Merge branch 'master' of ssh://git.eclipse.org/gitroot/jetty/org.eclipse.jetty.project

Conflicts:
	jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
Greg Wilkins 2015-05-21 01:54:07 +10:00
commit aa8ad7d4f4
1 changed files with 55 additions and 53 deletions


@ -111,15 +111,15 @@ public class SslContextFactory extends AbstractLifeCycle
/* /*
* @see {@link X509Certificate#getKeyUsage()} * @see {@link X509Certificate#getKeyUsage()}
*/ */
private static final int KEY_USAGE__KEY_CERT_SIGN=5; private static final int KEY_USAGE__KEY_CERT_SIGN=5;
/* /*
* *
* @see {@link X509Certificate#getSubjectAlternativeNames()} * @see {@link X509Certificate#getSubjectAlternativeNames()}
*/ */
private static final int SUBJECT_ALTERNATIVE_NAMES__DNS_NAME=2; private static final int SUBJECT_ALTERNATIVE_NAMES__DNS_NAME=2;
public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM = public static final String DEFAULT_KEYMANAGERFACTORY_ALGORITHM =
(Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ? (Security.getProperty("ssl.KeyManagerFactory.algorithm") == null ?
KeyManagerFactory.getDefaultAlgorithm() : Security.getProperty("ssl.KeyManagerFactory.algorithm")); KeyManagerFactory.getDefaultAlgorithm() : Security.getProperty("ssl.KeyManagerFactory.algorithm"));
@ -145,7 +145,7 @@ public class SslContextFactory extends AbstractLifeCycle
/** Excluded cipher suites. */ /** Excluded cipher suites. */
private final Set<String> _excludeCipherSuites = new LinkedHashSet<>(); private final Set<String> _excludeCipherSuites = new LinkedHashSet<>();
/** Included cipher suites. */ /** Included cipher suites. */
private final List<String> _includeCipherSuites = new ArrayList<String>(); private final List<String> _includeCipherSuites = new ArrayList<String>();
private boolean _useCipherSuitesOrder=true; private boolean _useCipherSuitesOrder=true;
@ -155,7 +155,7 @@ public class SslContextFactory extends AbstractLifeCycle
/** Selected cipher suites. Combination of includes, excludes, available and ordering */ /** Selected cipher suites. Combination of includes, excludes, available and ordering */
private String[] _selectedCipherSuites; private String[] _selectedCipherSuites;
/** Keystore path. */ /** Keystore path. */
private Resource _keyStoreResource; private Resource _keyStoreResource;
/** Keystore provider name */ /** Keystore provider name */
@ -238,8 +238,10 @@ public class SslContextFactory extends AbstractLifeCycle
private boolean _renegotiationAllowed = true; private boolean _renegotiationAllowed = true;
protected Factory _factory; protected Factory _factory;
/** /**
* Construct an instance of SslContextFactory * Construct an instance of SslContextFactory
* Default constructor for use in XmlConfiguration files * Default constructor for use in XmlConfiguration files
@ -267,7 +269,7 @@ public class SslContextFactory extends AbstractLifeCycle
"SSL_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
"SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA"); "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA");
} }
/** /**
* Construct an instance of SslContextFactory * Construct an instance of SslContextFactory
@ -310,7 +312,7 @@ public class SslContextFactory extends AbstractLifeCycle
SSLContext context = _setContext; SSLContext context = _setContext;
KeyStore keyStore = _setKeyStore; KeyStore keyStore = _setKeyStore;
KeyStore trustStore = _setTrustStore; KeyStore trustStore = _setTrustStore;
if (context == null) if (context == null)
{ {
// Is this an empty factory? // Is this an empty factory?
@ -365,21 +367,21 @@ public class SslContextFactory extends AbstractLifeCycle
_certAliases.clear(); _certAliases.clear();
if (keyStore!=null) if (keyStore!=null)
{ {
loop: for (String alias : Collections.list(keyStore.aliases())) for (String alias : Collections.list(keyStore.aliases()))
{ {
Certificate certificate = keyStore.getCertificate(alias); Certificate certificate = keyStore.getCertificate(alias);
if ("X.509".equals(certificate.getType())) if ("X.509".equals(certificate.getType()))
{ {
X509Certificate x509 = (X509Certificate)certificate; X509Certificate x509 = (X509Certificate)certificate;
// Exclude certificates with special uses // Exclude certificates with special uses
if (x509.getKeyUsage()!=null) if (x509.getKeyUsage()!=null)
{ {
boolean[] b=x509.getKeyUsage(); boolean[] b=x509.getKeyUsage();
if (b[KEY_USAGE__KEY_CERT_SIGN]) if (b[KEY_USAGE__KEY_CERT_SIGN])
continue loop; continue;
} }
// Look for alternative name extensions // Look for alternative name extensions
boolean named=false; boolean named=false;
Collection<List<?>> altNames = x509.getSubjectAlternativeNames(); Collection<List<?>> altNames = x509.getSubjectAlternativeNames();
@ -400,7 +402,7 @@ public class SslContextFactory extends AbstractLifeCycle
} }
} }
} }
// If no names found, look up the cn from the subject // If no names found, look up the cn from the subject
if (!named) if (!named)
{ {
@ -417,18 +419,18 @@ public class SslContextFactory extends AbstractLifeCycle
} }
} }
} }
} }
} }
} }
// find wild aliases // find wild aliases
_certWilds.clear(); _certWilds.clear();
for (String name : _certAliases.keySet()) for (String name : _certAliases.keySet())
if (name.startsWith("*.")) if (name.startsWith("*."))
_certWilds.put(name.substring(1),_certAliases.get(name)); _certWilds.put(name.substring(1),_certAliases.get(name));
LOG.info("x509={} wild={} alias={} for {}",_certAliases,_certWilds,_certAlias,this); LOG.info("x509={} wild={} alias={} for {}",_certAliases,_certWilds,_certAlias,this);
// Instantiate key and trust managers // Instantiate key and trust managers
KeyManager[] keyManagers = getKeyManagers(keyStore); KeyManager[] keyManagers = getKeyManagers(keyStore);
TrustManager[] trustManagers = getTrustManagers(trustStore,crls); TrustManager[] trustManagers = getTrustManagers(trustStore,crls);
@ -446,14 +448,14 @@ public class SslContextFactory extends AbstractLifeCycle
sslEngine.getEnabledCipherSuites(), sslEngine.getEnabledCipherSuites(),
sslEngine.getSupportedCipherSuites()); sslEngine.getSupportedCipherSuites());
selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols()); selectProtocols(sslEngine.getEnabledProtocols(),sslEngine.getSupportedProtocols());
_factory = new Factory(keyStore,trustStore,context); _factory = new Factory(keyStore,trustStore,context);
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
{ {
LOG.debug("Selected Protocols {} of {}",Arrays.asList(_selectedProtocols),Arrays.asList(sslEngine.getSupportedProtocols())); LOG.debug("Selected Protocols {} of {}",Arrays.asList(_selectedProtocols),Arrays.asList(sslEngine.getSupportedProtocols()));
LOG.debug("Selected Ciphers {} of {}",Arrays.asList(_selectedCipherSuites),Arrays.asList(sslEngine.getSupportedCipherSuites())); LOG.debug("Selected Ciphers {} of {}",Arrays.asList(_selectedCipherSuites),Arrays.asList(sslEngine.getSupportedCipherSuites()));
} }
} }
@Override @Override
@ -578,7 +580,7 @@ public class SslContextFactory extends AbstractLifeCycle
{ {
_useCipherSuitesOrder = useCipherSuitesOrder; _useCipherSuitesOrder = useCipherSuitesOrder;
} }
/** /**
* @return The file or URL of the SSL Key store. * @return The file or URL of the SSL Key store.
*/ */
@ -662,7 +664,7 @@ public class SslContextFactory extends AbstractLifeCycle
checkNotStarted(); checkNotStarted();
_certAlias = certAlias; _certAlias = certAlias;
} }
/** /**
* @param trustStorePath * @param trustStorePath
* The file name or URL of the trust store location * The file name or URL of the trust store location
@ -794,7 +796,7 @@ public class SslContextFactory extends AbstractLifeCycle
/** /**
* @param password * @param password
* The password for the key store. If null is passed then * The password for the key store. If null is passed then
* the {@link Password#getPassword(String, String, String)} is used to * the {@link Password#getPassword(String, String, String)} is used to
* obtain a password either from the "org.eclipse.jetty.ssl.password" * obtain a password either from the "org.eclipse.jetty.ssl.password"
* System property or by prompting for manual entry. * System property or by prompting for manual entry.
@ -802,7 +804,7 @@ public class SslContextFactory extends AbstractLifeCycle
public void setKeyStorePassword(String password) public void setKeyStorePassword(String password)
{ {
checkNotStarted(); checkNotStarted();
_keyStorePassword = password==null _keyStorePassword = password==null
?Password.getPassword(PASSWORD_PROPERTY,null,null) ?Password.getPassword(PASSWORD_PROPERTY,null,null)
:new Password(password); :new Password(password);
@ -811,7 +813,7 @@ public class SslContextFactory extends AbstractLifeCycle
/** /**
* @param password * @param password
* The password (if any) for the specific key within the key store. * The password (if any) for the specific key within the key store.
* If null is passed then * If null is passed then
* the {@link Password#getPassword(String, String, String)} is used to * the {@link Password#getPassword(String, String, String)} is used to
* obtain a password either from the "org.eclipse.jetty.ssl.keypassword" * obtain a password either from the "org.eclipse.jetty.ssl.keypassword"
* System property or by prompting for manual entry. * System property or by prompting for manual entry.
@ -826,7 +828,7 @@ public class SslContextFactory extends AbstractLifeCycle
/** /**
* @param password * @param password
* The password for the trust store. If null is passed then * The password for the trust store. If null is passed then
* the {@link Password#getPassword(String, String, String)} is used to * the {@link Password#getPassword(String, String, String)} is used to
* obtain a password either from the "org.eclipse.jetty.ssl.password" * obtain a password either from the "org.eclipse.jetty.ssl.password"
* System property or by prompting for manual entry. * System property or by prompting for manual entry.
@ -1040,8 +1042,8 @@ public class SslContextFactory extends AbstractLifeCycle
/** /**
* Override this method to provide alternate way to load a keystore. * Override this method to provide alternate way to load a keystore.
* *
* @param resource the resource to load the keystore from * @param resource the resource to load the keystore from
* @return the key store instance * @return the key store instance
* @throws Exception if the keystore cannot be loaded * @throws Exception if the keystore cannot be loaded
*/ */
@ -1052,8 +1054,8 @@ public class SslContextFactory extends AbstractLifeCycle
/** /**
* Override this method to provide alternate way to load a truststore. * Override this method to provide alternate way to load a truststore.
* *
* @param resource the resource to load the truststore from * @param resource the resource to load the truststore from
* @return the key store instance * @return the key store instance
* @throws Exception if the truststore cannot be loaded * @throws Exception if the truststore cannot be loaded
*/ */
@ -1097,7 +1099,7 @@ public class SslContextFactory extends AbstractLifeCycle
managers[idx] = new AliasedX509ExtendedKeyManager((X509ExtendedKeyManager)managers[idx],_certAlias); managers[idx] = new AliasedX509ExtendedKeyManager((X509ExtendedKeyManager)managers[idx],_certAlias);
} }
} }
if (_certAliases.isEmpty() || !_certWilds.isEmpty()) if (_certAliases.isEmpty() || !_certWilds.isEmpty())
{ {
for (int idx = 0; idx < managers.length; idx++) for (int idx = 0; idx < managers.length; idx++)
@ -1110,7 +1112,7 @@ public class SslContextFactory extends AbstractLifeCycle
} }
LOG.debug("managers={} for {}",managers,this); LOG.debug("managers={} for {}",managers,this);
return managers; return managers;
} }
@ -1264,7 +1266,7 @@ public class SslContextFactory extends AbstractLifeCycle
if (isStarted()) if (isStarted())
throw new IllegalStateException("Cannot modify configuration when "+getState()); throw new IllegalStateException("Cannot modify configuration when "+getState());
} }
/** /**
* Check if the lifecycle has been started and throw runtime exception * Check if the lifecycle has been started and throw runtime exception
*/ */
@ -1273,7 +1275,7 @@ public class SslContextFactory extends AbstractLifeCycle
if (!isStarted()) if (!isStarted())
throw new IllegalStateException("!STARTED: "+this); throw new IllegalStateException("!STARTED: "+this);
} }
/** /**
* Check if the lifecycle has been started and throw runtime exception * Check if the lifecycle has been started and throw runtime exception
*/ */
@ -1347,7 +1349,7 @@ public class SslContextFactory extends AbstractLifeCycle
{ {
return isStarted()?_factory._keyStore:_setKeyStore; return isStarted()?_factory._keyStore:_setKeyStore;
} }
/** Set the trust store. /** Set the trust store.
* @param trustStore the trust store to set * @param trustStore the trust store to set
*/ */
@ -1375,7 +1377,7 @@ public class SslContextFactory extends AbstractLifeCycle
{ {
return _keyStoreResource; return _keyStoreResource;
} }
/** Set the trust store resource. /** Set the trust store resource.
* @param resource the trust store resource to set * @param resource the trust store resource to set
*/ */
@ -1389,7 +1391,7 @@ public class SslContextFactory extends AbstractLifeCycle
{ {
return _keyStoreResource; return _keyStoreResource;
} }
/** /**
* @return true if SSL Session caching is enabled * @return true if SSL Session caching is enabled
*/ */
@ -1442,7 +1444,7 @@ public class SslContextFactory extends AbstractLifeCycle
public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException public SSLServerSocket newSslServerSocket(String host,int port,int backlog) throws IOException
{ {
checkIsStarted(); checkIsStarted();
SSLServerSocketFactory factory = _factory._context.getServerSocketFactory(); SSLServerSocketFactory factory = _factory._context.getServerSocketFactory();
SSLServerSocket socket = SSLServerSocket socket =
@ -1547,7 +1549,7 @@ public class SslContextFactory extends AbstractLifeCycle
{ {
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
LOG.debug("Customize {}",sslEngine); LOG.debug("Customize {}",sslEngine);
SSLParameters sslParams = sslEngine.getSSLParameters(); SSLParameters sslParams = sslEngine.getSSLParameters();
sslParams.setEndpointIdentificationAlgorithm(_endpointIdentificationAlgorithm); sslParams.setEndpointIdentificationAlgorithm(_endpointIdentificationAlgorithm);
sslParams.setUseCipherSuitesOrder(_useCipherSuitesOrder); sslParams.setUseCipherSuitesOrder(_useCipherSuitesOrder);
@ -1555,7 +1557,7 @@ public class SslContextFactory extends AbstractLifeCycle
{ {
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
LOG.debug("Enable SNI matching {}",sslEngine); LOG.debug("Enable SNI matching {}",sslEngine);
sslParams.setSNIMatchers(Collections.singletonList((SNIMatcher)new AliasSNIMatcher())); sslParams.setSNIMatchers(Collections.singletonList((SNIMatcher)new AliasSNIMatcher()));
} }
if (getWantClientAuth()) if (getWantClientAuth())
@ -1664,15 +1666,15 @@ public class SslContextFactory extends AbstractLifeCycle
_keyStoreResource, _keyStoreResource,
_trustStoreResource); _trustStoreResource);
} }
protected class Factory protected class Factory
{ {
final KeyStore _keyStore; final KeyStore _keyStore;
final KeyStore _trustStore; final KeyStore _trustStore;
final SSLContext _context; final SSLContext _context;
public Factory(KeyStore keyStore, KeyStore trustStore, SSLContext context) public Factory(KeyStore keyStore, KeyStore trustStore, SSLContext context)
{ {
super(); super();
@ -1680,7 +1682,7 @@ public class SslContextFactory extends AbstractLifeCycle
_trustStore = trustStore; _trustStore = trustStore;
_context = context; _context = context;
} }
@Override @Override
public String toString() public String toString()
{ {
@ -1692,7 +1694,7 @@ public class SslContextFactory extends AbstractLifeCycle
{ {
private String _alias; private String _alias;
private SNIHostName _name; private SNIHostName _name;
protected AliasSNIMatcher() protected AliasSNIMatcher()
{ {
super(StandardConstants.SNI_HOST_NAME); super(StandardConstants.SNI_HOST_NAME);
@ -1702,14 +1704,14 @@ public class SslContextFactory extends AbstractLifeCycle
public boolean matches(SNIServerName serverName) public boolean matches(SNIServerName serverName)
{ {
LOG.debug("matches={} for {}",serverName,this); LOG.debug("matches={} for {}",serverName,this);
if (serverName instanceof SNIHostName) if (serverName instanceof SNIHostName)
{ {
_name=(SNIHostName)serverName; _name=(SNIHostName)serverName;
// If we don't have a SNI name, or didn't see any certificate aliases, // If we don't have a SNI name, or didn't see any certificate aliases,
// just say true as it will either somehow work or fail elsewhere // just say true as it will either somehow work or fail elsewhere
if (_name==null || _certAliases.size()==0) if (_certAliases.size()==0)
return true; return true;
// Try an exact match // Try an exact match
@ -1720,14 +1722,14 @@ public class SslContextFactory extends AbstractLifeCycle
LOG.debug("matched {}->{}",_name.getAsciiName(),_alias); LOG.debug("matched {}->{}",_name.getAsciiName(),_alias);
return true; return true;
} }
// Try wild card matches // Try wild card matches
String domain = _name.getAsciiName(); String domain = _name.getAsciiName();
int dot=domain.indexOf('.'); int dot=domain.indexOf('.');
if (dot>=0) if (dot>=0)
{ {
domain=domain.substring(dot); domain=domain.substring(dot);
_alias = _certWilds.get(domain); _alias = _certWilds.get(domain);
if (_alias!=null) if (_alias!=null)
{ {
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
@ -1738,7 +1740,7 @@ public class SslContextFactory extends AbstractLifeCycle
} }
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
LOG.debug("No match for {}",_name.getAsciiName()); LOG.debug("No match for {}",_name.getAsciiName());
// Return true and allow the KeyManager to accept or reject when choosing a certificate. // Return true and allow the KeyManager to accept or reject when choosing a certificate.
return true; return true;
} }
@ -1747,7 +1749,7 @@ public class SslContextFactory extends AbstractLifeCycle
{ {
return _alias; return _alias;
} }
public String getServerName() public String getServerName()
{ {
return _name==null?null:_name.getAsciiName(); return _name==null?null:_name.getAsciiName();
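Review bot: In `matches()` the client-supplied SNI name is stored by `_name=(SNIHostName)serverName;` before any alias lookup, and the method still returns `true` both when `_certAliases` is empty and when nothing matched (`// Return true and allow the KeyManager to accept or reject...`), so after the handshake `getServerName()` is non-null whenever the client sent SNI while `getAlias()` stays null for an unmatched name; nothing in the hunk documents that asymmetry, and a caller treating a non-null server name as proof that a matching certificate was selected would be wrong. I would add above `public boolean matches(SNIServerName serverName)` a comment along the lines of `/* Always returns true: an unmatched SNI name is left to the KeyManager, which falls back to a default certificate; in that case _alias is null while _name is still recorded. */`. It is also worth stating that `_name` is untrusted client input and that a mismatch is not rejected here with an unrecognized_name alert but only surfaced later by the client's own hostname verification, which may or may not be acceptable for a given deployment. As a style point, the `LOG.debug("matches={} for {}",serverName,this);` call is the only unguarded debug call in the section while the others are wrapped in `if (LOG.isDebugEnabled())`. The `AliasSNIMatcher` class header and the end of `matches()` lie outside the visible hunks.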