CredSspScheme to require a valid SSLContext
This commit is contained in:
Oleg Kalnichevski
parent
0c6aaee0b6
commit
8f8efa9d6e
|
|
@ -31,12 +31,9 @@ import java.nio.ByteBuffer;
|
|||
import java.nio.CharBuffer;
|
||||
import java.nio.charset.Charset;
|
||||
import java.nio.charset.StandardCharsets;
|
||||
import java.security.KeyManagementException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
import java.security.Principal;
|
||||
import java.security.PublicKey;
|
||||
import java.security.cert.Certificate;
|
||||
import java.security.cert.CertificateException;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.Arrays;
|
||||
|
||||
|
|
@ -48,8 +45,6 @@ import javax.net.ssl.SSLEngineResult.Status;
|
|||
import javax.net.ssl.SSLException;
|
||||
import javax.net.ssl.SSLPeerUnverifiedException;
|
||||
import javax.net.ssl.SSLSession;
|
||||
import javax.net.ssl.TrustManager;
|
||||
import javax.net.ssl.X509TrustManager;
|
||||
|
||||
import org.apache.commons.codec.binary.Base64;
|
||||
import org.apache.hc.client5.http.auth.AuthChallenge;
|
||||
|
|
@ -64,8 +59,6 @@ import org.apache.hc.core5.annotation.Experimental;
|
|||
import org.apache.hc.core5.http.HttpHost;
|
||||
import org.apache.hc.core5.http.HttpRequest;
|
||||
import org.apache.hc.core5.http.protocol.HttpContext;
|
||||
import org.apache.hc.core5.ssl.SSLContexts;
|
||||
import org.apache.hc.core5.ssl.SSLInitializationException;
|
||||
import org.apache.hc.core5.util.Args;
|
||||
import org.apache.logging.log4j.LogManager;
|
||||
import org.apache.logging.log4j.Logger;
|
||||
|
|
@ -119,6 +112,7 @@ public class CredSspScheme implements AuthScheme
|
|||
CREDENTIALS_SENT;
|
||||
}
|
||||
|
||||
private final SSLContext sslContext;
|
||||
private State state;
|
||||
private SSLEngine sslEngine;
|
||||
private NTCredentials ntcredentials;
|
||||
|
|
@ -131,7 +125,8 @@ public class CredSspScheme implements AuthScheme
|
|||
private byte[] peerPublicKey;
|
||||
|
||||
|
||||
public CredSspScheme() {
|
||||
public CredSspScheme(final SSLContext sslContext) {
|
||||
this.sslContext = Args.notNull(sslContext, "SSL context");
|
||||
state = State.UNINITIATED;
|
||||
}
|
||||
|
||||
|
|
@ -169,53 +164,6 @@ public class CredSspScheme implements AuthScheme
|
|||
|
||||
private SSLEngine createSSLEngine()
|
||||
{
|
||||
final SSLContext sslContext;
|
||||
try
|
||||
{
|
||||
sslContext = SSLContexts.custom().build();
|
||||
}
|
||||
catch (final NoSuchAlgorithmException | KeyManagementException ex )
|
||||
{
|
||||
throw new SSLInitializationException( "Error creating SSL Context: " + ex.getMessage(), ex );
|
||||
}
|
||||
|
||||
final X509TrustManager tm = new X509TrustManager()
|
||||
{
|
||||
|
||||
@Override
|
||||
public void checkClientTrusted( final X509Certificate[] chain, final String authType )
|
||||
throws CertificateException
|
||||
{
|
||||
// Nothing to do.
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public void checkServerTrusted( final X509Certificate[] chain, final String authType )
|
||||
throws CertificateException
|
||||
{
|
||||
// Nothing to do, accept all. CredSSP server is using its own certificate without any
|
||||
// binding to the PKI trust chains. The public key is verified as part of the CredSSP
|
||||
// protocol exchange.
|
||||
}
|
||||
|
||||
|
||||
@Override
|
||||
public X509Certificate[] getAcceptedIssuers()
|
||||
{
|
||||
return null;
|
||||
}
|
||||
|
||||
};
|
||||
try
|
||||
{
|
||||
sslContext.init( null, new TrustManager[]
|
||||
{ tm }, null );
|
||||
}
|
||||
catch ( final KeyManagementException e )
|
||||
{
|
||||
throw new SSLInitializationException( "SSL Context initialization error: " + e.getMessage(), e );
|
||||
}
|
||||
final SSLEngine sslEngine = sslContext.createSSLEngine();
|
||||
sslEngine.setUseClientMode( true );
|
||||
return sslEngine;
|
||||
|
|
|
|||
|
|
@ -27,18 +27,47 @@
|
|||
|
||||
package org.apache.hc.client5.http.impl.auth;
|
||||
|
||||
import java.security.KeyManagementException;
|
||||
import java.security.KeyStoreException;
|
||||
import java.security.NoSuchAlgorithmException;
|
||||
|
||||
import javax.net.ssl.SSLContext;
|
||||
|
||||
import org.apache.hc.client5.http.auth.AuthScheme;
|
||||
import org.apache.hc.client5.http.auth.AuthSchemeProvider;
|
||||
import org.apache.hc.client5.http.ssl.TrustAllStrategy;
|
||||
import org.apache.hc.core5.annotation.Experimental;
|
||||
import org.apache.hc.core5.http.protocol.HttpContext;
|
||||
import org.apache.hc.core5.ssl.SSLContexts;
|
||||
import org.apache.hc.core5.ssl.SSLInitializationException;
|
||||
|
||||
@Experimental
|
||||
public class CredSspSchemeFactory implements AuthSchemeProvider
|
||||
{
|
||||
|
||||
private final SSLContext sslContext;
|
||||
|
||||
public CredSspSchemeFactory() {
|
||||
this(createDefaultContext());
|
||||
}
|
||||
|
||||
public CredSspSchemeFactory(final SSLContext sslContext) {
|
||||
this.sslContext = sslContext != null ? sslContext : createDefaultContext();
|
||||
}
|
||||
|
||||
private static SSLContext createDefaultContext() throws SSLInitializationException {
|
||||
try {
|
||||
return SSLContexts.custom()
|
||||
.loadTrustMaterial(new TrustAllStrategy())
|
||||
.build();
|
||||
} catch (final NoSuchAlgorithmException | KeyManagementException | KeyStoreException ex) {
|
||||
throw new SSLInitializationException(ex.getMessage(), ex);
|
||||
}
|
||||
}
|
||||
|
||||
@Override
|
||||
public AuthScheme create(final HttpContext context) {
|
||||
return new CredSspScheme();
|
||||
return new CredSspScheme(sslContext);
|
||||
}
|
||||
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue