/**
* Create a new SSL context, configured from an option map and the given parameters.
*
* @param keyManagers the key managers to use, or {@code null} to configure from the option map
* @param trustManagers the trust managers to use, or {@code null} to configure from the option
* map
* @param secureRandom the secure RNG to use, or {@code null} to choose a system default
* @param optionMap the SSL context options
* @return a new context
* @throws NoSuchProviderException if there is no matching provider
* @throws NoSuchAlgorithmException if there is no matching algorithm
* @throws KeyManagementException if the context initialization fails
*/
public static SSLContext createSSLContext(
KeyManager[] keyManagers,
TrustManager[] trustManagers,
SecureRandom secureRandom,
OptionMap optionMap)
throws NoSuchAlgorithmException, NoSuchProviderException, KeyManagementException {
final String provider = optionMap.get(Options.SSL_PROVIDER);
final String protocol = optionMap.get(Options.SSL_PROTOCOL);
final SSLContext sslContext;
if (protocol == null) {
// Default context is initialized automatically
return SSLContext.getDefault();
} else if (provider == null) {
sslContext = SSLContext.getInstance(protocol);
} else {
sslContext = SSLContext.getInstance(protocol, provider);
}
if (keyManagers == null) {
final Sequence<Class<? extends KeyManager>> keyManagerClasses =
optionMap.get(Options.SSL_JSSE_KEY_MANAGER_CLASSES);
if (keyManagerClasses != null) {
final int size = keyManagerClasses.size();
keyManagers = new KeyManager[size];
for (int i = 0; i < size; i++) {
keyManagers[i] = instantiate(keyManagerClasses.get(i));
}
}
}
if (trustManagers == null) {
final Sequence<Class<? extends TrustManager>> trustManagerClasses =
optionMap.get(Options.SSL_JSSE_TRUST_MANAGER_CLASSES);
if (trustManagerClasses != null) {
final int size = trustManagerClasses.size();
trustManagers = new TrustManager[size];
for (int i = 0; i < size; i++) {
trustManagers[i] = instantiate(trustManagerClasses.get(i));
}
}
}
sslContext.init(keyManagers, trustManagers, secureRandom);
sslContext
.getClientSessionContext()
.setSessionCacheSize(optionMap.get(Options.SSL_CLIENT_SESSION_CACHE_SIZE, 0));
sslContext
.getClientSessionContext()
.setSessionTimeout(optionMap.get(Options.SSL_CLIENT_SESSION_TIMEOUT, 0));
sslContext
.getServerSessionContext()
.setSessionCacheSize(optionMap.get(Options.SSL_SERVER_SESSION_CACHE_SIZE, 0));
sslContext
.getServerSessionContext()
.setSessionTimeout(optionMap.get(Options.SSL_SERVER_SESSION_TIMEOUT, 0));
return sslContext;
}
public void testSessionTimeout() throws Exception {
SSLContextParameters scp = new SSLContextParameters();
scp.setSessionTimeout("60");
SSLContext context = scp.createSSLContext();
assertEquals(60, context.getClientSessionContext().getSessionTimeout());
assertEquals(60, context.getServerSessionContext().getSessionTimeout());
scp.setSessionTimeout("0");
context = scp.createSSLContext();
assertEquals(0, context.getClientSessionContext().getSessionTimeout());
assertEquals(0, context.getServerSessionContext().getSessionTimeout());
}
public Socket connectSocket(
final int connectTimeout,
final Socket socket,
final HttpHost host,
final InetSocketAddress remoteAddress,
final InetSocketAddress localAddress,
final HttpContext context)
throws IOException {
if (LOG.isDebugEnabled()) {
LOG.debug("connecting to " + remoteAddress.getAddress() + ":" + remoteAddress.getPort());
}
Socket connectedSocket;
try {
connectedSocket =
super.connectSocket(connectTimeout, socket, host, remoteAddress, localAddress, context);
if (!masterSecretValidator.isMasterSecretValid(connectedSocket)) {
throw log(new IllegalStateException("Invalid SSL master secret"));
}
} catch (final SSLException sslEx) {
if (shouldClearSslSessionsPredicate.test(sslEx)) {
// clear any related sessions from our cache
if (LOG.isDebugEnabled()) {
LOG.debug("connection failed due to SSL error, clearing TLS session cache", sslEx);
}
clearSessionCache(sslContext.getClientSessionContext(), remoteAddress);
}
throw sslEx;
}
if (connectedSocket instanceof SSLSocket) {
SdkSSLSocket sslSocket = new SdkSSLSocket((SSLSocket) connectedSocket);
return AwsSdkMetrics.isHttpSocketReadMetricEnabled()
? new SdkSSLMetricsSocket(sslSocket)
: sslSocket;
}
SdkSocket sdkSocket = new SdkSocket(connectedSocket);
return AwsSdkMetrics.isHttpSocketReadMetricEnabled()
? new SdkMetricsSocket(sdkSocket)
: sdkSocket;
}
public SSLContext newInstance() throws Exception {
KeyManagerFactory kmf = this.keyManagerFactory;
TrustManagerFactory tmf = this.trustManagerFactory;
if (kmf == null) {
String algorithm = keyManagerFactoryAlgorithm;
if (algorithm == null && keyManagerFactoryAlgorithmUseDefault) {
algorithm = KeyManagerFactory.getDefaultAlgorithm();
}
if (algorithm != null) {
if (keyManagerFactoryProvider == null) {
kmf = KeyManagerFactory.getInstance(algorithm);
} else {
kmf = KeyManagerFactory.getInstance(algorithm, keyManagerFactoryProvider);
}
}
}
if (tmf == null) {
String algorithm = trustManagerFactoryAlgorithm;
if (algorithm == null && trustManagerFactoryAlgorithmUseDefault) {
algorithm = TrustManagerFactory.getDefaultAlgorithm();
}
if (algorithm != null) {
if (trustManagerFactoryProvider == null) {
tmf = TrustManagerFactory.getInstance(algorithm);
} else {
tmf = TrustManagerFactory.getInstance(algorithm, trustManagerFactoryProvider);
}
}
}
KeyManager[] keyManagers = null;
if (kmf != null) {
kmf.init(keyManagerFactoryKeyStore, keyManagerFactoryKeyStorePassword);
keyManagers = kmf.getKeyManagers();
}
TrustManager[] trustManagers = null;
if (tmf != null) {
if (trustManagerFactoryParameters != null) {
tmf.init(trustManagerFactoryParameters);
} else {
tmf.init(trustManagerFactoryKeyStore);
}
trustManagers = tmf.getTrustManagers();
}
SSLContext context = null;
if (provider == null) {
context = SSLContext.getInstance(protocol);
} else {
context = SSLContext.getInstance(protocol, provider);
}
context.init(keyManagers, trustManagers, secureRandom);
if (clientSessionCacheSize >= 0) {
context.getClientSessionContext().setSessionCacheSize(clientSessionCacheSize);
}
if (clientSessionTimeout >= 0) {
context.getClientSessionContext().setSessionTimeout(clientSessionTimeout);
}
if (serverSessionCacheSize >= 0) {
context.getServerSessionContext().setSessionCacheSize(serverSessionCacheSize);
}
if (serverSessionTimeout >= 0) {
context.getServerSessionContext().setSessionTimeout(serverSessionTimeout);
}
return context;
}
public void testClientParameters() throws Exception {
SSLContext controlContext = SSLContext.getInstance("TLS");
controlContext.init(null, null, null);
SSLEngine controlEngine = controlContext.createSSLEngine();
SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
SSLServerSocket controlServerSocket =
(SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();
SSLContextParameters scp = new SSLContextParameters();
SSLContextClientParameters sccp = new SSLContextClientParameters();
scp.setClientParameters(sccp);
SSLContext context = scp.createSSLContext();
SSLEngine engine = context.createSSLEngine();
SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
SSLServerSocket serverSocket =
(SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertTrue(
Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
assertTrue(
Arrays.equals(
this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
serverSocket.getEnabledCipherSuites()));
// No csp or filter on client params passes through shared config
scp.setCipherSuites(new CipherSuitesParameters());
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(0, socket.getEnabledCipherSuites().length);
// Csp on client params
scp.setCipherSuites(null);
CipherSuitesParameters csp = new CipherSuitesParameters();
sccp.setCipherSuites(csp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertEquals(0, socket.getEnabledCipherSuites().length);
assertTrue(
Arrays.equals(
this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
serverSocket.getEnabledCipherSuites()));
// Cipher suites filter on client params
FilterParameters filter = new FilterParameters();
filter.getExclude().add(".*");
sccp.setCipherSuites(null);
sccp.setCipherSuitesFilter(filter);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertEquals(0, socket.getEnabledCipherSuites().length);
assertTrue(
Arrays.equals(
this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
serverSocket.getEnabledCipherSuites()));
// Csp on client overrides cipher suites filter on client
filter.getInclude().add(".*");
filter.getExclude().clear();
sccp.setCipherSuites(csp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertEquals(0, socket.getEnabledCipherSuites().length);
assertTrue(
Arrays.equals(
this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
serverSocket.getEnabledCipherSuites()));
// Sspp on client params
SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
sccp.setSecureSocketProtocols(sspp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
assertEquals(0, socket.getEnabledProtocols().length);
checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
// Secure socket protocols filter on client params
filter = new FilterParameters();
filter.getExclude().add(".*");
sccp.setSecureSocketProtocols(null);
sccp.setSecureSocketProtocolsFilter(filter);
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
assertEquals(0, socket.getEnabledProtocols().length);
checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
// Sspp on client params overrides secure socket protocols filter on client
filter.getInclude().add(".*");
filter.getExclude().clear();
sccp.setSecureSocketProtocols(sspp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
assertEquals(0, socket.getEnabledProtocols().length);
checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());
// Client session timeout only affects client session configuration
sccp.setSessionTimeout("12345");
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(
controlContext.getServerSessionContext().getSessionTimeout(),
context.getServerSessionContext().getSessionTimeout());
assertEquals(12345, context.getClientSessionContext().getSessionTimeout());
}
