Example #1
0
 /**
  * Create a new SSL context, configured from an option map and the given parameters.
  *
  * @param keyManagers the key managers to use, or {@code null} to configure from the option map
  * @param trustManagers the trust managers to use, or {@code null} to configure from the option
  *     map
  * @param secureRandom the secure RNG to use, or {@code null} to choose a system default
  * @param optionMap the SSL context options
  * @return a new context
  * @throws NoSuchProviderException if there is no matching provider
  * @throws NoSuchAlgorithmException if there is no matching algorithm
  * @throws KeyManagementException if the context initialization fails
  */
 public static SSLContext createSSLContext(
     KeyManager[] keyManagers,
     TrustManager[] trustManagers,
     SecureRandom secureRandom,
     OptionMap optionMap)
     throws NoSuchAlgorithmException, NoSuchProviderException, KeyManagementException {
   final String provider = optionMap.get(Options.SSL_PROVIDER);
   final String protocol = optionMap.get(Options.SSL_PROTOCOL);
   final SSLContext sslContext;
   if (protocol == null) {
     // Default context is initialized automatically
     return SSLContext.getDefault();
   } else if (provider == null) {
     sslContext = SSLContext.getInstance(protocol);
   } else {
     sslContext = SSLContext.getInstance(protocol, provider);
   }
   if (keyManagers == null) {
     final Sequence<Class<? extends KeyManager>> keyManagerClasses =
         optionMap.get(Options.SSL_JSSE_KEY_MANAGER_CLASSES);
     if (keyManagerClasses != null) {
       final int size = keyManagerClasses.size();
       keyManagers = new KeyManager[size];
       for (int i = 0; i < size; i++) {
         keyManagers[i] = instantiate(keyManagerClasses.get(i));
       }
     }
   }
   if (trustManagers == null) {
     final Sequence<Class<? extends TrustManager>> trustManagerClasses =
         optionMap.get(Options.SSL_JSSE_TRUST_MANAGER_CLASSES);
     if (trustManagerClasses != null) {
       final int size = trustManagerClasses.size();
       trustManagers = new TrustManager[size];
       for (int i = 0; i < size; i++) {
         trustManagers[i] = instantiate(trustManagerClasses.get(i));
       }
     }
   }
   sslContext.init(keyManagers, trustManagers, secureRandom);
   sslContext
       .getClientSessionContext()
       .setSessionCacheSize(optionMap.get(Options.SSL_CLIENT_SESSION_CACHE_SIZE, 0));
   sslContext
       .getClientSessionContext()
       .setSessionTimeout(optionMap.get(Options.SSL_CLIENT_SESSION_TIMEOUT, 0));
   sslContext
       .getServerSessionContext()
       .setSessionCacheSize(optionMap.get(Options.SSL_SERVER_SESSION_CACHE_SIZE, 0));
   sslContext
       .getServerSessionContext()
       .setSessionTimeout(optionMap.get(Options.SSL_SERVER_SESSION_TIMEOUT, 0));
   return sslContext;
 }
  public void testSessionTimeout() throws Exception {
    SSLContextParameters scp = new SSLContextParameters();
    scp.setSessionTimeout("60");

    SSLContext context = scp.createSSLContext();

    assertEquals(60, context.getClientSessionContext().getSessionTimeout());
    assertEquals(60, context.getServerSessionContext().getSessionTimeout());

    scp.setSessionTimeout("0");

    context = scp.createSSLContext();

    assertEquals(0, context.getClientSessionContext().getSessionTimeout());
    assertEquals(0, context.getServerSessionContext().getSessionTimeout());
  }
  public Socket connectSocket(
      final int connectTimeout,
      final Socket socket,
      final HttpHost host,
      final InetSocketAddress remoteAddress,
      final InetSocketAddress localAddress,
      final HttpContext context)
      throws IOException {
    if (LOG.isDebugEnabled()) {
      LOG.debug("connecting to " + remoteAddress.getAddress() + ":" + remoteAddress.getPort());
    }
    Socket connectedSocket;
    try {
      connectedSocket =
          super.connectSocket(connectTimeout, socket, host, remoteAddress, localAddress, context);
      if (!masterSecretValidator.isMasterSecretValid(connectedSocket)) {
        throw log(new IllegalStateException("Invalid SSL master secret"));
      }
    } catch (final SSLException sslEx) {
      if (shouldClearSslSessionsPredicate.test(sslEx)) {
        // clear any related sessions from our cache
        if (LOG.isDebugEnabled()) {
          LOG.debug("connection failed due to SSL error, clearing TLS session cache", sslEx);
        }
        clearSessionCache(sslContext.getClientSessionContext(), remoteAddress);
      }
      throw sslEx;
    }

    if (connectedSocket instanceof SSLSocket) {
      SdkSSLSocket sslSocket = new SdkSSLSocket((SSLSocket) connectedSocket);
      return AwsSdkMetrics.isHttpSocketReadMetricEnabled()
          ? new SdkSSLMetricsSocket(sslSocket)
          : sslSocket;
    }
    SdkSocket sdkSocket = new SdkSocket(connectedSocket);
    return AwsSdkMetrics.isHttpSocketReadMetricEnabled()
        ? new SdkMetricsSocket(sdkSocket)
        : sdkSocket;
  }
  public SSLContext newInstance() throws Exception {
    KeyManagerFactory kmf = this.keyManagerFactory;
    TrustManagerFactory tmf = this.trustManagerFactory;

    if (kmf == null) {
      String algorithm = keyManagerFactoryAlgorithm;
      if (algorithm == null && keyManagerFactoryAlgorithmUseDefault) {
        algorithm = KeyManagerFactory.getDefaultAlgorithm();
      }
      if (algorithm != null) {
        if (keyManagerFactoryProvider == null) {
          kmf = KeyManagerFactory.getInstance(algorithm);
        } else {
          kmf = KeyManagerFactory.getInstance(algorithm, keyManagerFactoryProvider);
        }
      }
    }

    if (tmf == null) {
      String algorithm = trustManagerFactoryAlgorithm;
      if (algorithm == null && trustManagerFactoryAlgorithmUseDefault) {
        algorithm = TrustManagerFactory.getDefaultAlgorithm();
      }
      if (algorithm != null) {
        if (trustManagerFactoryProvider == null) {
          tmf = TrustManagerFactory.getInstance(algorithm);
        } else {
          tmf = TrustManagerFactory.getInstance(algorithm, trustManagerFactoryProvider);
        }
      }
    }

    KeyManager[] keyManagers = null;
    if (kmf != null) {
      kmf.init(keyManagerFactoryKeyStore, keyManagerFactoryKeyStorePassword);
      keyManagers = kmf.getKeyManagers();
    }
    TrustManager[] trustManagers = null;
    if (tmf != null) {
      if (trustManagerFactoryParameters != null) {
        tmf.init(trustManagerFactoryParameters);
      } else {
        tmf.init(trustManagerFactoryKeyStore);
      }
      trustManagers = tmf.getTrustManagers();
    }

    SSLContext context = null;
    if (provider == null) {
      context = SSLContext.getInstance(protocol);
    } else {
      context = SSLContext.getInstance(protocol, provider);
    }

    context.init(keyManagers, trustManagers, secureRandom);

    if (clientSessionCacheSize >= 0) {
      context.getClientSessionContext().setSessionCacheSize(clientSessionCacheSize);
    }

    if (clientSessionTimeout >= 0) {
      context.getClientSessionContext().setSessionTimeout(clientSessionTimeout);
    }

    if (serverSessionCacheSize >= 0) {
      context.getServerSessionContext().setSessionCacheSize(serverSessionCacheSize);
    }

    if (serverSessionTimeout >= 0) {
      context.getServerSessionContext().setSessionTimeout(serverSessionTimeout);
    }

    return context;
  }
  public void testClientParameters() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    SSLContextParameters scp = new SSLContextParameters();
    SSLContextClientParameters sccp = new SSLContextClientParameters();

    scp.setClientParameters(sccp);
    SSLContext context = scp.createSSLContext();

    SSLEngine engine = context.createSSLEngine();
    SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // No csp or filter on client params passes through shared config
    scp.setCipherSuites(new CipherSuitesParameters());
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, socket.getEnabledCipherSuites().length);

    // Csp on client params
    scp.setCipherSuites(null);
    CipherSuitesParameters csp = new CipherSuitesParameters();
    sccp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Cipher suites filter on client params
    FilterParameters filter = new FilterParameters();
    filter.getExclude().add(".*");
    sccp.setCipherSuites(null);
    sccp.setCipherSuitesFilter(filter);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Csp on client overrides cipher suites filter on client
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    sccp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));

    // Sspp on client params
    SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
    sccp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Secure socket protocols filter on client params
    filter = new FilterParameters();
    filter.getExclude().add(".*");
    sccp.setSecureSocketProtocols(null);
    sccp.setSecureSocketProtocolsFilter(filter);
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Sspp on client params overrides  secure socket protocols filter on client
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    sccp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertEquals(0, socket.getEnabledProtocols().length);
    checkProtocols(controlServerSocket.getEnabledProtocols(), serverSocket.getEnabledProtocols());

    // Client session timeout only affects client session configuration
    sccp.setSessionTimeout("12345");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(
        controlContext.getServerSessionContext().getSessionTimeout(),
        context.getServerSessionContext().getSessionTimeout());
    assertEquals(12345, context.getClientSessionContext().getSessionTimeout());
  }