Example #1
0
  protected void addSslContextParametersToRegistry(JndiRegistry registry) {
    KeyStoreParameters ksp = new KeyStoreParameters();
    ksp.setResource(this.getClass().getClassLoader().getResource("jsse/localhost.ks").toString());
    ksp.setPassword(KEY_STORE_PASSWORD);

    KeyManagersParameters kmp = new KeyManagersParameters();
    kmp.setKeyPassword(KEY_STORE_PASSWORD);
    kmp.setKeyStore(ksp);

    TrustManagersParameters tmp = new TrustManagersParameters();
    tmp.setKeyStore(ksp);

    // NOTE: Needed since the client uses a loose trust configuration when no ssl context
    // is provided.  We turn on WANT client-auth to prefer using authentication
    SSLContextServerParameters scsp = new SSLContextServerParameters();
    scsp.setClientAuthentication(ClientAuthentication.WANT.name());

    SSLContextParameters sslContextParameters = new SSLContextParameters();
    sslContextParameters.setKeyManagers(kmp);
    sslContextParameters.setTrustManagers(tmp);
    sslContextParameters.setServerParameters(scsp);
    // use SSLv3 to avoid issue with (eg disable TLS)
    // Caused by: javax.net.ssl.SSLException: bad record MAC
    sslContextParameters.setSecureSocketProtocol("SSLv3");

    registry.bind("sslContextParameters", sslContextParameters);
  }
  public void testPropertyPlaceholders() throws Exception {

    CamelContext camelContext = this.createPropertiesPlaceholderAwareContext();

    KeyStoreParameters ksp = new KeyStoreParameters();
    ksp.setCamelContext(camelContext);

    ksp.setType("{{keyStoreParameters.type}}");
    ksp.setProvider("{{keyStoreParameters.provider}}");
    ksp.setResource("{{keyStoreParameters.resource}}");
    ksp.setPassword("{{keyStoreParamerers.password}}");

    KeyManagersParameters kmp = new KeyManagersParameters();
    kmp.setCamelContext(camelContext);
    kmp.setKeyStore(ksp);

    kmp.setKeyPassword("{{keyManagersParameters.keyPassword}}");
    kmp.setAlgorithm("{{keyManagersParameters.algorithm}}");
    kmp.setProvider("{{keyManagersParameters.provider}}");

    TrustManagersParameters tmp = new TrustManagersParameters();
    tmp.setCamelContext(camelContext);
    tmp.setKeyStore(ksp);

    tmp.setAlgorithm("{{trustManagersParameters.algorithm}}");
    tmp.setProvider("{{trustManagersParameters.provider}}");

    CipherSuitesParameters csp = new CipherSuitesParameters();
    csp.getCipherSuite().add("{{cipherSuite.0}}");

    SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
    sspp.getSecureSocketProtocol().add("{{secureSocketProtocol.0}}");

    SSLContextServerParameters scsp = new SSLContextServerParameters();
    scsp.setCamelContext(camelContext);
    scsp.setClientAuthentication("{{sslContextServerParameters.clientAuthentication}}");

    SSLContextParameters scp = new SSLContextParameters();
    scp.setCamelContext(camelContext);
    scp.setKeyManagers(kmp);
    scp.setTrustManagers(tmp);
    scp.setServerParameters(scsp);

    scp.setProvider("{{sslContextParameters.provider}}");
    scp.setSecureSocketProtocol("{{sslContextParameters.protocol}}");
    scp.setSessionTimeout("{{sslContextParameters.sessionTimeout}}");

    scp.setCipherSuites(csp);
    scp.setSecureSocketProtocols(sspp);

    SSLContext context = scp.createSSLContext();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
    assertTrue(serverSocket.getNeedClientAuth());
    context.getSocketFactory().createSocket();
    context.createSSLEngine();
  }
  public void testServerParametersClientAuthentication() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    SSLContextParameters scp = new SSLContextParameters();
    SSLContextServerParameters scsp = new SSLContextServerParameters();

    scp.setServerParameters(scsp);
    SSLContext context = scp.createSSLContext();

    SSLEngine engine = context.createSSLEngine();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(controlServerSocket.getWantClientAuth(), serverSocket.getWantClientAuth());
    assertEquals(controlServerSocket.getNeedClientAuth(), serverSocket.getNeedClientAuth());
    assertEquals(controlEngine.getWantClientAuth(), engine.getWantClientAuth());
    assertEquals(controlEngine.getNeedClientAuth(), engine.getNeedClientAuth());

    // ClientAuthentication - NONE
    scsp.setClientAuthentication(ClientAuthentication.NONE.name());
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(false, serverSocket.getWantClientAuth());
    assertEquals(false, serverSocket.getNeedClientAuth());
    assertEquals(false, engine.getWantClientAuth());
    assertEquals(false, engine.getNeedClientAuth());

    // ClientAuthentication - WANT
    scsp.setClientAuthentication(ClientAuthentication.WANT.name());
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(true, serverSocket.getWantClientAuth());
    assertEquals(false, serverSocket.getNeedClientAuth());
    assertEquals(true, engine.getWantClientAuth());
    assertEquals(false, engine.getNeedClientAuth());

    // ClientAuthentication - REQUIRE
    scsp.setClientAuthentication(ClientAuthentication.REQUIRE.name());
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(false, serverSocket.getWantClientAuth());
    assertEquals(true, serverSocket.getNeedClientAuth());
    assertEquals(false, engine.getWantClientAuth());
    assertEquals(true, engine.getNeedClientAuth());
  }
  public void testServerParameters() throws Exception {
    SSLContext controlContext = SSLContext.getInstance("TLS");
    controlContext.init(null, null, null);
    SSLEngine controlEngine = controlContext.createSSLEngine();
    SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
    SSLServerSocket controlServerSocket =
        (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();

    SSLContextParameters scp = new SSLContextParameters();
    SSLContextServerParameters scsp = new SSLContextServerParameters();

    scp.setServerParameters(scsp);
    SSLContext context = scp.createSSLContext();

    SSLEngine engine = context.createSSLEngine();
    SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
    SSLServerSocket serverSocket =
        (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(
            this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
            serverSocket.getEnabledCipherSuites()));
    assertEquals(controlServerSocket.getWantClientAuth(), serverSocket.getWantClientAuth());
    assertEquals(controlServerSocket.getNeedClientAuth(), serverSocket.getNeedClientAuth());

    // No csp or filter on server params passes through shared config
    scp.setCipherSuites(new CipherSuitesParameters());
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(0, engine.getEnabledCipherSuites().length);
    assertEquals(0, socket.getEnabledCipherSuites().length);
    assertEquals(0, serverSocket.getEnabledCipherSuites().length);

    // Csp on server params
    scp.setCipherSuites(null);
    CipherSuitesParameters csp = new CipherSuitesParameters();
    scsp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertEquals(0, serverSocket.getEnabledCipherSuites().length);

    // Cipher suites filter on server params
    FilterParameters filter = new FilterParameters();
    filter.getExclude().add(".*");
    scsp.setCipherSuites(null);
    scsp.setCipherSuitesFilter(filter);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertEquals(0, serverSocket.getEnabledCipherSuites().length);

    // Csp on server overrides cipher suites filter on server
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    scsp.setCipherSuites(csp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(
        Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
    assertTrue(
        Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
    assertEquals(0, serverSocket.getEnabledCipherSuites().length);

    // Sspp on server params
    SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
    scsp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
    assertEquals(0, serverSocket.getEnabledProtocols().length);

    // Secure socket protocols filter on client params
    filter = new FilterParameters();
    filter.getExclude().add(".*");
    scsp.setSecureSocketProtocols(null);
    scsp.setSecureSocketProtocolsFilter(filter);
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
    assertEquals(0, serverSocket.getEnabledProtocols().length);

    // Sspp on client params overrides  secure socket protocols filter on client
    filter.getInclude().add(".*");
    filter.getExclude().clear();
    scsp.setSecureSocketProtocols(sspp);
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
    assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
    assertEquals(0, serverSocket.getEnabledProtocols().length);

    // Server session timeout only affects server session configuration
    scsp.setSessionTimeout("12345");
    context = scp.createSSLContext();
    engine = context.createSSLEngine();
    socket = (SSLSocket) context.getSocketFactory().createSocket();
    serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();

    assertEquals(
        controlContext.getClientSessionContext().getSessionTimeout(),
        context.getClientSessionContext().getSessionTimeout());
    assertEquals(12345, context.getServerSessionContext().getSessionTimeout());
  }