Fixes #327183 (Allow better configurability of HttpClient for TLS/SSL).

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@2329 7e9141cc-0065-0410-87d8-b60c137991c4
2010-10-07 08:21:12 +00:00 · 2010-10-07 08:21:12 +00:00 · cd7926584d
parent e574ba8b13
commit cd7926584d
2 changed files with 89 additions and 52 deletions
--- a/VERSION.txt
+++ b/VERSION.txt
@ -1,20 +1,21 @@
-jetty-7.2.0.RC1-SNAPSHOT 
+jetty-7.2.0.RC1-SNAPSHOT
 + 289540 added javadoc into distribution
 + 297154 add source distribution artifact
 + 323985 Xmlconfiguration pulls start.jar config properties
 + 326734 Configure Digest maxNonceAge with Security handler init param
 + 327109 Fixed AJP handling of empty packets
+ + 327183 Allow better configurability of HttpClient for TLS/SSL

 jetty-7.2.0.RC0 1 Oct 2010
 + 314087 Simplified SelectorManager
 + 319334 Concurrent, sharable ResourceCache
 + 319370 WebAppClassLoader.Context
- + 319444 Two nulls are appended to log statements from ContextHanler$Context 
+ + 319444 Two nulls are appended to log statements from ContextHanler$Context
 + 320073 Reconsile configuration mechanism
 + 320112 Websocket in aggregate jars
 + 320264 Removed duplicate mime.property entries
 + 320457 Added rfc2045 support to B64Code
- + 321232 BasicAuthenticator ignores bad Authorization header. 
+ + 321232 BasicAuthenticator ignores bad Authorization header.
 + 321307 HashSessionManager calls passivation listeners.
 + 321730 SelectChannelEndPoint prints to System.err
 + 321735 HttpClient onException called for buffer overflow.
@ -67,8 +68,8 @@ jetty-7.2.0.RC0 1 Oct 2010

 jetty-7.1.6.v20100715
 + 319519 Warn about duplicate configuration files
- + 319655 Reset HEAD status 
- + JETTY-1247 synchronize recylcing of SSL NIO buffers 
+ + 319655 Reset HEAD status
+ + JETTY-1247 synchronize recylcing of SSL NIO buffers
 + JETTY-1248 fix parsing of bad multiparts
 + JETTY-1249 Apply max idle time to all connectors
 + JETTY-1251 Replace then close selector for JVM bugs
--- a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java
+++ b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpClient.java
@ -25,11 +25,9 @@ import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 import java.util.concurrent.ConcurrentMap;
-import javax.net.ssl.HostnameVerifier;
 import javax.net.ssl.KeyManager;
 import javax.net.ssl.KeyManagerFactory;
 import javax.net.ssl.SSLContext;
-import javax.net.ssl.SSLSession;
 import javax.net.ssl.TrustManager;
 import javax.net.ssl.TrustManagerFactory;
 import javax.net.ssl.X509TrustManager;
@ -101,7 +99,6 @@ public class HttpClient extends HttpBuffers implements Attributes
    private int _maxRedirects = 20;
    private LinkedList<String> _registeredListeners;

-    // TODO clean up and add getters/setters to some of this maybe
    private String _keyStoreLocation;
    private String _keyStoreType = "JKS";
    private String _keyStorePassword;
@ -111,13 +108,12 @@ public class HttpClient extends HttpBuffers implements Attributes
    private String _trustStoreType = "JKS";
    private String _trustStorePassword;
    private String _trustManagerAlgorithm = (Security.getProperty("ssl.TrustManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.TrustManagerFactory.algorithm"));
-
-    private SSLContext _sslContext;
-
    private String _protocol = "TLS";
    private String _provider;
    private String _secureRandomAlgorithm;

+    private SSLContext _sslContext;
+
    private RealmResolver _realmResolver;

    private AttributesMap _attributes=new AttributesMap();
@ -242,7 +238,7 @@ public class HttpClient extends HttpBuffers implements Attributes
    {
        _timeoutQ.schedule(task);
    }
-    
+
    public void schedule(Timeout.Task task, long timeout)
    {
        _timeoutQ.schedule(task, timeout);
@ -271,7 +267,7 @@ public class HttpClient extends HttpBuffers implements Attributes

    /* ------------------------------------------------------------ */
    /** Set a RealmResolver for client Authentication.
-     * If a realmResolver is set, then the HttpDestinations created by 
+     * If a realmResolver is set, then the HttpDestinations created by
     * this client will instantiate a {@link SecurityListener} so that
     * BASIC and DIGEST authentication can be performed.
     * @param resolver
@ -318,7 +314,7 @@ public class HttpClient extends HttpBuffers implements Attributes
        }
        _registeredListeners.add(listenerClass);
    }
-    
+
    /* ------------------------------------------------------------ */
    public LinkedList<String> getRegisteredListeners()
    {
@ -548,7 +544,6 @@ public class HttpClient extends HttpBuffers implements Attributes

    protected SSLContext getStrictSSLContext() throws IOException
    {
-
        try
        {
            if (_trustStoreLocation == null)
@ -557,45 +552,36 @@ public class HttpClient extends HttpBuffers implements Attributes
                _trustStoreType = _keyStoreType;
            }

-            KeyManager[] keyManagers = null;
-            InputStream keystoreInputStream = null;
-
-            keystoreInputStream = Resource.newResource(_keyStoreLocation).getInputStream();
+            InputStream keyStoreInputStream = Resource.newResource(_keyStoreLocation).getInputStream();
            KeyStore keyStore = KeyStore.getInstance(_keyStoreType);
-            keyStore.load(keystoreInputStream, _keyStorePassword == null ? null : _keyStorePassword.toString().toCharArray());
+            keyStore.load(keyStoreInputStream, _keyStorePassword == null ? null : _keyStorePassword.toCharArray());

            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(_keyManagerAlgorithm);
-            keyManagerFactory.init(keyStore, _keyManagerPassword == null ? null : _keyManagerPassword.toString().toCharArray());
-            keyManagers = keyManagerFactory.getKeyManagers();
+            keyManagerFactory.init(keyStore, _keyManagerPassword == null ? null : _keyManagerPassword.toCharArray());
+            KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

-            TrustManager[] trustManagers = null;
-            InputStream truststoreInputStream = null;
-
-            truststoreInputStream = Resource.newResource(_trustStoreLocation).getInputStream();
+            InputStream trustStoreInputStream = Resource.newResource(_trustStoreLocation).getInputStream();
            KeyStore trustStore = KeyStore.getInstance(_trustStoreType);
-            trustStore.load(truststoreInputStream, _trustStorePassword == null ? null : _trustStorePassword.toString().toCharArray());
+            trustStore.load(trustStoreInputStream, _trustStorePassword == null ? null : _trustStorePassword.toCharArray());

            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_trustManagerAlgorithm);
            trustManagerFactory.init(trustStore);
-            trustManagers = trustManagerFactory.getTrustManagers();
+            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

            SecureRandom secureRandom = _secureRandomAlgorithm == null ? null : SecureRandom.getInstance(_secureRandomAlgorithm);
            SSLContext context = _provider == null ? SSLContext.getInstance(_protocol) : SSLContext.getInstance(_protocol, _provider);
            context.init(keyManagers, trustManagers, secureRandom);
            return context;
        }
-        catch (Exception e)
+        catch (Exception x)
        {
-            e.printStackTrace();
-            throw new IOException("error generating ssl context for " + _keyStoreLocation + " " + e.getMessage());
+            throw (IOException)new IOException("Error generating SSLContext for keystore " + _keyStoreLocation).initCause(x);
        }
    }

    protected SSLContext getLooseSSLContext() throws IOException
    {
-
-        // Create a trust manager that does not validate certificate
-        // chains
+        // Create a trust manager that does not validate certificate chains
        TrustManager[] trustAllCerts = new TrustManager[]{new X509TrustManager()
        {
            public java.security.cert.X509Certificate[] getAcceptedIssuers()
@ -612,26 +598,16 @@ public class HttpClient extends HttpBuffers implements Attributes
            }
        }};

-        HostnameVerifier hostnameVerifier = new HostnameVerifier()
-        {
-            public boolean verify(String urlHostName, SSLSession session)
-            {
-                Log.warn("Warning: URL Host: " + urlHostName + " vs." + session.getPeerHost());
-                return true;
-            }
-        };
-
        // Install the all-trusting trust manager
        try
        {
-            // TODO real trust manager
-            SSLContext sslContext = SSLContext.getInstance("SSL");
-            sslContext.init(null, trustAllCerts, new java.security.SecureRandom());
+            SSLContext sslContext = SSLContext.getInstance(_protocol);
+            sslContext.init(null, trustAllCerts, null);
            return sslContext;
        }
-        catch (Exception e)
+        catch (Exception x)
        {
-            throw new IOException("issue ignoring certs");
+            throw (IOException)new IOException("Error generating loose SSLContext").initCause(x);
        }
    }

@ -814,28 +790,88 @@ public class HttpClient extends HttpBuffers implements Attributes
    {
        this._trustStorePassword = new Password(trustStorePassword).toString();
    }
-    
+
    /* ------------------------------------------------------------ */
    public String getKeyStoreType()
    {
        return this._keyStoreType;
    }
-    
+
    /* ------------------------------------------------------------ */
    public void setKeyStoreType(String keyStoreType)
    {
        this._keyStoreType = keyStoreType;
    }
-    
+
    /* ------------------------------------------------------------ */
    public String getTrustStoreType()
    {
        return this._trustStoreType;
    }
-    
+
    /* ------------------------------------------------------------ */
    public void setTrustStoreType(String trustStoreType)
    {
        this._trustStoreType = trustStoreType;
    }
+
+    /* ------------------------------------------------------------ */
+    public String getKeyManagerAlgorithm()
+    {
+        return _keyManagerAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    public void setKeyManagerAlgorithm(String keyManagerAlgorithm)
+    {
+        this._keyManagerAlgorithm = keyManagerAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    public String getTrustManagerAlgorithm()
+    {
+        return _trustManagerAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    public void setTrustManagerAlgorithm(String trustManagerAlgorithm)
+    {
+        this._trustManagerAlgorithm = trustManagerAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    public String getProtocol()
+    {
+        return _protocol;
+    }
+
+    /* ------------------------------------------------------------ */
+    public void setProtocol(String protocol)
+    {
+        this._protocol = protocol;
+    }
+
+    /* ------------------------------------------------------------ */
+    public String getProvider()
+    {
+        return _provider;
+    }
+
+    /* ------------------------------------------------------------ */
+    public void setProvider(String provider)
+    {
+        this._provider = provider;
+    }
+
+    /* ------------------------------------------------------------ */
+    public String getSecureRandomAlgorithm()
+    {
+        return _secureRandomAlgorithm;
+    }
+
+    /* ------------------------------------------------------------ */
+    public void setSecureRandomAlgorithm(String secureRandomAlgorithm)
+    {
+        this._secureRandomAlgorithm = secureRandomAlgorithm;
+    }
 }