From cebe2a7c4ea510306946d1cfdb37a593a8690c03 Mon Sep 17 00:00:00 2001
From: Simone Bordet
Date: Thu, 5 Oct 2017 23:02:02 +0200
Subject: [PATCH] Fixes #1871 - JMXify SslContextFactory.

---
 .../jetty/util/ssl/SslContextFactory.java | 59 ++++++++++++++++---
 1 file changed, 52 insertions(+), 7 deletions(-)

diff --git a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
index e976164fad0..66011b2c10b 100644
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java
@@ -44,6 +44,7 @@ import java.util.Iterator;
 import java.util.LinkedHashSet;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.function.Consumer;
 import java.util.regex.Matcher;
@@ -72,6 +73,8 @@ import javax.net.ssl.X509ExtendedKeyManager;
 import javax.net.ssl.X509TrustManager;
 
 import org.eclipse.jetty.util.StringUtil;
+import org.eclipse.jetty.util.annotation.ManagedAttribute;
+import org.eclipse.jetty.util.annotation.ManagedObject;
 import org.eclipse.jetty.util.component.AbstractLifeCycle;
 import org.eclipse.jetty.util.component.ContainerLifeCycle;
 import org.eclipse.jetty.util.component.Dumpable;
@@ -88,6 +91,7 @@ import org.eclipse.jetty.util.security.Password;
  * creates SSL context based on these parameters to be
  * used by the SSL connectors.
  */
+@ManagedObject
 public class SslContextFactory extends AbstractLifeCycle implements Dumpable
 {
     public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager()
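Review bot: `@ManagedObject` on the class in the @@ -88 hunk carries no description, so the MBean registers with the annotation's default text while every attribute added below does get one. Suggest `@ManagedObject("Factory for the SSLContext, SSLEngines and SSLSockets used by the SSL connectors")`, derived from the class Javadoc just above it. The two import hunks need nothing.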
@@ -396,11 +400,13 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
         _certWilds.clear();
     }
 
+    @ManagedAttribute(value = "The selected TLS protocol versions", readonly = true)
     public String[] getSelectedProtocols()
     {
         return Arrays.copyOf(_selectedProtocols, _selectedProtocols.length);
     }
 
+    @ManagedAttribute(value = "The selected cipher suites", readonly = true)
     public String[] getSelectedCipherSuites()
     {
         return Arrays.copyOf(_selectedCipherSuites, _selectedCipherSuites.length);
@@ -432,6 +438,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * @return The array of protocol names to exclude from
      * {@link SSLEngine#setEnabledProtocols(String[])}
      */
+    @ManagedAttribute("The excluded TLS protocols")
     public String[] getExcludeProtocols()
     {
         return _excludeProtocols.toArray(new String[0]);
@@ -459,6 +466,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * @return The array of protocol names to include in
      * {@link SSLEngine#setEnabledProtocols(String[])}
      */
+    @ManagedAttribute("The included TLS protocols")
     public String[] getIncludeProtocols()
     {
         return _includeProtocols.toArray(new String[0]);
@@ -478,6 +486,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * @return The array of cipher suite names to exclude from
      * {@link SSLEngine#setEnabledCipherSuites(String[])}
      */
+    @ManagedAttribute("The excluded cipher suites")
     public String[] getExcludeCipherSuites()
     {
         return _excludeCipherSuites.toArray(new String[0]);
@@ -507,6 +516,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * @return The array of cipher suite names to include in
      * {@link SSLEngine#setEnabledCipherSuites(String[])}
      */
+    @ManagedAttribute("The included cipher suites")
     public String[] getIncludeCipherSuites()
     {
         return _includeCipherSuites.toArray(new String[0]);
@@ -524,6 +534,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
         _includeCipherSuites.addAll(Arrays.asList(cipherSuites));
     }
 
+    @ManagedAttribute("Whether to respect the cipher suites order")
     public boolean isUseCipherSuitesOrder()
     {
         return _useCipherSuitesOrder;
@@ -537,9 +548,10 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return The file or URL of the SSL Key store.
      */
+    @ManagedAttribute("The keyStore path")
     public String getKeyStorePath()
     {
-        return _keyStoreResource.toString();
+        return Objects.toString(_keyStoreResource, null);
     }
 
     /**
@@ -560,6 +572,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return The provider of the key store
      */
+    @ManagedAttribute("The keyStore provider name")
     public String getKeyStoreProvider()
     {
         return _keyStoreProvider;
@@ -576,6 +589,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return The type of the key store (default "JKS")
      */
+    @ManagedAttribute("The keyStore type")
     public String getKeyStoreType()
     {
         return (_keyStoreType);
@@ -592,6 +606,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return Alias of SSL certificate for the connector
      */
+    @ManagedAttribute("The certificate alias")
     public String getCertAlias()
     {
         return _certAlias;
@@ -611,6 +626,12 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
         _certAlias = certAlias;
     }
 
+    @ManagedAttribute("The trustStore path")
+    public String getTrustStorePath()
+    {
+        return Objects.toString(_trustStoreResource, null);
+    }
+
     /**
      * @param trustStorePath The file name or URL of the trust store location
      */
@@ -629,6 +650,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return The provider of the trust store
      */
+    @ManagedAttribute("The trustStore provider name")
     public String getTrustStoreProvider()
     {
         return _trustStoreProvider;
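Review bot: `getKeyStorePath()` in the @@ -537 hunk now returns null when no key store resource is set, where the old line threw NullPointerException, but the Javadoc above it still promises a file or URL; the new `getTrustStorePath()` in the @@ -611 hunk has the same null return and no Javadoc at all, although it is the only new public method in the commit. Suggest `* @return The file or URL of the SSL Key store, or null if none has been configured.` on the existing method and `/** @return The file or URL of the SSL trust store, or null if none has been configured. */` on the new one. Exposing the paths over JMX reveals store locations only; the store passwords are, rightly, not annotated anywhere in the patch.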
@@ -645,6 +667,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return The type of the trust store (default "JKS")
      */
+    @ManagedAttribute("The trustStore type")
     public String getTrustStoreType()
     {
         return _trustStoreType;
@@ -662,6 +685,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * @return True if SSL needs client authentication.
      * @see SSLEngine#getNeedClientAuth()
      */
+    @ManagedAttribute("Whether client authentication is needed")
     public boolean getNeedClientAuth()
     {
         return _needClientAuth;
@@ -680,6 +704,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * @return True if SSL wants client authentication.
      * @see SSLEngine#getWantClientAuth()
      */
+    @ManagedAttribute("Whether client authentication is wanted")
     public boolean getWantClientAuth()
     {
         return _wantClientAuth;
@@ -697,6 +722,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return true if SSL certificate has to be validated
      */
+    @ManagedAttribute("Whether certificates are validated")
     public boolean isValidateCerts()
     {
         return _validateCerts;
@@ -713,6 +739,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return true if SSL certificates of the peer have to be validated
      */
+    @ManagedAttribute("Whether peer certificates are validated")
     public boolean isValidatePeerCerts()
     {
         return _validatePeerCerts;
@@ -795,6 +822,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * @return The SSL provider name, which if set is passed to
      * {@link SSLContext#getInstance(String, String)}
      */
+    @ManagedAttribute("The provider name")
     public String getProvider()
     {
         return _sslProvider;
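Review bot: The client-authentication and certificate-validation getters in the @@ -662, @@ -680, @@ -697 and @@ -713 hunks are annotated without `readonly = true`, unlike `getSelectedProtocols()` earlier in the patch, and each has a public setter elsewhere in the file; if Jetty's MBean layer derives writability from the presence of a setter, these security-critical switches become writable through any JMX connection to the server. Whether a value written at runtime takes effect before the factory is reloaded is not visible in this hunk. Either mark them `readonly = true`, or state in the description when a change applies, e.g. `@ManagedAttribute("Whether client authentication is needed; changes apply on reload")`.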
@@ -813,6 +841,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * @return The SSL protocol (default "TLS") passed to
      * {@link SSLContext#getInstance(String, String)}
      */
+    @ManagedAttribute("The TLS protocol")
     public String getProtocol()
     {
         return _sslProtocol;
@@ -832,6 +861,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to
      * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
      */
+    @ManagedAttribute("The SecureRandom algorithm")
     public String getSecureRandomAlgorithm()
     {
         return _secureRandomAlgorithm;
@@ -850,6 +880,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
      */
+    @ManagedAttribute("The KeyManagerFactory algorithm")
     public String getKeyManagerFactoryAlgorithm()
     {
         return _keyManagerFactoryAlgorithm;
@@ -866,6 +897,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
      */
+    @ManagedAttribute("The TrustManagerFactory algorithm")
     public String getTrustManagerFactoryAlgorithm()
     {
         return _trustManagerFactoryAlgorithm;
@@ -874,6 +906,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return True if all certificates should be trusted if there is no KeyStore or TrustStore
      */
+    @ManagedAttribute("Whether certificates should be trusted even if they are invalid")
     public boolean isTrustAll()
     {
         return _trustAll;
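Review bot: The description on `isTrustAll()` in the @@ -874 hunk, `"Whether certificates should be trusted even if they are invalid"`, contradicts the method's own Javadoc two lines above, which says all certificates are trusted when there is no KeyStore or TrustStore; an operator reading the MBean gets a different contract from the one the code documents. Align the two, e.g. `@ManagedAttribute("Whether all certificates are trusted when no keyStore or trustStore is configured")`, or correct the Javadoc if the annotation's wording is the intended meaning.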
@@ -901,6 +934,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return whether TLS renegotiation is allowed (true by default)
      */
+    @ManagedAttribute("Whether renegotiation is allowed")
     public boolean isRenegotiationAllowed()
     {
         return _renegotiationAllowed;
@@ -915,9 +949,10 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     }
 
     /**
-     * @return The number of renegotions allowed for this connection. When the limit
+     * @return The number of renegotiations allowed for this connection. When the limit
      * is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied.
      */
+    @ManagedAttribute("The max number of renegotiations allowed")
     public int getRenegotiationLimit()
     {
         return _renegotiationLimit;
@@ -936,6 +971,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return Path to file that contains Certificate Revocation List
      */
+    @ManagedAttribute("The path to the certificate revocation list file")
     public String getCrlPath()
     {
         return _crlPath;
@@ -953,6 +989,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      * @return Maximum number of intermediate certificates in
      * the certification path (-1 for unlimited)
      */
+    @ManagedAttribute("The maximum number of intermediate certificates")
     public int getMaxCertPathLength()
     {
         return _maxCertPathLength;
@@ -992,6 +1029,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return the endpoint identification algorithm
      */
+    @ManagedAttribute("The endpoint identification algorithm")
     public String getEndpointIdentificationAlgorithm()
     {
         return _endpointIdentificationAlgorithm;
@@ -1026,7 +1064,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      */
     protected KeyStore loadKeyStore(Resource resource) throws Exception
     {
-        String storePassword = _keyStorePassword == null ? null : _keyStorePassword.toString();
+        String storePassword = Objects.toString(_keyStorePassword, null);
         return CertificateUtils.getKeyStore(resource, getKeyStoreType(), getKeyStoreProvider(), storePassword);
     }
 
@@ -1041,7 +1079,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     {
         String type = getTrustStoreType();
         String provider = getTrustStoreProvider();
-        String passwd = _trustStorePassword == null ? null : _trustStorePassword.toString();
+        String passwd = Objects.toString(_trustStorePassword, null);
         if (resource == null || resource.equals(_keyStoreResource))
         {
             resource = _keyStoreResource;
@@ -1050,7 +1088,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
             if (provider == null)
                 provider = _keyStoreProvider;
             if (passwd == null)
-                passwd = _keyStorePassword == null ? null : _keyStorePassword.toString();
+                passwd = Objects.toString(_keyStorePassword, null);
         }
         return CertificateUtils.getKeyStore(resource, type, provider, passwd);
     }
@@ -1239,7 +1277,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
         {
             if (LOG.isDebugEnabled())
                 LOG.debug("Sorting selected ciphers with {}", comparator);
-            Collections.sort(selected_ciphers, comparator);
+            selected_ciphers.sort(comparator);
         }
 
         _selectedCipherSuites = selected_ciphers.toArray(new String[0]);
@@ -1293,6 +1331,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return true if CRL Distribution Points support is enabled
      */
+    @ManagedAttribute("Whether certificate revocation list distribution points is enabled")
     public boolean isEnableCRLDP()
     {
         return _enableCRLDP;
@@ -1311,6 +1350,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return true if On-Line Certificate Status Protocol support is enabled
      */
+    @ManagedAttribute("Whether online certificate status protocol support is enabled")
     public boolean isEnableOCSP()
     {
         return _enableOCSP;
@@ -1329,6 +1369,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return Location of the OCSP Responder
      */
+    @ManagedAttribute("The online certificate status protocol URL")
     public String getOcspResponderURL()
     {
         return _ocspResponderURL;
@@ -1419,6 +1460,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     /**
      * @return true if SSL Session caching is enabled
      */
+    @ManagedAttribute("Whether TLS session caching is enabled")
     public boolean isSessionCachingEnabled()
     {
         return _sessionCachingEnabled;
@@ -1445,6 +1487,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      *
      * @return SSL session cache size
      */
+    @ManagedAttribute("The maximum TLS session cache size")
     public int getSslSessionCacheSize()
     {
         return _sslSessionCacheSize;
@@ -1468,6 +1511,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
      *
      * @return SSL session timeout
      */
+    @ManagedAttribute("The TLS session cache timeout, in seconds")
     public int getSslSessionTimeout()
     {
         return _sslSessionTimeout;
@@ -1727,9 +1771,10 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
     @Override
     public String toString()
     {
-        return String.format("%s@%x(%s,%s)",
+        return String.format("%s@%x[provider=%s,keyStore=%s,trusStore=%s)",
             getClass().getSimpleName(),
             hashCode(),
+            _sslProvider,
             _keyStoreResource,
             _trustStoreResource);
     }
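Review bot: The new format string in `toString()` in the @@ -1727 hunk opens with `[` but closes with `)`, and misspells the last label as `trusStore`, so every log line and dump that prints this factory is malformed. Change the added line to `return String.format("%s@%x[provider=%s,keyStore=%s,trustStore=%s]",`. The added `_sslProvider` argument does line up with the new third `%s`, so the argument list itself is fine.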