Beispiel #1
0
 /**
  * Create a new SSL context, configured from an option map and the given parameters.
  *
  * @param keyManagers the key managers to use, or {@code null} to configure from the option map
  * @param trustManagers the trust managers to use, or {@code null} to configure from the option
  *     map
  * @param secureRandom the secure RNG to use, or {@code null} to choose a system default
  * @param optionMap the SSL context options
  * @return a new context
  * @throws NoSuchProviderException if there is no matching provider
  * @throws NoSuchAlgorithmException if there is no matching algorithm
  * @throws KeyManagementException if the context initialization fails
  */
 public static SSLContext createSSLContext(
     KeyManager[] keyManagers,
     TrustManager[] trustManagers,
     SecureRandom secureRandom,
     OptionMap optionMap)
     throws NoSuchAlgorithmException, NoSuchProviderException, KeyManagementException {
   final String provider = optionMap.get(Options.SSL_PROVIDER);
   final String protocol = optionMap.get(Options.SSL_PROTOCOL);
   final SSLContext sslContext;
   if (protocol == null) {
     // Default context is initialized automatically
     return SSLContext.getDefault();
   } else if (provider == null) {
     sslContext = SSLContext.getInstance(protocol);
   } else {
     sslContext = SSLContext.getInstance(protocol, provider);
   }
   if (keyManagers == null) {
     final Sequence<Class<? extends KeyManager>> keyManagerClasses =
         optionMap.get(Options.SSL_JSSE_KEY_MANAGER_CLASSES);
     if (keyManagerClasses != null) {
       final int size = keyManagerClasses.size();
       keyManagers = new KeyManager[size];
       for (int i = 0; i < size; i++) {
         keyManagers[i] = instantiate(keyManagerClasses.get(i));
       }
     }
   }
   if (trustManagers == null) {
     final Sequence<Class<? extends TrustManager>> trustManagerClasses =
         optionMap.get(Options.SSL_JSSE_TRUST_MANAGER_CLASSES);
     if (trustManagerClasses != null) {
       final int size = trustManagerClasses.size();
       trustManagers = new TrustManager[size];
       for (int i = 0; i < size; i++) {
         trustManagers[i] = instantiate(trustManagerClasses.get(i));
       }
     }
   }
   sslContext.init(keyManagers, trustManagers, secureRandom);
   sslContext
       .getClientSessionContext()
       .setSessionCacheSize(optionMap.get(Options.SSL_CLIENT_SESSION_CACHE_SIZE, 0));
   sslContext
       .getClientSessionContext()
       .setSessionTimeout(optionMap.get(Options.SSL_CLIENT_SESSION_TIMEOUT, 0));
   sslContext
       .getServerSessionContext()
       .setSessionCacheSize(optionMap.get(Options.SSL_SERVER_SESSION_CACHE_SIZE, 0));
   sslContext
       .getServerSessionContext()
       .setSessionTimeout(optionMap.get(Options.SSL_SERVER_SESSION_TIMEOUT, 0));
   return sslContext;
 }
  public void testSessionTimeout() throws Exception {
    SSLContextParameters scp = new SSLContextParameters();
    scp.setSessionTimeout("60");

    SSLContext context = scp.createSSLContext();

    assertEquals(60, context.getClientSessionContext().getSessionTimeout());
    assertEquals(60, context.getServerSessionContext().getSessionTimeout());

    scp.setSessionTimeout("0");

    context = scp.createSSLContext();

    assertEquals(0, context.getClientSessionContext().getSessionTimeout());
    assertEquals(0, context.getServerSessionContext().getSessionTimeout());
  }
 @Override
 protected void configureSSLContext(SSLContext context) throws GeneralSecurityException {
   LOG.debug("Configuring server-side SSLContext parameters...");
   if (this.getSessionTimeout() != null) {
     LOG.debug("Configuring server-side SSLContext session timeout: " + this.getSessionTimeout());
     this.configureSessionContext(context.getServerSessionContext(), this.getSessionTimeout());
   }
   LOG.debug("Configured server-side SSLContext parameters.");
 }
Beispiel #4
0
 private static void trustAllHttpsCertificates() throws Exception {
   javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
   javax.net.ssl.TrustManager tm = new TrustAllTrustManager();
   trustAllCerts[0] = tm;
   javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");
   javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext();
   sslsc.setSessionTimeout(0);
   sc.init(null, trustAllCerts, null);
   javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
 }
Beispiel #5
0
  /**
   * Trust all certificates - must modify for production mode
   *
   * @throws Exception
   */
  public static void trustAllHttpsCertificates() throws Exception {
    // Create the TrustManager
    javax.net.ssl.TrustManager[] trustAllCerts = new javax.net.ssl.TrustManager[1];
    javax.net.ssl.TrustManager tm = new TrustAllManager();
    trustAllCerts[0] = tm;

    // Create the SSL context
    javax.net.ssl.SSLContext sc = javax.net.ssl.SSLContext.getInstance("SSL");

    // create the session context
    javax.net.ssl.SSLSessionContext sslsc = sc.getServerSessionContext();

    // Initialize the contexts; the session context takes the trust nanager
    sslsc.setSessionTimeout(0);
    sc.init(null, trustAllCerts, null);
    // use the default socket factory to create teh socket for teh secure connection
    javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    // set the default host name verifier to enable the connection

  }
  /** Reads the keystore and initializes the SSL socket factory. */
  void init() throws IOException {
    try {

      String clientAuthStr = endpoint.getClientAuth();
      if ("true".equalsIgnoreCase(clientAuthStr) || "yes".equalsIgnoreCase(clientAuthStr)) {
        requireClientAuth = true;
      } else if ("want".equalsIgnoreCase(clientAuthStr)) {
        wantClientAuth = true;
      }

      SSLContext context = createSSLContext();
      context.init(getKeyManagers(), getTrustManagers(), null);

      // Configure SSL session cache
      SSLSessionContext sessionContext = context.getServerSessionContext();
      if (sessionContext != null) {
        configureSessionContext(sessionContext);
      }

      // create proxy
      sslProxy = context.getServerSocketFactory();

      // Determine which cipher suites to enable
      enabledCiphers = getEnableableCiphers(context);
      enabledProtocols = getEnableableProtocols(context);

      allowUnsafeLegacyRenegotiation = "true".equals(endpoint.getAllowUnsafeLegacyRenegotiation());

      // Check the SSL config is OK
      checkConfig();

    } catch (Exception e) {
      if (e instanceof IOException) throw (IOException) e;
      throw new IOException(e.getMessage(), e);
    }
  }
  public SSLContext newInstance() throws Exception {
    KeyManagerFactory kmf = this.keyManagerFactory;
    TrustManagerFactory tmf = this.trustManagerFactory;

    if (kmf == null) {
      String algorithm = keyManagerFactoryAlgorithm;
      if (algorithm == null && keyManagerFactoryAlgorithmUseDefault) {
        algorithm = KeyManagerFactory.getDefaultAlgorithm();
      }
      if (algorithm != null) {
        if (keyManagerFactoryProvider == null) {
          kmf = KeyManagerFactory.getInstance(algorithm);
        } else {
          kmf = KeyManagerFactory.getInstance(algorithm, keyManagerFactoryProvider);
        }
      }
    }

    if (tmf == null) {
      String algorithm = trustManagerFactoryAlgorithm;
      if (algorithm == null && trustManagerFactoryAlgorithmUseDefault) {
        algorithm = TrustManagerFactory.getDefaultAlgorithm();
      }
      if (algorithm != null) {
        if (trustManagerFactoryProvider == null) {
          tmf = TrustManagerFactory.getInstance(algorithm);
        } else {
          tmf = TrustManagerFactory.getInstance(algorithm, trustManagerFactoryProvider);
        }
      }
    }

    KeyManager[] keyManagers = null;
    if (kmf != null) {
      kmf.init(keyManagerFactoryKeyStore, keyManagerFactoryKeyStorePassword);
      keyManagers = kmf.getKeyManagers();
    }
    TrustManager[] trustManagers = null;
    if (tmf != null) {
      if (trustManagerFactoryParameters != null) {
        tmf.init(trustManagerFactoryParameters);
      } else {
        tmf.init(trustManagerFactoryKeyStore);
      }
      trustManagers = tmf.getTrustManagers();
    }

    SSLContext context = null;
    if (provider == null) {
      context = SSLContext.getInstance(protocol);
    } else {
      context = SSLContext.getInstance(protocol, provider);
    }

    context.init(keyManagers, trustManagers, secureRandom);

    if (clientSessionCacheSize >= 0) {
      context.getClientSessionContext().setSessionCacheSize(clientSessionCacheSize);
    }

    if (clientSessionTimeout >= 0) {
      context.getClientSessionContext().setSessionTimeout(clientSessionTimeout);
    }

    if (serverSessionCacheSize >= 0) {
      context.getServerSessionContext().setSessionCacheSize(serverSessionCacheSize);
    }

    if (serverSessionTimeout >= 0) {
      context.getServerSessionContext().setSessionTimeout(serverSessionTimeout);
    }

    return context;
  }
  public void testClientParameters() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    SSLContextParameters scp = new SSLContextParameters();
    SSLContextClientParameters sccp = new SSLContextClientParameters();

    scp.setClientParameters(sccp);
    SSLContext context = scp.createSSLContext();

    SSLEngine engine = context.createSSLEngine();
    SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // No csp or filter on client params passes through shared config
    scp.setCipherSuites(new CipherSuitesParameters());
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, socket.getEnabledCipherSuites().length);

    // Csp on client params
    scp.setCipherSuites(null);
    CipherSuitesParameters csp = new CipherSuitesParameters();
    sccp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Cipher suites filter on client params
    FilterParameters filter = new FilterParameters();
    filter.getExclude().add(".*");
    sccp.setCipherSuites(null);
    sccp.setCipherSuitesFilter(filter);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Csp on client overrides cipher suites filter on client
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    sccp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Sspp on client params
    SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
    sccp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Secure socket protocols filter on client params
    filter = new FilterParameters();
    filter.getExclude().add(".*");
    sccp.setSecureSocketProtocols(null);
    sccp.setSecureSocketProtocolsFilter(filter);
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Sspp on client params overrides  secure socket protocols filter on client
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    sccp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Client session timeout only affects client session configuration
    sccp.setSessionTimeout("12345");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(
        controlContext.getServerSessionContext().getSessionTimeout(),
        context.getServerSessionContext().getSessionTimeout());
    assertEquals(12345, context.getClientSessionContext().getSessionTimeout());
  }