protected void addSslContextParametersToRegistry(JndiRegistry registry) { KeyStoreParameters ksp = new KeyStoreParameters(); ksp.setResource(this.getClass().getClassLoader().getResource("jsse/localhost.ks").toString()); ksp.setPassword(KEY_STORE_PASSWORD); KeyManagersParameters kmp = new KeyManagersParameters(); kmp.setKeyPassword(KEY_STORE_PASSWORD); kmp.setKeyStore(ksp); TrustManagersParameters tmp = new TrustManagersParameters(); tmp.setKeyStore(ksp); // NOTE: Needed since the client uses a loose trust configuration when no ssl context // is provided. We turn on WANT client-auth to prefer using authentication SSLContextServerParameters scsp = new SSLContextServerParameters(); scsp.setClientAuthentication(ClientAuthentication.WANT.name()); SSLContextParameters sslContextParameters = new SSLContextParameters(); sslContextParameters.setKeyManagers(kmp); sslContextParameters.setTrustManagers(tmp); sslContextParameters.setServerParameters(scsp); // use SSLv3 to avoid issue with (eg disable TLS) // Caused by: javax.net.ssl.SSLException: bad record MAC sslContextParameters.setSecureSocketProtocol("SSLv3"); registry.bind("sslContextParameters", sslContextParameters); }
public void testPropertyPlaceholders() throws Exception { CamelContext camelContext = this.createPropertiesPlaceholderAwareContext(); KeyStoreParameters ksp = new KeyStoreParameters(); ksp.setCamelContext(camelContext); ksp.setType("{{keyStoreParameters.type}}"); ksp.setProvider("{{keyStoreParameters.provider}}"); ksp.setResource("{{keyStoreParameters.resource}}"); ksp.setPassword("{{keyStoreParamerers.password}}"); KeyManagersParameters kmp = new KeyManagersParameters(); kmp.setCamelContext(camelContext); kmp.setKeyStore(ksp); kmp.setKeyPassword("{{keyManagersParameters.keyPassword}}"); kmp.setAlgorithm("{{keyManagersParameters.algorithm}}"); kmp.setProvider("{{keyManagersParameters.provider}}"); TrustManagersParameters tmp = new TrustManagersParameters(); tmp.setCamelContext(camelContext); tmp.setKeyStore(ksp); tmp.setAlgorithm("{{trustManagersParameters.algorithm}}"); tmp.setProvider("{{trustManagersParameters.provider}}"); CipherSuitesParameters csp = new CipherSuitesParameters(); csp.getCipherSuite().add("{{cipherSuite.0}}"); SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters(); sspp.getSecureSocketProtocol().add("{{secureSocketProtocol.0}}"); SSLContextServerParameters scsp = new SSLContextServerParameters(); scsp.setCamelContext(camelContext); scsp.setClientAuthentication("{{sslContextServerParameters.clientAuthentication}}"); SSLContextParameters scp = new SSLContextParameters(); scp.setCamelContext(camelContext); scp.setKeyManagers(kmp); scp.setTrustManagers(tmp); scp.setServerParameters(scsp); scp.setProvider("{{sslContextParameters.provider}}"); scp.setSecureSocketProtocol("{{sslContextParameters.protocol}}"); scp.setSessionTimeout("{{sslContextParameters.sessionTimeout}}"); scp.setCipherSuites(csp); scp.setSecureSocketProtocols(sspp); SSLContext context = scp.createSSLContext(); SSLServerSocket serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue(serverSocket.getNeedClientAuth()); context.getSocketFactory().createSocket(); context.createSSLEngine(); }
public void testServerParametersClientAuthentication() throws Exception { SSLContext controlContext = SSLContext.getInstance("TLS"); controlContext.init(null, null, null); SSLEngine controlEngine = controlContext.createSSLEngine(); SSLServerSocket controlServerSocket = (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket(); SSLContextParameters scp = new SSLContextParameters(); SSLContextServerParameters scsp = new SSLContextServerParameters(); scp.setServerParameters(scsp); SSLContext context = scp.createSSLContext(); SSLEngine engine = context.createSSLEngine(); SSLServerSocket serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals(controlServerSocket.getWantClientAuth(), serverSocket.getWantClientAuth()); assertEquals(controlServerSocket.getNeedClientAuth(), serverSocket.getNeedClientAuth()); assertEquals(controlEngine.getWantClientAuth(), engine.getWantClientAuth()); assertEquals(controlEngine.getNeedClientAuth(), engine.getNeedClientAuth()); // ClientAuthentication - NONE scsp.setClientAuthentication(ClientAuthentication.NONE.name()); context = scp.createSSLContext(); engine = context.createSSLEngine(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals(false, serverSocket.getWantClientAuth()); assertEquals(false, serverSocket.getNeedClientAuth()); assertEquals(false, engine.getWantClientAuth()); assertEquals(false, engine.getNeedClientAuth()); // ClientAuthentication - WANT scsp.setClientAuthentication(ClientAuthentication.WANT.name()); context = scp.createSSLContext(); engine = context.createSSLEngine(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals(true, serverSocket.getWantClientAuth()); assertEquals(false, serverSocket.getNeedClientAuth()); assertEquals(true, engine.getWantClientAuth()); assertEquals(false, engine.getNeedClientAuth()); // ClientAuthentication - REQUIRE scsp.setClientAuthentication(ClientAuthentication.REQUIRE.name()); context = scp.createSSLContext(); engine = context.createSSLEngine(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals(false, serverSocket.getWantClientAuth()); assertEquals(true, serverSocket.getNeedClientAuth()); assertEquals(false, engine.getWantClientAuth()); assertEquals(true, engine.getNeedClientAuth()); }
public void testServerParameters() throws Exception { SSLContext controlContext = SSLContext.getInstance("TLS"); controlContext.init(null, null, null); SSLEngine controlEngine = controlContext.createSSLEngine(); SSLSocket controlSocket = (SSLSocket) controlContext.getSocketFactory().createSocket(); SSLServerSocket controlServerSocket = (SSLServerSocket) controlContext.getServerSocketFactory().createServerSocket(); SSLContextParameters scp = new SSLContextParameters(); SSLContextServerParameters scsp = new SSLContextServerParameters(); scp.setServerParameters(scsp); SSLContext context = scp.createSSLContext(); SSLEngine engine = context.createSSLEngine(); SSLSocket socket = (SSLSocket) context.getSocketFactory().createSocket(); SSLServerSocket serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue( Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites())); assertTrue( Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites())); assertTrue( Arrays.equals( this.getDefaultCipherSuiteIncludes(controlServerSocket.getSupportedCipherSuites()), serverSocket.getEnabledCipherSuites())); assertEquals(controlServerSocket.getWantClientAuth(), serverSocket.getWantClientAuth()); assertEquals(controlServerSocket.getNeedClientAuth(), serverSocket.getNeedClientAuth()); // No csp or filter on server params passes through shared config scp.setCipherSuites(new CipherSuitesParameters()); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals(0, engine.getEnabledCipherSuites().length); assertEquals(0, socket.getEnabledCipherSuites().length); assertEquals(0, serverSocket.getEnabledCipherSuites().length); // Csp on server params scp.setCipherSuites(null); CipherSuitesParameters csp = new CipherSuitesParameters(); scsp.setCipherSuites(csp); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue( Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites())); assertTrue( Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites())); assertEquals(0, serverSocket.getEnabledCipherSuites().length); // Cipher suites filter on server params FilterParameters filter = new FilterParameters(); filter.getExclude().add(".*"); scsp.setCipherSuites(null); scsp.setCipherSuitesFilter(filter); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue( Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites())); assertTrue( Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites())); assertEquals(0, serverSocket.getEnabledCipherSuites().length); // Csp on server overrides cipher suites filter on server filter.getInclude().add(".*"); filter.getExclude().clear(); scsp.setCipherSuites(csp); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue( Arrays.equals(controlEngine.getEnabledCipherSuites(), engine.getEnabledCipherSuites())); assertTrue( Arrays.equals(controlSocket.getEnabledCipherSuites(), socket.getEnabledCipherSuites())); assertEquals(0, serverSocket.getEnabledCipherSuites().length); // Sspp on server params SecureSocketProtocolsParameters sspp = new SecureSocketProtocolsParameters(); scsp.setSecureSocketProtocols(sspp); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols())); assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols())); assertEquals(0, serverSocket.getEnabledProtocols().length); // Secure socket protocols filter on client params filter = new FilterParameters(); filter.getExclude().add(".*"); scsp.setSecureSocketProtocols(null); scsp.setSecureSocketProtocolsFilter(filter); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols())); assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols())); assertEquals(0, serverSocket.getEnabledProtocols().length); // Sspp on client params overrides secure socket protocols filter on client filter.getInclude().add(".*"); filter.getExclude().clear(); scsp.setSecureSocketProtocols(sspp); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertTrue(Arrays.equals(controlEngine.getEnabledProtocols(), engine.getEnabledProtocols())); assertTrue(Arrays.equals(controlSocket.getEnabledProtocols(), socket.getEnabledProtocols())); assertEquals(0, serverSocket.getEnabledProtocols().length); // Server session timeout only affects server session configuration scsp.setSessionTimeout("12345"); context = scp.createSSLContext(); engine = context.createSSLEngine(); socket = (SSLSocket) context.getSocketFactory().createSocket(); serverSocket = (SSLServerSocket) context.getServerSocketFactory().createServerSocket(); assertEquals( controlContext.getClientSessionContext().getSessionTimeout(), context.getClientSessionContext().getSessionTimeout()); assertEquals(12345, context.getServerSessionContext().getSessionTimeout()); }