrustManager()
233 {
234 public java.security.cert.X509Certificate[] getAcceptedIssuers()
235 {
236 return null;
237 }
238
239 public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
240 {
241 }
242
243 public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
244 {
245 }
246 };
247 trust_managers = new TrustManager[] { trustAllCerts };
248 }
249
250 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
251 _context = SSLContext.getInstance(_sslProtocol);
252 _context.init(null, trust_managers, secureRandom);
253 }
254 else
255 {
256
257
258 try
259 {
260 checkKeyStore();
261 }
262 catch(IllegalStateException e)
263 {
264 LOG.ignore(e);
265 }
266
267 KeyStore keyStore = loadKeyStore();
268 KeyStore trustStore = loadTrustStore();
269
270 Collection<? extends CRL> crls = loadCRL(_crlPath);
271
272 if (_validateCerts && keyStore != null)
273 {
274 if (_certAlias == null)
275 {
276 List<String> aliases = Collections.list(keyStore.aliases());
277 _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
278 }
279
280 Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
281 if (cert == null)
282 {
283 throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
284 }
285
286 CertificateValidator validator = new CertificateValidator(trustStore, crls);
287 validator.setMaxCertPathLength(_maxCertPathLength);
288 validator.setEnableCRLDP(_enableCRLDP);
289 validator.setEnableOCSP(_enableOCSP);
290 validator.setOcspResponderURL(_ocspResponderURL);
291 validator.validate(keyStore, cert);
292 }
293
294 KeyManager[] keyManagers = getKeyManagers(keyStore);
295 TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
296
297 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
298 _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
299 _context.init(keyManagers,trustManagers,secureRandom);
300
301 SSLEngine engine=newSslEngine();
302
303 LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
304 if (LOG.isDebugEnabled())
305 LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
306 }
307 }
308 }
309
310
311
312
313
314
315 public String[] getExcludeProtocols()
316 {
317 return _excludeProtocols.toArray(new String[_excludeProtocols.size()]);
318 }
319
320
321
322
323
324
325
326 public void setExcludeProtocols(String... protocols)
327 {
328 checkNotStarted();
329
330 _excludeProtocols.clear();
331 _excludeProtocols.addAll(Arrays.asList(protocols));
332 }
333
334
335
336
337
338 public void addExcludeProtocols(String... protocol)
339 {
340 checkNotStarted();
341 _excludeProtocols.addAll(Arrays.asList(protocol));
342 }
343
344
345
346
347
348
349 public String[] getIncludeProtocols()
350 {
351 return _includeProtocols.toArray(new String[_includeProtocols.size()]);
352 }
353
354
355
356
357
358
359
360 public void setIncludeProtocols(String... protocols)
361 {
362 checkNotStarted();
363
364 _includeProtocols = new HashSet<String>(Arrays.asList(protocols));
365 }
366
367
368
369
370
371
372 public String[] getExcludeCipherSuites()
373 {
374 return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]);
375 }
376
377
378
379
380
381
382
383 public void setExcludeCipherSuites(String... cipherSuites)
384 {
385 checkNotStarted();
386 _excludeCipherSuites.clear();
387 _excludeCipherSuites.addAll(Arrays.asList(cipherSuites));
388 }
389
390
391
392
393
394 public void addExcludeCipherSuites(String... cipher)
395 {
396 checkNotStarted();
397 _excludeCipherSuites.addAll(Arrays.asList(cipher));
398 }
399
400
401
402
403
404
405 public String[] getIncludeCipherSuites()
406 {
407 return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]);
408 }
409
410
411
412
413
414
415
416 public void setIncludeCipherSuites(String... cipherSuites)
417 {
418 checkNotStarted();
419
420 _includeCipherSuites = new HashSet<String>(Arrays.asList(cipherSuites));
421 }
422
423
424
425
426
427 public String getKeyStorePath()
428 {
429 return _keyStorePath;
430 }
431
432
433 @Deprecated
434 public String getKeyStore()
435 {
436 return _keyStorePath;
437 }
438
439
440
441
442
443
444 public void setKeyStorePath(String keyStorePath)
445 {
446 checkNotStarted();
447
448 _keyStorePath = keyStorePath;
449 }
450
451
452
453
454
455
456 @Deprecated
457 public void setKeyStore(String keyStorePath)
458 {
459 checkNotStarted();
460
461 _keyStorePath = keyStorePath;
462 }
463
464
465
466
467
468 public String getKeyStoreProvider()
469 {
470 return _keyStoreProvider;
471 }
472
473
474
475
476
477
478 public void setKeyStoreProvider(String keyStoreProvider)
479 {
480 checkNotStarted();
481
482 _keyStoreProvider = keyStoreProvider;
483 }
484
485
486
487
488
489 public String getKeyStoreType()
490 {
491 return (_keyStoreType);
492 }
493
494
495
496
497
498
499 public void setKeyStoreType(String keyStoreType)
500 {
501 checkNotStarted();
502
503 _keyStoreType = keyStoreType;
504 }
505
506
507
508
509
510
511
512 @Deprecated
513 public InputStream getKeyStoreInputStream()
514 {
515 checkKeyStore();
516
517 return _keyStoreInputStream;
518 }
519
520
521
522
523
524
525
526 @Deprecated
527 public void setKeyStoreInputStream(InputStream keyStoreInputStream)
528 {
529 checkNotStarted();
530
531 _keyStoreInputStream = keyStoreInputStream;
532 }
533
534
535
536
537
538 public String getCertAlias()
539 {
540 return _certAlias;
541 }
542
543
544
545
546
547
548 public void setCertAlias(String certAlias)
549 {
550 checkNotStarted();
551
552 _certAlias = certAlias;
553 }
554
555
556
557
558
559 public String getTrustStore()
560 {
561 return _trustStorePath;
562 }
563
564
565
566
567
568
569 public void setTrustStore(String trustStorePath)
570 {
571 checkNotStarted();
572
573 _trustStorePath = trustStorePath;
574 }
575
576
577
578
579
580 public String getTrustStoreProvider()
581 {
582 return _trustStoreProvider;
583 }
584
585
586
587
588
589
590 public void setTrustStoreProvider(String trustStoreProvider)
591 {
592 checkNotStarted();
593
594 _trustStoreProvider = trustStoreProvider;
595 }
596
597
598
599
600
601 public String getTrustStoreType()
602 {
603 return _trustStoreType;
604 }
605
606
607
608
609
610
611 public void setTrustStoreType(String trustStoreType)
612 {
613 checkNotStarted();
614
615 _trustStoreType = trustStoreType;
616 }
617
618
619
620
621
622
623
624 @Deprecated
625 public InputStream getTrustStoreInputStream()
626 {
627 checkKeyStore();
628
629 return _trustStoreInputStream;
630 }
631
632
633
634
635
636
637
638 @Deprecated
639 public void setTrustStoreInputStream(InputStream trustStoreInputStream)
640 {
641 checkNotStarted();
642
643 _trustStoreInputStream = trustStoreInputStream;
644 }
645
646
647
648
649
650
651 public boolean getNeedClientAuth()
652 {
653 return _needClientAuth;
654 }
655
656
657
658
659
660
661
662 public void setNeedClientAuth(boolean needClientAuth)
663 {
664 checkNotStarted();
665
666 _needClientAuth = needClientAuth;
667 }
668
669
670
671
672
673
674 public boolean getWantClientAuth()
675 {
676 return _wantClientAuth;
677 }
678
679
680
681
682
683
684
685 public void setWantClientAuth(boolean wantClientAuth)
686 {
687 checkNotStarted();
688
689 _wantClientAuth = wantClientAuth;
690 }
691
692
693
694
695
696
697 @Deprecated
698 public boolean getValidateCerts()
699 {
700 return _validateCerts;
701 }
702
703
704
705
706
707 public boolean isValidateCerts()
708 {
709 return _validateCerts;
710 }
711
712
713
714
715
716
717 public void setValidateCerts(boolean validateCerts)
718 {
719 checkNotStarted();
720
721 _validateCerts = validateCerts;
722 }
723
724
725
726
727
728 public boolean isValidatePeerCerts()
729 {
730 return _validatePeerCerts;
731 }
732
733
734
735
736
737
738 public void setValidatePeerCerts(boolean validatePeerCerts)
739 {
740 checkNotStarted();
741
742 _validatePeerCerts = validatePeerCerts;
743 }
744
745
746
747
748
749 public boolean isAllowRenegotiate()
750 {
751 return _allowRenegotiate;
752 }
753
754
755
756
757
758
759
760
761
762
763
764
765 public void setAllowRenegotiate(boolean allowRenegotiate)
766 {
767 checkNotStarted();
768
769 _allowRenegotiate = allowRenegotiate;
770 }
771
772
773
774
775
776
777 public void setKeyStorePassword(String password)
778 {
779 checkNotStarted();
780
781 _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
782 }
783
784
785
786
787
788
789 public void setKeyManagerPassword(String password)
790 {
791 checkNotStarted();
792
793 _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
794 }
795
796
797
798
799
800
801 public void setTrustStorePassword(String password)
802 {
803 checkNotStarted();
804
805 _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
806 }
807
808
809
810
811
812
813 public String getProvider()
814 {
815 return _sslProvider;
816 }
817
818
819
820
821
822
823
824 public void setProvider(String provider)
825 {
826 checkNotStarted();
827
828 _sslProvider = provider;
829 }
830
831
832
833
834
835
836 public String getProtocol()
837 {
838 return _sslProtocol;
839 }
840
841
842
843
844
845
846
847 public void setProtocol(String protocol)
848 {
849 checkNotStarted();
850
851 _sslProtocol = protocol;
852 }
853
854
855
856
857
858
859
860 public String getSecureRandomAlgorithm()
861 {
862 return _secureRandomAlgorithm;
863 }
864
865
866
867
868
869
870
871
872 public void setSecureRandomAlgorithm(String algorithm)
873 {
874 checkNotStarted();
875
876 _secureRandomAlgorithm = algorithm;
877 }
878
879
880
881
882
883 public String getSslKeyManagerFactoryAlgorithm()
884 {
885 return (_keyManagerFactoryAlgorithm);
886 }
887
888
889
890
891
892
893 public void setSslKeyManagerFactoryAlgorithm(String algorithm)
894 {
895 checkNotStarted();
896
897 _keyManagerFactoryAlgorithm = algorithm;
898 }
899
900
901
902
903
904 public String getTrustManagerFactoryAlgorithm()
905 {
906 return (_trustManagerFactoryAlgorithm);
907 }
908
909
910
911
912
913 public boolean isTrustAll()
914 {
915 return _trustAll;
916 }
917
918
919
920
921
922 public void setTrustAll(boolean trustAll)
923 {
924 _trustAll = trustAll;
925 }
926
927
928
929
930
931
932
933 public void setTrustManagerFactoryAlgorithm(String algorithm)
934 {
935 checkNotStarted();
936
937 _trustManagerFactoryAlgorithm = algorithm;
938 }
939
940
941
942
943
944 public String getCrlPath()
945 {
946 return _crlPath;
947 }
948
949
950
951
952
953
954 public void setCrlPath(String crlPath)
955 {
956 checkNotStarted();
957
958 _crlPath = crlPath;
959 }
960
961
962
963
964
965
966 public int getMaxCertPathLength()
967 {
968 return _maxCertPathLength;
969 }
970
971
972
973
974
975
976
977 public void setMaxCertPathLength(int maxCertPathLength)
978 {
979 checkNotStarted();
980
981 _maxCertPathLength = maxCertPathLength;
982 }
983
984
985
986
987
988 public SSLContext getSslContext()
989 {
990 if (!isStarted())
991 throw new IllegalStateException(getState());
992 return _context;
993 }
994
995
996
997
998
999
1000 public void setSslContext(SSLContext sslContext)
1001 {
1002 checkNotStarted();
1003
1004 _context = sslContext;
1005 }
1006
1007
1008
1009
1010
1011
1012
1013
1014 protected KeyStore loadKeyStore() throws Exception
1015 {
1016 return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream,
1017 _keyStorePath, _keyStoreType, _keyStoreProvider,
1018 _keyStorePassword==null? null: _keyStorePassword.toString());
1019 }
1020
1021
1022
1023
1024
1025
1026
1027
1028 protected KeyStore loadTrustStore() throws Exception
1029 {
1030 return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream,
1031 _trustStorePath, _trustStoreType, _trustStoreProvider,
1032 _trustStorePassword==null? null: _trustStorePassword.toString());
1033 }
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053 @Deprecated
1054 protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception
1055 {
1056 return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword);
1057 }
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070 protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
1071 {
1072 return CertificateUtils.loadCRL(crlPath);
1073 }
1074
1075
1076 protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
1077 {
1078 KeyManager[] managers = null;
1079
1080 if (keyStore != null)
1081 {
1082 KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
1083 keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray());
1084 managers = keyManagerFactory.getKeyManagers();
1085
1086 if (_certAlias != null)
1087 {
1088 for (int idx = 0; idx < managers.length; idx++)
1089 {
1090 if (managers[idx] instanceof X509KeyManager)
1091 {
1092 managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]);
1093 }
1094 }
1095 }
1096 }
1097
1098 return managers;
1099 }
1100
1101
1102 protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
1103 {
1104 TrustManager[] managers = null;
1105 if (trustStore != null)
1106 {
1107
1108 if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
1109 {
1110 PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector());
1111
1112
1113 pbParams.setMaxPathLength(_maxCertPathLength);
1114
1115
1116 pbParams.setRevocationEnabled(true);
1117
1118 if (crls != null && !crls.isEmpty())
1119 {
1120 pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls)));
1121 }
1122
1123 if (_enableCRLDP)
1124 {
1125
1126 System.setProperty("com.sun.security.enableCRLDP","true");
1127 }
1128
1129 if (_enableOCSP)
1130 {
1131
1132 Security.setProperty("ocsp.enable","true");
1133
1134 if (_ocspResponderURL != null)
1135 {
1136
1137 Security.setProperty("ocsp.responderURL", _ocspResponderURL);
1138 }
1139 }
1140
1141 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
1142 trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
1143
1144 managers = trustManagerFactory.getTrustManagers();
1145 }
1146 else
1147 {
1148 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
1149 trustManagerFactory.init(trustStore);
1150
1151 managers = trustManagerFactory.getTrustManagers();
1152 }
1153 }
1154
1155 return managers;
1156 }
1157
1158
1159
1160
1161
1162
1163
1164
1165 public void checkKeyStore()
1166 {
1167 if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null)
1168 throw new IllegalStateException("SSL doesn't have a valid keystore");
1169
1170
1171
1172 if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
1173 {
1174 _trustStore = _keyStore;
1175 _trustStorePath = _keyStorePath;
1176 _trustStoreInputStream = _keyStoreInputStream;
1177 _trustStoreType = _keyStoreType;
1178 _trustStoreProvider = _keyStoreProvider;
1179 _trustStorePassword = _keyStorePassword;
1180 _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
1181 }
1182
1183
1184 if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream)
1185 {
1186 try
1187 {
1188 ByteArrayOutputStream baos = new ByteArrayOutputStream();
1189 IO.copy(_keyStoreInputStream, baos);
1190 _keyStoreInputStream.close();
1191
1192 _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1193 _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1194 }
1195 catch (Exception ex)
1196 {
1197 throw new IllegalStateException(ex);
1198 }
1199 }
1200 }
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211 public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
1212 {
1213 Set<String> selected_protocols = new HashSet<String>();
1214
1215
1216 if (_includeProtocols!=null)
1217 {
1218
1219 for (String protocol : supportedProtocols)
1220 if (_includeProtocols.contains(protocol))
1221 selected_protocols.add(protocol);
1222 }
1223 else
1224 selected_protocols.addAll(Arrays.asList(enabledProtocols));
1225
1226
1227
1228 if (_excludeProtocols != null)
1229 selected_protocols.removeAll(_excludeProtocols);
1230
1231 return selected_protocols.toArray(new String[selected_protocols.size()]);
1232 }
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243 public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
1244 {
1245 Set<String> selected_ciphers = new HashSet<String>();
1246
1247
1248 if (_includeCipherSuites!=null)
1249 {
1250
1251 for (String cipherSuite : supportedCipherSuites)
1252 if (_includeCipherSuites.contains(cipherSuite))
1253 selected_ciphers.add(cipherSuite);
1254 }
1255 else
1256 selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
1257
1258
1259
1260 if (_excludeCipherSuites != null)
1261 selected_ciphers.removeAll(_excludeCipherSuites);
1262 return selected_ciphers.toArray(new String[selected_ciphers.size()]);
1263 }
1264
1265
1266
1267
1268
1269 protected void checkNotStarted()
1270 {
1271 if (isStarted())
1272 throw new IllegalStateException("Cannot modify configuration when "+getState());
1273 }
1274
1275
1276
1277
1278
1279 public boolean isEnableCRLDP()
1280 {
1281 return _enableCRLDP;
1282 }
1283
1284
1285
1286
1287
1288 public void setEnableCRLDP(boolean enableCRLDP)
1289 {
1290 checkNotStarted();
1291
1292 _enableCRLDP = enableCRLDP;
1293 }
1294
1295
1296
1297
1298
1299 public boolean isEnableOCSP()
1300 {
1301 return _enableOCSP;
1302 }
1303
1304
1305
1306
1307
1308 public void setEnableOCSP(boolean enableOCSP)
1309 {
1310 checkNotStarted();
1311
1312 _enableOCSP = enableOCSP;
1313 }
1314
1315
1316
1317
1318
1319 public String getOcspResponderURL()
1320 {
1321 return _ocspResponderURL;
1322 }
1323
1324
1325
1326
1327
1328 public void setOcspResponderURL(String ocspResponderURL)
1329 {
1330 checkNotStarted();
1331
1332 _ocspResponderURL = ocspResponderURL;
1333 }
1334
1335
1336
1337
1338
1339 public void setKeyStore(KeyStore keyStore)
1340 {
1341 checkNotStarted();
1342
1343 _keyStore = keyStore;
1344 }
1345
1346
1347
1348
1349
1350 public void setTrustStore(KeyStore trustStore)
1351 {
1352 checkNotStarted();
1353
1354 _trustStore = trustStore;
1355 }
1356
1357
1358
1359
1360
1361 public void setKeyStoreResource(Resource resource)
1362 {
1363 checkNotStarted();
1364
1365 try
1366 {
1367 _keyStoreInputStream = resource.getInputStream();
1368 }
1369 catch (IOException e)
1370 {
1371 throw new InvalidParameterException("Unable to get resource "+
1372 "input stream for resource "+resource.toString());
1373 }
1374 }
1375
1376
1377
1378
1379
1380 public void setTrustStore(Resource resource)
1381 {
1382 checkNotStarted();
1383
1384 try
1385 {
1386 _trustStoreInputStream = resource.getInputStream();
1387 }
1388 catch (IOException e)
1389 {
1390 throw new InvalidParameterException("Unable to get resource "+
1391 "input stream for resource "+resource.toString());
1392 }
1393 }
1394
1395
1396
1397
1398
1399 public boolean isSessionCachingEnabled()
1400 {
1401 return _sessionCachingEnabled;
1402 }
1403
1404
1405
1406
1407
1408 public void setSessionCachingEnabled(boolean enableSessionCaching)
1409 {
1410 _sessionCachingEnabled = enableSessionCaching;
1411 }
1412
1413
1414
1415
1416
1417 public int getSslSessionCacheSize()
1418 {
1419 return _sslSessionCacheSize;
1420 }
1421
1422
1423
1424
1425
1426 public void setSslSessionCacheSize(int sslSessionCacheSize)
1427 {
1428 _sslSessionCacheSize = sslSessionCacheSize;
1429 }
1430
1431
1432
1433
1434
1435 public int getSslSessionTimeout()
1436 {
1437 return _sslSessionTimeout;
1438 }
1439
1440
1441
1442
1443
1444 public void setSslSessionTimeout(int sslSessionTimeout)
1445 {
1446 _sslSessionTimeout = sslSessionTimeout;
1447 }
1448
1449
1450
1451 public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
1452 {
1453 SSLServerSocketFactory factory = _context.getServerSocketFactory();
1454
1455 SSLServerSocket socket =
1456 (SSLServerSocket) (host==null ?
1457 factory.createServerSocket(port,backlog):
1458 factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
1459
1460 if (getWantClientAuth())
1461 socket.setWantClientAuth(getWantClientAuth());
1462 if (getNeedClientAuth())
1463 socket.setNeedClientAuth(getNeedClientAuth());
1464
1465 socket.setEnabledCipherSuites(selectCipherSuites(
1466 socket.getEnabledCipherSuites(),
1467 socket.getSupportedCipherSuites()));
1468 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1469
1470 return socket;
1471 }
1472
1473
1474 public SSLSocket newSslSocket() throws IOException
1475 {
1476 SSLSocketFactory factory = _context.getSocketFactory();
1477
1478 SSLSocket socket = (SSLSocket)factory.createSocket();
1479
1480 if (getWantClientAuth())
1481 socket.setWantClientAuth(getWantClientAuth());
1482 if (getNeedClientAuth())
1483 socket.setNeedClientAuth(getNeedClientAuth());
1484
1485 socket.setEnabledCipherSuites(selectCipherSuites(
1486 socket.getEnabledCipherSuites(),
1487 socket.getSupportedCipherSuites()));
1488 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1489
1490 return socket;
1491 }
1492
1493
1494 public SSLEngine newSslEngine(String host,int port)
1495 {
1496 SSLEngine sslEngine=isSessionCachingEnabled()
1497 ?_context.createSSLEngine(host, port)
1498 :_context.createSSLEngine();
1499
1500 customize(sslEngine);
1501 return sslEngine;
1502 }
1503
1504
1505 public SSLEngine newSslEngine()
1506 {
1507 SSLEngine sslEngine=_context.createSSLEngine();
1508 customize(sslEngine);
1509 return sslEngine;
1510 }
1511
1512
1513 public void customize(SSLEngine sslEngine)
1514 {
1515 if (getWantClientAuth())
1516 sslEngine.setWantClientAuth(getWantClientAuth());
1517 if (getNeedClientAuth())
1518 sslEngine.setNeedClientAuth(getNeedClientAuth());
1519
1520 sslEngine.setEnabledCipherSuites(selectCipherSuites(
1521 sslEngine.getEnabledCipherSuites(),
1522 sslEngine.getSupportedCipherSuites()));
1523
1524 sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()));
1525 }
1526
1527 }