[Bug 393933] remove deprecated classes/methods and consolidate some static methods to SslContextFactory

Jesse McConnell 2013-01-28 16:15:34 -06:00
parent 06563d01b3
commit a086451bc7
6 changed files with 94 additions and 573 deletions


@ -26,11 +26,10 @@ import javax.net.ssl.SSLSession;
import org.eclipse.jetty.http.HttpScheme;
import org.eclipse.jetty.io.ssl.SslConnection;
import org.eclipse.jetty.io.ssl.SslConnection.DecryptedEndPoint;
import org.eclipse.jetty.server.ssl.ServletSSL;
import org.eclipse.jetty.server.ssl.SslCertificates;
import org.eclipse.jetty.util.TypeUtil;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
import org.eclipse.jetty.util.ssl.SslContextFactory;
public class SecureRequestCustomizer implements HttpConfiguration.Customizer
{
@ -99,10 +98,10 @@ public class SecureRequestCustomizer implements HttpConfiguration.Customizer
certs=cachedInfo.getCerts();
idStr=cachedInfo.getIdStr();
}
else
else
{
keySize=new Integer(ServletSSL.deduceKeyLength(cipherSuite));
certs=SslCertificates.getCertChain(sslSession);
keySize=new Integer(SslContextFactory.deduceKeyLength(cipherSuite));
certs=SslContextFactory.getCertChain(sslSession);
byte[] bytes = sslSession.getId();
idStr = TypeUtil.toHexString(bytes);
cachedInfo=new CachedInfo(keySize,certs,idStr);
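Review bot: The rewritten line `keySize=new Integer(SslContextFactory.deduceKeyLength(cipherSuite));` still boxes through the `Integer` constructor, which allocates a fresh object on every uncached session; `keySize=Integer.valueOf(SslContextFactory.deduceKeyLength(cipherSuite));` is the idiomatic form and reuses cached instances where the runtime provides them. The enclosing method starts and ends outside the hunk.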


@ -1,88 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.server.ssl;
/* --------------------------------------------------------------------- */
/**
* Jetty Servlet SSL support utilities.
* <p>
* A collection of utilities required to support the SSL requirements of the Servlet 2.2 and 2.3
* specs.
*
* <p>
* Used by the SSL listener classes.
*
*
*/
public class ServletSSL
{
/* ------------------------------------------------------------ */
/**
* Given the name of a TLS/SSL cipher suite, return an int representing it effective stream
* cipher key strength. i.e. How much entropy material is in the key material being fed into the
* encryption routines.
*
* <p>
* This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol
* Version 1.0, Appendix C. CipherSuite definitions:
*
* <pre>
* Effective
* Cipher Type Key Bits
*
* NULL * Stream 0
* IDEA_CBC Block 128
* RC2_CBC_40 * Block 40
* RC4_40 * Stream 40
* RC4_128 Stream 128
* DES40_CBC * Block 40
* DES_CBC Block 56
* 3DES_EDE_CBC Block 168
* </pre>
*
* @param cipherSuite String name of the TLS cipher suite.
* @return int indicating the effective key entropy bit-length.
*/
public static int deduceKeyLength(String cipherSuite)
{
// Roughly ordered from most common to least common.
if (cipherSuite == null)
return 0;
else if (cipherSuite.indexOf("WITH_AES_256_") >= 0)
return 256;
else if (cipherSuite.indexOf("WITH_RC4_128_") >= 0)
return 128;
else if (cipherSuite.indexOf("WITH_AES_128_") >= 0)
return 128;
else if (cipherSuite.indexOf("WITH_RC4_40_") >= 0)
return 40;
else if (cipherSuite.indexOf("WITH_3DES_EDE_CBC_") >= 0)
return 168;
else if (cipherSuite.indexOf("WITH_IDEA_CBC_") >= 0)
return 128;
else if (cipherSuite.indexOf("WITH_RC2_CBC_40_") >= 0)
return 40;
else if (cipherSuite.indexOf("WITH_DES40_CBC_") >= 0)
return 40;
else if (cipherSuite.indexOf("WITH_DES_CBC_") >= 0)
return 56;
else
return 0;
}
}


@ -1,67 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.server.ssl;
import java.io.ByteArrayInputStream;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import org.eclipse.jetty.util.log.Log;
import org.eclipse.jetty.util.log.Logger;
public class SslCertificates
{
private static final Logger LOG = Log.getLogger(SslCertificates.class);
public static X509Certificate[] getCertChain(SSLSession sslSession)
{
try
{
javax.security.cert.X509Certificate javaxCerts[]=sslSession.getPeerCertificateChain();
if (javaxCerts==null||javaxCerts.length==0)
return null;
int length=javaxCerts.length;
X509Certificate[] javaCerts=new X509Certificate[length];
java.security.cert.CertificateFactory cf=java.security.cert.CertificateFactory.getInstance("X.509");
for (int i=0; i<length; i++)
{
byte bytes[]=javaxCerts[i].getEncoded();
ByteArrayInputStream stream=new ByteArrayInputStream(bytes);
javaCerts[i]=(X509Certificate)cf.generateCertificate(stream);
}
return javaCerts;
}
catch (SSLPeerUnverifiedException pue)
{
return null;
}
catch (Exception e)
{
LOG.warn(Log.EXCEPTION,e);
return null;
}
}
}


@ -1,348 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.server.ssl;
import java.io.File;
import java.security.SecureRandom;
import java.security.Security;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManagerFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
/* ------------------------------------------------------------ */
/** The interface for SSL connectors and their configuration methods.
*
*/
@Deprecated
interface SslConnector
{
@Deprecated
public static final String DEFAULT_KEYSTORE_ALGORITHM=(Security.getProperty("ssl.KeyManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.KeyManagerFactory.algorithm"));
@Deprecated
public static final String DEFAULT_TRUSTSTORE_ALGORITHM=(Security.getProperty("ssl.TrustManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.TrustManagerFactory.algorithm"));
/** Default value for the keystore location path. @deprecated */
@Deprecated
public static final String DEFAULT_KEYSTORE = System.getProperty("user.home") + File.separator + ".keystore";
/** String name of key password property. @deprecated */
@Deprecated
public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
/** String name of keystore password property. @deprecated */
@Deprecated
public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
/* ------------------------------------------------------------ */
/**
* @return the instance of SslContextFactory associated with the connector
*/
public SslContextFactory getSslContextFactory();
/* ------------------------------------------------------------ */
/**
* @return The array of Ciphersuite names to exclude from
* {@link SSLEngine#setEnabledCipherSuites(String[])}
* @deprecated
*/
@Deprecated
public abstract String[] getExcludeCipherSuites();
/* ------------------------------------------------------------ */
/**
* @param cipherSuites The array of Ciphersuite names to exclude from
* {@link SSLEngine#setEnabledCipherSuites(String[])}
* @deprecated
*/
@Deprecated
public abstract void setExcludeCipherSuites(String[] cipherSuites);
/* ------------------------------------------------------------ */
/**
* @return The array of Ciphersuite names to include in
* {@link SSLEngine#setEnabledCipherSuites(String[])}
* @deprecated
*/
@Deprecated
public abstract String[] getIncludeCipherSuites();
/* ------------------------------------------------------------ */
/**
* @param cipherSuites The array of Ciphersuite names to include in
* {@link SSLEngine#setEnabledCipherSuites(String[])}
* @deprecated
*/
@Deprecated
public abstract void setIncludeCipherSuites(String[] cipherSuites);
/* ------------------------------------------------------------ */
/**
* @param password The password for the key store
* @deprecated
*/
@Deprecated
public abstract void setPassword(String password);
/* ------------------------------------------------------------ */
/**
* @param password The password for the trust store
* @deprecated
*/
@Deprecated
public abstract void setTrustPassword(String password);
/* ------------------------------------------------------------ */
/**
* @param password The password (if any) for the specific key within
* the key store
* @deprecated
*/
@Deprecated
public abstract void setKeyPassword(String password);
/* ------------------------------------------------------------ */
/**
* @return The SSL protocol (default "TLS") passed to {@link SSLContext#getInstance(String, String)}
* @deprecated
*/
@Deprecated
public abstract String getProtocol();
/* ------------------------------------------------------------ */
/**
* @param protocol The SSL protocol (default "TLS") passed to {@link SSLContext#getInstance(String, String)}
* @deprecated
*/
@Deprecated
public abstract void setProtocol(String protocol);
/* ------------------------------------------------------------ */
/**
* @param keystore The file or URL of the SSL Key store.
* @deprecated
*/
@Deprecated
public abstract void setKeystore(String keystore);
/* ------------------------------------------------------------ */
/**
* @return The file or URL of the SSL Key store.
* @deprecated
*/
@Deprecated
public abstract String getKeystore();
/* ------------------------------------------------------------ */
/**
* @return The type of the key store (default "JKS")
* @deprecated
*/
@Deprecated
public abstract String getKeystoreType();
/* ------------------------------------------------------------ */
/**
* @return True if SSL needs client authentication.
* @see SSLEngine#getNeedClientAuth()
* @deprecated
*/
@Deprecated
public abstract boolean getNeedClientAuth();
/* ------------------------------------------------------------ */
/**
* @return True if SSL wants client authentication.
* @see SSLEngine#getWantClientAuth()
* @deprecated
*/
@Deprecated
public abstract boolean getWantClientAuth();
/* ------------------------------------------------------------ */
/**
* @param needClientAuth True if SSL needs client authentication.
* @see SSLEngine#getNeedClientAuth()
* @deprecated
*/
@Deprecated
public abstract void setNeedClientAuth(boolean needClientAuth);
/* ------------------------------------------------------------ */
/**
* @param wantClientAuth True if SSL wants client authentication.
* @see SSLEngine#getWantClientAuth()
* @deprecated
*/
@Deprecated
public abstract void setWantClientAuth(boolean wantClientAuth);
/* ------------------------------------------------------------ */
/**
* @param keystoreType The type of the key store (default "JKS")
* @deprecated
*/
@Deprecated
public abstract void setKeystoreType(String keystoreType);
/* ------------------------------------------------------------ */
/**
* @return The SSL provider name, which if set is passed to
* {@link SSLContext#getInstance(String, String)}
* @deprecated
*/
@Deprecated
public abstract String getProvider();
/* ------------------------------------------------------------ */
/**
* @return The algorithm name, which if set is passed to
* {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom}
* instance passed to {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
* @deprecated
*/
@Deprecated
public abstract String getSecureRandomAlgorithm();
/* ------------------------------------------------------------ */
/**
* @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
* @deprecated
*/
@Deprecated
public abstract String getSslKeyManagerFactoryAlgorithm();
/* ------------------------------------------------------------ */
/**
* @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
* @deprecated
*/
@Deprecated
public abstract String getSslTrustManagerFactoryAlgorithm();
/* ------------------------------------------------------------ */
/**
* @return The file name or URL of the trust store location
* @deprecated
*/
@Deprecated
public abstract String getTruststore();
/* ------------------------------------------------------------ */
/**
* @return The type of the trust store (default "JKS")
* @deprecated
*/
@Deprecated
public abstract String getTruststoreType();
/* ------------------------------------------------------------ */
/**
* @param provider The SSL provider name, which if set is passed to
* {@link SSLContext#getInstance(String, String)}
* @deprecated
*/
@Deprecated
public abstract void setProvider(String provider);
/* ------------------------------------------------------------ */
/**
* @param algorithm The algorithm name, which if set is passed to
* {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom}
* instance passed to {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
* @deprecated
*/
@Deprecated
public abstract void setSecureRandomAlgorithm(String algorithm);
/* ------------------------------------------------------------ */
/**
* @param algorithm The algorithm name (default "SunX509") used by
* the {@link KeyManagerFactory}
* @deprecated
*/
@Deprecated
public abstract void setSslKeyManagerFactoryAlgorithm(String algorithm);
/* ------------------------------------------------------------ */
/**
* @param algorithm The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
* @deprecated
*/
@Deprecated
public abstract void setSslTrustManagerFactoryAlgorithm(String algorithm);
/* ------------------------------------------------------------ */
/**
* @param truststore The file name or URL of the trust store location
* @deprecated
*/
@Deprecated
public abstract void setTruststore(String truststore);
/* ------------------------------------------------------------ */
/**
* @param truststoreType The type of the trust store (default "JKS")
* @deprecated
*/
@Deprecated
public abstract void setTruststoreType(String truststoreType);
/* ------------------------------------------------------------ */
/**
* @param sslContext Set a preconfigured SSLContext
* @deprecated
*/
@Deprecated
public abstract void setSslContext(SSLContext sslContext);
/* ------------------------------------------------------------ */
/**
* @return The SSLContext
* @deprecated
*/
@Deprecated
public abstract SSLContext getSslContext();
/* ------------------------------------------------------------ */
/**
* @return True if SSL re-negotiation is allowed (default false)
* @deprecated
*/
@Deprecated
public boolean isAllowRenegotiate();
/* ------------------------------------------------------------ */
/**
* Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
* a vulnerability in SSL/TLS with re-negotiation. If your JVM
* does not have CVE-2009-3555 fixed, then re-negotiation should
* not be allowed.
* @param allowRenegotiate true if re-negotiation is allowed (default false)
* @deprecated
*/
@Deprecated
public void setAllowRenegotiate(boolean allowRenegotiate);
}


@ -1,40 +0,0 @@
//
// ========================================================================
// Copyright (c) 1995-2013 Mort Bay Consulting Pty. Ltd.
// ------------------------------------------------------------------------
// All rights reserved. This program and the accompanying materials
// are made available under the terms of the Eclipse Public License v1.0
// and Apache License v2.0 which accompanies this distribution.
//
// The Eclipse Public License is available at
// http://www.eclipse.org/legal/epl-v10.html
//
// The Apache License v2.0 is available at
// http://www.opensource.org/licenses/apache2.0.php
//
// You may elect to redistribute this code under either of these licenses.
// ========================================================================
//
package org.eclipse.jetty.server.ssl;
import org.eclipse.jetty.server.AbstractConnectionFactory;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;
/* ------------------------------------------------------------ */
/**
* SslSelectChannelConnector.
*
* @deprecated use SelectChannelConnector with {@link SslContextFactory}
* @org.apache.xbean.XBean element="sslConnector" description="Creates an NIO ssl connector"
*/
public class SslSelectChannelConnector extends ServerConnector
{
public SslSelectChannelConnector(Server server)
{
super(server,null,null,null,0,0,AbstractConnectionFactory.getFactories(new SslContextFactory(),new HttpConnectionFactory()));
}
}


@ -35,6 +35,7 @@ import java.security.cert.Certificate;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
@ -47,8 +48,10 @@ import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
@ -837,7 +840,7 @@ public class SslContextFactory extends AbstractLifeCycle
*/
protected KeyStore loadKeyStore() throws Exception
{
return _keyStore != null ? _keyStore : getKeyStore(_keyStoreInputStream,
return _keyStore != null ? _keyStore : CertificateUtils.getKeyStore(_keyStoreInputStream,
_keyStorePath, _keyStoreType, _keyStoreProvider,
_keyStorePassword==null? null: _keyStorePassword.toString());
}
@ -850,34 +853,11 @@ public class SslContextFactory extends AbstractLifeCycle
*/
protected KeyStore loadTrustStore() throws Exception
{
return _trustStore != null ? _trustStore : getKeyStore(_trustStoreInputStream,
return _trustStore != null ? _trustStore : CertificateUtils.getKeyStore(_trustStoreInputStream,
_trustStorePath, _trustStoreType, _trustStoreProvider,
_trustStorePassword==null? null: _trustStorePassword.toString());
}
/**
* Loads keystore using an input stream or a file path in the same
* order of precedence.
*
* Required for integrations to be able to override the mechanism
* used to load a keystore in order to provide their own implementation.
*
* @param storeStream keystore input stream
* @param storePath path of keystore file
* @param storeType keystore type
* @param storeProvider keystore provider
* @param storePassword keystore password
* @return created keystore
* @throws Exception if the keystore cannot be obtained
*
* @deprecated
*/
@Deprecated
protected KeyStore getKeyStore(InputStream storeStream, String storePath, String storeType, String storeProvider, String storePassword) throws Exception
{
return CertificateUtils.getKeyStore(storeStream, storePath, storeType, storeProvider, storePassword);
}
/**
* Loads certificate revocation list (CRL) from a file.
*
@ -1327,6 +1307,91 @@ public class SslContextFactory extends AbstractLifeCycle
return address != null ? newSSLEngine(address.getAddress().getHostAddress(), address.getPort()) : newSSLEngine();
}
public static X509Certificate[] getCertChain(SSLSession sslSession)
{
try
{
javax.security.cert.X509Certificate javaxCerts[]=sslSession.getPeerCertificateChain();
if (javaxCerts==null||javaxCerts.length==0)
return null;
int length=javaxCerts.length;
X509Certificate[] javaCerts=new X509Certificate[length];
java.security.cert.CertificateFactory cf=java.security.cert.CertificateFactory.getInstance("X.509");
for (int i=0; i<length; i++)
{
byte bytes[]=javaxCerts[i].getEncoded();
ByteArrayInputStream stream=new ByteArrayInputStream(bytes);
javaCerts[i]=(X509Certificate)cf.generateCertificate(stream);
}
return javaCerts;
}
catch (SSLPeerUnverifiedException pue)
{
return null;
}
catch (Exception e)
{
LOG.warn(Log.EXCEPTION,e);
return null;
}
}
/**
* Given the name of a TLS/SSL cipher suite, return an int representing it effective stream
* cipher key strength. i.e. How much entropy material is in the key material being fed into the
* encryption routines.
*
* <p>
* This is based on the information on effective key lengths in RFC 2246 - The TLS Protocol
* Version 1.0, Appendix C. CipherSuite definitions:
*
* <pre>
* Effective
* Cipher Type Key Bits
*
* NULL * Stream 0
* IDEA_CBC Block 128
* RC2_CBC_40 * Block 40
* RC4_40 * Stream 40
* RC4_128 Stream 128
* DES40_CBC * Block 40
* DES_CBC Block 56
* 3DES_EDE_CBC Block 168
* </pre>
*
* @param cipherSuite String name of the TLS cipher suite.
* @return int indicating the effective key entropy bit-length.
*/
public static int deduceKeyLength(String cipherSuite)
{
// Roughly ordered from most common to least common.
if (cipherSuite == null)
return 0;
else if (cipherSuite.indexOf("WITH_AES_256_") >= 0)
return 256;
else if (cipherSuite.indexOf("WITH_RC4_128_") >= 0)
return 128;
else if (cipherSuite.indexOf("WITH_AES_128_") >= 0)
return 128;
else if (cipherSuite.indexOf("WITH_RC4_40_") >= 0)
return 40;
else if (cipherSuite.indexOf("WITH_3DES_EDE_CBC_") >= 0)
return 168;
else if (cipherSuite.indexOf("WITH_IDEA_CBC_") >= 0)
return 128;
else if (cipherSuite.indexOf("WITH_RC2_CBC_40_") >= 0)
return 40;
else if (cipherSuite.indexOf("WITH_DES40_CBC_") >= 0)
return 40;
else if (cipherSuite.indexOf("WITH_DES_CBC_") >= 0)
return 56;
else
return 0;
}
@Override
public String toString()
{
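Review bot: The new `getCertChain` has no Javadoc, and it needs one because it returns `null` for three different conditions — an absent or empty chain, an `SSLPeerUnverifiedException` (the normal case when the client sent no certificate), and any other failure, which is logged at warn and then also reported as `null` — so a caller cannot distinguish "no client certificate" from "certificate conversion failed". I would add a Javadoc of the form `/** Returns the peer's certificate chain as java.security.cert.X509Certificate, or null if the peer is unauthenticated, sent no chain, or the chain could not be converted (logged at warn). */`. The conversion also goes through the legacy `javax.security.cert` types returned by `getPeerCertificateChain()` and re-parses each encoding; `sslSession.getPeerCertificates()` already returns `java.security.cert.Certificate[]` and would remove that round-trip without changing the null contract. The `deduceKeyLength` Javadoc should likewise state that any suite whose name matches none of the listed substrings yields 0, so integrations that gate on the reported key size get the conservative value for suites outside the RFC 2246 table. The method bodies reference `LOG`, `Log` and `ByteArrayInputStream`, none of which the visible import hunks add, so I assume they are already in scope in SslContextFactory; `toString` at the end of the hunk continues outside it.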