1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19 package org.eclipse.jetty.util.ssl;
20
21 import java.io.ByteArrayInputStream;
22 import java.io.ByteArrayOutputStream;
23 import java.io.File;
24 import java.io.IOException;
25 import java.io.InputStream;
26 import java.net.InetAddress;
27 import java.security.InvalidParameterException;
28 import java.security.KeyStore;
29 import java.security.SecureRandom;
30 import java.security.Security;
31 import java.security.cert.CRL;
32 import java.security.cert.CertStore;
33 import java.security.cert.Certificate;
34 import java.security.cert.CollectionCertStoreParameters;
35 import java.security.cert.PKIXBuilderParameters;
36 import java.security.cert.X509CertSelector;
37 import java.util.Arrays;
38 import java.util.Collection;
39 import java.util.Collections;
40 import java.util.LinkedHashSet;
41 import java.util.List;
42 import java.util.Set;
43 import javax.net.ssl.CertPathTrustManagerParameters;
44 import javax.net.ssl.KeyManager;
45 import javax.net.ssl.KeyManagerFactory;
46 import javax.net.ssl.SSLContext;
47 import javax.net.ssl.SSLEngine;
48 import javax.net.ssl.SSLServerSocket;
49 import javax.net.ssl.SSLServerSocketFactory;
50 import javax.net.ssl.SSLSocket;
51 import javax.net.ssl.SSLSocketFactory;
52 import javax.net.ssl.TrustManager;
53 import javax.net.ssl.TrustManagerFactory;
54 import javax.net.ssl.X509KeyManager;
55 import javax.net.ssl.X509TrustManager;
56
57 import org.eclipse.jetty.util.IO;
58 import org.eclipse.jetty.util.component.AbstractLifeCycle;
59 import org.eclipse.jetty.util.log.Log;
60 import org.eclipse.jetty.util.log.Logger;
61 import org.eclipse.jetty.util.resource.Resource;
62 import org.eclipse.jetty.util.security.CertificateUtils;
63 import org.eclipse.jetty.util.security.CertificateValidator;
64 import org.eclipse.jetty.util.security.Password;
65
66
67
68
69
70
71
72
73
74 public class SslContextFactory extends AbstractLifeCycle
75 {
76 public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager()
77 {
78 public java.security.cert.X509Certificate[] getAcceptedIssuers()
79 {
80 return new java.security.cert.X509Certificate[]{};
81 }
82
83 public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
84 {
85 }
86
87 public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
88 {
89 }
90 }};
91
92 private static final Logger LOG = Log.getLogger(SslContextFactory.class);
93
94 public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
95 (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
96 "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
97 public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
98 (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ?
99 "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm"));
100
101
102 public static final String DEFAULT_KEYSTORE_PATH =
103 System.getProperty("user.home") + File.separator + ".keystore";
104
105
106 public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
107
108
109 public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
110
111
112 private final Set<String> _excludeProtocols = new LinkedHashSet<String>();
113
114 private Set<String> _includeProtocols = null;
115
116
117 private final Set<String> _excludeCipherSuites = new LinkedHashSet<String>();
118
119 private Set<String> _includeCipherSuites = null;
120
121
122 private String _keyStorePath;
123
124 private String _keyStoreProvider;
125
126 private String _keyStoreType = "JKS";
127
128 private InputStream _keyStoreInputStream;
129
130
131 private String _certAlias;
132
133
134 private String _trustStorePath;
135
136 private String _trustStoreProvider;
137
138 private String _trustStoreType = "JKS";
139
140 private InputStream _trustStoreInputStream;
141
142
143 private boolean _needClientAuth = false;
144
145 private boolean _wantClientAuth = false;
146
147
148 private boolean _allowRenegotiate = true;
149
150
151 private transient Password _keyStorePassword;
152
153 private transient Password _keyManagerPassword;
154
155 private transient Password _trustStorePassword;
156
157
158 private String _sslProvider;
159
160 private String _sslProtocol = "TLS";
161
162
163 private String _secureRandomAlgorithm;
164
165 private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
166
167 private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
168
169
170 private boolean _validateCerts;
171
172 private boolean _validatePeerCerts;
173
174 private int _maxCertPathLength = -1;
175
176 private String _crlPath;
177
178 private boolean _enableCRLDP = false;
179
180 private boolean _enableOCSP = false;
181
182 private String _ocspResponderURL;
183
184
185 private KeyStore _keyStore;
186
187 private KeyStore _trustStore;
188
189 private boolean _sessionCachingEnabled = true;
190
191 private int _sslSessionCacheSize;
192
193 private int _sslSessionTimeout;
194
195
196 private SSLContext _context;
197
198 private boolean _trustAll;
199
200
201
202
203
204
205 public SslContextFactory()
206 {
207 _trustAll=true;
208 }
209
210
211
212
213
214
215
216
217 public SslContextFactory(boolean trustAll)
218 {
219 _trustAll=trustAll;
220 }
221
222
223
224
225
226
227 public SslContextFactory(String keyStorePath)
228 {
229 _keyStorePath = keyStorePath;
230 }
231
232
233
234
235
236
237 @Override
238 protected void doStart() throws Exception
239 {
240 if (_context == null)
241 {
242 if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null &&
243 _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null )
244 {
245 TrustManager[] trust_managers=null;
246
247 if (_trustAll)
248 {
249 LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
250
251 trust_managers = TRUST_ALL_CERTS;
252 }
253
254 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
255 _context = SSLContext.getInstance(_sslProtocol);
256 _context.init(null, trust_managers, secureRandom);
257 }
258 else
259 {
260
261
262 checkKeyStore();
263
264 KeyStore keyStore = loadKeyStore();
265 KeyStore trustStore = loadTrustStore();
266
267 Collection<? extends CRL> crls = loadCRL(_crlPath);
268
269 if (_validateCerts && keyStore != null)
270 {
271 if (_certAlias == null)
272 {
273 List<String> aliases = Collections.list(keyStore.aliases());
274 _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
275 }
276
277 Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
278 if (cert == null)
279 {
280 throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
281 }
282
283 CertificateValidator validator = new CertificateValidator(trustStore, crls);
284 validator.setMaxCertPathLength(_maxCertPathLength);
285 validator.setEnableCRLDP(_enableCRLDP);
286 validator.setEnableOCSP(_enableOCSP);
287 validator.setOcspResponderURL(_ocspResponderURL);
288 validator.validate(keyStore, cert);
289 }
290
291 KeyManager[] keyManagers = getKeyManagers(keyStore);
292 TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
293
294 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
295 _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
296 _context.init(keyManagers,trustManagers,secureRandom);
297
298 SSLEngine engine=newSslEngine();
299
300 LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
301 if (LOG.isDebugEnabled())
302 LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
303 }
304 }
305 }
306
307
308
309
310
311
312 public String[] getExcludeProtocols()
313 {
314 return _excludeProtocols.toArray(new String[_excludeProtocols.size()]);
315 }
316
317
318
319
320
321
322
323 public void setExcludeProtocols(String... protocols)
324 {
325 checkNotStarted();
326
327 _excludeProtocols.clear();
328 _excludeProtocols.addAll(Arrays.asList(protocols));
329 }
330
331
332
333
334
335 public void addExcludeProtocols(String... protocol)
336 {
337 checkNotStarted();
338 _excludeProtocols.addAll(Arrays.asList(protocol));
339 }
340
341
342
343
344
345
346 public String[] getIncludeProtocols()
347 {
348 return _includeProtocols.toArray(new String[_includeProtocols.size()]);
349 }
350
351
352
353
354
355
356
357 public void setIncludeProtocols(String... protocols)
358 {
359 checkNotStarted();
360
361 _includeProtocols = new LinkedHashSet<String>(Arrays.asList(protocols));
362 }
363
364
365
366
367
368
369 public String[] getExcludeCipherSuites()
370 {
371 return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]);
372 }
373
374
375
376
377
378
379
380 public void setExcludeCipherSuites(String... cipherSuites)
381 {
382 checkNotStarted();
383 _excludeCipherSuites.clear();
384 _excludeCipherSuites.addAll(Arrays.asList(cipherSuites));
385 }
386
387
388
389
390
391 public void addExcludeCipherSuites(String... cipher)
392 {
393 checkNotStarted();
394 _excludeCipherSuites.addAll(Arrays.asList(cipher));
395 }
396
397
398
399
400
401
402 public String[] getIncludeCipherSuites()
403 {
404 return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]);
405 }
406
407
408
409
410
411
412
413 public void setIncludeCipherSuites(String... cipherSuites)
414 {
415 checkNotStarted();
416
417 _includeCipherSuites = new LinkedHashSet<String>(Arrays.asList(cipherSuites));
418 }
419
420
421
422
423
424 public String getKeyStorePath()
425 {
426 return _keyStorePath;
427 }
428
429
430 @Deprecated
431 public String getKeyStore()
432 {
433 return _keyStorePath;
434 }
435
436
437
438
439
440
441 public void setKeyStorePath(String keyStorePath)
442 {
443 checkNotStarted();
444
445 _keyStorePath = keyStorePath;
446 }
447
448
449
450
451
452
453 @Deprecated
454 public void setKeyStore(String keyStorePath)
455 {
456 checkNotStarted();
457
458 _keyStorePath = keyStorePath;
459 }
460
461
462
463
464
465 public String getKeyStoreProvider()
466 {
467 return _keyStoreProvider;
468 }
469
470
471
472
473
474
475 public void setKeyStoreProvider(String keyStoreProvider)
476 {
477 checkNotStarted();
478
479 _keyStoreProvider = keyStoreProvider;
480 }
481
482
483
484
485
486 public String getKeyStoreType()
487 {
488 return (_keyStoreType);
489 }
490
491
492
493
494
495
496 public void setKeyStoreType(String keyStoreType)
497 {
498 checkNotStarted();
499
500 _keyStoreType = keyStoreType;
501 }
502
503
504
505
506
507
508
509 @Deprecated
510 public InputStream getKeyStoreInputStream()
511 {
512 checkKeyStore();
513
514 return _keyStoreInputStream;
515 }
516
517
518
519
520
521
522
523 @Deprecated
524 public void setKeyStoreInputStream(InputStream keyStoreInputStream)
525 {
526 checkNotStarted();
527
528 _keyStoreInputStream = keyStoreInputStream;
529 }
530
531
532
533
534
535 public String getCertAlias()
536 {
537 return _certAlias;
538 }
539
540
541
542
543
544
545 public void setCertAlias(String certAlias)
546 {
547 checkNotStarted();
548
549 _certAlias = certAlias;
550 }
551
552
553
554
555
556 public String getTrustStore()
557 {
558 return _trustStorePath;
559 }
560
561
562
563
564
565
566 public void setTrustStore(String trustStorePath)
567 {
568 checkNotStarted();
569
570 _trustStorePath = trustStorePath;
571 }
572
573
574
575
576
577 public String getTrustStoreProvider()
578 {
579 return _trustStoreProvider;
580 }
581
582
583
584
585
586
587 public void setTrustStoreProvider(String trustStoreProvider)
588 {
589 checkNotStarted();
590
591 _trustStoreProvider = trustStoreProvider;
592 }
593
594
595
596
597
598 public String getTrustStoreType()
599 {
600 return _trustStoreType;
601 }
602
603
604
605
606
607
608 public void setTrustStoreType(String trustStoreType)
609 {
610 checkNotStarted();
611
612 _trustStoreType = trustStoreType;
613 }
614
615
616
617
618
619
620
621 @Deprecated
622 public InputStream getTrustStoreInputStream()
623 {
624 checkKeyStore();
625
626 return _trustStoreInputStream;
627 }
628
629
630
631
632
633
634
635 @Deprecated
636 public void setTrustStoreInputStream(InputStream trustStoreInputStream)
637 {
638 checkNotStarted();
639
640 _trustStoreInputStream = trustStoreInputStream;
641 }
642
643
644
645
646
647
648 public boolean getNeedClientAuth()
649 {
650 return _needClientAuth;
651 }
652
653
654
655
656
657
658
659 public void setNeedClientAuth(boolean needClientAuth)
660 {
661 checkNotStarted();
662
663 _needClientAuth = needClientAuth;
664 }
665
666
667
668
669
670
671 public boolean getWantClientAuth()
672 {
673 return _wantClientAuth;
674 }
675
676
677
678
679
680
681
682 public void setWantClientAuth(boolean wantClientAuth)
683 {
684 checkNotStarted();
685
686 _wantClientAuth = wantClientAuth;
687 }
688
689
690
691
692
693
694 @Deprecated
695 public boolean getValidateCerts()
696 {
697 return _validateCerts;
698 }
699
700
701
702
703
704 public boolean isValidateCerts()
705 {
706 return _validateCerts;
707 }
708
709
710
711
712
713
714 public void setValidateCerts(boolean validateCerts)
715 {
716 checkNotStarted();
717
718 _validateCerts = validateCerts;
719 }
720
721
722
723
724
725 public boolean isValidatePeerCerts()
726 {
727 return _validatePeerCerts;
728 }
729
730
731
732
733
734
735 public void setValidatePeerCerts(boolean validatePeerCerts)
736 {
737 checkNotStarted();
738
739 _validatePeerCerts = validatePeerCerts;
740 }
741
742
743
744
745
746 public boolean isAllowRenegotiate()
747 {
748 return _allowRenegotiate;
749 }
750
751
752
753
754
755
756
757
758
759
760
761
762 public void setAllowRenegotiate(boolean allowRenegotiate)
763 {
764 checkNotStarted();
765
766 _allowRenegotiate = allowRenegotiate;
767 }
768
769
770
771
772
773
774 public void setKeyStorePassword(String password)
775 {
776 checkNotStarted();
777
778 _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
779 }
780
781
782
783
784
785
786 public void setKeyManagerPassword(String password)
787 {
788 checkNotStarted();
789
790 _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
791 }
792
793
794
795
796
797
798 public void setTrustStorePassword(String password)
799 {
800 checkNotStarted();
801
802 _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
803 }
804
805
806
807
808
809
810 public String getProvider()
811 {
812 return _sslProvider;
813 }
814
815
816
817
818
819
820
821 public void setProvider(String provider)
822 {
823 checkNotStarted();
824
825 _sslProvider = provider;
826 }
827
828
829
830
831
832
833 public String getProtocol()
834 {
835 return _sslProtocol;
836 }
837
838
839
840
841
842
843
844 public void setProtocol(String protocol)
845 {
846 checkNotStarted();
847
848 _sslProtocol = protocol;
849 }
850
851
852
853
854
855
856
857 public String getSecureRandomAlgorithm()
858 {
859 return _secureRandomAlgorithm;
860 }
861
862
863
864
865
866
867
868
869 public void setSecureRandomAlgorithm(String algorithm)
870 {
871 checkNotStarted();
872
873 _secureRandomAlgorithm = algorithm;
874 }
875
876
877
878
879
880 public String getSslKeyManagerFactoryAlgorithm()
881 {
882 return (_keyManagerFactoryAlgorithm);
883 }
884
885
886
887
888
889
890 public void setSslKeyManagerFactoryAlgorithm(String algorithm)
891 {
892 checkNotStarted();
893
894 _keyManagerFactoryAlgorithm = algorithm;
895 }
896
897
898
899
900
901 public String getTrustManagerFactoryAlgorithm()
902 {
903 return (_trustManagerFactoryAlgorithm);
904 }
905
906
907
908
909
910 public boolean isTrustAll()
911 {
912 return _trustAll;
913 }
914
915
916
917
918
919 public void setTrustAll(boolean trustAll)
920 {
921 _trustAll = trustAll;
922 }
923
924
925
926
927
928
929
930 public void setTrustManagerFactoryAlgorithm(String algorithm)
931 {
932 checkNotStarted();
933
934 _trustManagerFactoryAlgorithm = algorithm;
935 }
936
937
938
939
940
941 public String getCrlPath()
942 {
943 return _crlPath;
944 }
945
946
947
948
949
950
951 public void setCrlPath(String crlPath)
952 {
953 checkNotStarted();
954
955 _crlPath = crlPath;
956 }
957
958
959
960
961
962
963 public int getMaxCertPathLength()
964 {
965 return _maxCertPathLength;
966 }
967
968
969
970
971
972
973
974 public void setMaxCertPathLength(int maxCertPathLength)
975 {
976 checkNotStarted();
977
978 _maxCertPathLength = maxCertPathLength;
979 }
980
981
982
983
984
985 public SSLContext getSslContext()
986 {
987 if (!isStarted())
988 throw new IllegalStateException(getState());
989 return _context;
990 }
991
992
993
994
995
996
997 public void setSslContext(SSLContext sslContext)
998 {
999 checkNotStarted();
1000
1001 _context = sslContext;
1002 }
1003
1004
1005
1006
1007
1008
1009
1010
1011 protected KeyStore loadKeyStore() throws Exception
1012 {
1013 return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream,
1014 _keyStorePath, _keyStoreType, _keyStoreProvider,
1015 _keyStorePassword==null? null: _keyStorePassword.toString());
1016 }
1017
1018
1019
1020
1021
1022
1023
1024
1025 protected KeyStore loadTrustStore() throws Exception
1026 {
1027 return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream,
1028 _trustStorePath, _trustStoreType, _trustStoreProvider,
1029 _trustStorePassword==null? null: _trustStorePassword.toString());
1030 }
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050 @Deprecated
1051 protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception
1052 {
1053 return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword);
1054 }
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067 protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
1068 {
1069 return CertificateUtils.loadCRL(crlPath);
1070 }
1071
1072
1073 protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
1074 {
1075 KeyManager[] managers = null;
1076
1077 if (keyStore != null)
1078 {
1079 KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
1080 keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray());
1081 managers = keyManagerFactory.getKeyManagers();
1082
1083 if (_certAlias != null)
1084 {
1085 for (int idx = 0; idx < managers.length; idx++)
1086 {
1087 if (managers[idx] instanceof X509KeyManager)
1088 {
1089 managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]);
1090 }
1091 }
1092 }
1093 }
1094
1095 return managers;
1096 }
1097
1098
1099 protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
1100 {
1101 TrustManager[] managers = null;
1102 if (trustStore != null)
1103 {
1104
1105 if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
1106 {
1107 PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector());
1108
1109
1110 pbParams.setMaxPathLength(_maxCertPathLength);
1111
1112
1113 pbParams.setRevocationEnabled(true);
1114
1115 if (crls != null && !crls.isEmpty())
1116 {
1117 pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls)));
1118 }
1119
1120 if (_enableCRLDP)
1121 {
1122
1123 System.setProperty("com.sun.security.enableCRLDP","true");
1124 }
1125
1126 if (_enableOCSP)
1127 {
1128
1129 Security.setProperty("ocsp.enable","true");
1130
1131 if (_ocspResponderURL != null)
1132 {
1133
1134 Security.setProperty("ocsp.responderURL", _ocspResponderURL);
1135 }
1136 }
1137
1138 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
1139 trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
1140
1141 managers = trustManagerFactory.getTrustManagers();
1142 }
1143 else
1144 {
1145 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
1146 trustManagerFactory.init(trustStore);
1147
1148 managers = trustManagerFactory.getTrustManagers();
1149 }
1150 }
1151
1152 return managers;
1153 }
1154
1155
1156
1157
1158
1159
1160
1161
1162 public void checkKeyStore()
1163 {
1164 if (_context != null)
1165 return;
1166
1167
1168 if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null)
1169 throw new IllegalStateException("SSL doesn't have a valid keystore");
1170
1171
1172
1173 if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
1174 {
1175 _trustStore = _keyStore;
1176 _trustStorePath = _keyStorePath;
1177 _trustStoreInputStream = _keyStoreInputStream;
1178 _trustStoreType = _keyStoreType;
1179 _trustStoreProvider = _keyStoreProvider;
1180 _trustStorePassword = _keyStorePassword;
1181 _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
1182 }
1183
1184
1185 if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream)
1186 {
1187 try
1188 {
1189 ByteArrayOutputStream baos = new ByteArrayOutputStream();
1190 IO.copy(_keyStoreInputStream, baos);
1191 _keyStoreInputStream.close();
1192
1193 _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1194 _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1195 }
1196 catch (Exception ex)
1197 {
1198 throw new IllegalStateException(ex);
1199 }
1200 }
1201 }
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212 public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
1213 {
1214 Set<String> selected_protocols = new LinkedHashSet<String>();
1215
1216
1217 if (_includeProtocols!=null)
1218 {
1219
1220 for (String protocol : _includeProtocols)
1221 if(Arrays.asList(supportedProtocols).contains(protocol))
1222 selected_protocols.add(protocol);
1223 }
1224 else
1225 selected_protocols.addAll(Arrays.asList(enabledProtocols));
1226
1227
1228
1229 if (_excludeProtocols != null)
1230 selected_protocols.removeAll(_excludeProtocols);
1231
1232 return selected_protocols.toArray(new String[selected_protocols.size()]);
1233 }
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244 public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
1245 {
1246 Set<String> selected_ciphers = new LinkedHashSet<String>();
1247
1248
1249 if (_includeCipherSuites!=null)
1250 {
1251
1252 for (String cipherSuite : _includeCipherSuites)
1253 if(Arrays.asList(supportedCipherSuites).contains(cipherSuite))
1254 selected_ciphers.add(cipherSuite);
1255 }
1256 else
1257 selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
1258
1259
1260
1261 if (_excludeCipherSuites != null)
1262 selected_ciphers.removeAll(_excludeCipherSuites);
1263 return selected_ciphers.toArray(new String[selected_ciphers.size()]);
1264 }
1265
1266
1267
1268
1269
1270 protected void checkNotStarted()
1271 {
1272 if (isStarted())
1273 throw new IllegalStateException("Cannot modify configuration when "+getState());
1274 }
1275
1276
1277
1278
1279
1280 public boolean isEnableCRLDP()
1281 {
1282 return _enableCRLDP;
1283 }
1284
1285
1286
1287
1288
1289 public void setEnableCRLDP(boolean enableCRLDP)
1290 {
1291 checkNotStarted();
1292
1293 _enableCRLDP = enableCRLDP;
1294 }
1295
1296
1297
1298
1299
1300 public boolean isEnableOCSP()
1301 {
1302 return _enableOCSP;
1303 }
1304
1305
1306
1307
1308
1309 public void setEnableOCSP(boolean enableOCSP)
1310 {
1311 checkNotStarted();
1312
1313 _enableOCSP = enableOCSP;
1314 }
1315
1316
1317
1318
1319
1320 public String getOcspResponderURL()
1321 {
1322 return _ocspResponderURL;
1323 }
1324
1325
1326
1327
1328
1329 public void setOcspResponderURL(String ocspResponderURL)
1330 {
1331 checkNotStarted();
1332
1333 _ocspResponderURL = ocspResponderURL;
1334 }
1335
1336
1337
1338
1339
1340 public void setKeyStore(KeyStore keyStore)
1341 {
1342 checkNotStarted();
1343
1344 _keyStore = keyStore;
1345 }
1346
1347
1348
1349
1350
1351 public void setTrustStore(KeyStore trustStore)
1352 {
1353 checkNotStarted();
1354
1355 _trustStore = trustStore;
1356 }
1357
1358
1359
1360
1361
1362 public void setKeyStoreResource(Resource resource)
1363 {
1364 checkNotStarted();
1365
1366 try
1367 {
1368 _keyStoreInputStream = resource.getInputStream();
1369 }
1370 catch (IOException e)
1371 {
1372 throw new InvalidParameterException("Unable to get resource "+
1373 "input stream for resource "+resource.toString());
1374 }
1375 }
1376
1377
1378
1379
1380
1381 public void setTrustStoreResource(Resource resource)
1382 {
1383 checkNotStarted();
1384
1385 try
1386 {
1387 _trustStoreInputStream = resource.getInputStream();
1388 }
1389 catch (IOException e)
1390 {
1391 throw new InvalidParameterException("Unable to get resource "+
1392 "input stream for resource "+resource.toString());
1393 }
1394 }
1395
1396
1397
1398
1399
1400 public boolean isSessionCachingEnabled()
1401 {
1402 return _sessionCachingEnabled;
1403 }
1404
1405
1406
1407
1408
1409 public void setSessionCachingEnabled(boolean enableSessionCaching)
1410 {
1411 _sessionCachingEnabled = enableSessionCaching;
1412 }
1413
1414
1415
1416
1417
1418 public int getSslSessionCacheSize()
1419 {
1420 return _sslSessionCacheSize;
1421 }
1422
1423
1424
1425
1426
1427 public void setSslSessionCacheSize(int sslSessionCacheSize)
1428 {
1429 _sslSessionCacheSize = sslSessionCacheSize;
1430 }
1431
1432
1433
1434
1435
1436 public int getSslSessionTimeout()
1437 {
1438 return _sslSessionTimeout;
1439 }
1440
1441
1442
1443
1444
1445 public void setSslSessionTimeout(int sslSessionTimeout)
1446 {
1447 _sslSessionTimeout = sslSessionTimeout;
1448 }
1449
1450
1451
1452 public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
1453 {
1454 SSLServerSocketFactory factory = _context.getServerSocketFactory();
1455
1456 SSLServerSocket socket =
1457 (SSLServerSocket) (host==null ?
1458 factory.createServerSocket(port,backlog):
1459 factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
1460
1461 if (getWantClientAuth())
1462 socket.setWantClientAuth(getWantClientAuth());
1463 if (getNeedClientAuth())
1464 socket.setNeedClientAuth(getNeedClientAuth());
1465
1466 socket.setEnabledCipherSuites(selectCipherSuites(
1467 socket.getEnabledCipherSuites(),
1468 socket.getSupportedCipherSuites()));
1469 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1470
1471 return socket;
1472 }
1473
1474
1475 public SSLSocket newSslSocket() throws IOException
1476 {
1477 SSLSocketFactory factory = _context.getSocketFactory();
1478
1479 SSLSocket socket = (SSLSocket)factory.createSocket();
1480
1481 if (getWantClientAuth())
1482 socket.setWantClientAuth(getWantClientAuth());
1483 if (getNeedClientAuth())
1484 socket.setNeedClientAuth(getNeedClientAuth());
1485
1486 socket.setEnabledCipherSuites(selectCipherSuites(
1487 socket.getEnabledCipherSuites(),
1488 socket.getSupportedCipherSuites()));
1489 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1490
1491 return socket;
1492 }
1493
1494
1495 public SSLEngine newSslEngine(String host,int port)
1496 {
1497 SSLEngine sslEngine=isSessionCachingEnabled()
1498 ?_context.createSSLEngine(host, port)
1499 :_context.createSSLEngine();
1500
1501 customize(sslEngine);
1502 return sslEngine;
1503 }
1504
1505
1506 public SSLEngine newSslEngine()
1507 {
1508 SSLEngine sslEngine=_context.createSSLEngine();
1509 customize(sslEngine);
1510 return sslEngine;
1511 }
1512
1513
1514 public void customize(SSLEngine sslEngine)
1515 {
1516 if (getWantClientAuth())
1517 sslEngine.setWantClientAuth(getWantClientAuth());
1518 if (getNeedClientAuth())
1519 sslEngine.setNeedClientAuth(getNeedClientAuth());
1520
1521 sslEngine.setEnabledCipherSuites(selectCipherSuites(
1522 sslEngine.getEnabledCipherSuites(),
1523 sslEngine.getSupportedCipherSuites()));
1524
1525 sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()));
1526 }
1527
1528
1529 public String toString()
1530 {
1531 return String.format("%s@%x(%s,%s)",
1532 getClass().getSimpleName(),
1533 hashCode(),
1534 _keyStorePath,
1535 _trustStorePath);
1536 }
1537 }