1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17 package org.eclipse.jetty.util.ssl;
18
19 import java.io.ByteArrayInputStream;
20 import java.io.ByteArrayOutputStream;
21 import java.io.File;
22 import java.io.IOException;
23 import java.io.InputStream;
24 import java.net.InetAddress;
25 import java.security.InvalidParameterException;
26 import java.security.KeyStore;
27 import java.security.SecureRandom;
28 import java.security.Security;
29 import java.security.cert.CRL;
30 import java.security.cert.CertStore;
31 import java.security.cert.Certificate;
32 import java.security.cert.CollectionCertStoreParameters;
33 import java.security.cert.PKIXBuilderParameters;
34 import java.security.cert.X509CertSelector;
35 import java.util.Arrays;
36 import java.util.Collection;
37 import java.util.Collections;
38 import java.util.LinkedHashSet;
39 import java.util.List;
40 import java.util.Set;
41 import javax.net.ssl.CertPathTrustManagerParameters;
42 import javax.net.ssl.KeyManager;
43 import javax.net.ssl.KeyManagerFactory;
44 import javax.net.ssl.SSLContext;
45 import javax.net.ssl.SSLEngine;
46 import javax.net.ssl.SSLServerSocket;
47 import javax.net.ssl.SSLServerSocketFactory;
48 import javax.net.ssl.SSLSocket;
49 import javax.net.ssl.SSLSocketFactory;
50 import javax.net.ssl.TrustManager;
51 import javax.net.ssl.TrustManagerFactory;
52 import javax.net.ssl.X509KeyManager;
53 import javax.net.ssl.X509TrustManager;
54
55 import org.eclipse.jetty.util.IO;
56 import org.eclipse.jetty.util.component.AbstractLifeCycle;
57 import org.eclipse.jetty.util.log.Log;
58 import org.eclipse.jetty.util.log.Logger;
59 import org.eclipse.jetty.util.resource.Resource;
60 import org.eclipse.jetty.util.security.CertificateUtils;
61 import org.eclipse.jetty.util.security.CertificateValidator;
62 import org.eclipse.jetty.util.security.Password;
63
64
65
66
67
68
69
70
71
72 public class SslContextFactory extends AbstractLifeCycle
73 {
74 public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager()
75 {
76 public java.security.cert.X509Certificate[] getAcceptedIssuers()
77 {
78 return new java.security.cert.X509Certificate[]{};
79 }
80
81 public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
82 {
83 }
84
85 public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
86 {
87 }
88 }};
89
90 private static final Logger LOG = Log.getLogger(SslContextFactory.class);
91
92 public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
93 (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
94 "SunX509" : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
95 public static final String DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM =
96 (Security.getProperty("ssl.TrustManagerFactory.algorithm") == null ?
97 "SunX509" : Security.getProperty("ssl.TrustManagerFactory.algorithm"));
98
99
100 public static final String DEFAULT_KEYSTORE_PATH =
101 System.getProperty("user.home") + File.separator + ".keystore";
102
103
104 public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
105
106
107 public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
108
109
110 private final Set<String> _excludeProtocols = new LinkedHashSet<String>();
111
112 private Set<String> _includeProtocols = null;
113
114
115 private final Set<String> _excludeCipherSuites = new LinkedHashSet<String>();
116
117 private Set<String> _includeCipherSuites = null;
118
119
120 private String _keyStorePath;
121
122 private String _keyStoreProvider;
123
124 private String _keyStoreType = "JKS";
125
126 private InputStream _keyStoreInputStream;
127
128
129 private String _certAlias;
130
131
132 private String _trustStorePath;
133
134 private String _trustStoreProvider;
135
136 private String _trustStoreType = "JKS";
137
138 private InputStream _trustStoreInputStream;
139
140
141 private boolean _needClientAuth = false;
142
143 private boolean _wantClientAuth = false;
144
145
146 private boolean _allowRenegotiate = true;
147
148
149 private transient Password _keyStorePassword;
150
151 private transient Password _keyManagerPassword;
152
153 private transient Password _trustStorePassword;
154
155
156 private String _sslProvider;
157
158 private String _sslProtocol = "TLS";
159
160
161 private String _secureRandomAlgorithm;
162
163 private String _keyManagerFactoryAlgorithm = DEFAULT_KEYMANAGERFACTORY_ALGORITHM;
164
165 private String _trustManagerFactoryAlgorithm = DEFAULT_TRUSTMANAGERFACTORY_ALGORITHM;
166
167
168 private boolean _validateCerts;
169
170 private boolean _validatePeerCerts;
171
172 private int _maxCertPathLength = -1;
173
174 private String _crlPath;
175
176 private boolean _enableCRLDP = false;
177
178 private boolean _enableOCSP = false;
179
180 private String _ocspResponderURL;
181
182
183 private KeyStore _keyStore;
184
185 private KeyStore _trustStore;
186
187 private boolean _sessionCachingEnabled = true;
188
189 private int _sslSessionCacheSize;
190
191 private int _sslSessionTimeout;
192
193
194 private SSLContext _context;
195
196 private boolean _trustAll;
197
198
199
200
201
202
203 public SslContextFactory()
204 {
205 _trustAll=true;
206 }
207
208
209
210
211
212
213
214
215 public SslContextFactory(boolean trustAll)
216 {
217 _trustAll=trustAll;
218 }
219
220
221
222
223
224
225 public SslContextFactory(String keyStorePath)
226 {
227 _keyStorePath = keyStorePath;
228 }
229
230
231
232
233
234
235 @Override
236 protected void doStart() throws Exception
237 {
238 if (_context == null)
239 {
240 if (_keyStore==null && _keyStoreInputStream == null && _keyStorePath == null &&
241 _trustStore==null && _trustStoreInputStream == null && _trustStorePath == null )
242 {
243 TrustManager[] trust_managers=null;
244
245 if (_trustAll)
246 {
247 LOG.debug("No keystore or trust store configured. ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
248
249 trust_managers = TRUST_ALL_CERTS;
250 }
251
252 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
253 _context = SSLContext.getInstance(_sslProtocol);
254 _context.init(null, trust_managers, secureRandom);
255 }
256 else
257 {
258
259
260 checkKeyStore();
261
262 KeyStore keyStore = loadKeyStore();
263 KeyStore trustStore = loadTrustStore();
264
265 Collection<? extends CRL> crls = loadCRL(_crlPath);
266
267 if (_validateCerts && keyStore != null)
268 {
269 if (_certAlias == null)
270 {
271 List<String> aliases = Collections.list(keyStore.aliases());
272 _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
273 }
274
275 Certificate cert = _certAlias == null?null:keyStore.getCertificate(_certAlias);
276 if (cert == null)
277 {
278 throw new Exception("No certificate found in the keystore" + (_certAlias==null ? "":" for alias " + _certAlias));
279 }
280
281 CertificateValidator validator = new CertificateValidator(trustStore, crls);
282 validator.setMaxCertPathLength(_maxCertPathLength);
283 validator.setEnableCRLDP(_enableCRLDP);
284 validator.setEnableOCSP(_enableOCSP);
285 validator.setOcspResponderURL(_ocspResponderURL);
286 validator.validate(keyStore, cert);
287 }
288
289 KeyManager[] keyManagers = getKeyManagers(keyStore);
290 TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
291
292 SecureRandom secureRandom = (_secureRandomAlgorithm == null)?null:SecureRandom.getInstance(_secureRandomAlgorithm);
293 _context = (_sslProvider == null)?SSLContext.getInstance(_sslProtocol):SSLContext.getInstance(_sslProtocol,_sslProvider);
294 _context.init(keyManagers,trustManagers,secureRandom);
295
296 SSLEngine engine=newSslEngine();
297
298 LOG.info("Enabled Protocols {} of {}",Arrays.asList(engine.getEnabledProtocols()),Arrays.asList(engine.getSupportedProtocols()));
299 if (LOG.isDebugEnabled())
300 LOG.debug("Enabled Ciphers {} of {}",Arrays.asList(engine.getEnabledCipherSuites()),Arrays.asList(engine.getSupportedCipherSuites()));
301 }
302 }
303 }
304
305
306
307
308
309
310 public String[] getExcludeProtocols()
311 {
312 return _excludeProtocols.toArray(new String[_excludeProtocols.size()]);
313 }
314
315
316
317
318
319
320
321 public void setExcludeProtocols(String... protocols)
322 {
323 checkNotStarted();
324
325 _excludeProtocols.clear();
326 _excludeProtocols.addAll(Arrays.asList(protocols));
327 }
328
329
330
331
332
333 public void addExcludeProtocols(String... protocol)
334 {
335 checkNotStarted();
336 _excludeProtocols.addAll(Arrays.asList(protocol));
337 }
338
339
340
341
342
343
344 public String[] getIncludeProtocols()
345 {
346 return _includeProtocols.toArray(new String[_includeProtocols.size()]);
347 }
348
349
350
351
352
353
354
355 public void setIncludeProtocols(String... protocols)
356 {
357 checkNotStarted();
358
359 _includeProtocols = new LinkedHashSet<String>(Arrays.asList(protocols));
360 }
361
362
363
364
365
366
367 public String[] getExcludeCipherSuites()
368 {
369 return _excludeCipherSuites.toArray(new String[_excludeCipherSuites.size()]);
370 }
371
372
373
374
375
376
377
378 public void setExcludeCipherSuites(String... cipherSuites)
379 {
380 checkNotStarted();
381 _excludeCipherSuites.clear();
382 _excludeCipherSuites.addAll(Arrays.asList(cipherSuites));
383 }
384
385
386
387
388
389 public void addExcludeCipherSuites(String... cipher)
390 {
391 checkNotStarted();
392 _excludeCipherSuites.addAll(Arrays.asList(cipher));
393 }
394
395
396
397
398
399
400 public String[] getIncludeCipherSuites()
401 {
402 return _includeCipherSuites.toArray(new String[_includeCipherSuites.size()]);
403 }
404
405
406
407
408
409
410
411 public void setIncludeCipherSuites(String... cipherSuites)
412 {
413 checkNotStarted();
414
415 _includeCipherSuites = new LinkedHashSet<String>(Arrays.asList(cipherSuites));
416 }
417
418
419
420
421
422 public String getKeyStorePath()
423 {
424 return _keyStorePath;
425 }
426
427
428 @Deprecated
429 public String getKeyStore()
430 {
431 return _keyStorePath;
432 }
433
434
435
436
437
438
439 public void setKeyStorePath(String keyStorePath)
440 {
441 checkNotStarted();
442
443 _keyStorePath = keyStorePath;
444 }
445
446
447
448
449
450
451 @Deprecated
452 public void setKeyStore(String keyStorePath)
453 {
454 checkNotStarted();
455
456 _keyStorePath = keyStorePath;
457 }
458
459
460
461
462
463 public String getKeyStoreProvider()
464 {
465 return _keyStoreProvider;
466 }
467
468
469
470
471
472
473 public void setKeyStoreProvider(String keyStoreProvider)
474 {
475 checkNotStarted();
476
477 _keyStoreProvider = keyStoreProvider;
478 }
479
480
481
482
483
484 public String getKeyStoreType()
485 {
486 return (_keyStoreType);
487 }
488
489
490
491
492
493
494 public void setKeyStoreType(String keyStoreType)
495 {
496 checkNotStarted();
497
498 _keyStoreType = keyStoreType;
499 }
500
501
502
503
504
505
506
507 @Deprecated
508 public InputStream getKeyStoreInputStream()
509 {
510 checkKeyStore();
511
512 return _keyStoreInputStream;
513 }
514
515
516
517
518
519
520
521 @Deprecated
522 public void setKeyStoreInputStream(InputStream keyStoreInputStream)
523 {
524 checkNotStarted();
525
526 _keyStoreInputStream = keyStoreInputStream;
527 }
528
529
530
531
532
533 public String getCertAlias()
534 {
535 return _certAlias;
536 }
537
538
539
540
541
542
543 public void setCertAlias(String certAlias)
544 {
545 checkNotStarted();
546
547 _certAlias = certAlias;
548 }
549
550
551
552
553
554 public String getTrustStore()
555 {
556 return _trustStorePath;
557 }
558
559
560
561
562
563
564 public void setTrustStore(String trustStorePath)
565 {
566 checkNotStarted();
567
568 _trustStorePath = trustStorePath;
569 }
570
571
572
573
574
575 public String getTrustStoreProvider()
576 {
577 return _trustStoreProvider;
578 }
579
580
581
582
583
584
585 public void setTrustStoreProvider(String trustStoreProvider)
586 {
587 checkNotStarted();
588
589 _trustStoreProvider = trustStoreProvider;
590 }
591
592
593
594
595
596 public String getTrustStoreType()
597 {
598 return _trustStoreType;
599 }
600
601
602
603
604
605
606 public void setTrustStoreType(String trustStoreType)
607 {
608 checkNotStarted();
609
610 _trustStoreType = trustStoreType;
611 }
612
613
614
615
616
617
618
619 @Deprecated
620 public InputStream getTrustStoreInputStream()
621 {
622 checkKeyStore();
623
624 return _trustStoreInputStream;
625 }
626
627
628
629
630
631
632
633 @Deprecated
634 public void setTrustStoreInputStream(InputStream trustStoreInputStream)
635 {
636 checkNotStarted();
637
638 _trustStoreInputStream = trustStoreInputStream;
639 }
640
641
642
643
644
645
646 public boolean getNeedClientAuth()
647 {
648 return _needClientAuth;
649 }
650
651
652
653
654
655
656
657 public void setNeedClientAuth(boolean needClientAuth)
658 {
659 checkNotStarted();
660
661 _needClientAuth = needClientAuth;
662 }
663
664
665
666
667
668
669 public boolean getWantClientAuth()
670 {
671 return _wantClientAuth;
672 }
673
674
675
676
677
678
679
680 public void setWantClientAuth(boolean wantClientAuth)
681 {
682 checkNotStarted();
683
684 _wantClientAuth = wantClientAuth;
685 }
686
687
688
689
690
691
692 @Deprecated
693 public boolean getValidateCerts()
694 {
695 return _validateCerts;
696 }
697
698
699
700
701
702 public boolean isValidateCerts()
703 {
704 return _validateCerts;
705 }
706
707
708
709
710
711
712 public void setValidateCerts(boolean validateCerts)
713 {
714 checkNotStarted();
715
716 _validateCerts = validateCerts;
717 }
718
719
720
721
722
723 public boolean isValidatePeerCerts()
724 {
725 return _validatePeerCerts;
726 }
727
728
729
730
731
732
733 public void setValidatePeerCerts(boolean validatePeerCerts)
734 {
735 checkNotStarted();
736
737 _validatePeerCerts = validatePeerCerts;
738 }
739
740
741
742
743
744 public boolean isAllowRenegotiate()
745 {
746 return _allowRenegotiate;
747 }
748
749
750
751
752
753
754
755
756
757
758
759
760 public void setAllowRenegotiate(boolean allowRenegotiate)
761 {
762 checkNotStarted();
763
764 _allowRenegotiate = allowRenegotiate;
765 }
766
767
768
769
770
771
772 public void setKeyStorePassword(String password)
773 {
774 checkNotStarted();
775
776 _keyStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
777 }
778
779
780
781
782
783
784 public void setKeyManagerPassword(String password)
785 {
786 checkNotStarted();
787
788 _keyManagerPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
789 }
790
791
792
793
794
795
796 public void setTrustStorePassword(String password)
797 {
798 checkNotStarted();
799
800 _trustStorePassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
801 }
802
803
804
805
806
807
808 public String getProvider()
809 {
810 return _sslProvider;
811 }
812
813
814
815
816
817
818
819 public void setProvider(String provider)
820 {
821 checkNotStarted();
822
823 _sslProvider = provider;
824 }
825
826
827
828
829
830
831 public String getProtocol()
832 {
833 return _sslProtocol;
834 }
835
836
837
838
839
840
841
842 public void setProtocol(String protocol)
843 {
844 checkNotStarted();
845
846 _sslProtocol = protocol;
847 }
848
849
850
851
852
853
854
855 public String getSecureRandomAlgorithm()
856 {
857 return _secureRandomAlgorithm;
858 }
859
860
861
862
863
864
865
866
867 public void setSecureRandomAlgorithm(String algorithm)
868 {
869 checkNotStarted();
870
871 _secureRandomAlgorithm = algorithm;
872 }
873
874
875
876
877
878 public String getSslKeyManagerFactoryAlgorithm()
879 {
880 return (_keyManagerFactoryAlgorithm);
881 }
882
883
884
885
886
887
888 public void setSslKeyManagerFactoryAlgorithm(String algorithm)
889 {
890 checkNotStarted();
891
892 _keyManagerFactoryAlgorithm = algorithm;
893 }
894
895
896
897
898
899 public String getTrustManagerFactoryAlgorithm()
900 {
901 return (_trustManagerFactoryAlgorithm);
902 }
903
904
905
906
907
908 public boolean isTrustAll()
909 {
910 return _trustAll;
911 }
912
913
914
915
916
917 public void setTrustAll(boolean trustAll)
918 {
919 _trustAll = trustAll;
920 }
921
922
923
924
925
926
927
928 public void setTrustManagerFactoryAlgorithm(String algorithm)
929 {
930 checkNotStarted();
931
932 _trustManagerFactoryAlgorithm = algorithm;
933 }
934
935
936
937
938
939 public String getCrlPath()
940 {
941 return _crlPath;
942 }
943
944
945
946
947
948
949 public void setCrlPath(String crlPath)
950 {
951 checkNotStarted();
952
953 _crlPath = crlPath;
954 }
955
956
957
958
959
960
961 public int getMaxCertPathLength()
962 {
963 return _maxCertPathLength;
964 }
965
966
967
968
969
970
971
972 public void setMaxCertPathLength(int maxCertPathLength)
973 {
974 checkNotStarted();
975
976 _maxCertPathLength = maxCertPathLength;
977 }
978
979
980
981
982
983 public SSLContext getSslContext()
984 {
985 if (!isStarted())
986 throw new IllegalStateException(getState());
987 return _context;
988 }
989
990
991
992
993
994
995 public void setSslContext(SSLContext sslContext)
996 {
997 checkNotStarted();
998
999 _context = sslContext;
1000 }
1001
1002
1003
1004
1005
1006
1007
1008
1009 protected KeyStore loadKeyStore() throws Exception
1010 {
1011 return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream,
1012 _keyStorePath, _keyStoreType, _keyStoreProvider,
1013 _keyStorePassword==null? null: _keyStorePassword.toString());
1014 }
1015
1016
1017
1018
1019
1020
1021
1022
1023 protected KeyStore loadTrustStore() throws Exception
1024 {
1025 return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream,
1026 _trustStorePath, _trustStoreType, _trustStoreProvider,
1027 _trustStorePassword==null? null: _trustStorePassword.toString());
1028 }
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048 @Deprecated
1049 protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception
1050 {
1051 return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword);
1052 }
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065 protected Collection<? extends CRL> loadCRL(String crlPath) throws Exception
1066 {
1067 return CertificateUtils.loadCRL(crlPath);
1068 }
1069
1070
1071 protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
1072 {
1073 KeyManager[] managers = null;
1074
1075 if (keyStore != null)
1076 {
1077 KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerFactoryAlgorithm);
1078 keyManagerFactory.init(keyStore,_keyManagerPassword == null?(_keyStorePassword == null?null:_keyStorePassword.toString().toCharArray()):_keyManagerPassword.toString().toCharArray());
1079 managers = keyManagerFactory.getKeyManagers();
1080
1081 if (_certAlias != null)
1082 {
1083 for (int idx = 0; idx < managers.length; idx++)
1084 {
1085 if (managers[idx] instanceof X509KeyManager)
1086 {
1087 managers[idx] = new AliasedX509ExtendedKeyManager(_certAlias,(X509KeyManager)managers[idx]);
1088 }
1089 }
1090 }
1091 }
1092
1093 return managers;
1094 }
1095
1096
1097 protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
1098 {
1099 TrustManager[] managers = null;
1100 if (trustStore != null)
1101 {
1102
1103 if (_validatePeerCerts && _trustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
1104 {
1105 PKIXBuilderParameters pbParams = new PKIXBuilderParameters(trustStore,new X509CertSelector());
1106
1107
1108 pbParams.setMaxPathLength(_maxCertPathLength);
1109
1110
1111 pbParams.setRevocationEnabled(true);
1112
1113 if (crls != null && !crls.isEmpty())
1114 {
1115 pbParams.addCertStore(CertStore.getInstance("Collection",new CollectionCertStoreParameters(crls)));
1116 }
1117
1118 if (_enableCRLDP)
1119 {
1120
1121 System.setProperty("com.sun.security.enableCRLDP","true");
1122 }
1123
1124 if (_enableOCSP)
1125 {
1126
1127 Security.setProperty("ocsp.enable","true");
1128
1129 if (_ocspResponderURL != null)
1130 {
1131
1132 Security.setProperty("ocsp.responderURL", _ocspResponderURL);
1133 }
1134 }
1135
1136 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
1137 trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
1138
1139 managers = trustManagerFactory.getTrustManagers();
1140 }
1141 else
1142 {
1143 TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerFactoryAlgorithm);
1144 trustManagerFactory.init(trustStore);
1145
1146 managers = trustManagerFactory.getTrustManagers();
1147 }
1148 }
1149
1150 return managers;
1151 }
1152
1153
1154
1155
1156
1157
1158
1159
1160 public void checkKeyStore()
1161 {
1162 if (_context != null)
1163 return;
1164
1165
1166 if (_keyStore == null && _keyStoreInputStream == null && _keyStorePath == null)
1167 throw new IllegalStateException("SSL doesn't have a valid keystore");
1168
1169
1170
1171 if (_trustStore == null && _trustStoreInputStream == null && _trustStorePath == null)
1172 {
1173 _trustStore = _keyStore;
1174 _trustStorePath = _keyStorePath;
1175 _trustStoreInputStream = _keyStoreInputStream;
1176 _trustStoreType = _keyStoreType;
1177 _trustStoreProvider = _keyStoreProvider;
1178 _trustStorePassword = _keyStorePassword;
1179 _trustManagerFactoryAlgorithm = _keyManagerFactoryAlgorithm;
1180 }
1181
1182
1183 if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream)
1184 {
1185 try
1186 {
1187 ByteArrayOutputStream baos = new ByteArrayOutputStream();
1188 IO.copy(_keyStoreInputStream, baos);
1189 _keyStoreInputStream.close();
1190
1191 _keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1192 _trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
1193 }
1194 catch (Exception ex)
1195 {
1196 throw new IllegalStateException(ex);
1197 }
1198 }
1199 }
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210 public String[] selectProtocols(String[] enabledProtocols, String[] supportedProtocols)
1211 {
1212 Set<String> selected_protocols = new LinkedHashSet<String>();
1213
1214
1215 if (_includeProtocols!=null)
1216 {
1217
1218 for (String protocol : supportedProtocols)
1219 if (_includeProtocols.contains(protocol))
1220 selected_protocols.add(protocol);
1221 }
1222 else
1223 selected_protocols.addAll(Arrays.asList(enabledProtocols));
1224
1225
1226
1227 if (_excludeProtocols != null)
1228 selected_protocols.removeAll(_excludeProtocols);
1229
1230 return selected_protocols.toArray(new String[selected_protocols.size()]);
1231 }
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242 public String[] selectCipherSuites(String[] enabledCipherSuites, String[] supportedCipherSuites)
1243 {
1244 Set<String> selected_ciphers = new LinkedHashSet<String>();
1245
1246
1247 if (_includeCipherSuites!=null)
1248 {
1249
1250 for (String cipherSuite : supportedCipherSuites)
1251 if (_includeCipherSuites.contains(cipherSuite))
1252 selected_ciphers.add(cipherSuite);
1253 }
1254 else
1255 selected_ciphers.addAll(Arrays.asList(enabledCipherSuites));
1256
1257
1258
1259 if (_excludeCipherSuites != null)
1260 selected_ciphers.removeAll(_excludeCipherSuites);
1261 return selected_ciphers.toArray(new String[selected_ciphers.size()]);
1262 }
1263
1264
1265
1266
1267
1268 protected void checkNotStarted()
1269 {
1270 if (isStarted())
1271 throw new IllegalStateException("Cannot modify configuration when "+getState());
1272 }
1273
1274
1275
1276
1277
1278 public boolean isEnableCRLDP()
1279 {
1280 return _enableCRLDP;
1281 }
1282
1283
1284
1285
1286
1287 public void setEnableCRLDP(boolean enableCRLDP)
1288 {
1289 checkNotStarted();
1290
1291 _enableCRLDP = enableCRLDP;
1292 }
1293
1294
1295
1296
1297
1298 public boolean isEnableOCSP()
1299 {
1300 return _enableOCSP;
1301 }
1302
1303
1304
1305
1306
1307 public void setEnableOCSP(boolean enableOCSP)
1308 {
1309 checkNotStarted();
1310
1311 _enableOCSP = enableOCSP;
1312 }
1313
1314
1315
1316
1317
1318 public String getOcspResponderURL()
1319 {
1320 return _ocspResponderURL;
1321 }
1322
1323
1324
1325
1326
1327 public void setOcspResponderURL(String ocspResponderURL)
1328 {
1329 checkNotStarted();
1330
1331 _ocspResponderURL = ocspResponderURL;
1332 }
1333
1334
1335
1336
1337
1338 public void setKeyStore(KeyStore keyStore)
1339 {
1340 checkNotStarted();
1341
1342 _keyStore = keyStore;
1343 }
1344
1345
1346
1347
1348
1349 public void setTrustStore(KeyStore trustStore)
1350 {
1351 checkNotStarted();
1352
1353 _trustStore = trustStore;
1354 }
1355
1356
1357
1358
1359
1360 public void setKeyStoreResource(Resource resource)
1361 {
1362 checkNotStarted();
1363
1364 try
1365 {
1366 _keyStoreInputStream = resource.getInputStream();
1367 }
1368 catch (IOException e)
1369 {
1370 throw new InvalidParameterException("Unable to get resource "+
1371 "input stream for resource "+resource.toString());
1372 }
1373 }
1374
1375
1376
1377
1378
1379 public void setTrustStoreResource(Resource resource)
1380 {
1381 checkNotStarted();
1382
1383 try
1384 {
1385 _trustStoreInputStream = resource.getInputStream();
1386 }
1387 catch (IOException e)
1388 {
1389 throw new InvalidParameterException("Unable to get resource "+
1390 "input stream for resource "+resource.toString());
1391 }
1392 }
1393
1394
1395
1396
1397
1398 public boolean isSessionCachingEnabled()
1399 {
1400 return _sessionCachingEnabled;
1401 }
1402
1403
1404
1405
1406
1407 public void setSessionCachingEnabled(boolean enableSessionCaching)
1408 {
1409 _sessionCachingEnabled = enableSessionCaching;
1410 }
1411
1412
1413
1414
1415
1416 public int getSslSessionCacheSize()
1417 {
1418 return _sslSessionCacheSize;
1419 }
1420
1421
1422
1423
1424
1425 public void setSslSessionCacheSize(int sslSessionCacheSize)
1426 {
1427 _sslSessionCacheSize = sslSessionCacheSize;
1428 }
1429
1430
1431
1432
1433
1434 public int getSslSessionTimeout()
1435 {
1436 return _sslSessionTimeout;
1437 }
1438
1439
1440
1441
1442
1443 public void setSslSessionTimeout(int sslSessionTimeout)
1444 {
1445 _sslSessionTimeout = sslSessionTimeout;
1446 }
1447
1448
1449
1450 public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
1451 {
1452 SSLServerSocketFactory factory = _context.getServerSocketFactory();
1453
1454 SSLServerSocket socket =
1455 (SSLServerSocket) (host==null ?
1456 factory.createServerSocket(port,backlog):
1457 factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
1458
1459 if (getWantClientAuth())
1460 socket.setWantClientAuth(getWantClientAuth());
1461 if (getNeedClientAuth())
1462 socket.setNeedClientAuth(getNeedClientAuth());
1463
1464 socket.setEnabledCipherSuites(selectCipherSuites(
1465 socket.getEnabledCipherSuites(),
1466 socket.getSupportedCipherSuites()));
1467 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1468
1469 return socket;
1470 }
1471
1472
1473 public SSLSocket newSslSocket() throws IOException
1474 {
1475 SSLSocketFactory factory = _context.getSocketFactory();
1476
1477 SSLSocket socket = (SSLSocket)factory.createSocket();
1478
1479 if (getWantClientAuth())
1480 socket.setWantClientAuth(getWantClientAuth());
1481 if (getNeedClientAuth())
1482 socket.setNeedClientAuth(getNeedClientAuth());
1483
1484 socket.setEnabledCipherSuites(selectCipherSuites(
1485 socket.getEnabledCipherSuites(),
1486 socket.getSupportedCipherSuites()));
1487 socket.setEnabledProtocols(selectProtocols(socket.getEnabledProtocols(),socket.getSupportedProtocols()));
1488
1489 return socket;
1490 }
1491
1492
1493 public SSLEngine newSslEngine(String host,int port)
1494 {
1495 SSLEngine sslEngine=isSessionCachingEnabled()
1496 ?_context.createSSLEngine(host, port)
1497 :_context.createSSLEngine();
1498
1499 customize(sslEngine);
1500 return sslEngine;
1501 }
1502
1503
1504 public SSLEngine newSslEngine()
1505 {
1506 SSLEngine sslEngine=_context.createSSLEngine();
1507 customize(sslEngine);
1508 return sslEngine;
1509 }
1510
1511
1512 public void customize(SSLEngine sslEngine)
1513 {
1514 if (getWantClientAuth())
1515 sslEngine.setWantClientAuth(getWantClientAuth());
1516 if (getNeedClientAuth())
1517 sslEngine.setNeedClientAuth(getNeedClientAuth());
1518
1519 sslEngine.setEnabledCipherSuites(selectCipherSuites(
1520 sslEngine.getEnabledCipherSuites(),
1521 sslEngine.getSupportedCipherSuites()));
1522
1523 sslEngine.setEnabledProtocols(selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()));
1524 }
1525
1526
1527 public String toString()
1528 {
1529 return String.format("%s@%x(%s,%s)",
1530 getClass().getSimpleName(),
1531 hashCode(),
1532 _keyStorePath,
1533 _trustStorePath);
1534 }
1535 }