Merged branch 'jetty-9.4.x' into 'master'.

This commit is contained in:
Simone Bordet 2017-10-05 23:02:50 +02:00
commit b1ba04ee0e
1 changed files with 52 additions and 7 deletions


@ -44,6 +44,7 @@ import java.util.Iterator;
import java.util.LinkedHashSet; import java.util.LinkedHashSet;
import java.util.List; import java.util.List;
import java.util.Map; import java.util.Map;
import java.util.Objects;
import java.util.Set; import java.util.Set;
import java.util.function.Consumer; import java.util.function.Consumer;
import java.util.regex.Matcher; import java.util.regex.Matcher;
@ -72,6 +73,8 @@ import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509TrustManager; import javax.net.ssl.X509TrustManager;
import org.eclipse.jetty.util.StringUtil; import org.eclipse.jetty.util.StringUtil;
import org.eclipse.jetty.util.annotation.ManagedAttribute;
import org.eclipse.jetty.util.annotation.ManagedObject;
import org.eclipse.jetty.util.component.AbstractLifeCycle; import org.eclipse.jetty.util.component.AbstractLifeCycle;
import org.eclipse.jetty.util.component.ContainerLifeCycle; import org.eclipse.jetty.util.component.ContainerLifeCycle;
import org.eclipse.jetty.util.component.Dumpable; import org.eclipse.jetty.util.component.Dumpable;
@ -88,6 +91,7 @@ import org.eclipse.jetty.util.security.Password;
* creates SSL context based on these parameters to be * creates SSL context based on these parameters to be
* used by the SSL connectors. * used by the SSL connectors.
*/ */
@ManagedObject
public class SslContextFactory extends AbstractLifeCycle implements Dumpable public class SslContextFactory extends AbstractLifeCycle implements Dumpable
{ {
public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager() public final static TrustManager[] TRUST_ALL_CERTS = new X509TrustManager[]{new X509TrustManager()
@ -396,11 +400,13 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
_certWilds.clear(); _certWilds.clear();
} }
@ManagedAttribute(value = "The selected TLS protocol versions", readonly = true)
public String[] getSelectedProtocols() public String[] getSelectedProtocols()
{ {
return Arrays.copyOf(_selectedProtocols, _selectedProtocols.length); return Arrays.copyOf(_selectedProtocols, _selectedProtocols.length);
} }
@ManagedAttribute(value = "The selected cipher suites", readonly = true)
public String[] getSelectedCipherSuites() public String[] getSelectedCipherSuites()
{ {
return Arrays.copyOf(_selectedCipherSuites, _selectedCipherSuites.length); return Arrays.copyOf(_selectedCipherSuites, _selectedCipherSuites.length);
@ -432,6 +438,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* @return The array of protocol names to exclude from * @return The array of protocol names to exclude from
* {@link SSLEngine#setEnabledProtocols(String[])} * {@link SSLEngine#setEnabledProtocols(String[])}
*/ */
@ManagedAttribute("The excluded TLS protocols")
public String[] getExcludeProtocols() public String[] getExcludeProtocols()
{ {
return _excludeProtocols.toArray(new String[0]); return _excludeProtocols.toArray(new String[0]);
@ -459,6 +466,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* @return The array of protocol names to include in * @return The array of protocol names to include in
* {@link SSLEngine#setEnabledProtocols(String[])} * {@link SSLEngine#setEnabledProtocols(String[])}
*/ */
@ManagedAttribute("The included TLS protocols")
public String[] getIncludeProtocols() public String[] getIncludeProtocols()
{ {
return _includeProtocols.toArray(new String[0]); return _includeProtocols.toArray(new String[0]);
@ -478,6 +486,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* @return The array of cipher suite names to exclude from * @return The array of cipher suite names to exclude from
* {@link SSLEngine#setEnabledCipherSuites(String[])} * {@link SSLEngine#setEnabledCipherSuites(String[])}
*/ */
@ManagedAttribute("The excluded cipher suites")
public String[] getExcludeCipherSuites() public String[] getExcludeCipherSuites()
{ {
return _excludeCipherSuites.toArray(new String[0]); return _excludeCipherSuites.toArray(new String[0]);
@ -507,6 +516,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* @return The array of cipher suite names to include in * @return The array of cipher suite names to include in
* {@link SSLEngine#setEnabledCipherSuites(String[])} * {@link SSLEngine#setEnabledCipherSuites(String[])}
*/ */
@ManagedAttribute("The included cipher suites")
public String[] getIncludeCipherSuites() public String[] getIncludeCipherSuites()
{ {
return _includeCipherSuites.toArray(new String[0]); return _includeCipherSuites.toArray(new String[0]);
@ -524,6 +534,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
_includeCipherSuites.addAll(Arrays.asList(cipherSuites)); _includeCipherSuites.addAll(Arrays.asList(cipherSuites));
} }
@ManagedAttribute("Whether to respect the cipher suites order")
public boolean isUseCipherSuitesOrder() public boolean isUseCipherSuitesOrder()
{ {
return _useCipherSuitesOrder; return _useCipherSuitesOrder;
@ -537,9 +548,10 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return The file or URL of the SSL Key store. * @return The file or URL of the SSL Key store.
*/ */
@ManagedAttribute("The keyStore path")
public String getKeyStorePath() public String getKeyStorePath()
{ {
return _keyStoreResource.toString(); return Objects.toString(_keyStoreResource, null);
} }
/** /**
@ -560,6 +572,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return The provider of the key store * @return The provider of the key store
*/ */
@ManagedAttribute("The keyStore provider name")
public String getKeyStoreProvider() public String getKeyStoreProvider()
{ {
return _keyStoreProvider; return _keyStoreProvider;
@ -576,6 +589,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return The type of the key store (default "JKS") * @return The type of the key store (default "JKS")
*/ */
@ManagedAttribute("The keyStore type")
public String getKeyStoreType() public String getKeyStoreType()
{ {
return (_keyStoreType); return (_keyStoreType);
@ -592,6 +606,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return Alias of SSL certificate for the connector * @return Alias of SSL certificate for the connector
*/ */
@ManagedAttribute("The certificate alias")
public String getCertAlias() public String getCertAlias()
{ {
return _certAlias; return _certAlias;
@ -611,6 +626,12 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
_certAlias = certAlias; _certAlias = certAlias;
} }
@ManagedAttribute("The trustStore path")
public String getTrustStorePath()
{
return Objects.toString(_trustStoreResource, null);
}
/** /**
* @param trustStorePath The file name or URL of the trust store location * @param trustStorePath The file name or URL of the trust store location
*/ */
@ -629,6 +650,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return The provider of the trust store * @return The provider of the trust store
*/ */
@ManagedAttribute("The trustStore provider name")
public String getTrustStoreProvider() public String getTrustStoreProvider()
{ {
return _trustStoreProvider; return _trustStoreProvider;
@ -645,6 +667,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return The type of the trust store (default "JKS") * @return The type of the trust store (default "JKS")
*/ */
@ManagedAttribute("The trustStore type")
public String getTrustStoreType() public String getTrustStoreType()
{ {
return _trustStoreType; return _trustStoreType;
@ -662,6 +685,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* @return True if SSL needs client authentication. * @return True if SSL needs client authentication.
* @see SSLEngine#getNeedClientAuth() * @see SSLEngine#getNeedClientAuth()
*/ */
@ManagedAttribute("Whether client authentication is needed")
public boolean getNeedClientAuth() public boolean getNeedClientAuth()
{ {
return _needClientAuth; return _needClientAuth;
@ -680,6 +704,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* @return True if SSL wants client authentication. * @return True if SSL wants client authentication.
* @see SSLEngine#getWantClientAuth() * @see SSLEngine#getWantClientAuth()
*/ */
@ManagedAttribute("Whether client authentication is wanted")
public boolean getWantClientAuth() public boolean getWantClientAuth()
{ {
return _wantClientAuth; return _wantClientAuth;
@ -697,6 +722,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return true if SSL certificate has to be validated * @return true if SSL certificate has to be validated
*/ */
@ManagedAttribute("Whether certificates are validated")
public boolean isValidateCerts() public boolean isValidateCerts()
{ {
return _validateCerts; return _validateCerts;
@ -713,6 +739,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return true if SSL certificates of the peer have to be validated * @return true if SSL certificates of the peer have to be validated
*/ */
@ManagedAttribute("Whether peer certificates are validated")
public boolean isValidatePeerCerts() public boolean isValidatePeerCerts()
{ {
return _validatePeerCerts; return _validatePeerCerts;
@ -764,6 +791,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* @return The SSL provider name, which if set is passed to * @return The SSL provider name, which if set is passed to
* {@link SSLContext#getInstance(String, String)} * {@link SSLContext#getInstance(String, String)}
*/ */
@ManagedAttribute("The provider name")
public String getProvider() public String getProvider()
{ {
return _sslProvider; return _sslProvider;
@ -782,6 +810,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* @return The SSL protocol (default "TLS") passed to * @return The SSL protocol (default "TLS") passed to
* {@link SSLContext#getInstance(String, String)} * {@link SSLContext#getInstance(String, String)}
*/ */
@ManagedAttribute("The TLS protocol")
public String getProtocol() public String getProtocol()
{ {
return _sslProtocol; return _sslProtocol;
@ -801,6 +830,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom} instance passed to
* {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)} * {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
*/ */
@ManagedAttribute("The SecureRandom algorithm")
public String getSecureRandomAlgorithm() public String getSecureRandomAlgorithm()
{ {
return _secureRandomAlgorithm; return _secureRandomAlgorithm;
@ -819,6 +849,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory} * @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
*/ */
@ManagedAttribute("The KeyManagerFactory algorithm")
public String getKeyManagerFactoryAlgorithm() public String getKeyManagerFactoryAlgorithm()
{ {
return _keyManagerFactoryAlgorithm; return _keyManagerFactoryAlgorithm;
@ -835,6 +866,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory} * @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
*/ */
@ManagedAttribute("The TrustManagerFactory algorithm")
public String getTrustManagerFactoryAlgorithm() public String getTrustManagerFactoryAlgorithm()
{ {
return _trustManagerFactoryAlgorithm; return _trustManagerFactoryAlgorithm;
@ -843,6 +875,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return True if all certificates should be trusted if there is no KeyStore or TrustStore * @return True if all certificates should be trusted if there is no KeyStore or TrustStore
*/ */
@ManagedAttribute("Whether certificates should be trusted even if they are invalid")
public boolean isTrustAll() public boolean isTrustAll()
{ {
return _trustAll; return _trustAll;
@ -870,6 +903,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return whether TLS renegotiation is allowed (true by default) * @return whether TLS renegotiation is allowed (true by default)
*/ */
@ManagedAttribute("Whether renegotiation is allowed")
public boolean isRenegotiationAllowed() public boolean isRenegotiationAllowed()
{ {
return _renegotiationAllowed; return _renegotiationAllowed;
@ -884,9 +918,10 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
} }
/** /**
* @return The number of renegotions allowed for this connection. When the limit * @return The number of renegotiations allowed for this connection. When the limit
* is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied. * is 0 renegotiation will be denied. If the limit is less than 0 then no limit is applied.
*/ */
@ManagedAttribute("The max number of renegotiations allowed")
public int getRenegotiationLimit() public int getRenegotiationLimit()
{ {
return _renegotiationLimit; return _renegotiationLimit;
@ -905,6 +940,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return Path to file that contains Certificate Revocation List * @return Path to file that contains Certificate Revocation List
*/ */
@ManagedAttribute("The path to the certificate revocation list file")
public String getCrlPath() public String getCrlPath()
{ {
return _crlPath; return _crlPath;
@ -922,6 +958,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* @return Maximum number of intermediate certificates in * @return Maximum number of intermediate certificates in
* the certification path (-1 for unlimited) * the certification path (-1 for unlimited)
*/ */
@ManagedAttribute("The maximum number of intermediate certificates")
public int getMaxCertPathLength() public int getMaxCertPathLength()
{ {
return _maxCertPathLength; return _maxCertPathLength;
@ -961,6 +998,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return the endpoint identification algorithm * @return the endpoint identification algorithm
*/ */
@ManagedAttribute("The endpoint identification algorithm")
public String getEndpointIdentificationAlgorithm() public String getEndpointIdentificationAlgorithm()
{ {
return _endpointIdentificationAlgorithm; return _endpointIdentificationAlgorithm;
@ -995,7 +1033,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
*/ */
protected KeyStore loadKeyStore(Resource resource) throws Exception protected KeyStore loadKeyStore(Resource resource) throws Exception
{ {
String storePassword = _keyStorePassword == null ? null : _keyStorePassword.toString(); String storePassword = Objects.toString(_keyStorePassword, null);
return CertificateUtils.getKeyStore(resource, getKeyStoreType(), getKeyStoreProvider(), storePassword); return CertificateUtils.getKeyStore(resource, getKeyStoreType(), getKeyStoreProvider(), storePassword);
} }
@ -1010,7 +1048,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
{ {
String type = getTrustStoreType(); String type = getTrustStoreType();
String provider = getTrustStoreProvider(); String provider = getTrustStoreProvider();
String passwd = _trustStorePassword == null ? null : _trustStorePassword.toString(); String passwd = Objects.toString(_trustStorePassword, null);
if (resource == null || resource.equals(_keyStoreResource)) if (resource == null || resource.equals(_keyStoreResource))
{ {
resource = _keyStoreResource; resource = _keyStoreResource;
@ -1019,7 +1057,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
if (provider == null) if (provider == null)
provider = _keyStoreProvider; provider = _keyStoreProvider;
if (passwd == null) if (passwd == null)
passwd = _keyStorePassword == null ? null : _keyStorePassword.toString(); passwd = Objects.toString(_keyStorePassword, null);
} }
return CertificateUtils.getKeyStore(resource, type, provider, passwd); return CertificateUtils.getKeyStore(resource, type, provider, passwd);
} }
@ -1208,7 +1246,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
{ {
if (LOG.isDebugEnabled()) if (LOG.isDebugEnabled())
LOG.debug("Sorting selected ciphers with {}", comparator); LOG.debug("Sorting selected ciphers with {}", comparator);
Collections.sort(selected_ciphers, comparator); selected_ciphers.sort(comparator);
} }
_selectedCipherSuites = selected_ciphers.toArray(new String[0]); _selectedCipherSuites = selected_ciphers.toArray(new String[0]);
@ -1262,6 +1300,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return true if CRL Distribution Points support is enabled * @return true if CRL Distribution Points support is enabled
*/ */
@ManagedAttribute("Whether certificate revocation list distribution points is enabled")
public boolean isEnableCRLDP() public boolean isEnableCRLDP()
{ {
return _enableCRLDP; return _enableCRLDP;
@ -1280,6 +1319,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return true if On-Line Certificate Status Protocol support is enabled * @return true if On-Line Certificate Status Protocol support is enabled
*/ */
@ManagedAttribute("Whether online certificate status protocol support is enabled")
public boolean isEnableOCSP() public boolean isEnableOCSP()
{ {
return _enableOCSP; return _enableOCSP;
@ -1298,6 +1338,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return Location of the OCSP Responder * @return Location of the OCSP Responder
*/ */
@ManagedAttribute("The online certificate status protocol URL")
public String getOcspResponderURL() public String getOcspResponderURL()
{ {
return _ocspResponderURL; return _ocspResponderURL;
@ -1388,6 +1429,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
/** /**
* @return true if SSL Session caching is enabled * @return true if SSL Session caching is enabled
*/ */
@ManagedAttribute("Whether TLS session caching is enabled")
public boolean isSessionCachingEnabled() public boolean isSessionCachingEnabled()
{ {
return _sessionCachingEnabled; return _sessionCachingEnabled;
@ -1414,6 +1456,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* *
* @return SSL session cache size * @return SSL session cache size
*/ */
@ManagedAttribute("The maximum TLS session cache size")
public int getSslSessionCacheSize() public int getSslSessionCacheSize()
{ {
return _sslSessionCacheSize; return _sslSessionCacheSize;
@ -1437,6 +1480,7 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
* *
* @return SSL session timeout * @return SSL session timeout
*/ */
@ManagedAttribute("The TLS session cache timeout, in seconds")
public int getSslSessionTimeout() public int getSslSessionTimeout()
{ {
return _sslSessionTimeout; return _sslSessionTimeout;
@ -1697,9 +1741,10 @@ public class SslContextFactory extends AbstractLifeCycle implements Dumpable
@Override @Override
public String toString() public String toString()
{ {
return String.format("%s@%x(%s,%s)", return String.format("%s@%x[provider=%s,keyStore=%s,trusStore=%s)",
getClass().getSimpleName(), getClass().getSimpleName(),
hashCode(), hashCode(),
_sslProvider,
_keyStoreResource, _keyStoreResource,
_trustStoreResource); _trustStoreResource);
} }
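Review bot: The new format string in `toString()` opens the attribute list with `[` but closes it with `)`, and misspells the trust store key as `trusStore`; the argument list was correctly extended with `_sslProvider`, so only the literal needs fixing: `return String.format("%s@%x[provider=%s,keyStore=%s,trustStore=%s]",`. Separately, the `@ManagedAttribute` text added above `isTrustAll()` ("Whether certificates should be trusted even if they are invalid") reads differently from the Javadoc immediately above it, which ties trust-all to the absence of a KeyStore or TrustStore; since this description is what an operator sees in JMX for a security-relevant switch, consider making the two say the same thing. The new `getTrustStorePath()` getter is also the only accessor in this set without the `@return` Javadoc its siblings carry, e.g. `/** @return The file or URL of the SSL trust store. */`.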