1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.eclipse.jetty.util.ssl;
20
21 import java.io.ByteArrayInputStream;
22 import java.io.ByteArrayOutputStream;
23 import java.io.IOException;
24 import java.io.InputStream;
25 import java.net.InetAddress;
26 import java.net.InetSocketAddress;
27 import java.security.InvalidParameterException;
28 import java.security.KeyStore;
29 import java.security.SecureRandom;
30 import java.security.Security;
31 import java.security.cert.CRL;
32 import java.security.cert.CertStore;
33 import java.security.cert.Certificate;
34 import java.security.cert.CollectionCertStoreParameters;
35 import java.security.cert.PKIXBuilderParameters;
36 import java.security.cert.X509CertSelector;
37 import java.security.cert.X509Certificate;
38 import java.util.Arrays;
39 import java.util.Collection;
40 import java.util.Collections;
41 import java.util.LinkedHashSet;
42 import java.util.List;
43 import java.util.Set;
44 import java.util.concurrent.CopyOnWriteArraySet;
45 import java.util.regex.Matcher;
46 import java.util.regex.Pattern;
47 import javax.net.ssl.CertPathTrustManagerParameters;
48 import javax.net.ssl.KeyManager;
49 import javax.net.ssl.KeyManagerFactory;
50 import javax.net.ssl.SSLContext;
51 import javax.net.ssl.SSLEngine;
52 import javax.net.ssl.SSLParameters;
53 import javax.net.ssl.SSLPeerUnverifiedException;
54 import javax.net.ssl.SSLServerSocket;
55 import javax.net.ssl.SSLServerSocketFactory;
56 import javax.net.ssl.SSLSession;
57 import javax.net.ssl.SSLSocket;
58 import javax.net.ssl.SSLSocketFactory;
59 import javax.net.ssl.TrustManager;
60 import javax.net.ssl.TrustManagerFactory;
61 import javax.net.ssl.X509KeyManager;
62 import javax.net.ssl.X509TrustManager;
63
64 import org.eclipse.jetty.util.IO;
65 import org.eclipse.jetty.util.component.AbstractLifeCycle;
66 import org.eclipse.jetty.util.log.Log;
67 import org.eclipse.jetty.util.log.Logger;
68 import org.eclipse.jetty.util.resource.Resource;
69 import org.eclipse.jetty.util.security.CertificateUtils;
70 import org.eclipse.jetty.util.security.CertificateValidator;
71 import org.eclipse.jetty.util.security.Password;
72
73
74
75
76
77
78
79
80 public class SslContextFactory extends AbstractLifeCycle
81 {
82 public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager()
83 {
84 public java.security.cert.X509Certificate[] getAcceptedIssuers()
85 {
86 return new java.security.cert.X509Certificate[]{};
87 }
88
89 public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
90 {
91 }
92
93 public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
94 {
95 }
96 }};
97
98 static final Logger LOG = Log.getLogger(SslContextFactory.class);
99
100 public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
101 (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
102 KeyManagerFactory.getDefaultAlgorithm() : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
103
104 public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
105 (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ?
106 TrustManagerFactory.getDefaultAlgorithm() : Security.getProperty("ssl.TrustManagerFactory.algorithm"));
107
108
109 public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
110
111
112 public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
113
114
115 private final Set<String> _excludeProtocols = new LinkedHashSet<>();
116
117
118 private Set<String> _includeProtocols = null;
119
120
121 private final Set<String> _excludeCipherSuites = new LinkedHashSet<>();
122
123 private Set<String> _includeCipherSuites = null;
124
125
126 private String _keyStorePath;
127
128 private String _keyStoreProvider;
129
130 private String _keyStoreType = "JKS";
131
132 private InputStream _keyStoreInputStream;
133
134
135 private String _certAlias;
136
137
138 private String _trustStorePath;
139
140 private String _trustStoreProvider;
141
142 private String _trustStoreType = "JKS";
143
144 private InputStream _trustStoreInputStream;
145
146
147 private boolean _needClientAuth = false;
148
149 private boolean _wantClientAuth = false;
150
151
152 private transient Password _keyStorePassword;
153
154 private transient Password _keyManagerPassword;
155
156 private transient Password _trustStorePassword;
157
158
159 private String _sslProvider;
160
161 private String _sslProtocol = "TLS";
162
163
164 private String _secureRandomAlgorithm;
165
166 private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
167
168 private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
169
170
171 private boolean _validateCerts;
172
173 private boolean _validatePeerCerts;
174
175 private int _maxCertPathLength = -1;
176
177 private String _crlPath;
178
179 private boolean _enableCRLDP = false;
180
181 private boolean _enableOCSP = false;
182
183 private String _ocspResponderURL;
184
185
186 private KeyStore _keyStore;
187
188 private KeyStore _trustStore;
189
190 private boolean _sessionCachingEnabled = true;
191
192 private int _sslSessionCacheSize;
193
194 private int _sslSessionTimeout;
195
196
197 private SSLContext _context;
198
199
200 private String _endpointIdentificationAlgorithm = null;
201
202
203 private boolean _trustAll;
204
205
206 private boolean _renegotiationAllowed = true;
207
208
209
210
211
212 public SslContextFactory()
213 {
214 this(false);
215 }
216
217
218
219
220
221
222
223 public SslContextFactory(boolean trustAll)
224 {
225 setTrustAll(trustAll);
226 }
227
228
229
230
231
232 public SslContextFactory(String keyStorePath)
233 {
234 _keyStorePath = keyStorePath;
235 }
236
237
238
239
240
241 @Override
242 protected void doStart() throws Exception
243 {
244 if (_context == null)
245 {
246 if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null &&
247 _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null )
248 {
249 TrustManager[] trust_managers=null;
250
251 if (_trustAll)
252 {
253 LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
254
255 trust_managers = TRUST_ALL_CERTS;
256 }
257
258 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
259 SSLContext context = SSLContext.getInstance(_sslProtocol);
260 context.init(null, trust_managers, secureRandom);
261 _context = context;
262 }
263 else
264 {
265
266
267 checkKeyStore();
268
269 KeyStore keyStore = loadKeyStore();
270 KeyStore trustStore = loadTrustStore();
271
272 Collection<? extends CRL> crls = loadCRL(_crlPath);
273
274 if (_validateCerts && keyStore != null)
275 {
276 if (_certAlias == null)
277 {
278 List<String> aliases = Collections.list(keyStore.aliases());
279 _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
280 }
281
282 Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
283 if (cert == null)
284 {
285 throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
286 }
287
288 CertificateValidator validator = new CertificateValidator(trustStore, crls);
289 validator.setMaxCertPathLength(_maxCertPathLength);
290 validator.setEnableCRLDP(_enableCRLDP);
291 validator.setEnableOCSP(_enableOCSP);
292 validator.setOcspResponderURL(_ocspResponderURL);
293 validator.validate(keyStore, cert);
294 }
295
296 KeyManager[] keyManagers = getKeyManagers(keyStore);
297 TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
298
299 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
300 SSLContext context = _sslProvider == null ? SSLContext.getInstance(_sslProtocol) : SSLContext.getInstance(_sslProtocol,_sslProvider);
301 context.init(keyManagers,trustManagers,secureRandom);
302 _context = context;
303 }
304
305 SSLEngine engine = newSSLEngine();
306 LOG.debug("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
307 if (LOG.isDebugEnabled())
308 LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
309 }
310 }
311
312 @Override
313 protected void doStop() throws Exception
314 {
315 _context = null;
316 super.doStop();
317 }
318
319
320
321
322
323 public String[] getExcludeProtocols()
324 {
325 return _excludeProtocols.toArray(new String[_excludeProtocols.size()]);
326 }
327
328
329
330
331
332
333 public void setExcludeProtocols(String... protocols)
334 {
335 checkNotStarted();
336 _excludeProtocols.clear();
337 _excludeProtocols.addAll(Arrays.asList(protocols));
338 }
339
340
341
342
343 public void addExcludeProtocols(String... protocol)
344 {
345 checkNotStarted();
346 _excludeProtocols.addAll(Arrays.asList(protocol));
347 }
348
349
350
351
352
353 public String[] getIncludeProtocols()
354 {
355 return _includeProtocols.toArray(new String[_includeProtocols.size()]);
356 }
357
358
359
360
361
362
363 public void setIncludeProtocols(String... protocols)
364 {
365 checkNotStarted();
366 _includeProtocols = new LinkedHashSet<>(Arrays.asList(protocols));
367 }
368
369
370
371
372
373 public String[] getExcludeCipherSuites()
374 {
375 return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]);
376 }
377
378
379
380
381
382
383
384 public void setExcludeCipherSuites(String... cipherSuites)
385 {
386 checkNotStarted();
387 _excludeCipherSuites.clear();
388 _excludeCipherSuites.addAll(Arrays.asList(cipherSuites));
389 }
390
391
392
393
394 public void addExcludeCipherSuites(String... cipher)
395 {
396 checkNotStarted();
397 _excludeCipherSuites.addAll(Arrays.asList(cipher));
398 }
399
400
401
402
403
404 public String[] getIncludeCipherSuites()
405 {
406 return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]);
407 }
408
409
410
411
412
413
414
415 public void setIncludeCipherSuites(String... cipherSuites)
416 {
417 checkNotStarted();
418 _includeCipherSuites = new LinkedHashSet<>(Arrays.asList(cipherSuites));
419 }
420
421
422
423
424 public String getKeyStorePath()
425 {
426 return _keyStorePath;
427 }
428
429
430
431
432
433 public void setKeyStorePath(String keyStorePath)
434 {
435 checkNotStarted();
436 _keyStorePath = keyStorePath;
437 }
438
439
440
441
442 public String getKeyStoreProvider()
443 {
444 return _keyStoreProvider;
445 }
446
447
448
449
450
451 public void setKeyStoreProvider(String keyStoreProvider)
452 {
453 checkNotStarted();
454 _keyStoreProvider = keyStoreProvider;
455 }
456
457
458
459
460 public String getKeyStoreType()
461 {
462 return (_keyStoreType);
463 }
464
465
466
467
468
469 public void setKeyStoreType(String keyStoreType)
470 {
471 checkNotStarted();
472 _keyStoreType = keyStoreType;
473 }
474
475
476
477
478 public String getCertAlias()
479 {
480 return _certAlias;
481 }
482
483
484
485
486
487 public void setCertAlias(String certAlias)
488 {
489 checkNotStarted();
490 _certAlias = certAlias;
491 }
492
493
494
495
496 public String getTrustStore()
497 {
498 return _trustStorePath;
499 }
500
501
502
503
504
505 public void setTrustStorePath(String trustStorePath)
506 {
507 checkNotStarted();
508 _trustStorePath = trustStorePath;
509 }
510
511
512
513
514 public String getTrustStoreProvider()
515 {
516 return _trustStoreProvider;
517 }
518
519
520
521
522
523 public void setTrustStoreProvider(String trustStoreProvider)
524 {
525 checkNotStarted();
526 _trustStoreProvider = trustStoreProvider;
527 }
528
529
530
531
532 public String getTrustStoreType()
533 {
534 return _trustStoreType;
535 }
536
537
538
539
540
541 public void setTrustStoreType(String trustStoreType)
542 {
543 checkNotStarted();
544 _trustStoreType = trustStoreType;
545 }
546
547
548
549
550
551 public boolean getNeedClientAuth()
552 {
553 return _needClientAuth;
554 }
555
556
557
558
559
560
561 public void setNeedClientAuth(boolean needClientAuth)
562 {
563 checkNotStarted();
564 _needClientAuth = needClientAuth;
565 }
566
567
568
569
570
571 public boolean getWantClientAuth()
572 {
573 return _wantClientAuth;
574 }
575
576
577
578
579
580
581 public void setWantClientAuth(boolean wantClientAuth)
582 {
583 checkNotStarted();
584 _wantClientAuth = wantClientAuth;
585 }
586
587
588
589
590 public boolean isValidateCerts()
591 {
592 return _validateCerts;
593 }
594
595
596
597
598
599 public void setValidateCerts(boolean validateCerts)
600 {
601 checkNotStarted();
602 _validateCerts = validateCerts;
603 }
604
605
606
607
608 public boolean isValidatePeerCerts()
609 {
610 return _validatePeerCerts;
611 }
612
613
614
615
616
617 public void setValidatePeerCerts(boolean validatePeerCerts)
618 {
619 checkNotStarted();
620 _validatePeerCerts = validatePeerCerts;
621 }
622
623
624
625
626
627
628 public void setKeyStorePassword(String password)
629 {
630 checkNotStarted();
631 _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
632 }
633
634
635
636
637
638 public void setKeyManagerPassword(String password)
639 {
640 checkNotStarted();
641 _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
642 }
643
644
645
646
647
648 public void setTrustStorePassword(String password)
649 {
650 checkNotStarted();
651 _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
652 }
653
654
655
656
657
658 public String getProvider()
659 {
660 return _sslProvider;
661 }
662
663
664
665
666
667
668 public void setProvider(String provider)
669 {
670 checkNotStarted();
671 _sslProvider = provider;
672 }
673
674
675
676
677
678 public String getProtocol()
679 {
680 return _sslProtocol;
681 }
682
683
684
685
686
687
688 public void setProtocol(String protocol)
689 {
690 checkNotStarted();
691 _sslProtocol = protocol;
692 }
693
694
695
696
697
698
699 public String getSecureRandomAlgorithm()
700 {
701 return _secureRandomAlgorithm;
702 }
703
704
705
706
707
708
709
710 public void setSecureRandomAlgorithm(String algorithm)
711 {
712 checkNotStarted();
713 _secureRandomAlgorithm = algorithm;
714 }
715
716
717
718
719 public String getSslKeyManagerFactoryAlgorithm()
720 {
721 return (_keyManagerFactoryAlgorithm);
722 }
723
724
725
726
727
728 public void setSslKeyManagerFactoryAlgorithm(String algorithm)
729 {
730 checkNotStarted();
731 _keyManagerFactoryAlgorithm = algorithm;
732 }
733
734
735
736
737 public String getTrustManagerFactoryAlgorithm()
738 {
739 return (_trustManagerFactoryAlgorithm);
740 }
741
742
743
744
745 public boolean isTrustAll()
746 {
747 return _trustAll;
748 }
749
750
751
752
753 public void setTrustAll(boolean trustAll)
754 {
755 _trustAll = trustAll;
756 if(trustAll)
757 setEndpointIdentificationAlgorithm(null);
758 }
759
760
761
762
763
764
765 public void setTrustManagerFactoryAlgorithm(String algorithm)
766 {
767 checkNotStarted();
768 _trustManagerFactoryAlgorithm = algorithm;
769 }
770
771
772
773
774 public boolean isRenegotiationAllowed()
775 {
776 return _renegotiationAllowed;
777 }
778
779
780
781
782 public void setRenegotiationAllowed(boolean renegotiationAllowed)
783 {
784 _renegotiationAllowed = renegotiationAllowed;
785 }
786
787
788
789
790 public String getCrlPath()
791 {
792 return _crlPath;
793 }
794
795
796
797
798
799 public void setCrlPath(String crlPath)
800 {
801 checkNotStarted();
802 _crlPath = crlPath;
803 }
804
805
806
807
808
809 public int getMaxCertPathLength()
810 {
811 return _maxCertPathLength;
812 }
813
814
815
816
817
818
819 public void setMaxCertPathLength(int maxCertPathLength)
820 {
821 checkNotStarted();
822 _maxCertPathLength = maxCertPathLength;
823 }
824
825
826
827
828 public SSLContext getSslContext()
829 {
830 if (!isStarted())
831 throw new IllegalStateException(getState());
832 return _context;
833 }
834
835
836
837
838
839 public void setSslContext(SSLContext sslContext)
840 {
841 checkNotStarted();
842 _context = sslContext;
843 }
844
845
846
847
848
849
850 public void setEndpointIdentificationAlgorithm(String endpointIdentificationAlgorithm)
851 {
852 this._endpointIdentificationAlgorithm = endpointIdentificationAlgorithm;
853 }
854
855
856
857
858
859
860
861 protected KeyStore loadKeyStore() throws Exception
862 {
863 return _keyStore != null ? _keyStore : CertificateUtils.getKeyStore(_keyStoreInputStream,
864 _keyStorePath, _keyStoreType, _keyStoreProvider,
865 _keyStorePassword==null? null: _keyStorePassword.toString());
866 }
867
868
869
870
871
872
873
874 protected KeyStore loadTrustStore() throws Exception
875 {
876 return _trustStore != null ? _trustStore : CertificateUtils.getKeyStore(_trustStoreInputStream,
877 _trustStorePath, _trustStoreType, _trustStoreProvider,
878 _trustStorePassword==null? null: _trustStorePassword.toString());
879 }
880
881
882
883
884
885
886
887
888
889
890
891 protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
892 {
893 return CertificateUtils.loadCRL(crlPath);
894 }
895
896 protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
897 {
898 KeyManager[] managers = null;
899
900 if (keyStore != null)
901 {
902 KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
903 keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray());
904 managers = keyManagerFactory.getKeyManagers();
905
906 if (_certAlias != null)
907 {
908 for (int idx = 0; idx < managers.length; idx++)
909 {
910 if (managers[idx] instanceof X509KeyManager)
911 {
912 managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]);
913 }
914 }
915 }
916 }
917
918 return managers;
919 }
920
921 protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
922 {
923 TrustManager[] managers = null;
924 if (trustStore != null)
925 {
926
927 if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
928 {
929 PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector());
930
931
932 pbParams.setMaxPathLength(_maxCertPathLength);
933
934
935 pbParams.setRevocationEnabled(true);
936
937 if (crls != null && !crls.isEmpty())
938 {
939 pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls)));
940 }
941
942 if (_enableCRLDP)
943 {
944
945 System.setProperty("com.sun.security.enableCRLDP","true");
946 }
947
948 if (_enableOCSP)
949 {
950
951 Security.setProperty("ocsp.enable","true");
952
953 if (_ocspResponderURL != null)
954 {
955
956 Security.setProperty("ocsp.responderURL", _ocspResponderURL);
957 }
958 }
959
960 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
961 trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
962
963 managers = trustManagerFactory.getTrustManagers();
964 }
965 else
966 {
967 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
968 trustManagerFactory.init(trustStore);
969
970 managers = trustManagerFactory.getTrustManagers();
971 }
972 }
973
974 return managers;
975 }
976
977
978
979
980
981
982
983 public void checkKeyStore()
984 {
985 if (_context != null)
986 return;
987
988 if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null)
989 throw new IllegalStateException("SSL doesn't have a valid keystore");
990
991
992
993 if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
994 {
995 _trustStore = _keyStore;
996 _trustStorePath = _keyStorePath;
997 _trustStoreInputStream = _keyStoreInputStream;
998 _trustStoreType = _keyStoreType;
999 _trustStoreProvider = _keyStoreProvider;
1000 _trustStorePassword = _keyStorePassword;
1001 _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
1002 }
1003
1004
1005 if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream)
1006 {
1007 try
1008 {
1009 ByteArrayOutputStream baos = new ByteArrayOutputStream();
1010 IO.copy(_keyStoreInputStream, baos);
1011 _keyStoreInputStream.close();
1012
1013 _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1014 _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1015 }
1016 catch (Exception ex)
1017 {
1018 throw new IllegalStateException(ex);
1019 }
1020 }
1021 }
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031 public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
1032 {
1033 Set<String> selected_protocols = new LinkedHashSet<>();
1034
1035
1036 if (_includeProtocols!=null)
1037 {
1038
1039 for (String protocol : _includeProtocols)
1040 if(Arrays.asList(supportedProtocols).contains(protocol))
1041 selected_protocols.add(protocol);
1042 }
1043 else
1044 selected_protocols.addAll(Arrays.asList(enabledProtocols));
1045
1046
1047
1048 selected_protocols.removeAll(_excludeProtocols);
1049
1050 return selected_protocols.toArray(new String[selected_protocols.size()]);
1051 }
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061 public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
1062 {
1063 Set<String> selected_ciphers = new CopyOnWriteArraySet<>();
1064
1065
1066 if (_includeCipherSuites!=null)
1067 processIncludeCipherSuites(supportedCipherSuites, selected_ciphers);
1068 else
1069 selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
1070
1071 removeExcludedCipherSuites(selected_ciphers);
1072
1073 return selected_ciphers.toArray(new String[selected_ciphers.size()]);
1074 }
1075
1076 private void processIncludeCipherSuites(String[] supportedCipherSuites, Set<String> selected_ciphers)
1077 {
1078 for (String cipherSuite : _includeCipherSuites)
1079 {
1080 Pattern p = Pattern.compile(cipherSuite);
1081 for (String supportedCipherSuite : supportedCipherSuites)
1082 {
1083 Matcher m = p.matcher(supportedCipherSuite);
1084 if (m.matches())
1085 selected_ciphers.add(supportedCipherSuite);
1086 }
1087 }
1088 }
1089
1090 private void removeExcludedCipherSuites(Set<String> selected_ciphers)
1091 {
1092 for (String excludeCipherSuite : _excludeCipherSuites)
1093 {
1094 Pattern excludeCipherPattern = Pattern.compile(excludeCipherSuite);
1095 for (String selectedCipherSuite : selected_ciphers)
1096 {
1097 Matcher m = excludeCipherPattern.matcher(selectedCipherSuite);
1098 if (m.matches())
1099 selected_ciphers.remove(selectedCipherSuite);
1100 }
1101 }
1102 }
1103
1104
1105
1106
1107 protected void checkNotStarted()
1108 {
1109 if (isStarted())
1110 throw new IllegalStateException("Cannot modify configuration when "+getState());
1111 }
1112
1113
1114
1115
1116 public boolean isEnableCRLDP()
1117 {
1118 return _enableCRLDP;
1119 }
1120
1121
1122
1123
1124 public void setEnableCRLDP(boolean enableCRLDP)
1125 {
1126 checkNotStarted();
1127 _enableCRLDP = enableCRLDP;
1128 }
1129
1130
1131
1132
1133 public boolean isEnableOCSP()
1134 {
1135 return _enableOCSP;
1136 }
1137
1138
1139
1140
1141 public void setEnableOCSP(boolean enableOCSP)
1142 {
1143 checkNotStarted();
1144 _enableOCSP = enableOCSP;
1145 }
1146
1147
1148
1149
1150 public String getOcspResponderURL()
1151 {
1152 return _ocspResponderURL;
1153 }
1154
1155
1156
1157
1158 public void setOcspResponderURL(String ocspResponderURL)
1159 {
1160 checkNotStarted();
1161 _ocspResponderURL = ocspResponderURL;
1162 }
1163
1164
1165
1166
1167 public void setKeyStore(KeyStore keyStore)
1168 {
1169 checkNotStarted();
1170 _keyStore = keyStore;
1171 }
1172
1173
1174
1175
1176 public void setTrustStore(KeyStore trustStore)
1177 {
1178 checkNotStarted();
1179 _trustStore = trustStore;
1180 }
1181
1182
1183
1184
1185 public void setKeyStoreResource(Resource resource)
1186 {
1187 checkNotStarted();
1188 try
1189 {
1190 _keyStoreInputStream = resource.getInputStream();
1191 }
1192 catch (IOException e)
1193 {
1194 throw new InvalidParameterException("Unable to get resource "+
1195 "input stream for resource "+resource.toString());
1196 }
1197 }
1198
1199
1200
1201
1202 public void setTrustStoreResource(Resource resource)
1203 {
1204 checkNotStarted();
1205 try
1206 {
1207 _trustStoreInputStream = resource.getInputStream();
1208 }
1209 catch (IOException e)
1210 {
1211 throw new InvalidParameterException("Unable to get resource "+
1212 "input stream for resource "+resource.toString());
1213 }
1214 }
1215
1216
1217
1218
1219 public boolean isSessionCachingEnabled()
1220 {
1221 return _sessionCachingEnabled;
1222 }
1223
1224
1225
1226
1227 public void setSessionCachingEnabled(boolean enableSessionCaching)
1228 {
1229 _sessionCachingEnabled = enableSessionCaching;
1230 }
1231
1232
1233
1234
1235 public int getSslSessionCacheSize()
1236 {
1237 return _sslSessionCacheSize;
1238 }
1239
1240
1241
1242
1243 public void setSslSessionCacheSize(int sslSessionCacheSize)
1244 {
1245 _sslSessionCacheSize = sslSessionCacheSize;
1246 }
1247
1248
1249
1250
1251 public int getSslSessionTimeout()
1252 {
1253 return _sslSessionTimeout;
1254 }
1255
1256
1257
1258
1259 public void setSslSessionTimeout(int sslSessionTimeout)
1260 {
1261 _sslSessionTimeout = sslSessionTimeout;
1262 }
1263
1264
1265 public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
1266 {
1267 SSLServerSocketFactory factory = _context.getServerSocketFactory();
1268
1269 SSLServerSocket socket =
1270 (SSLServerSocket) (host==null ?
1271 factory.createServerSocket(port,backlog):
1272 factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
1273
1274 if (getWantClientAuth())
1275 socket.setWantClientAuth(getWantClientAuth());
1276 if (getNeedClientAuth())
1277 socket.setNeedClientAuth(getNeedClientAuth());
1278
1279 socket.setEnabledCipherSuites(selectCipherSuites(
1280 socket.getEnabledCipherSuites(),
1281 socket.getSupportedCipherSuites()));
1282 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1283
1284 return socket;
1285 }
1286
1287 public SSLSocket newSslSocket() throws IOException
1288 {
1289 SSLSocketFactory factory = _context.getSocketFactory();
1290
1291 SSLSocket socket = (SSLSocket)factory.createSocket();
1292
1293 if (getWantClientAuth())
1294 socket.setWantClientAuth(getWantClientAuth());
1295 if (getNeedClientAuth())
1296 socket.setNeedClientAuth(getNeedClientAuth());
1297
1298 socket.setEnabledCipherSuites(selectCipherSuites(
1299 socket.getEnabledCipherSuites(),
1300 socket.getSupportedCipherSuites()));
1301 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1302
1303 return socket;
1304 }
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315 public SSLEngine newSSLEngine()
1316 {
1317 if (!isRunning())
1318 throw new IllegalStateException("!STARTED");
1319 SSLEngine sslEngine=_context.createSSLEngine();
1320 customize(sslEngine);
1321 return sslEngine;
1322 }
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332 public SSLEngine newSSLEngine(String host, int port)
1333 {
1334 if (!isRunning())
1335 throw new IllegalStateException("!STARTED");
1336 SSLEngine sslEngine=isSessionCachingEnabled()
1337 ? _context.createSSLEngine(host, port)
1338 : _context.createSSLEngine();
1339 customize(sslEngine);
1340 return sslEngine;
1341 }
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361 public SSLEngine newSSLEngine(InetSocketAddress address)
1362 {
1363 if (address == null)
1364 return newSSLEngine();
1365
1366 boolean useHostName = getNeedClientAuth();
1367 String hostName = useHostName ? address.getHostName() : address.getAddress().getHostAddress();
1368 return newSSLEngine(hostName, address.getPort());
1369 }
1370
1371 public void customize(SSLEngine sslEngine)
1372 {
1373 SSLParameters sslParams = sslEngine.getSSLParameters();
1374 sslParams.setEndpointIdentificationAlgorithm(_endpointIdentificationAlgorithm);
1375 sslEngine.setSSLParameters(sslParams);
1376
1377 if (getWantClientAuth())
1378 sslEngine.setWantClientAuth(getWantClientAuth());
1379 if (getNeedClientAuth())
1380 sslEngine.setNeedClientAuth(getNeedClientAuth());
1381
1382 sslEngine.setEnabledCipherSuites(selectCipherSuites(
1383 sslEngine.getEnabledCipherSuites(),
1384 sslEngine.getSupportedCipherSuites()));
1385
1386 sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()));
1387 }
1388
1389 public static X509Certificate[] getCertChain(SSLSession sslSession)
1390 {
1391 try
1392 {
1393 javax.security.cert.X509Certificate javaxCerts[]=sslSession.getPeerCertificateChain();
1394 if (javaxCerts==null||javaxCerts.length==0)
1395 return null;
1396
1397 int length=javaxCerts.length;
1398 X509Certificate[] javaCerts=new X509Certificate[length];
1399
1400 java.security.cert.CertificateFactory cf=java.security.cert.CertificateFactory.getInstance("X.509");
1401 for (int i=0; i<length; i++)
1402 {
1403 byte bytes[]=javaxCerts[i].getEncoded();
1404 ByteArrayInputStream stream=new ByteArrayInputStream(bytes);
1405 javaCerts[i]=(X509Certificate)cf.generateCertificate(stream);
1406 }
1407
1408 return javaCerts;
1409 }
1410 catch (SSLPeerUnverifiedException pue)
1411 {
1412 return null;
1413 }
1414 catch (Exception e)
1415 {
1416 LOG.warn(Log.EXCEPTION,e);
1417 return null;
1418 }
1419 }
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447 public static int deduceKeyLength(String cipherSuite)
1448 {
1449
1450 if (cipherSuite == null)
1451 return 0;
1452 else if (cipherSuite.contains("WITH_AES_256_"))
1453 return 256;
1454 else if (cipherSuite.contains("WITH_RC4_128_"))
1455 return 128;
1456 else if (cipherSuite.contains("WITH_AES_128_"))
1457 return 128;
1458 else if (cipherSuite.contains("WITH_RC4_40_"))
1459 return 40;
1460 else if (cipherSuite.contains("WITH_3DES_EDE_CBC_"))
1461 return 168;
1462 else if (cipherSuite.contains("WITH_IDEA_CBC_"))
1463 return 128;
1464 else if (cipherSuite.contains("WITH_RC2_CBC_40_"))
1465 return 40;
1466 else if (cipherSuite.contains("WITH_DES40_CBC_"))
1467 return 40;
1468 else if (cipherSuite.contains("WITH_DES_CBC_"))
1469 return 56;
1470 else
1471 return 0;
1472 }
1473
1474 @Override
1475 public String toString()
1476 {
1477 return String.format("%s@%x(%s,%s)",
1478 getClass().getSimpleName(),
1479 hashCode(),
1480 _keyStorePath,
1481 _trustStorePath);
1482 }
1483 }