316382: support a more strict SSL option with certificates

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@2795 7e9141cc-0065-0410-87d8-b60c137991c4
Michael Gorovoy 2011-02-16 01:00:03 +00:00
parent e78dcf94f2
commit 01955d7295
13 changed files with 1982 additions and 633 deletions


@ -1,9 +1,11 @@
jetty-7.3.1-SNAPSHOT
+ 316382 Support a more strict SSL option with certificates
+ 335329 Moved blocking timeout handling to outside try catch
+ 336691 Possible wrong length returned by ChannelEndPoint.flush() in case of RandomAccessFileBuffer
+ 336781 If xml parser is not validating, turn off external dtd resolution
+ 336793 Tee data filled and flushed from endpoint
+ 337258 Scanner start and end cycle notification
+ 337268 Allow specifying alias of a certificate to be used by SSL connector
jetty-7.3.0.v20110203 3 February 2011
+ JETTY-1259 NullPointerException in JDBCSessionIdManager when invalidating session (further update)


@ -12,6 +12,8 @@
<properties>
<bundle-symbolic-name>${project.groupId}.client</bundle-symbolic-name>
<jetty.test.keystore>1.1</jetty.test.keystore>
<jetty.test.keystore.loc>target/test-policy</jetty.test.keystore.loc>
</properties>
<build>
@ -53,6 +55,32 @@
<onlyAnalyze>org.eclipse.jetty.client.*</onlyAnalyze>
</configuration>
</plugin>
<plugin>
<groupId>org.apache.maven.plugins</groupId>
<artifactId>maven-dependency-plugin</artifactId>
<executions>
<execution>
<id>unpack</id>
<phase>generate-test-resources</phase>
<goals>
<goal>unpack</goal>
</goals>
<configuration>
<artifactItems>
<artifactItem>
<groupId>org.eclipse.jetty.toolchain</groupId>
<artifactId>jetty-test-policy</artifactId>
<version>${jetty.test.keystore}</version>
<type>jar</type>
<overWrite>true</overWrite>
<includes>**/*.keystore,**/*.pem</includes>
<outputDirectory>${jetty.test.keystore.loc}</outputDirectory>
</artifactItem>
</artifactItems>
</configuration>
</execution>
</executions>
</plugin>
</plugins>
</build>
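Review bot: The new property `jetty.test.keystore` holds the version of the jetty-test-policy artifact (it is the value fed to `<version>` inside the `<artifactItem>`), not a keystore, so its name misleads anyone reading the unpack execution; `<jetty.test.policy.version>1.1</jetty.test.policy.version>` would say what it actually is. The unpack execution itself looks right, but nothing in the pom says what the `.keystore` and `.pem` files are for, and a one-line comment above the plugin, `<!-- unpack test keystores and CRL fixtures used by the SSL validation tests -->`, would save the next reader a search through the test sources.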


@ -13,33 +13,24 @@
package org.eclipse.jetty.client;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Enumeration;
import java.util.LinkedList;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.eclipse.jetty.client.security.Authentication;
import org.eclipse.jetty.client.security.RealmResolver;
import org.eclipse.jetty.client.security.SecurityListener;
import org.eclipse.jetty.http.HttpBuffers;
import org.eclipse.jetty.http.HttpSchemes;
import org.eclipse.jetty.http.security.Password;
import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.io.Buffer;
import org.eclipse.jetty.io.ByteArrayBuffer;
import org.eclipse.jetty.io.nio.DirectNIOBuffer;
@ -48,7 +39,6 @@ import org.eclipse.jetty.util.Attributes;
import org.eclipse.jetty.util.AttributesMap;
import org.eclipse.jetty.util.component.LifeCycle;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.eclipse.jetty.util.thread.ThreadPool;
import org.eclipse.jetty.util.thread.Timeout;
@ -101,26 +91,21 @@ public class HttpClient extends HttpBuffers implements Attributes
private int _maxRedirects = 20;
private LinkedList<String> _registeredListeners;
private String _keyStoreLocation;
private InputStream _keyStoreInputStream;
private String _keyStoreType = "JKS";
private String _keyStorePassword;
private String _keyManagerAlgorithm = (Security.getProperty("ssl.KeyManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.KeyManagerFactory.algorithm"));
private String _keyManagerPassword;
private String _trustStoreLocation;
private InputStream _trustStoreInputStream;
private String _trustStoreType = "JKS";
private String _trustStorePassword;
private String _trustManagerAlgorithm = (Security.getProperty("ssl.TrustManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.TrustManagerFactory.algorithm"));
private String _protocol = "TLS";
private String _provider;
private String _secureRandomAlgorithm;
private SSLContext _sslContext;
private SslContextFactory _sslContextFactory;
private RealmResolver _realmResolver;
private AttributesMap _attributes=new AttributesMap();
public HttpClient()
{
this(new SslContextFactory());
}
public HttpClient(SslContextFactory sslContextFactory)
{
_sslContextFactory = sslContextFactory;
}
/* ------------------------------------------------------------------------------- */
public void dump()
@ -458,7 +443,8 @@ public class HttpClient extends HttpBuffers implements Attributes
((LifeCycle)_threadPool).start();
}
_sslContextFactory.start();
if (_connectorType == CONNECTOR_SELECT_CHANNEL)
{
@ -503,6 +489,8 @@ public class HttpClient extends HttpBuffers implements Attributes
{
_connector.stop();
_connector = null;
_sslContextFactory.stop();
if (_threadPool instanceof LifeCycle)
{
((LifeCycle)_threadPool).stop();
@ -528,150 +516,21 @@ public class HttpClient extends HttpBuffers implements Attributes
* otherwise we simply ignore certificates and run with a loose ssl context.
*
* @return the SSL context
* @throws IOException
*/
protected SSLContext getSSLContext() throws IOException
protected SSLContext getSSLContext()
{
if (_sslContext == null)
{
if (_keyStoreInputStream == null && _keyStoreLocation == null &&
_trustStoreInputStream == null && _trustStoreLocation == null )
{
_sslContext = getLooseSSLContext();
}
else
{
_sslContext = getStrictSSLContext();
}
}
return _sslContext;
return _sslContextFactory.getSslContext();
}
protected SSLContext getStrictSSLContext() throws IOException
/* ------------------------------------------------------------ */
/**
* @return the instance of SslContextFactory associated with the client
*/
public SslContextFactory getSslContextFactory()
{
try
{
/*
* if the keystore exists but the trust store doesn't use the keystore as the trust store
*/
if (_keyStoreInputStream != null || _keyStoreLocation != null)
{
if (_trustStoreInputStream == null && _trustStoreLocation == null)
{
_trustStoreLocation = _keyStoreLocation;
_trustStoreInputStream = _keyStoreInputStream;
_trustStoreType = _keyStoreType;
}
}
InputStream keyStoreInputStream = null;
InputStream trustStoreInputStream = null;
// It's the same stream and we cannot read it twice, so we read it once in memory
if (_keyStoreInputStream != null && _keyStoreInputStream == _trustStoreInputStream)
{
ByteArrayOutputStream baos = new ByteArrayOutputStream();
byte[] buffer = new byte[1024];
int read;
while ((read = _keyStoreInputStream.read(buffer)) >= 0)
{
baos.write(buffer, 0, read);
}
_keyStoreInputStream.close();
keyStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
trustStoreInputStream = new ByteArrayInputStream(baos.toByteArray());
}
/*
* set the keystore input stream if it isn't set
*/
if (keyStoreInputStream == null && _keyStoreLocation != null )
{
keyStoreInputStream = _keyStoreInputStream == null ? Resource.newResource(_keyStoreLocation).getInputStream() : _keyStoreInputStream;
}
/*
* work out the key managers for the keystore, null if its not configured
*/
KeyManager[] keyManagers = null;
if (keyStoreInputStream != null)
{
KeyStore keyStore = KeyStore.getInstance(_keyStoreType);
keyStore.load(keyStoreInputStream,_keyStorePassword == null?null:_keyStorePassword.toCharArray());
keyStoreInputStream.close();
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerAlgorithm);
keyManagerFactory.init(keyStore,_keyManagerPassword == null?null:_keyManagerPassword.toCharArray());
keyManagers = keyManagerFactory.getKeyManagers();
}
/*
* trust store will always exist if this method has been called, either by being the only store specified or by being
* a duplicate of the keystore..
*
* this is behavior consistent with other aspects of jetty I believe so maintaining that consistency
*/
if (trustStoreInputStream == null)
{
trustStoreInputStream = _trustStoreInputStream == null ? Resource.newResource(_trustStoreLocation).getInputStream() : _trustStoreInputStream;
}
KeyStore trustStore = KeyStore.getInstance(_trustStoreType);
trustStore.load(trustStoreInputStream, _trustStorePassword == null ? null : _trustStorePassword.toCharArray());
trustStoreInputStream.close();
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerAlgorithm);
trustManagerFactory.init(trustStore);
TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
SecureRandom secureRandom = _secureRandomAlgorithm == null ? null : SecureRandom.getInstance(_secureRandomAlgorithm);
SSLContext context = _provider == null ? SSLContext.getInstance(_protocol) : SSLContext.getInstance(_protocol, _provider);
context.init(keyManagers, trustManagers, secureRandom);
return context;
}
catch (Exception x)
{
throw (IOException)new IOException("Error generating SSLContext for keystore " + _keyStoreLocation).initCause(x);
}
return _sslContextFactory;
}
protected SSLContext getLooseSSLContext() throws IOException
{
// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager()
{
public java.security.cert.X509Certificate[] getAcceptedIssuers()
{
return null;
}
public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType)
{
}
public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType)
{
}
}};
// Install the all-trusting trust manager
try
{
SSLContext sslContext = SSLContext.getInstance(_protocol);
sslContext.init(null, trustAllCerts, null);
return sslContext;
}
catch (Exception x)
{
throw (IOException)new IOException("Error generating loose SSLContext").initCause(x);
}
}
/* ------------------------------------------------------------ */
/**
* @return the period in milliseconds a {@link HttpConnection} can be idle for before it is closed.
@ -811,148 +670,175 @@ public class HttpClient extends HttpBuffers implements Attributes
}
/* ------------------------------------------------------------ */
@Deprecated
public String getTrustStoreLocation()
{
return _trustStoreLocation;
return _sslContextFactory.getTruststore();
}
/* ------------------------------------------------------------ */
@Deprecated
public void setTrustStoreLocation(String trustStoreLocation)
{
this._trustStoreLocation = trustStoreLocation;
_sslContextFactory.setTruststore(trustStoreLocation);
}
/* ------------------------------------------------------------ */
@Deprecated
public InputStream getTrustStoreInputStream()
{
return _trustStoreInputStream;
return _sslContextFactory.getTruststoreInputStream();
}
/* ------------------------------------------------------------ */
@Deprecated
public void setTrustStoreInputStream(InputStream trustStoreInputStream)
{
this._trustStoreInputStream = trustStoreInputStream;
_sslContextFactory.setTruststoreInputStream(trustStoreInputStream);
}
/* ------------------------------------------------------------ */
@Deprecated
public String getKeyStoreLocation()
{
return _keyStoreLocation;
return _sslContextFactory.getKeystore();
}
/* ------------------------------------------------------------ */
@Deprecated
public void setKeyStoreLocation(String keyStoreLocation)
{
this._keyStoreLocation = keyStoreLocation;
_sslContextFactory.setKeystore(keyStoreLocation);
}
@Deprecated
public InputStream getKeyStoreInputStream()
{
return _keyStoreInputStream;
return _sslContextFactory.getKeystoreInputStream();
}
@Deprecated
public void setKeyStoreInputStream(InputStream keyStoreInputStream)
{
this._keyStoreInputStream = keyStoreInputStream;
_sslContextFactory.setKeystoreInputStream(keyStoreInputStream);
}
/* ------------------------------------------------------------ */
@Deprecated
public void setKeyStorePassword(String keyStorePassword)
{
this._keyStorePassword = new Password(keyStorePassword).toString();
_sslContextFactory.setKeystorePassword(keyStorePassword);
}
/* ------------------------------------------------------------ */
@Deprecated
public void setKeyManagerPassword(String keyManagerPassword)
{
this._keyManagerPassword = new Password(keyManagerPassword).toString();
_sslContextFactory.setKeyManagerPassword(keyManagerPassword);
}
/* ------------------------------------------------------------ */
@Deprecated
public void setTrustStorePassword(String trustStorePassword)
{
this._trustStorePassword = new Password(trustStorePassword).toString();
_sslContextFactory.setTruststorePassword(trustStorePassword);
}
/* ------------------------------------------------------------ */
@Deprecated
public String getKeyStoreType()
{
return this._keyStoreType;
return _sslContextFactory.getKeystoreType();
}
/* ------------------------------------------------------------ */
@Deprecated
public void setKeyStoreType(String keyStoreType)
{
this._keyStoreType = keyStoreType;
_sslContextFactory.setKeystoreType(keyStoreType);
}
/* ------------------------------------------------------------ */
@Deprecated
public String getTrustStoreType()
{
return this._trustStoreType;
return _sslContextFactory.getTruststoreType();
}
/* ------------------------------------------------------------ */
@Deprecated
public void setTrustStoreType(String trustStoreType)
{
this._trustStoreType = trustStoreType;
_sslContextFactory.setTruststoreType(trustStoreType);
}
/* ------------------------------------------------------------ */
@Deprecated
public String getKeyManagerAlgorithm()
{
return _keyManagerAlgorithm;
return _sslContextFactory.getSslKeyManagerFactoryAlgorithm();
}
/* ------------------------------------------------------------ */
@Deprecated
public void setKeyManagerAlgorithm(String keyManagerAlgorithm)
{
this._keyManagerAlgorithm = keyManagerAlgorithm;
_sslContextFactory.setSslKeyManagerFactoryAlgorithm(keyManagerAlgorithm);
}
/* ------------------------------------------------------------ */
@Deprecated
public String getTrustManagerAlgorithm()
{
return _trustManagerAlgorithm;
return _sslContextFactory.getTrustManagerFactoryAlgorithm();
}
/* ------------------------------------------------------------ */
@Deprecated
public void setTrustManagerAlgorithm(String trustManagerAlgorithm)
{
this._trustManagerAlgorithm = trustManagerAlgorithm;
_sslContextFactory.setTrustManagerFactoryAlgorithm(trustManagerAlgorithm);
}
/* ------------------------------------------------------------ */
@Deprecated
public String getProtocol()
{
return _protocol;
return _sslContextFactory.getProtocol();
}
/* ------------------------------------------------------------ */
@Deprecated
public void setProtocol(String protocol)
{
this._protocol = protocol;
_sslContextFactory.setProtocol(protocol);
}
/* ------------------------------------------------------------ */
@Deprecated
public String getProvider()
{
return _provider;
return _sslContextFactory.getProvider();
}
/* ------------------------------------------------------------ */
@Deprecated
public void setProvider(String provider)
{
this._provider = provider;
setProvider(provider);
}
/* ------------------------------------------------------------ */
@Deprecated
public String getSecureRandomAlgorithm()
{
return _secureRandomAlgorithm;
return _sslContextFactory.getSecureRandomAlgorithm();
}
/* ------------------------------------------------------------ */
@Deprecated
public void setSecureRandomAlgorithm(String secureRandomAlgorithm)
{
this._secureRandomAlgorithm = secureRandomAlgorithm;
_sslContextFactory.setSecureRandomAlgorithm(secureRandomAlgorithm);
}
}
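Review bot: The deprecated `setProvider(String provider)` at the end of this hunk now calls itself, `setProvider(provider);`, instead of delegating, so any caller ends in a StackOverflowError; the line should read `_sslContextFactory.setProvider(provider);` like the surrounding setters. The deprecated password setters previously ran the value through `new Password(...)`, which handled the OBF:/MD5: encoded forms; whether `SslContextFactory` performs that decoding itself is not visible in this commit (its diff is suppressed), so that should be confirmed before the delegation is relied upon. The new `HttpClient(SslContextFactory)` constructor stores its argument unchecked while every delegating method dereferences it, and `if (sslContextFactory == null) throw new IllegalArgumentException("sslContextFactory");` would turn a later NullPointerException into an immediate, named failure. Separately, the Javadoc above `getSSLContext()` in the earlier hunk still says a loose context is used when no store is configured, which no longer describes a method that simply returns `_sslContextFactory.getSslContext()`.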


@ -213,12 +213,20 @@ public class ContentExchangeTest
throws Exception
{
_client = new HttpClient();
_client.setConnectorType(HttpClient.CONNECTOR_SELECT_CHANNEL);
configureClient(_client);
if (realm != null)
_client.setRealmResolver(new SimpleRealmResolver(realm));
_client.start();
}
protected void configureClient(HttpClient client)
throws Exception
{
client.setConnectorType(HttpClient.CONNECTOR_SELECT_CHANNEL);
}
protected void stopClient()
throws Exception
{


@ -0,0 +1,12 @@
package org.eclipse.jetty.client;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
public class SslSelectChannelValidationTest extends SslValidationTestBase
{
static
{
__klass = SslSelectChannelConnector.class;
__konnector = HttpClient.CONNECTOR_SELECT_CHANNEL;
}
}
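Review bot: `__klass` and `__konnector` are mutable statics on `SslValidationTestBase` that this static initializer writes, and `SslSocketValidationTest` writes them again, so their values depend on class-loading order: when both test classes are loaded into one JVM before either runs, the second initializer wins and one suite silently exercises the other's connector. Replacing the two fields with abstract instance accessors on the base class, `protected abstract Class<? extends SslConnector> connectorClass();` and `protected abstract int connectorType();`, overridden here and in the socket variant, removes the shared state and makes each test self-describing.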


@ -0,0 +1,12 @@
package org.eclipse.jetty.client;
import org.eclipse.jetty.server.ssl.SslSocketConnector;
public class SslSocketValidationTest extends SslValidationTestBase
{
static
{
__klass = SslSocketConnector.class;
__konnector = HttpClient.CONNECTOR_SOCKET;
}
}


@ -0,0 +1,69 @@
package org.eclipse.jetty.client;
import java.io.File;
import java.lang.reflect.Constructor;
import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.handler.HandlerCollection;
import org.eclipse.jetty.server.ssl.SslConnector;
import org.eclipse.jetty.servlet.DefaultServlet;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
public abstract class SslValidationTestBase extends SslContentExchangeTest
{
protected static Class<? extends SslConnector> __klass;
protected static int __konnector;
@Override
protected void configureServer(Server server)
throws Exception
{
setProtocol("https");
// certificate is valid until Jan 1, 2050
String keypath = MavenTestingUtils.getTargetFile("test-policy/validation/jetty-valid.keystore").getAbsolutePath();
String trustpath = new File(System.getProperty("java.home"),"./lib/security/cacerts").getAbsolutePath();
String crlpath = MavenTestingUtils.getTargetFile("test-policy/validation/crlfile.pem").getAbsolutePath();
SslContextFactory srvFactory = new SslContextFactory();
srvFactory.setValidateCerts(true);
srvFactory.setKeystore(keypath);
srvFactory.setKeystorePassword("webtide");
srvFactory.setKeyManagerPassword("webtide");
srvFactory.setTruststore(trustpath);
srvFactory.setTruststorePassword("changeit");
srvFactory.setCrlPath(crlpath);
Constructor<? extends SslConnector> constructor = __klass.getConstructor(SslContextFactory.class);
SslConnector connector = constructor.newInstance(srvFactory);
connector.setMaxIdleTime(5000);
server.addConnector(connector);
Handler handler = new TestHandler(getBasePath());
ServletContextHandler root = new ServletContextHandler();
root.setContextPath("/");
root.setResourceBase(getBasePath());
ServletHolder servletHolder = new ServletHolder( new DefaultServlet() );
servletHolder.setInitParameter( "gzip", "true" );
root.addServlet( servletHolder, "/*" );
HandlerCollection handlers = new HandlerCollection();
handlers.setHandlers(new Handler[]{handler, root});
server.setHandler( handlers );
}
@Override
protected void configureClient(HttpClient client)
throws Exception
{
String trustpath = new File(System.getProperty("java.home"),"./lib/security/cacerts").getAbsolutePath();
client.setTrustStoreLocation(trustpath);
client.setTrustStorePassword("changeit");
client.setConnectorType(__konnector);
}
}
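Review bot: Both `configureServer` and `configureClient` build the trust store path as `new File(System.getProperty("java.home"), "./lib/security/cacerts")`, which ties the test to the runtime's bundled CA store, its file layout and its default `"changeit"` password; on a JVM where any of those differ the suite fails before certificate validation is exercised at all. Shipping a trust store containing the issuer of `jetty-valid.keystore` alongside the other fixtures under `test-policy/validation` and using it for both sides would make the test hermetic. The path is also computed twice; if the system store is kept, a single `private static String cacertsPath()` helper keeps server and client in agreement. The remaining hard-coded passwords are test-fixture values and are fine as they are.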


@ -0,0 +1,128 @@
//========================================================================
//Copyright (c) Webtide LLC
//------------------------------------------------------------------------
//All rights reserved. This program and the accompanying materials
//are made available under the terms of the Eclipse Public License v1.0
//and Apache License v2.0 which accompanies this distribution.
//
//The Eclipse Public License is available at
//http://www.eclipse.org/legal/epl-v10.html
//
//The Apache License v2.0 is available at
//http://www.apache.org/licenses/LICENSE-2.0.txt
//
//You may elect to redistribute this code under either of these licenses.
//========================================================================
package org.eclipse.jetty.http.ssl;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;
/* ------------------------------------------------------------ */
/**
* KeyManager to select a key with desired alias
* while delegating processing to specified KeyManager
* Can be used both with server and client sockets
*/
public class AliasedX509ExtendedKeyManager extends X509ExtendedKeyManager
{
private String _keyAlias;
private X509KeyManager _keyManager;
/* ------------------------------------------------------------ */
/**
* Construct KeyManager instance
* @param keyAlias Alias of the key to be selected
* @param keyManager Instance of KeyManager to be wrapped
* @throws Exception
*/
public AliasedX509ExtendedKeyManager(String keyAlias, X509KeyManager keyManager) throws Exception
{
_keyAlias = keyAlias;
_keyManager = keyManager;
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#chooseClientAlias(java.lang.String[], java.security.Principal[], java.net.Socket)
*/
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
{
return _keyAlias == null ? _keyManager.chooseClientAlias(keyType, issuers, socket) : _keyAlias;
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#chooseServerAlias(java.lang.String, java.security.Principal[], java.net.Socket)
*/
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
{
return _keyAlias == null ? _keyManager.chooseServerAlias(keyType, issuers, socket) : _keyAlias;
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#getClientAliases(java.lang.String, java.security.Principal[])
*/
public String[] getClientAliases(String keyType, Principal[] issuers)
{
return _keyManager.getClientAliases(keyType, issuers);
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#getServerAliases(java.lang.String, java.security.Principal[])
*/
public String[] getServerAliases(String keyType, Principal[] issuers)
{
return _keyManager.getServerAliases(keyType, issuers);
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#getCertificateChain(java.lang.String)
*/
public X509Certificate[] getCertificateChain(String alias)
{
return _keyManager.getCertificateChain(alias);
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#getPrivateKey(java.lang.String)
*/
public PrivateKey getPrivateKey(String alias)
{
return _keyManager.getPrivateKey(alias);
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509ExtendedKeyManager#chooseEngineServerAlias(java.lang.String, java.security.Principal[], javax.net.ssl.SSLEngine)
*/
@Override
public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
{
return _keyAlias == null ? super.chooseEngineServerAlias(keyType,issuers,engine) : _keyAlias;
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509ExtendedKeyManager#chooseEngineClientAlias(java.lang.String, java.security.Principal[], javax.net.ssl.SSLEngine)
*/
@Override
public String chooseEngineClientAlias(String keyType[], Principal[] issuers, SSLEngine engine)
{
return _keyAlias == null ? super.chooseEngineClientAlias(keyType,issuers,engine) : _keyAlias;
}
}
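Review bot: `chooseEngineServerAlias` and `chooseEngineClientAlias` fall back to `super.chooseEngine…Alias`, and the default implementation of those methods in `X509ExtendedKeyManager` returns null, so when no alias is configured the wrapped `_keyManager` is never consulted for SSLEngine-based connections and no key is offered; unless the factory only wraps when an alias is set (its diff is suppressed, so I cannot tell), NIO connectors lose their key. The fallback should go to the wrapped manager, using its engine methods when it is itself an `X509ExtendedKeyManager` and its socket methods with a null socket otherwise, as below. The constructor's `throws Exception` clause cannot be triggered and only burdens callers, and since a configured `_keyAlias` is returned without consulting `keyType` or `issuers`, checking `keyManager.getPrivateKey(keyAlias) != null` in the constructor and throwing IllegalArgumentException would fail fast on a misspelled or absent alias instead of failing the handshake later. The interface methods would also benefit from `@Override`, and both fields can be `final`.
```java
// … unchanged: fields, constructor, socket-based chooseClientAlias/chooseServerAlias, alias and key accessors …

@Override
public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
{
    if (_keyAlias != null)
        return _keyAlias;
    if (_keyManager instanceof X509ExtendedKeyManager)
        return ((X509ExtendedKeyManager)_keyManager).chooseEngineServerAlias(keyType, issuers, engine);
    // a null socket asks the delegate for its most generic alias
    return _keyManager.chooseServerAlias(keyType, issuers, null);
}

@Override
public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine)
{
    if (_keyAlias != null)
        return _keyAlias;
    if (_keyManager instanceof X509ExtendedKeyManager)
        return ((X509ExtendedKeyManager)_keyManager).chooseEngineClientAlias(keyType, issuers, engine);
    return _keyManager.chooseClientAlias(keyType, issuers, null);
}
```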


@ -0,0 +1,105 @@
//========================================================================
//Copyright (c) Webtide LLC
//------------------------------------------------------------------------
//All rights reserved. This program and the accompanying materials
//are made available under the terms of the Eclipse Public License v1.0
//and Apache License v2.0 which accompanies this distribution.
//
//The Eclipse Public License is available at
//http://www.eclipse.org/legal/epl-v10.html
//
//The Apache License v2.0 is available at
//http://www.apache.org/licenses/LICENSE-2.0.txt
//
//You may elect to redistribute this code under either of these licenses.
//========================================================================
package org.eclipse.jetty.http.ssl;
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import javax.net.ssl.X509KeyManager;
/* ------------------------------------------------------------ */
/**
* KeyManager to select a key with desired alias
* while delegating processing to specified KeyManager
* Can be used both with server and client sockets
*/
public class AliasedX509KeyManager implements X509KeyManager
{
private String _keyAlias;
private X509KeyManager _keyManager;
/* ------------------------------------------------------------ */
/**
* Construct KeyManager instance
* @param keyAlias Alias of the key to be selected
* @param keyManager Instance of KeyManager to be wrapped
* @throws Exception
*/
public AliasedX509KeyManager(String keyAlias, X509KeyManager keyManager) throws Exception
{
_keyAlias = keyAlias;
_keyManager = keyManager;
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#chooseClientAlias(java.lang.String[], java.security.Principal[], java.net.Socket)
*/
public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
{
return _keyAlias == null ? _keyManager.chooseClientAlias(keyType, issuers, socket) : _keyAlias;
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#chooseServerAlias(java.lang.String, java.security.Principal[], java.net.Socket)
*/
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
{
return _keyAlias == null ?_keyManager.chooseServerAlias(keyType, issuers, socket) : _keyAlias;
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#getClientAliases(java.lang.String, java.security.Principal[])
*/
public String[] getClientAliases(String keyType, Principal[] issuers)
{
return _keyManager.getClientAliases(keyType, issuers);
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#getServerAliases(java.lang.String, java.security.Principal[])
*/
public String[] getServerAliases(String keyType, Principal[] issuers)
{
return _keyManager.getServerAliases(keyType, issuers);
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#getCertificateChain(java.lang.String)
*/
public X509Certificate[] getCertificateChain(String alias)
{
return _keyManager.getCertificateChain(alias);
}
/* ------------------------------------------------------------ */
/**
* @see javax.net.ssl.X509KeyManager#getPrivateKey(java.lang.String)
*/
public PrivateKey getPrivateKey(String alias)
{
return _keyManager.getPrivateKey(alias);
}
}
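Review bot: The constructor declares `throws Exception` but nothing in its body can throw, which forces every caller to catch or propagate a checked exception for no reason; the clause should be dropped (the same applies to `AliasedX509ExtendedKeyManager`). When `_keyAlias` is set, `chooseClientAlias` and `chooseServerAlias` return it without consulting the wrapped manager, so an alias that is absent from the key store or whose key type does not match `keyType` is still offered and the handshake fails late with an opaque error; `if (keyAlias != null && keyManager.getPrivateKey(keyAlias) == null) throw new IllegalArgumentException("no key for alias " + keyAlias);` in the constructor would surface the misconfiguration at startup. This class is also the non-engine half of `AliasedX509ExtendedKeyManager`, which already implements `X509KeyManager`, so it is worth confirming that both are needed rather than maintaining the delegation twice. The interface methods would benefit from `@Override`, and both fields can be `final`.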



@ -9,6 +9,7 @@ import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.server.Connector;
@ -18,135 +19,182 @@ import org.eclipse.jetty.server.Connector;
*/
public interface SslConnector extends Connector
{
@Deprecated
public static final String DEFAULT_KEYSTORE_ALGORITHM=(Security.getProperty("ssl.KeyManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.KeyManagerFactory.algorithm"));
@Deprecated
public static final String DEFAULT_TRUSTSTORE_ALGORITHM=(Security.getProperty("ssl.TrustManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.TrustManagerFactory.algorithm"));
/** Default value for the keystore location path. */
/** Default value for the keystore location path. @deprecated */
@Deprecated
public static final String DEFAULT_KEYSTORE = System.getProperty("user.home") + File.separator + ".keystore";
/** String name of key password property. */
/** String name of key password property. @deprecated */
@Deprecated
public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
/** String name of keystore password property. */
/** String name of keystore password property. @deprecated */
@Deprecated
public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
/* ------------------------------------------------------------ */
/**
* @return the instance of SslContextFactory associated with the connector
*/
public SslContextFactory getSslContextFactory();
/* ------------------------------------------------------------ */
/**
* @return The array of Ciphersuite names to exclude from
* {@link SSLEngine#setEnabledCipherSuites(String[])}
* @deprecated
*/
@Deprecated
public abstract String[] getExcludeCipherSuites();
/* ------------------------------------------------------------ */
/**
* @param cipherSuites The array of Ciphersuite names to exclude from
* {@link SSLEngine#setEnabledCipherSuites(String[])}
* @deprecated
*/
@Deprecated
public abstract void setExcludeCipherSuites(String[] cipherSuites);
/* ------------------------------------------------------------ */
/**
* @return The array of Ciphersuite names to include in
* {@link SSLEngine#setEnabledCipherSuites(String[])}
* @deprecated
*/
@Deprecated
public abstract String[] getIncludeCipherSuites();
/* ------------------------------------------------------------ */
/**
* @param cipherSuites The array of Ciphersuite names to include in
* {@link SSLEngine#setEnabledCipherSuites(String[])}
* @deprecated
*/
@Deprecated
public abstract void setIncludeCipherSuites(String[] cipherSuites);
/* ------------------------------------------------------------ */
/**
* @param password The password for the key store
* @deprecated
*/
@Deprecated
public abstract void setPassword(String password);
/* ------------------------------------------------------------ */
/**
* @param password The password for the trust store
* @deprecated
*/
@Deprecated
public abstract void setTrustPassword(String password);
/* ------------------------------------------------------------ */
/**
* @param password The password (if any) for the specific key within
* the key store
* @deprecated
*/
@Deprecated
public abstract void setKeyPassword(String password);
/* ------------------------------------------------------------ */
/**
* @return The SSL protocol (default "TLS") passed to {@link SSLContext#getInstance(String, String)}
* @deprecated
*/
@Deprecated
public abstract String getProtocol();
/* ------------------------------------------------------------ */
/**
* @param protocol The SSL protocol (default "TLS") passed to {@link SSLContext#getInstance(String, String)}
* @deprecated
*/
@Deprecated
public abstract void setProtocol(String protocol);
/* ------------------------------------------------------------ */
/**
* @param keystore The file or URL of the SSL Key store.
* @deprecated
*/
@Deprecated
public abstract void setKeystore(String keystore);
/* ------------------------------------------------------------ */
/**
* @return The file or URL of the SSL Key store.
* @deprecated
*/
@Deprecated
public abstract String getKeystore();
/* ------------------------------------------------------------ */
/**
* @return The type of the key store (default "JKS")
* @deprecated
*/
@Deprecated
public abstract String getKeystoreType();
/* ------------------------------------------------------------ */
/**
* @return True if SSL needs client authentication.
* @see SSLEngine#getNeedClientAuth()
* @deprecated
*/
@Deprecated
public abstract boolean getNeedClientAuth();
/* ------------------------------------------------------------ */
/**
* @return True if SSL wants client authentication.
* @see SSLEngine#getWantClientAuth()
* @deprecated
*/
@Deprecated
public abstract boolean getWantClientAuth();
/* ------------------------------------------------------------ */
/**
* @param needClientAuth True if SSL needs client authentication.
* @see SSLEngine#getNeedClientAuth()
* @deprecated
*/
@Deprecated
public abstract void setNeedClientAuth(boolean needClientAuth);
/* ------------------------------------------------------------ */
/**
* @param wantClientAuth True if SSL wants client authentication.
* @see SSLEngine#getWantClientAuth()
* @deprecated
*/
@Deprecated
public abstract void setWantClientAuth(boolean wantClientAuth);
/* ------------------------------------------------------------ */
/**
* @param keystoreType The type of the key store (default "JKS")
* @deprecated
*/
@Deprecated
public abstract void setKeystoreType(String keystoreType);
/* ------------------------------------------------------------ */
/**
* @return The SSL provider name, which if set is passed to
* {@link SSLContext#getInstance(String, String)}
* @deprecated
*/
@Deprecated
public abstract String getProvider();
/* ------------------------------------------------------------ */
@ -154,38 +202,50 @@ public interface SslConnector extends Connector
* @return The algorithm name, which if set is passed to
* {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom}
* instance passed to {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
* @deprecated
*/
@Deprecated
public abstract String getSecureRandomAlgorithm();
/* ------------------------------------------------------------ */
/**
* @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
* @deprecated
*/
@Deprecated
public abstract String getSslKeyManagerFactoryAlgorithm();
/* ------------------------------------------------------------ */
/**
* @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
* @deprecated
*/
@Deprecated
public abstract String getSslTrustManagerFactoryAlgorithm();
/* ------------------------------------------------------------ */
/**
* @return The file name or URL of the trust store location
* @deprecated
*/
@Deprecated
public abstract String getTruststore();
/* ------------------------------------------------------------ */
/**
* @return The type of the trust store (default "JKS")
* @deprecated
*/
@Deprecated
public abstract String getTruststoreType();
/* ------------------------------------------------------------ */
/**
* @param provider The SSL provider name, which if set is passed to
* {@link SSLContext#getInstance(String, String)}
* @deprecated
*/
@Deprecated
public abstract void setProvider(String provider);
/* ------------------------------------------------------------ */
@ -193,52 +253,67 @@ public interface SslConnector extends Connector
* @param algorithm The algorithm name, which if set is passed to
* {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom}
* instance passed to {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
* @deprecated
*/
@Deprecated
public abstract void setSecureRandomAlgorithm(String algorithm);
/* ------------------------------------------------------------ */
/**
* @param algorithm The algorithm name (default "SunX509") used by
* the {@link KeyManagerFactory}
* @deprecated
*/
@Deprecated
public abstract void setSslKeyManagerFactoryAlgorithm(String algorithm);
/* ------------------------------------------------------------ */
/**
* @param algorithm The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
* @deprecated
*/
@Deprecated
public abstract void setSslTrustManagerFactoryAlgorithm(String algorithm);
/* ------------------------------------------------------------ */
/**
* @param truststore The file name or URL of the trust store location
* @deprecated
*/
@Deprecated
public abstract void setTruststore(String truststore);
/* ------------------------------------------------------------ */
/**
* @param truststoreType The type of the trust store (default "JKS")
* @deprecated
*/
@Deprecated
public abstract void setTruststoreType(String truststoreType);
/* ------------------------------------------------------------ */
/**
* @param sslContext Set a preconfigured SSLContext
* @deprecated
*/
@Deprecated
public abstract void setSslContext(SSLContext sslContext);
/* ------------------------------------------------------------ */
/**
* @return The SSLContext
* @deprecated
*/
@Deprecated
public abstract SSLContext getSslContext();
/* ------------------------------------------------------------ */
/**
* @return True if SSL re-negotiation is allowed (default false)
* @deprecated
*/
@Deprecated
public boolean isAllowRenegotiate();
/* ------------------------------------------------------------ */
@ -248,6 +323,8 @@ public interface SslConnector extends Connector
* does not have CVE-2009-3555 fixed, then re-negotiation should
* not be allowed.
* @param allowRenegotiate true if re-negotiation is allowed (default false)
* @deprecated
*/
@Deprecated
public void setAllowRenegotiate(boolean allowRenegotiate);
}


@ -14,26 +14,17 @@
package org.eclipse.jetty.server.ssl;
import java.io.IOException;
import java.io.InputStream;
import java.nio.channels.SelectionKey;
import java.nio.channels.SocketChannel;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.jetty.http.HttpParser;
import org.eclipse.jetty.http.HttpSchemes;
import org.eclipse.jetty.http.security.Password;
import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.io.Buffer;
import org.eclipse.jetty.io.Buffers;
import org.eclipse.jetty.io.Connection;
@ -49,49 +40,28 @@ import org.eclipse.jetty.server.HttpConnection;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.nio.SelectChannelConnector;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.resource.Resource;
/* ------------------------------------------------------------ */
/**
* SslSelectChannelConnector.
*
* @org.apache.xbean.XBean element="sslConnector" description="Creates an NIO ssl connector"
*
*
*
*/
public class SslSelectChannelConnector extends SelectChannelConnector implements SslConnector
{
/** Default value for the excluded cipher Suites. */
private String _excludeCipherSuites[]=null;
/** Default value for the included cipher Suites. */
private String _includeCipherSuites[]=null;
/** Default value for the keystore location path. */
private String _keystorePath=DEFAULT_KEYSTORE;
private String _keystoreType="JKS"; // type of the key store
/** Set to true if we require client certificate authentication. */
private boolean _needClientAuth=false;
private boolean _wantClientAuth=false;
private boolean _allowRenegotiate=false;
private transient Password _password;
private transient Password _keyPassword;
private transient Password _trustPassword;
private String _protocol="TLS";
private String _provider;
private String _secureRandomAlgorithm; // cert algorithm
private String _sslKeyManagerFactoryAlgorithm=DEFAULT_KEYSTORE_ALGORITHM;
private String _sslTrustManagerFactoryAlgorithm=DEFAULT_TRUSTSTORE_ALGORITHM;
private String _truststorePath;
private String _truststoreType="JKS"; // type of the key store
private SSLContext _context;
private final SslContextFactory _sslContextFactory;
private Buffers _sslBuffers;
/* ------------------------------------------------------------ */
public SslSelectChannelConnector()
{
this(new SslContextFactory(SslContextFactory.DEFAULT_KEYSTORE_PATH));
}
/* ------------------------------------------------------------ */
public SslSelectChannelConnector(SslContextFactory sslContextFactory)
{
_sslContextFactory = sslContextFactory;
setUseDirectBuffers(false);
}
@ -137,10 +107,12 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
/* ------------------------------------------------------------ */
/**
* @return True if SSL re-negotiation is allowed (default false)
* @deprecated
*/
@Deprecated
public boolean isAllowRenegotiate()
{
return _allowRenegotiate;
return _sslContextFactory.isAllowRenegotiate();
}
/* ------------------------------------------------------------ */
@ -150,322 +122,389 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
* does not have CVE-2009-3555 fixed, then re-negotiation should
* not be allowed.
* @param allowRenegotiate true if re-negotiation is allowed (default false)
* @deprecated
*/
@Deprecated
public void setAllowRenegotiate(boolean allowRenegotiate)
{
_allowRenegotiate = allowRenegotiate;
_sslContextFactory.setAllowRenegotiate(allowRenegotiate);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
* @deprecated
*/
@Deprecated
public String[] getExcludeCipherSuites()
{
return _excludeCipherSuites;
return _sslContextFactory.getExcludeCipherSuites();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
* @deprecated
*/
@Deprecated
public void setExcludeCipherSuites(String[] cipherSuites)
{
this._excludeCipherSuites=cipherSuites;
_sslContextFactory.setExcludeCipherSuites(cipherSuites);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
* @deprecated
*/
@Deprecated
public String[] getIncludeCipherSuites()
{
return _includeCipherSuites;
return _sslContextFactory.getIncludeCipherSuites();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
* @deprecated
*/
@Deprecated
public void setIncludeCipherSuites(String[] cipherSuites)
{
this._includeCipherSuites=cipherSuites;
_sslContextFactory.setIncludeCipherSuites(cipherSuites);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setPassword(java.lang.String)
* @deprecated
*/
@Deprecated
public void setPassword(String password)
{
_password=Password.getPassword(PASSWORD_PROPERTY,password,null);
_sslContextFactory.setKeystorePassword(password);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setTrustPassword(java.lang.String)
* @deprecated
*/
@Deprecated
public void setTrustPassword(String password)
{
_trustPassword=Password.getPassword(PASSWORD_PROPERTY,password,null);
_sslContextFactory.setTruststorePassword(password);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setKeyPassword(java.lang.String)
* @deprecated
*/
@Deprecated
public void setKeyPassword(String password)
{
_keyPassword=Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
_sslContextFactory.setKeyManagerPassword(password);
}
/* ------------------------------------------------------------ */
/**
* @deprecated use {@link #getSslKeyManagerFactoryAlgorithm()} or
* {@link #getSslTrustManagerFactoryAlgorithm()}
* Unsupported.
*
* TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
* @deprecated
*/
@Deprecated
public String getAlgorithm()
{
return getSslKeyManagerFactoryAlgorithm();
throw new UnsupportedOperationException();
}
/* ------------------------------------------------------------ */
/**
* @deprecated use {@link #setSslKeyManagerFactoryAlgorithm(String)} or
* {@link #setSslTrustManagerFactoryAlgorithm(String)}
* Unsupported.
*
* TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
* @deprecated
*/
@Deprecated
public void setAlgorithm(String algorithm)
{
setSslKeyManagerFactoryAlgorithm(algorithm);
setSslTrustManagerFactoryAlgorithm(algorithm);
throw new UnsupportedOperationException();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getProtocol()
* @deprecated
*/
@Deprecated
public String getProtocol()
{
return _protocol;
return _sslContextFactory.getProtocol();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setProtocol(java.lang.String)
* @deprecated
*/
@Deprecated
public void setProtocol(String protocol)
{
_protocol=protocol;
_sslContextFactory.setProtocol(protocol);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setKeystore(java.lang.String)
* @deprecated
*/
@Deprecated
public void setKeystore(String keystore)
{
_keystorePath=keystore;
_sslContextFactory.setKeystore(keystore);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getKeystore()
* @deprecated
*/
@Deprecated
public String getKeystore()
{
return _keystorePath;
return _sslContextFactory.getKeystore();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getKeystoreType()
* @deprecated
*/
@Deprecated
public String getKeystoreType()
{
return (_keystoreType);
return _sslContextFactory.getKeystoreType();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getNeedClientAuth()
* @deprecated
*/
@Deprecated
public boolean getNeedClientAuth()
{
return _needClientAuth;
return _sslContextFactory.getNeedClientAuth();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getWantClientAuth()
* @deprecated
*/
@Deprecated
public boolean getWantClientAuth()
{
return _wantClientAuth;
return _sslContextFactory.getWantClientAuth();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setNeedClientAuth(boolean)
* @deprecated
*/
@Deprecated
public void setNeedClientAuth(boolean needClientAuth)
{
_needClientAuth=needClientAuth;
_sslContextFactory.setNeedClientAuth(needClientAuth);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setWantClientAuth(boolean)
* @deprecated
*/
@Deprecated
public void setWantClientAuth(boolean wantClientAuth)
{
_wantClientAuth=wantClientAuth;
_sslContextFactory.setWantClientAuth(wantClientAuth);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setKeystoreType(java.lang.String)
* @deprecated
*/
@Deprecated
public void setKeystoreType(String keystoreType)
{
_keystoreType=keystoreType;
_sslContextFactory.setKeystoreType(keystoreType);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getProvider()
* @deprecated
*/
@Deprecated
public String getProvider()
{
return _provider;
return _sslContextFactory.getProvider();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getSecureRandomAlgorithm()
* @deprecated
*/
@Deprecated
public String getSecureRandomAlgorithm()
{
return (this._secureRandomAlgorithm);
return _sslContextFactory.getSecureRandomAlgorithm();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getSslKeyManagerFactoryAlgorithm()
* @deprecated
*/
@Deprecated
public String getSslKeyManagerFactoryAlgorithm()
{
return (this._sslKeyManagerFactoryAlgorithm);
return _sslContextFactory.getSslKeyManagerFactoryAlgorithm();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getSslTrustManagerFactoryAlgorithm()
* @deprecated
*/
@Deprecated
public String getSslTrustManagerFactoryAlgorithm()
{
return (this._sslTrustManagerFactoryAlgorithm);
return _sslContextFactory.getTrustManagerFactoryAlgorithm();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getTruststore()
* @deprecated
*/
@Deprecated
public String getTruststore()
{
return _truststorePath;
return _sslContextFactory.getTruststore();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getTruststoreType()
* @deprecated
*/
@Deprecated
public String getTruststoreType()
{
return _truststoreType;
return _sslContextFactory.getTruststoreType();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setProvider(java.lang.String)
* @deprecated
*/
@Deprecated
public void setProvider(String provider)
{
_provider=provider;
_sslContextFactory.setProvider(provider);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setSecureRandomAlgorithm(java.lang.String)
* @deprecated
*/
@Deprecated
public void setSecureRandomAlgorithm(String algorithm)
{
this._secureRandomAlgorithm=algorithm;
_sslContextFactory.setSecureRandomAlgorithm(algorithm);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setSslKeyManagerFactoryAlgorithm(java.lang.String)
* @deprecated
*/
@Deprecated
public void setSslKeyManagerFactoryAlgorithm(String algorithm)
{
this._sslKeyManagerFactoryAlgorithm=algorithm;
_sslContextFactory.setSslKeyManagerFactoryAlgorithm(algorithm);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setSslTrustManagerFactoryAlgorithm(java.lang.String)
* @deprecated
*/
@Deprecated
public void setSslTrustManagerFactoryAlgorithm(String algorithm)
{
this._sslTrustManagerFactoryAlgorithm=algorithm;
_sslContextFactory.setTrustManagerFactoryAlgorithm(algorithm);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setTruststore(java.lang.String)
* @deprecated
*/
@Deprecated
public void setTruststore(String truststore)
{
_truststorePath=truststore;
_sslContextFactory.setTruststore(truststore);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setTruststoreType(java.lang.String)
* @deprecated
*/
@Deprecated
public void setTruststoreType(String truststoreType)
{
_truststoreType=truststoreType;
_sslContextFactory.setTruststoreType(truststoreType);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
* @deprecated
*/
@Deprecated
public void setSslContext(SSLContext sslContext)
{
_context = sslContext;
_sslContextFactory.setSslContext(sslContext);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
* @deprecated
*/
@Deprecated
public SSLContext getSslContext()
{
try
{
if (_context == null)
_context=createSSLContext();
}
catch(Exception e)
{
throw new RuntimeException(e);
}
return _sslContextFactory.getSslContext();
}
return _context;
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getSslContextFactory()
*/
// @Override
public SslContextFactory getSslContextFactory()
{
return _sslContextFactory;
}
/* ------------------------------------------------------------ */
@ -505,7 +544,7 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
protected SelectChannelEndPoint newEndPoint(SocketChannel channel, SelectSet selectSet, SelectionKey key) throws IOException
{
SslSelectChannelEndPoint endp = new SslSelectChannelEndPoint(_sslBuffers,channel,selectSet,key,createSSLEngine(), SslSelectChannelConnector.this._maxIdleTime);
endp.setAllowRenegotiate(_allowRenegotiate);
endp.setAllowRenegotiate(_sslContextFactory.isAllowRenegotiate());
return endp;
}
@ -524,59 +563,17 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
SSLEngine engine = null;
try
{
engine = _context.createSSLEngine();
engine = _sslContextFactory.getSslContext().createSSLEngine();
engine.setUseClientMode(false);
if (_wantClientAuth)
engine.setWantClientAuth(_wantClientAuth);
if (_needClientAuth)
engine.setNeedClientAuth(_needClientAuth);
if (_sslContextFactory.getWantClientAuth())
engine.setWantClientAuth(_sslContextFactory.getWantClientAuth());
if (_sslContextFactory.getNeedClientAuth())
engine.setNeedClientAuth(_sslContextFactory.getNeedClientAuth());
if ((_excludeCipherSuites != null && _excludeCipherSuites.length > 0) || (_includeCipherSuites != null && _includeCipherSuites.length > 0))
{
List<String> includedCSList;
if (_includeCipherSuites != null)
{
includedCSList = Arrays.asList(_includeCipherSuites);
}
else
{
includedCSList = new ArrayList<String>();
}
List<String> excludedCSList;
if (_excludeCipherSuites != null)
{
excludedCSList = Arrays.asList(_excludeCipherSuites);
}
else
{
excludedCSList = new ArrayList<String>();
}
String[] enabledCipherSuites = engine.getEnabledCipherSuites();
List<String> enabledCSList = new ArrayList<String>(Arrays.asList(enabledCipherSuites));
String[] supportedCipherSuites = engine.getSupportedCipherSuites();
List<String> supportedCSList = Arrays.asList(supportedCipherSuites);
for (String cipherName : includedCSList)
{
if ((!enabledCSList.contains(cipherName)) && supportedCSList.contains(cipherName))
{
enabledCSList.add(cipherName);
}
}
for (String cipherName : excludedCSList)
{
if (enabledCSList.contains(cipherName))
{
enabledCSList.remove(cipherName);
}
}
enabledCipherSuites = enabledCSList.toArray(new String[0]);
engine.setEnabledCipherSuites(enabledCipherSuites);
}
engine.setEnabledCipherSuites(
_sslContextFactory.selectCipherSuites(engine.getEnabledCipherSuites(),
engine.getSupportedCipherSuites()));
}
catch (Exception e)
{
@ -587,14 +584,31 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
return engine;
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.nio.SelectChannelConnector#doStart()
*/
@Override
protected void doStart() throws Exception
{
if (_context == null)
_context=createSSLContext();
if (!_sslContextFactory.checkConfig())
{
throw new IllegalStateException("SSL context is not configured correctly.");
}
_sslContextFactory.start();
SSLEngine sslEngine = _sslContextFactory.getSslContext().createSSLEngine();
SSLEngine engine=createSSLEngine();
SSLSession ssl_session=engine.getSession();
sslEngine.setUseClientMode(false);
sslEngine.setWantClientAuth(_sslContextFactory.getWantClientAuth());
sslEngine.setNeedClientAuth(_sslContextFactory.getNeedClientAuth());
sslEngine.setEnabledCipherSuites(_sslContextFactory.selectCipherSuites(
sslEngine.getEnabledCipherSuites(),
sslEngine.getSupportedCipherSuites()));
SSLSession sslSession = sslEngine.getSession();
ThreadLocalBuffers buffers = new ThreadLocalBuffers()
{
@ -618,76 +632,36 @@ public class SslSelectChannelConnector extends SelectChannelConnector implements
return true;
}
};
buffers.setBufferSize(ssl_session.getApplicationBufferSize());
buffers.setHeaderSize(ssl_session.getApplicationBufferSize());
buffers.setBufferSize(sslSession.getApplicationBufferSize());
buffers.setHeaderSize(sslSession.getApplicationBufferSize());
_sslBuffers=buffers;
if (getRequestHeaderSize()<ssl_session.getApplicationBufferSize())
setRequestHeaderSize(ssl_session.getApplicationBufferSize());
if (getRequestBufferSize()<ssl_session.getApplicationBufferSize())
setRequestBufferSize(ssl_session.getApplicationBufferSize());
if (getRequestHeaderSize()<sslSession.getApplicationBufferSize())
setRequestHeaderSize(sslSession.getApplicationBufferSize());
if (getRequestBufferSize()<sslSession.getApplicationBufferSize())
setRequestBufferSize(sslSession.getApplicationBufferSize());
super.doStart();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.nio.SelectChannelConnector#doStop()
*/
@Override
protected void doStop() throws Exception
{
_sslContextFactory.stop();
super.doStop();
}
/* ------------------------------------------------------------ */
/**
* @return SSL buffers
*/
public Buffers getSslBuffers()
{
return _sslBuffers;
}
/* ------------------------------------------------------------ */
protected SSLContext createSSLContext() throws Exception
{
KeyManager[] keyManagers=getKeyManagers();
TrustManager[] trustManagers=getTrustManagers();
SecureRandom secureRandom=_secureRandomAlgorithm==null?null:SecureRandom.getInstance(_secureRandomAlgorithm);
SSLContext context=_provider==null?SSLContext.getInstance(_protocol):SSLContext.getInstance(_protocol,_provider);
context.init(keyManagers,trustManagers,secureRandom);
return context;
}
/* ------------------------------------------------------------ */
protected KeyManager[] getKeyManagers() throws Exception
{
KeyStore keyStore = getKeyStore(_keystorePath, _keystoreType, _password==null?null:_password.toString());
KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(_sslKeyManagerFactoryAlgorithm);
keyManagerFactory.init(keyStore,_keyPassword==null?(_password==null?null:_password.toString().toCharArray()):_keyPassword.toString().toCharArray());
return keyManagerFactory.getKeyManagers();
}
/* ------------------------------------------------------------ */
protected TrustManager[] getTrustManagers() throws Exception
{
if (_truststorePath == null)
{
_truststorePath = _keystorePath;
_truststoreType = _keystoreType;
_trustPassword = _password;
_sslTrustManagerFactoryAlgorithm = _sslKeyManagerFactoryAlgorithm;
}
KeyStore trustStore = getKeyStore(_truststorePath, _truststoreType, _trustPassword == null ? null : _trustPassword.toString());
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_sslTrustManagerFactoryAlgorithm);
trustManagerFactory.init(trustStore);
return trustManagerFactory.getTrustManagers();
}
/* ------------------------------------------------------------ */
protected KeyStore getKeyStore(String keystorePath, String keystoreType, String keystorePassword) throws Exception
{
if (keystorePath == null)
return null;
InputStream keystoreInputStream = Resource.newResource(keystorePath).getInputStream();
try
{
KeyStore keystore = KeyStore.getInstance(keystoreType);
keystore.load(keystoreInputStream, keystorePassword == null ? null : keystorePassword.toCharArray());
return keystore;
}
finally
{
keystoreInputStream.close();
}
}
}
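Review bot: The deprecated setPassword, setTrustPassword and setKeyPassword now pass the raw string straight to the SslContextFactory, whereas the removed lines first ran it through `Password.getPassword(PASSWORD_PROPERTY, password, null)` (and `KEYPASSWORD_PROPERTY` for the key password), which resolves the system-property override and the `OBF:` obfuscated form. If SslContextFactory's setKeystorePassword/setTruststorePassword/setKeyManagerPassword do not perform the same resolution (not visible in this diff), existing configurations that supply an obfuscated or property-driven password will fail to open the keystore at start or, worse, treat the literal `OBF:...` text as the password; worth confirming and stating in the Javadoc of these delegates, e.g. `@see org.eclipse.jetty.http.security.Password#getPassword`. Separately, doStart re-implements the engine setup that createSSLEngine already performs a few lines above (client mode, want/need client auth, selectCipherSuites), but applies want/need unconditionally where createSSLEngine guards them; calling `createSSLEngine()` as the old code did keeps the two paths from drifting (createSSLEngine's catch block runs past the visible lines). The `// @Override` left commented out on getSslContextFactory is clutter and should be dropped.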


@ -14,37 +14,26 @@
package org.eclipse.jetty.server.ssl;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.jetty.http.HttpSchemes;
import org.eclipse.jetty.http.security.Password;
import org.eclipse.jetty.http.ssl.SslContextFactory;
import org.eclipse.jetty.io.EndPoint;
import org.eclipse.jetty.io.bio.SocketEndPoint;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.bio.SocketConnector;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.resource.Resource;
/* ------------------------------------------------------------ */
/**
@ -63,35 +52,8 @@ import org.eclipse.jetty.util.resource.Resource;
*/
public class SslSocketConnector extends SocketConnector implements SslConnector
{
/** Default value for the cipher Suites. */
private String _excludeCipherSuites[] = null;
/** Default value for the included cipher Suites. */
private String _includeCipherSuites[]=null;
/** Default value for the keystore location path. */
private String _keystorePath=DEFAULT_KEYSTORE ;
private String _keystoreType = "JKS"; // type of the key store
/** Set to true if we require client certificate authentication. */
private boolean _needClientAuth = false;
private transient Password _password;
private transient Password _keyPassword;
private transient Password _trustPassword;
private String _protocol= "TLS";
private String _provider;
private String _secureRandomAlgorithm; // cert algorithm
private String _sslKeyManagerFactoryAlgorithm = DEFAULT_KEYSTORE_ALGORITHM;
private String _sslTrustManagerFactoryAlgorithm = DEFAULT_TRUSTSTORE_ALGORITHM;
private String _truststorePath;
private String _truststoreType = "JKS"; // type of the key store
/** Set to true if we would like client certificate authentication. */
private boolean _wantClientAuth = false;
private final SslContextFactory _sslContextFactory;
private int _handshakeTimeout = 0; //0 means use maxIdleTime
private SSLContext _context;
private boolean _allowRenegotiate =false;
/* ------------------------------------------------------------ */
/**
@ -99,7 +61,12 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
*/
public SslSocketConnector()
{
super();
this(new SslContextFactory(SslContextFactory.DEFAULT_KEYSTORE_PATH));
}
public SslSocketConnector(SslContextFactory sslContextFactory)
{
_sslContextFactory = sslContextFactory;
}
/* ------------------------------------------------------------ */
@ -108,7 +75,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
*/
public boolean isAllowRenegotiate()
{
return _allowRenegotiate;
return _sslContextFactory.isAllowRenegotiate();
}
/* ------------------------------------------------------------ */
@ -121,7 +88,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
*/
public void setAllowRenegotiate(boolean allowRenegotiate)
{
_allowRenegotiate = allowRenegotiate;
_sslContextFactory.setAllowRenegotiate(allowRenegotiate);
}
/* ------------------------------------------------------------ */
@ -144,74 +111,6 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
super.configure(socket);
}
/* ------------------------------------------------------------ */
protected SSLContext createSSLContext() throws Exception
{
KeyManager[] keyManagers = getKeyManagers();
TrustManager[] trustManagers = getTrustManagers();
SecureRandom secureRandom = _secureRandomAlgorithm==null?null:SecureRandom.getInstance(_secureRandomAlgorithm);
SSLContext context = _provider==null?SSLContext.getInstance(_protocol):SSLContext.getInstance(_protocol, _provider);
context.init(keyManagers, trustManagers, secureRandom);
return context;
}
/* ------------------------------------------------------------ */
protected SSLServerSocketFactory createFactory()
throws Exception
{
if (_context==null)
_context=createSSLContext();
return _context.getServerSocketFactory();
}
/* ------------------------------------------------------------ */
protected KeyManager[] getKeyManagers() throws Exception
{
KeyStore keyStore = getKeyStore(_keystorePath, _keystoreType, _password==null?null:_password.toString());
KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(_sslKeyManagerFactoryAlgorithm);
keyManagerFactory.init(keyStore,_keyPassword==null?(_password==null?null:_password.toString().toCharArray()):_keyPassword.toString().toCharArray());
return keyManagerFactory.getKeyManagers();
}
protected TrustManager[] getTrustManagers() throws Exception
{
if (_truststorePath==null)
{
_truststorePath=_keystorePath;
_truststoreType=_keystoreType;
//TODO is this right? it wasn't in the code before refactoring
_trustPassword = _password;
_sslTrustManagerFactoryAlgorithm = _sslKeyManagerFactoryAlgorithm;
}
KeyStore trustStore = getKeyStore(_truststorePath, _truststoreType, _trustPassword==null?null:_trustPassword.toString());
TrustManagerFactory trustManagerFactory=TrustManagerFactory.getInstance(_sslTrustManagerFactoryAlgorithm);
trustManagerFactory.init(trustStore);
return trustManagerFactory.getTrustManagers();
}
protected KeyStore getKeyStore(String keystorePath, String keystoreType, String keystorePassword) throws Exception
{
KeyStore keystore;
InputStream keystoreInputStream = null;
try
{
if (keystorePath!=null)
keystoreInputStream = Resource.newResource(keystorePath).getInputStream();
keystore=KeyStore.getInstance(keystoreType);
keystore.load(keystoreInputStream,keystorePassword==null?null:keystorePassword.toString().toCharArray());
return keystore;
}
finally
{
if (keystoreInputStream != null)
keystoreInputStream.close();
}
}
/* ------------------------------------------------------------ */
/**
* Allow the Listener a chance to customise the request. before the server does its stuff. <br>
@ -247,79 +146,154 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
* @deprecated
*/
@Deprecated
public String[] getExcludeCipherSuites() {
return _excludeCipherSuites;
return _sslContextFactory.getExcludeCipherSuites();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getIncludeCipherSuites()
* @deprecated
*/
@Deprecated
public String[] getIncludeCipherSuites()
{
return _includeCipherSuites;
return _sslContextFactory.getIncludeCipherSuites();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getKeystore()
* @deprecated
*/
@Deprecated
public String getKeystore()
{
return _keystorePath;
return _sslContextFactory.getKeystore();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getKeystoreType()
* @deprecated
*/
@Deprecated
public String getKeystoreType()
{
return (_keystoreType);
return _sslContextFactory.getKeystoreType();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getNeedClientAuth()
* @deprecated
*/
@Deprecated
public boolean getNeedClientAuth()
{
return _needClientAuth;
return _sslContextFactory.getNeedClientAuth();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getProtocol()
* @deprecated
*/
@Deprecated
public String getProtocol()
{
return _protocol;
return _sslContextFactory.getProtocol();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getProvider()
* @deprecated
*/
@Deprecated
public String getProvider() {
return _provider;
return _sslContextFactory.getProvider();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getSecureRandomAlgorithm()
* @deprecated
*/
@Deprecated
public String getSecureRandomAlgorithm()
{
return (this._secureRandomAlgorithm);
return _sslContextFactory.getSecureRandomAlgorithm();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getSslKeyManagerFactoryAlgorithm()
* @deprecated
*/
@Deprecated
public String getSslKeyManagerFactoryAlgorithm()
{
return (this._sslKeyManagerFactoryAlgorithm);
return _sslContextFactory.getSslKeyManagerFactoryAlgorithm();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getSslTrustManagerFactoryAlgorithm()
* @deprecated
*/
@Deprecated
public String getSslTrustManagerFactoryAlgorithm()
{
return (this._sslTrustManagerFactoryAlgorithm);
return _sslContextFactory.getTrustManagerFactoryAlgorithm();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getTruststore()
* @deprecated
*/
@Deprecated
public String getTruststore()
{
return _truststorePath;
return _sslContextFactory.getTruststore();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getSslContextFactory()
*/
// @Override
public SslContextFactory getSslContextFactory()
{
return _sslContextFactory;
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getTruststoreType()
* @deprecated
*/
@Deprecated
public String getTruststoreType()
{
return _truststoreType;
return _sslContextFactory.getTruststoreType();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#getWantClientAuth()
* @deprecated
*/
@Deprecated
public boolean getWantClientAuth()
{
return _wantClientAuth;
return _sslContextFactory.getWantClientAuth();
}
/* ------------------------------------------------------------ */
@ -351,6 +325,35 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
final int integralPort = getIntegralPort();
return integralPort == 0 || integralPort == request.getServerPort();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.nio.SelectChannelConnector#doStart()
*/
@Override
protected void doStart() throws Exception
{
if (!_sslContextFactory.checkConfig())
{
throw new IllegalStateException("SSL context is not configured correctly.");
}
_sslContextFactory.start();
super.doStart();
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.bio.SocketConnector#doStop()
*/
@Override
protected void doStop() throws Exception
{
_sslContextFactory.stop();
super.doStop();
}
/* ------------------------------------------------------------ */
/**
@ -363,118 +366,80 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
* @see #setNeedClientAuth(boolean)
* @exception IOException
*/
/* ------------------------------------------------------------ */
@Override
protected ServerSocket newServerSocket(String host, int port,int backlog) throws IOException
{
SSLServerSocketFactory factory = null;
SSLServerSocket socket = null;
SSLServerSocketFactory factory = _sslContextFactory.getSslContext().getServerSocketFactory();
try
{
factory = createFactory();
SSLServerSocket socket =
(SSLServerSocket) (host==null ?
factory.createServerSocket(port,backlog):
factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
socket = (SSLServerSocket) (host==null?
factory.createServerSocket(port,backlog):
factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
if (_sslContextFactory.getWantClientAuth())
socket.setWantClientAuth(_sslContextFactory.getWantClientAuth());
if (_sslContextFactory.getNeedClientAuth())
socket.setNeedClientAuth(_sslContextFactory.getNeedClientAuth());
if (_wantClientAuth)
socket.setWantClientAuth(_wantClientAuth);
if (_needClientAuth)
socket.setNeedClientAuth(_needClientAuth);
if ((_excludeCipherSuites!=null&&_excludeCipherSuites.length>0)
|| (_includeCipherSuites!=null&&_includeCipherSuites.length>0))
{
List<String> includedCSList;
if (_includeCipherSuites!=null)
{
includedCSList = Arrays.asList(_includeCipherSuites);
} else {
includedCSList = new ArrayList<String>();
}
List<String> excludedCSList;
if (_excludeCipherSuites!=null)
{
excludedCSList = Arrays.asList(_excludeCipherSuites);
} else {
excludedCSList = new ArrayList<String>();
}
String[] enabledCipherSuites = socket.getEnabledCipherSuites();
List<String> enabledCSList = new ArrayList<String>(Arrays.asList(enabledCipherSuites));
String[] supportedCipherSuites = socket.getSupportedCipherSuites();
List<String> supportedCSList = Arrays.asList(supportedCipherSuites);
for (String cipherName : includedCSList)
{
if ((!enabledCSList.contains(cipherName))
&& supportedCSList.contains(cipherName))
{
enabledCSList.add(cipherName);
}
}
for (String cipherName : excludedCSList)
{
if (enabledCSList.contains(cipherName))
{
enabledCSList.remove(cipherName);
}
}
enabledCipherSuites = enabledCSList.toArray(new String[enabledCSList.size()]);
socket.setEnabledCipherSuites(enabledCipherSuites);
}
}
catch (IOException e)
{
throw e;
}
catch (Exception e)
{
Log.warn(e.toString());
Log.debug(e);
throw new IOException("!JsseListener: " + e);
}
socket.setEnabledCipherSuites(_sslContextFactory.selectCipherSuites(
socket.getEnabledCipherSuites(),
socket.getSupportedCipherSuites()));
return socket;
}
/* ------------------------------------------------------------ */
/**
*
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
* @deprecated
*/
public void setExcludeCipherSuites(String[] cipherSuites) {
this._excludeCipherSuites = cipherSuites;
@Deprecated
public void setExcludeCipherSuites(String[] cipherSuites)
{
_sslContextFactory.setExcludeCipherSuites(cipherSuites);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setIncludeCipherSuites(java.lang.String[])
* @deprecated
*/
@Deprecated
public void setIncludeCipherSuites(String[] cipherSuites)
{
this._includeCipherSuites=cipherSuites;
_sslContextFactory.setIncludeCipherSuites(cipherSuites);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setKeyPassword(java.lang.String)
* @deprecated
*/
@Deprecated
public void setKeyPassword(String password)
{
_keyPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
_sslContextFactory.setKeyManagerPassword(password);
}
/* ------------------------------------------------------------ */
/**
* @param keystore The resource path to the keystore, or null for built in keystores.
* @deprecated
*/
@Deprecated
public void setKeystore(String keystore)
{
_keystorePath = keystore;
_sslContextFactory.setKeystore(keystore);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setKeystoreType(java.lang.String)
* @deprecated
*/
@Deprecated
public void setKeystoreType(String keystoreType)
{
_keystoreType = keystoreType;
_sslContextFactory.setKeystoreType(keystoreType);
}
/* ------------------------------------------------------------ */
@ -482,87 +447,132 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
* Set the value of the needClientAuth property
*
* @param needClientAuth true iff we require client certificate authentication.
* @deprecated
*/
@Deprecated
public void setNeedClientAuth(boolean needClientAuth)
{
_needClientAuth = needClientAuth;
_sslContextFactory.setNeedClientAuth(needClientAuth);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setPassword(java.lang.String)
* @deprecated
*/
@Deprecated
public void setPassword(String password)
{
_password = Password.getPassword(PASSWORD_PROPERTY,password,null);
_sslContextFactory.setKeystorePassword(password);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setTrustPassword(java.lang.String)
* @deprecated
*/
@Deprecated
public void setTrustPassword(String password)
{
_trustPassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
_sslContextFactory.setTruststorePassword(password);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setProtocol(java.lang.String)
* @deprecated
*/
@Deprecated
public void setProtocol(String protocol)
{
_protocol = protocol;
_sslContextFactory.setProtocol(protocol);
}
/* ------------------------------------------------------------ */
public void setProvider(String _provider) {
this._provider = _provider;
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setProvider(java.lang.String)
* @deprecated
*/
@Deprecated
public void setProvider(String provider) {
_sslContextFactory.setProvider(provider);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setSecureRandomAlgorithm(java.lang.String)
* @deprecated
*/
@Deprecated
public void setSecureRandomAlgorithm(String algorithm)
{
this._secureRandomAlgorithm = algorithm;
_sslContextFactory.setSecureRandomAlgorithm(algorithm);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setSslKeyManagerFactoryAlgorithm(java.lang.String)
* @deprecated
*/
@Deprecated
public void setSslKeyManagerFactoryAlgorithm(String algorithm)
{
this._sslKeyManagerFactoryAlgorithm = algorithm;
_sslContextFactory.setSslKeyManagerFactoryAlgorithm(algorithm);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setSslTrustManagerFactoryAlgorithm(java.lang.String)
* @deprecated
*/
@Deprecated
public void setSslTrustManagerFactoryAlgorithm(String algorithm)
{
this._sslTrustManagerFactoryAlgorithm = algorithm;
_sslContextFactory.setTrustManagerFactoryAlgorithm(algorithm);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setTruststore(java.lang.String)
* @deprecated
*/
@Deprecated
public void setTruststore(String truststore)
{
_truststorePath = truststore;
_sslContextFactory.setTruststore(truststore);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setTruststoreType(java.lang.String)
* @deprecated
*/
@Deprecated
public void setTruststoreType(String truststoreType)
{
_truststoreType = truststoreType;
_sslContextFactory.setTruststoreType(truststoreType);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
* @deprecated
*/
@Deprecated
public void setSslContext(SSLContext sslContext)
{
_context = sslContext;
_sslContextFactory.setSslContext(sslContext);
}
/* ------------------------------------------------------------ */
/**
* @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
* @deprecated
*/
@Deprecated
public SSLContext getSslContext()
{
try
{
if (_context == null)
_context=createSSLContext();
}
catch(Exception e)
{
throw new RuntimeException(e);
}
return _context;
return _sslContextFactory.getSslContext();
}
/* ------------------------------------------------------------ */
@ -572,10 +582,12 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
*
* @param wantClientAuth true if we want client certificate authentication.
* @see SSLServerSocket#setWantClientAuth
* @deprecated
*/
@Deprecated
public void setWantClientAuth(boolean wantClientAuth)
{
_wantClientAuth = wantClientAuth;
_sslContextFactory.setWantClientAuth(wantClientAuth);
}
/* ------------------------------------------------------------ */
@ -628,7 +640,7 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
{
if (handshook)
{
if (!_allowRenegotiate)
if (!_sslContextFactory.isAllowRenegotiate())
{
Log.warn("SSL renegotiate denied: "+ssl);
try{ssl.close();}catch(IOException e){Log.warn(e);}
@ -665,7 +677,9 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
* Unsupported.
*
* TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
* @deprecated
*/
@Deprecated
public String getAlgorithm()
{
throw new UnsupportedOperationException();
@ -676,7 +690,9 @@ public class SslSocketConnector extends SocketConnector implements SslConnector
* Unsupported.
*
* TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
* @deprecated
*/
@Deprecated
public void setAlgorithm(String algorithm)
{
throw new UnsupportedOperationException();