Exemplo n.º 1
0
 /*
  * Gets the SSL server's keystore password.
  */
 protected String getKeystorePassword() {
   String keystorePass = endpoint.getKeystorePass();
   if (keystorePass == null) {
     keystorePass = endpoint.getKeyPass();
   }
   if (keystorePass == null) {
     keystorePass = DEFAULT_KEY_PASS;
   }
   return keystorePass;
 }
Exemplo n.º 2
0
  @Override
  public KeyManager[] getKeyManagers() throws Exception {
    String keystoreType = endpoint.getKeystoreType();
    if (keystoreType == null) {
      keystoreType = defaultKeystoreType;
    }

    String algorithm = endpoint.getAlgorithm();
    if (algorithm == null) {
      algorithm = KeyManagerFactory.getDefaultAlgorithm();
    }

    return getKeyManagers(
        keystoreType, endpoint.getKeystoreProvider(), algorithm, endpoint.getKeyAlias());
  }
Exemplo n.º 3
0
  /*
   * Gets the SSL server's keystore.
   */
  protected KeyStore getKeystore(String type, String provider, String pass) throws IOException {

    String keystoreFile = endpoint.getKeystoreFile();
    if (keystoreFile == null) keystoreFile = defaultKeystoreFile;

    return getStore(type, provider, keystoreFile, pass);
  }
Exemplo n.º 4
0
  /** Gets the initialized key managers. */
  protected KeyManager[] getKeyManagers(
      String keystoreType, String keystoreProvider, String algorithm, String keyAlias)
      throws Exception {

    KeyManager[] kms = null;

    String keystorePass = getKeystorePassword();

    KeyStore ks = getKeystore(keystoreType, keystoreProvider, keystorePass);
    if (keyAlias != null && !ks.isKeyEntry(keyAlias)) {
      throw new IOException(sm.getString("jsse.alias_no_key_entry", keyAlias));
    }

    KeyManagerFactory kmf = KeyManagerFactory.getInstance(algorithm);
    String keyPass = endpoint.getKeyPass();
    if (keyPass == null) {
      keyPass = keystorePass;
    }
    kmf.init(ks, keyPass.toCharArray());

    kms = kmf.getKeyManagers();
    if (keyAlias != null) {
      String alias = keyAlias;
      if (JSSESocketFactory.defaultKeystoreType.equals(keystoreType)) {
        alias = alias.toLowerCase(Locale.ENGLISH);
      }
      for (int i = 0; i < kms.length; i++) {
        kms[i] = new JSSEKeyManager((X509KeyManager) kms[i], alias);
      }
    }

    return kms;
  }
Exemplo n.º 5
0
  /**
   * Return the initialization parameters for the TrustManager. Currently, only the default <code>
   * PKIX</code> is supported.
   *
   * @param algorithm The algorithm to get parameters for.
   * @param crlf The path to the CRL file.
   * @param trustStore The configured TrustStore.
   * @return The parameters including the CRLs and TrustStore.
   */
  protected CertPathParameters getParameters(String algorithm, String crlf, KeyStore trustStore)
      throws Exception {
    CertPathParameters params = null;
    if ("PKIX".equalsIgnoreCase(algorithm)) {
      PKIXBuilderParameters xparams = new PKIXBuilderParameters(trustStore, new X509CertSelector());
      Collection<? extends CRL> crls = getCRLs(crlf);
      CertStoreParameters csp = new CollectionCertStoreParameters(crls);
      CertStore store = CertStore.getInstance("Collection", csp);
      xparams.addCertStore(store);
      xparams.setRevocationEnabled(true);
      String trustLength = endpoint.getTrustMaxCertLength();
      if (trustLength != null) {
        try {
          xparams.setMaxPathLength(Integer.parseInt(trustLength));
        } catch (Exception ex) {
          log.warn("Bad maxCertLength: " + trustLength);
        }
      }

      params = xparams;
    } else {
      throw new CRLException("CRLs not supported for type: " + algorithm);
    }
    return params;
  }
Exemplo n.º 6
0
  @Override
  public String[] getEnableableProtocols(SSLContext context) {
    String[] requestedProtocols = endpoint.getSslEnabledProtocolsArray();
    if ((requestedProtocols == null) || (requestedProtocols.length == 0)) {
      return defaultServerProtocols;
    }

    List<String> protocols = new ArrayList<String>(Arrays.asList(requestedProtocols));
    protocols.retainAll(Arrays.asList(context.getSupportedSSLParameters().getProtocols()));

    if (protocols.isEmpty()) {
      log.warn(
          sm.getString(
              "jsse.requested_protocols_not_supported", Arrays.asList(requestedProtocols)));
    }
    if (log.isDebugEnabled()) {
      log.debug(sm.getString("jsse.enableable_protocols", protocols));
      if (protocols.size() != requestedProtocols.length) {
        List<String> skipped = new ArrayList<String>(Arrays.asList(requestedProtocols));
        skipped.removeAll(protocols);
        log.debug(sm.getString("jsse.unsupported_protocols", skipped));
      }
    }
    return protocols.toArray(new String[protocols.size()]);
  }
Exemplo n.º 7
0
  @Override
  public void configureSessionContext(SSLSessionContext sslSessionContext) {
    int sessionCacheSize;
    if (endpoint.getSessionCacheSize() != null) {
      sessionCacheSize = Integer.parseInt(endpoint.getSessionCacheSize());
    } else {
      sessionCacheSize = defaultSessionCacheSize;
    }

    int sessionTimeout;
    if (endpoint.getSessionTimeout() != null) {
      sessionTimeout = Integer.parseInt(endpoint.getSessionTimeout());
    } else {
      sessionTimeout = defaultSessionTimeout;
    }

    sslSessionContext.setSessionCacheSize(sessionCacheSize);
    sslSessionContext.setSessionTimeout(sessionTimeout);
  }
Exemplo n.º 8
0
 @Override
 public void stop() throws Exception {
   if (getLog().isInfoEnabled())
     getLog().info(sm.getString("abstractProtocolHandler.stop", getName()));
   try {
     endpoint.stop();
   } catch (Exception ex) {
     getLog().error(sm.getString("abstractProtocolHandler.stopError", getName()), ex);
     throw ex;
   }
 }
Exemplo n.º 9
0
  @Override
  public TrustManager[] getTrustManagers() throws Exception {
    String truststoreType = endpoint.getTruststoreType();
    if (truststoreType == null) {
      truststoreType = System.getProperty("javax.net.ssl.trustStoreType");
    }
    if (truststoreType == null) {
      truststoreType = endpoint.getKeystoreType();
    }
    if (truststoreType == null) {
      truststoreType = defaultKeystoreType;
    }

    String algorithm = endpoint.getTruststoreAlgorithm();
    if (algorithm == null) {
      algorithm = TrustManagerFactory.getDefaultAlgorithm();
    }

    return getTrustManagers(truststoreType, endpoint.getKeystoreProvider(), algorithm);
  }
Exemplo n.º 10
0
  /**
   * Configures SSLEngine to honor cipher suites ordering based upon endpoint configuration.
   *
   * @throws InvalidAlgorithmParameterException If the runtime JVM doesn't support this setting.
   */
  protected void configureUseServerCipherSuitesOrder(SSLServerSocket socket) {
    String useServerCipherSuitesOrderStr = endpoint.getUseServerCipherSuitesOrder().trim();

    // Only use this feature if the user explicitly requested its use.
    if (!"".equals(useServerCipherSuitesOrderStr)) {
      boolean useServerCipherSuitesOrder =
          ("true".equalsIgnoreCase(useServerCipherSuitesOrderStr)
              || "yes".equalsIgnoreCase(useServerCipherSuitesOrderStr));
      JreCompat jreCompat = JreCompat.getInstance();
      jreCompat.setUseServerCipherSuitesOrder(socket, useServerCipherSuitesOrder);
    }
  }
Exemplo n.º 11
0
  @Override
  public SSLContext createSSLContext() throws Exception {

    // SSL protocol variant (e.g., TLS, SSL v3, etc.)
    String protocol = endpoint.getSslProtocol();
    if (protocol == null) {
      protocol = defaultProtocol;
    }

    SSLContext context = SSLContext.getInstance(protocol);

    return context;
  }
Exemplo n.º 12
0
  @Override
  public void init() throws Exception {
    if (getLog().isInfoEnabled())
      getLog().info(sm.getString("abstractProtocolHandler.init", getName()));

    if (oname == null) {
      // Component not pre-registered so register it
      oname = createObjectName();
      if (oname != null) {
        Registry.getRegistry(null, null).registerComponent(this, oname, null);
      }
    }

    if (this.domain != null) {
      try {
        tpOname = new ObjectName(domain + ":" + "type=ThreadPool,name=" + getName());
        Registry.getRegistry(null, null).registerComponent(endpoint, tpOname, null);
      } catch (Exception e) {
        getLog()
            .error(
                sm.getString("abstractProtocolHandler.mbeanRegistrationFailed", tpOname, getName()),
                e);
      }
      rgOname = new ObjectName(domain + ":type=GlobalRequestProcessor,name=" + getName());
      Registry.getRegistry(null, null).registerComponent(getHandler().getGlobal(), rgOname, null);
    }

    String endpointName = getName();
    endpoint.setName(endpointName.substring(1, endpointName.length() - 1));

    try {
      endpoint.init();
    } catch (Exception ex) {
      getLog().error(sm.getString("abstractProtocolHandler.initError", getName()), ex);
      throw ex;
    }
  }
Exemplo n.º 13
0
  /** Reads the keystore and initializes the SSL socket factory. */
  void init() throws IOException {
    try {

      String clientAuthStr = endpoint.getClientAuth();
      if ("true".equalsIgnoreCase(clientAuthStr) || "yes".equalsIgnoreCase(clientAuthStr)) {
        requireClientAuth = true;
      } else if ("want".equalsIgnoreCase(clientAuthStr)) {
        wantClientAuth = true;
      }

      SSLContext context = createSSLContext();
      context.init(getKeyManagers(), getTrustManagers(), null);

      // Configure SSL session cache
      SSLSessionContext sessionContext = context.getServerSessionContext();
      if (sessionContext != null) {
        configureSessionContext(sessionContext);
      }

      // create proxy
      sslProxy = context.getServerSocketFactory();

      // Determine which cipher suites to enable
      enabledCiphers = getEnableableCiphers(context);
      enabledProtocols = getEnableableProtocols(context);

      allowUnsafeLegacyRenegotiation = "true".equals(endpoint.getAllowUnsafeLegacyRenegotiation());

      // Check the SSL config is OK
      checkConfig();

    } catch (Exception e) {
      if (e instanceof IOException) throw (IOException) e;
      throw new IOException(e.getMessage(), e);
    }
  }
Exemplo n.º 14
0
  /** Gets the initialized trust managers. */
  protected TrustManager[] getTrustManagers(
      String keystoreType, String keystoreProvider, String algorithm) throws Exception {
    String crlf = endpoint.getCrlFile();

    String className = endpoint.getTrustManagerClassName();
    if (className != null && className.length() > 0) {
      ClassLoader classLoader = getClass().getClassLoader();
      Class<?> clazz = classLoader.loadClass(className);
      if (!(TrustManager.class.isAssignableFrom(clazz))) {
        throw new InstantiationException(
            sm.getString("jsse.invalidTrustManagerClassName", className));
      }
      Object trustManagerObject = clazz.newInstance();
      TrustManager trustManager = (TrustManager) trustManagerObject;
      return new TrustManager[] {trustManager};
    }

    TrustManager[] tms = null;

    KeyStore trustStore = getTrustStore(keystoreType, keystoreProvider);
    if (trustStore != null || endpoint.getTrustManagerClassName() != null) {
      if (crlf == null) {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        tmf.init(trustStore);
        tms = tmf.getTrustManagers();
      } else {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(algorithm);
        CertPathParameters params = getParameters(algorithm, crlf, trustStore);
        ManagerFactoryParameters mfp = new CertPathTrustManagerParameters(params);
        tmf.init(mfp);
        tms = tmf.getTrustManagers();
      }
    }

    return tms;
  }
Exemplo n.º 15
0
  @Override
  public void destroy() {
    if (getLog().isInfoEnabled()) {
      getLog().info(sm.getString("abstractProtocolHandler.destroy", getName()));
    }
    try {
      endpoint.destroy();
    } catch (Exception e) {
      getLog().error(sm.getString("abstractProtocolHandler.destroyError", getName()), e);
    }

    if (oname != null) {
      Registry.getRegistry(null, null).unregisterComponent(oname);
    }

    if (tpOname != null) Registry.getRegistry(null, null).unregisterComponent(tpOname);
    if (rgOname != null) Registry.getRegistry(null, null).unregisterComponent(rgOname);
  }
Exemplo n.º 16
0
  @Override
  public String[] getEnableableCiphers(SSLContext context) {
    String requestedCiphersStr = endpoint.getCiphers();

    if (ALLOW_ALL_SUPPORTED_CIPHERS.equals(requestedCiphersStr)) {
      return context.getSupportedSSLParameters().getCipherSuites();
    }
    if ((requestedCiphersStr == null) || (requestedCiphersStr.trim().length() == 0)) {
      return defaultServerCipherSuites;
    }

    List<String> requestedCiphers = new ArrayList<String>();
    for (String rc : requestedCiphersStr.split(",")) {
      final String cipher = rc.trim();
      if (cipher.length() > 0) {
        requestedCiphers.add(cipher);
      }
    }
    if (requestedCiphers.isEmpty()) {
      return defaultServerCipherSuites;
    }
    List<String> ciphers = new ArrayList<String>(requestedCiphers);
    ciphers.retainAll(Arrays.asList(context.getSupportedSSLParameters().getCipherSuites()));

    if (ciphers.isEmpty()) {
      log.warn(sm.getString("jsse.requested_ciphers_not_supported", requestedCiphersStr));
    }
    if (log.isDebugEnabled()) {
      log.debug(sm.getString("jsse.enableable_ciphers", ciphers));
      if (ciphers.size() != requestedCiphers.size()) {
        List<String> skipped = new ArrayList<String>(requestedCiphers);
        skipped.removeAll(ciphers);
        log.debug(sm.getString("jsse.unsupported_ciphers", skipped));
      }
    }

    return ciphers.toArray(new String[ciphers.size()]);
  }
Exemplo n.º 17
0
  public JSSESocketFactory(AbstractEndpoint<?> endpoint) {
    this.endpoint = endpoint;

    String sslProtocol = endpoint.getSslProtocol();
    if (sslProtocol == null) {
      sslProtocol = defaultProtocol;
    }

    SSLContext context;
    try {
      context = SSLContext.getInstance(sslProtocol);
      context.init(null, null, null);
    } catch (NoSuchAlgorithmException e) {
      // This is fatal for the connector so throw an exception to prevent
      // it from starting
      throw new IllegalArgumentException(e);
    } catch (KeyManagementException e) {
      // This is fatal for the connector so throw an exception to prevent
      // it from starting
      throw new IllegalArgumentException(e);
    }

    // Supported cipher suites aren't accessible directly from the
    // SSLContext so use the SSL server socket factory
    SSLServerSocketFactory ssf = context.getServerSocketFactory();
    String supportedCiphers[] = ssf.getSupportedCipherSuites();
    boolean found = false;
    for (String cipher : supportedCiphers) {
      if ("TLS_EMPTY_RENEGOTIATION_INFO_SCSV".equals(cipher)) {
        found = true;
        break;
      }
    }
    rfc5746Supported = found;

    // There is no standard way to determine the default protocols and
    // cipher suites so create a server socket to see what the defaults are
    SSLServerSocket socket;
    try {
      socket = (SSLServerSocket) ssf.createServerSocket();
    } catch (IOException e) {
      // This is very likely to be fatal but there is a slim chance that
      // the JSSE implementation just doesn't like creating unbound
      // sockets so allow the code to proceed.
      defaultServerCipherSuites = new String[0];
      defaultServerProtocols = new String[0];
      log.warn(sm.getString("jsse.noDefaultCiphers", endpoint.getName()));
      log.warn(sm.getString("jsse.noDefaultProtocols", endpoint.getName()));
      return;
    }

    try {
      defaultServerCipherSuites = socket.getEnabledCipherSuites();
      if (defaultServerCipherSuites.length == 0) {
        log.warn(sm.getString("jsse.noDefaultCiphers", endpoint.getName()));
      }

      // Filter out all the SSL protocols (SSLv2 and SSLv3) from the defaults
      // since they are no longer considered secure
      List<String> filteredProtocols = new ArrayList<String>();
      for (String protocol : socket.getEnabledProtocols()) {
        if (protocol.toUpperCase(Locale.ENGLISH).contains("SSL")) {
          log.debug(sm.getString("jsse.excludeDefaultProtocol", protocol));
          continue;
        }
        filteredProtocols.add(protocol);
      }
      defaultServerProtocols = filteredProtocols.toArray(new String[filteredProtocols.size()]);
      if (defaultServerProtocols.length == 0) {
        log.warn(sm.getString("jsse.noDefaultProtocols", endpoint.getName()));
      }
    } finally {
      try {
        socket.close();
      } catch (IOException e) {
        log.warn(sm.getString("jsse.exceptionOnClose"), e);
      }
    }
  }
Exemplo n.º 18
0
 public int getLocalPort() {
   return endpoint.getLocalPort();
 }
Exemplo n.º 19
0
 public void setPort(int port) {
   endpoint.setPort(port);
 }
Exemplo n.º 20
0
 public void setConnectionTimeout(int timeout) {
   // Note that the endpoint uses the alternative name
   endpoint.setSoTimeout(timeout);
 }
Exemplo n.º 21
0
 /*
  * When Tomcat expects data from the client, this is the time Tomcat will
  * wait for that data to arrive before closing the connection.
  */
 public int getConnectionTimeout() {
   // Note that the endpoint uses the alternative name
   return endpoint.getSoTimeout();
 }
Exemplo n.º 22
0
 public void setMaxHeaderCount(int maxHeaderCount) {
   endpoint.setMaxHeaderCount(maxHeaderCount);
 }
Exemplo n.º 23
0
 public int getMaxHeaderCount() {
   return endpoint.getMaxHeaderCount();
 }
Exemplo n.º 24
0
 public long getConnectionCount() {
   return endpoint.getConnectionCount();
 }
Exemplo n.º 25
0
 /**
  * Generic property setter used by the digester. Other code should not need to use this. The
  * digester will only use this method if it can't find a more specific setter. That means the
  * property belongs to the Endpoint, the ServerSocketFactory or some other lower level component.
  * This method ensures that it is visible to both.
  */
 public boolean setProperty(String name, String value) {
   return endpoint.setProperty(name, value);
 }
Exemplo n.º 26
0
  /*
   * Gets the SSL server's truststore.
   */
  protected KeyStore getTrustStore(String keystoreType, String keystoreProvider)
      throws IOException {
    KeyStore trustStore = null;

    String truststoreFile = endpoint.getTruststoreFile();
    if (truststoreFile == null) {
      truststoreFile = System.getProperty("javax.net.ssl.trustStore");
    }
    if (log.isDebugEnabled()) {
      log.debug("Truststore = " + truststoreFile);
    }

    String truststorePassword = endpoint.getTruststorePass();
    if (truststorePassword == null) {
      truststorePassword = System.getProperty("javax.net.ssl.trustStorePassword");
    }
    if (log.isDebugEnabled()) {
      log.debug("TrustPass = "******"javax.net.ssl.trustStoreType");
    }
    if (truststoreType == null) {
      truststoreType = keystoreType;
    }
    if (log.isDebugEnabled()) {
      log.debug("trustType = " + truststoreType);
    }

    String truststoreProvider = endpoint.getTruststoreProvider();
    if (truststoreProvider == null) {
      truststoreProvider = System.getProperty("javax.net.ssl.trustStoreProvider");
    }
    if (truststoreProvider == null) {
      truststoreProvider = keystoreProvider;
    }
    if (log.isDebugEnabled()) {
      log.debug("trustProvider = " + truststoreProvider);
    }

    if (truststoreFile != null) {
      try {
        trustStore =
            getStore(truststoreType, truststoreProvider, truststoreFile, truststorePassword);
      } catch (IOException ioe) {
        Throwable cause = ioe.getCause();
        if (cause instanceof UnrecoverableKeyException) {
          // Log a warning we had a password issue
          log.warn(sm.getString("jsse.invalid_truststore_password"), cause);
          // Re-try
          trustStore = getStore(truststoreType, truststoreProvider, truststoreFile, null);
        } else {
          // Something else went wrong - re-throw
          throw ioe;
        }
      }
    }

    return trustStore;
  }
Exemplo n.º 27
0
 /** Generic property getter used by the digester. Other code should not need to use this. */
 public String getProperty(String name) {
   return endpoint.getProperty(name);
 }
Exemplo n.º 28
0
 public int getPort() {
   return endpoint.getPort();
 }
 /** Obtain the Executor used by the underlying endpoint. */
 @Override
 public Executor getExecutor() {
   return endpoint.getExecutor();
 }
Exemplo n.º 30
0
 public void setAddress(InetAddress ia) {
   endpoint.setAddress(ia);
 }