protected void addSslContextParametersToRegistry(JndiRegistry registry) {
KeyStoreParameters ksp = new KeyStoreParameters();
ksp.setResource(this.getClass().getClassLoader().getResource("jsse/localhost.ks").toString());
ksp.setPassword(KEY_STORE_PASSWORD);
KeyManagersParameters kmp = new KeyManagersParameters();
kmp.setKeyPassword(KEY_STORE_PASSWORD);
kmp.setKeyStore(ksp);
TrustManagersParameters tmp = new TrustManagersParameters();
tmp.setKeyStore(ksp);
// NOTE: Needed since the client uses a loose trust configuration when no ssl context
// is provided. We turn on WANT client-auth to prefer using authentication
SSLContextServerParameters scsp = new SSLContextServerParameters();
scsp.setClientAuthentication(ClientAuthentication.WANT.name());
SSLContextParameters sslContextParameters = new SSLContextParameters();
sslContextParameters.setKeyManagers(kmp);
sslContextParameters.setTrustManagers(tmp);
sslContextParameters.setServerParameters(scsp);
// use SSLv3 to avoid issue with (eg disable TLS)
// Caused by: javax.net.ssl.SSLException: bad record MAC
sslContextParameters.setSecureSocketProtocol("SSLv3");
registry.bind("sslContextParameters", sslContextParameters);
}
public void testPropertyPlaceholders() throws Exception {
CamelContext camelContext = this.createPropertiesPlaceholderAwareContext();
KeyStoreParameters ksp = new KeyStoreParameters();
ksp.setCamelContext(camelContext);
ksp.setType("{{keyStoreParameters.type}}");
ksp.setProvider("{{keyStoreParameters.provider}}");
ksp.setResource("{{keyStoreParameters.resource}}");
ksp.setPassword("{{keyStoreParamerers.password}}");
KeyManagersParameters kmp = new KeyManagersParameters();
kmp.setCamelContext(camelContext);
kmp.setKeyStore(ksp);
kmp.setKeyPassword("{{keyManagersParameters.keyPassword}}");
kmp.setAlgorithm("{{keyManagersParameters.algorithm}}");
kmp.setProvider("{{keyManagersParameters.provider}}");
TrustManagersParameters tmp = new TrustManagersParameters();
tmp.setCamelContext(camelContext);
tmp.setKeyStore(ksp);
tmp.setAlgorithm("{{trustManagersParameters.algorithm}}");
tmp.setProvider("{{trustManagersParameters.provider}}");
CipherSuitesParameters csp = new CipherSuitesParameters();
csp.getCipherSuite().add("{{cipherSuite.0}}");
SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
sspp.getSecureSocketProtocol().add("{{secureSocketProtocol.0}}");
SSLContextServerParameters scsp = new SSLContextServerParameters();
scsp.setCamelContext(camelContext);
scsp.setClientAuthentication("{{sslContextServerParameters.clientAuthentication}}");
SSLContextParameters scp = new SSLContextParameters();
scp.setCamelContext(camelContext);
scp.setKeyManagers(kmp);
scp.setTrustManagers(tmp);
scp.setServerParameters(scsp);
scp.setProvider("{{sslContextParameters.provider}}");
scp.setSecureSocketProtocol("{{sslContextParameters.protocol}}");
scp.setSessionTimeout("{{sslContextParameters.sessionTimeout}}");
scp.setCipherSuites(csp);
scp.setSecureSocketProtocols(sspp);
SSLContext context = scp.createSSLContext();
SSLServerSocket serverSocket =
(SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(serverSocket.getNeedClientAuth());
context.getSocketFactory().createSocket();
context.createSSLEngine();
}
public void testServerParametersClientAuthentication() throws Exception {
SSLContext controlContext = SSLContext.getInstance("TLS");
controlContext.init(null, null, null);
SSLEngine controlEngine = controlContext.createSSLEngine();
SSLServerSocket controlServerSocket =
(SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();
SSLContextParameters scp = new SSLContextParameters();
SSLContextServerParameters scsp = new SSLContextServerParameters();
scp.setServerParameters(scsp);
SSLContext context = scp.createSSLContext();
SSLEngine engine = context.createSSLEngine();
SSLServerSocket serverSocket =
(SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(controlServerSocket.getWantClientAuth(), serverSocket.getWantClientAuth());
assertEquals(controlServerSocket.getNeedClientAuth(), serverSocket.getNeedClientAuth());
assertEquals(controlEngine.getWantClientAuth(), engine.getWantClientAuth());
assertEquals(controlEngine.getNeedClientAuth(), engine.getNeedClientAuth());
// ClientAuthentication - NONE
scsp.setClientAuthentication(ClientAuthentication.NONE.name());
context = scp.createSSLContext();
engine = context.createSSLEngine();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(false, serverSocket.getWantClientAuth());
assertEquals(false, serverSocket.getNeedClientAuth());
assertEquals(false, engine.getWantClientAuth());
assertEquals(false, engine.getNeedClientAuth());
// ClientAuthentication - WANT
scsp.setClientAuthentication(ClientAuthentication.WANT.name());
context = scp.createSSLContext();
engine = context.createSSLEngine();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(true, serverSocket.getWantClientAuth());
assertEquals(false, serverSocket.getNeedClientAuth());
assertEquals(true, engine.getWantClientAuth());
assertEquals(false, engine.getNeedClientAuth());
// ClientAuthentication - REQUIRE
scsp.setClientAuthentication(ClientAuthentication.REQUIRE.name());
context = scp.createSSLContext();
engine = context.createSSLEngine();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(false, serverSocket.getWantClientAuth());
assertEquals(true, serverSocket.getNeedClientAuth());
assertEquals(false, engine.getWantClientAuth());
assertEquals(true, engine.getNeedClientAuth());
}
public void testServerParameters() throws Exception {
SSLContext controlContext = SSLContext.getInstance("TLS");
controlContext.init(null, null, null);
SSLEngine controlEngine = controlContext.createSSLEngine();
SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket();
SSLServerSocket controlServerSocket =
(SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket();
SSLContextParameters scp = new SSLContextParameters();
SSLContextServerParameters scsp = new SSLContextServerParameters();
scp.setServerParameters(scsp);
SSLContext context = scp.createSSLContext();
SSLEngine engine = context.createSSLEngine();
SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket();
SSLServerSocket serverSocket =
(SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertTrue(
Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
assertTrue(
Arrays.equals(
this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()),
serverSocket.getEnabledCipherSuites()));
assertEquals(controlServerSocket.getWantClientAuth(), serverSocket.getWantClientAuth());
assertEquals(controlServerSocket.getNeedClientAuth(), serverSocket.getNeedClientAuth());
// No csp or filter on server params passes through shared config
scp.setCipherSuites(new CipherSuitesParameters());
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(0, engine.getEnabledCipherSuites().length);
assertEquals(0, socket.getEnabledCipherSuites().length);
assertEquals(0, serverSocket.getEnabledCipherSuites().length);
// Csp on server params
scp.setCipherSuites(null);
CipherSuitesParameters csp = new CipherSuitesParameters();
scsp.setCipherSuites(csp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertTrue(
Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
assertEquals(0, serverSocket.getEnabledCipherSuites().length);
// Cipher suites filter on server params
FilterParameters filter = new FilterParameters();
filter.getExclude().add(".*");
scsp.setCipherSuites(null);
scsp.setCipherSuitesFilter(filter);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertTrue(
Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
assertEquals(0, serverSocket.getEnabledCipherSuites().length);
// Csp on server overrides cipher suites filter on server
filter.getInclude().add(".*");
filter.getExclude().clear();
scsp.setCipherSuites(csp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(
Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites()));
assertTrue(
Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites()));
assertEquals(0, serverSocket.getEnabledCipherSuites().length);
// Sspp on server params
SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters();
scsp.setSecureSocketProtocols(sspp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
assertEquals(0, serverSocket.getEnabledProtocols().length);
// Secure socket protocols filter on client params
filter = new FilterParameters();
filter.getExclude().add(".*");
scsp.setSecureSocketProtocols(null);
scsp.setSecureSocketProtocolsFilter(filter);
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
assertEquals(0, serverSocket.getEnabledProtocols().length);
// Sspp on client params overrides secure socket protocols filter on client
filter.getInclude().add(".*");
filter.getExclude().clear();
scsp.setSecureSocketProtocols(sspp);
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols()));
assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols()));
assertEquals(0, serverSocket.getEnabledProtocols().length);
// Server session timeout only affects server session configuration
scsp.setSessionTimeout("12345");
context = scp.createSSLContext();
engine = context.createSSLEngine();
socket = (SSLSocket) context.getSocketFactory().createSocket();
serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket();
assertEquals(
controlContext.getClientSessionContext().getSessionTimeout(),
context.getClientSessionContext().getSessionTimeout());
assertEquals(12345, context.getServerSessionContext().getSessionTimeout());
}
