Certification Path Validation feature initial version
git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/sandbox/trunk@2741 7e9141cc-0065-0410-87d8-b60c137991c4
diff --git a/jetty-exssl/config/etc/jetty-exssl.xml b/jetty-exssl/config/etc/jetty-exssl.xml
new file mode 100644
index 0000000..3f5e87c
--- /dev/null
+++ b/jetty-exssl/config/etc/jetty-exssl.xml
@@ -0,0 +1,32 @@
+<?xml version="1.0"?>
+<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd">
+
+<!-- =============================================================== -->
+<!-- Configure SSL for the Jetty Server -->
+<!-- this configuration file should be used in combination with -->
+<!-- other configuration files. e.g. -->
+<!-- java -jar start.jar etc/jetty-ssl.xml -->
+<!-- -->
+<!-- alternately, add to the start.ini for easier usage -->
+<!-- =============================================================== -->
+<Configure id="Server" class="org.eclipse.jetty.server.Server">
+
+ <!-- if NIO is not available, use org.eclipse.jetty.server.ssl.SslSocketConnector -->
+
+ <Call name="addConnector">
+ <Arg>
+ <New class="org.eclipse.jetty.exssl.EnhancedSslSelectChannelConnector">
+ <Set name="Port">8443</Set>
+ <Set name="maxIdleTime">30000</Set>
+ <Set name="Acceptors">2</Set>
+ <Set name="AcceptQueueSize">100</Set>
+ <Set name="Keystore"><Property name="jetty.home" default="." />/etc/jetty.keystore</Set>
+ <Set name="Password">webtide</Set>
+ <Set name="KeyPassword">webtide</Set>
+ <Set name="truststore"><Property name="jetty.home" default="." />/etc/jetty.keystore</Set>
+ <Set name="trustPassword">webtide</Set>
+ <Set name="crlPath"><Property name="jetty.home" default="." />/etc/crlfile.pem</Set>
+ </New>
+ </Arg>
+ </Call>
+</Configure>
diff --git a/jetty-exssl/pom.xml b/jetty-exssl/pom.xml
new file mode 100644
index 0000000..d5cc4b1
--- /dev/null
+++ b/jetty-exssl/pom.xml
@@ -0,0 +1,97 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+ <parent>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-project</artifactId>
+ <version>7.3.1-SNAPSHOT</version>
+ </parent>
+ <modelVersion>4.0.0</modelVersion>
+ <artifactId>jetty-exssl</artifactId>
+ <name>Jetty :: SSL Enhancements</name>
+ <description>SSL Enhancements for certificate validation.</description>
+ <url>${jetty.url}</url>
+ <properties>
+ <bundle-symbolic-name>${project.groupId}.exssl</bundle-symbolic-name>
+ </properties>
+ <build>
+ <plugins>
+ <plugin>
+ <groupId>org.apache.felix</groupId>
+ <artifactId>maven-bundle-plugin</artifactId>
+ <version>${felix.bundle.version}</version>
+ <extensions>true</extensions>
+ <executions>
+ <execution>
+ <id>generate-manifest</id>
+ <goals>
+ <goal>manifest</goal>
+ </goals>
+ <configuration>
+ <instructions>
+ <Import-Package>javax.servlet.*;version="[2.5,3.0)",org.eclipse.jetty.jmx.*;version="[7.3,8)";resolution:=optional,*</Import-Package>
+ </instructions>
+ </configuration>
+ </execution>
+ </executions>
+ </plugin>
+ <plugin>
+ <groupId>org.apache.maven.plugins</groupId>
+ <artifactId>maven-jar-plugin</artifactId>
+ <executions>
+ <execution>
+ <id>artifact-jar</id>
+ <goals>
+ <goal>jar</goal>
+ </goals>
+ </execution>
+ <execution>
+ <id>test-jar</id>
+ <goals>
+ <goal>test-jar</goal>
+ </goals>
+ </execution>
+ </executions>
+ <configuration>
+ <archive>
+ <manifestFile>${project.build.outputDirectory}/META-INF/MANIFEST.MF</manifestFile>
+ </archive>
+ </configuration>
+ </plugin>
+ <plugin>
+ <groupId>org.codehaus.mojo</groupId>
+ <artifactId>findbugs-maven-plugin</artifactId>
+ <configuration>
+ <onlyAnalyze>org.eclipse.jetty.exssl.*</onlyAnalyze>
+ </configuration>
+ </plugin>
+ </plugins>
+ </build>
+ <dependencies>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>${junit4-version}</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>javax.servlet</groupId>
+ <artifactId>servlet-api</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-server</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-http</artifactId>
+ <version>${project.version}</version>
+ </dependency>
+ <dependency>
+ <groupId>org.eclipse.jetty</groupId>
+ <artifactId>jetty-jmx</artifactId>
+ <version>${project.version}</version>
+ <optional>true</optional>
+ </dependency>
+ </dependencies>
+</project>
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/CertificateValidator.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/CertificateValidator.java
new file mode 100644
index 0000000..0826292
--- /dev/null
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/CertificateValidator.java
@@ -0,0 +1,150 @@
+package org.eclipse.jetty.exssl;
+
+import java.security.KeyStore;
+import java.security.KeyStoreException;
+import java.security.cert.CRL;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertPathBuilderException;
+import java.security.cert.CertPathBuilderResult;
+import java.security.cert.CertPathValidator;
+import java.security.cert.CertPathValidatorException;
+import java.security.cert.CertPathValidatorResult;
+import java.security.cert.CertStore;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateException;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Collection;
+
+import org.eclipse.jetty.util.log.Log;
+
+public class CertificateValidator
+{
+ private KeyStore _keyStore;
+ private KeyStore _trustStore;
+ private Collection<? extends CRL> _crls;
+ private int _maxCertPathLength = -1;
+
+ public CertificateValidator(KeyStore keyStore, KeyStore trustStore, Collection<? extends CRL> crls)
+ {
+ _keyStore = keyStore;
+ _trustStore = trustStore;
+ _crls = crls;
+ }
+
+ public String validate(String keyAlias) throws CertificateException
+ {
+ String result = null;
+
+ if (keyAlias != null)
+ {
+ try
+ {
+ validate(_keyStore.getCertificate(keyAlias));
+ }
+ catch (KeyStoreException ex)
+ {
+ CertificateException crtex =
+ new CertificateException("Unable to validate certificate for alias " +
+ keyAlias + ": " + ex.toString());
+ crtex.initCause(ex);
+ throw crtex;
+ }
+ result = keyAlias;
+ }
+
+ return result;
+ }
+
+ public void validate(Certificate cert) throws CertificateException
+ {
+ if (cert != null && cert instanceof X509Certificate)
+ {
+ ((X509Certificate)cert).checkValidity();
+
+ String certAlias = "[none]";
+ try
+ {
+ certAlias = _keyStore.getCertificateAlias((X509Certificate)cert);
+ Certificate[] certChain = _keyStore.getCertificateChain(certAlias);
+
+ ArrayList<X509Certificate> certList = new ArrayList<X509Certificate>();
+ for (Certificate item : certChain)
+ {
+ if (!(item instanceof X509Certificate))
+ {
+ throw new CertificateException("Invalid certificate type in chain");
+ }
+ certList.add((X509Certificate)item);
+ }
+
+ if (certList.isEmpty())
+ {
+ throw new CertificateException("Invalid certificate chain");
+
+ }
+
+ X509CertSelector certSelect = new X509CertSelector();
+ certSelect.setCertificate(certList.get(0));
+
+ // Configure certification path builder parameters
+ PKIXBuilderParameters pbParams = new PKIXBuilderParameters(_trustStore, certSelect);
+ pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(certList)));
+
+ // Set static Certificate Revocation List
+ if (_crls != null && !_crls.isEmpty())
+ {
+ pbParams.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(_crls)));
+ }
+
+ // Enable revocation checking
+ pbParams.setRevocationEnabled(true);
+
+ // Set maximum certification path length
+ pbParams.setMaxPathLength(_maxCertPathLength);
+
+ // Build certification path
+ CertPathBuilderResult buildResult = CertPathBuilder.getInstance("PKIX").build(pbParams);
+
+ // Validate certification path
+ CertPathValidator.getInstance("PKIX").validate(buildResult.getCertPath(),pbParams);
+ }
+ catch (Exception ex)
+ {
+ CertificateException crtex =
+ new CertificateException("Unable to validate certificate for alias " +
+ certAlias + ": " + ex.toString());
+ crtex.initCause(ex);
+ throw crtex;
+ }
+ }
+ }
+
+ public int getMaxCertPathLength()
+ {
+ return _maxCertPathLength;
+ }
+
+ public void setMaxCertPathLength(int maxCertPathLength)
+ {
+ _maxCertPathLength = maxCertPathLength;
+ }
+
+ public KeyStore getKeyStore()
+ {
+ return _keyStore;
+ }
+
+ public KeyStore getTrustStore()
+ {
+ return _trustStore;
+ }
+
+ public Collection<? extends CRL> getCrls()
+ {
+ return _crls;
+ }
+}
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslConnector.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslConnector.java
new file mode 100644
index 0000000..2b781c9
--- /dev/null
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslConnector.java
@@ -0,0 +1,291 @@
+package org.eclipse.jetty.exssl;
+
+import java.io.File;
+import java.security.SecureRandom;
+import java.security.Security;
+
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.TrustManagerFactory;
+
+import org.eclipse.jetty.server.Connector;
+
+
+/* ------------------------------------------------------------ */
+/** The interface for SSL connectors and their configuration methods.
+ *
+ */
+public interface EnhancedSslConnector extends Connector
+{
+ public static final String DEFAULT_KEYSTORE_ALGORITHM=(Security.getProperty("ssl.KeyManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.KeyManagerFactory.algorithm"));
+ public static final String DEFAULT_TRUSTSTORE_ALGORITHM=(Security.getProperty("ssl.TrustManagerFactory.algorithm")==null?"SunX509":Security.getProperty("ssl.TrustManagerFactory.algorithm"));
+
+ /** Default value for the keystore location path. */
+ public static final String DEFAULT_KEYSTORE = System.getProperty("user.home") + File.separator + ".keystore";
+
+ /** String name of key password property. */
+ public static final String KEYPASSWORD_PROPERTY = "org.eclipse.jetty.ssl.keypassword";
+
+ /** String name of keystore password property. */
+ public static final String PASSWORD_PROPERTY = "org.eclipse.jetty.ssl.password";
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The array of Ciphersuite names to exclude from
+ * {@link SSLEngine#setEnabledCipherSuites(String[])}
+ */
+ public abstract String[] getExcludeCipherSuites();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param cipherSuites The array of Ciphersuite names to exclude from
+ * {@link SSLEngine#setEnabledCipherSuites(String[])}
+ */
+ public abstract void setExcludeCipherSuites(String[] cipherSuites);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The array of Ciphersuite names to include in
+ * {@link SSLEngine#setEnabledCipherSuites(String[])}
+ */
+ public abstract String[] getIncludeCipherSuites();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param cipherSuites The array of Ciphersuite names to include in
+ * {@link SSLEngine#setEnabledCipherSuites(String[])}
+ */
+ public abstract void setIncludeCipherSuites(String[] cipherSuites);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param password The password for the key store
+ */
+ public abstract void setPassword(String password);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param password The password for the trust store
+ */
+ public abstract void setTrustPassword(String password);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param password The password (if any) for the specific key within
+ * the key store
+ */
+ public abstract void setKeyPassword(String password);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The SSL protocol (default "TLS") passed to {@link SSLContext#getInstance(String, String)}
+ */
+ public abstract String getProtocol();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param protocol The SSL protocol (default "TLS") passed to {@link SSLContext#getInstance(String, String)}
+
+ */
+ public abstract void setProtocol(String protocol);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param keystore The file or URL of the SSL Key store.
+ */
+ public abstract void setKeystore(String keystore);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The file or URL of the SSL Key store.
+ */
+ public abstract String getKeystore();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The type of the key store (default "JKS")
+ */
+ public abstract String getKeystoreType();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return True if SSL needs client authentication.
+ * @see SSLEngine#getNeedClientAuth()
+ */
+ public abstract boolean getNeedClientAuth();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return True if SSL wants client authentication.
+ * @see SSLEngine#getWantClientAuth()
+ */
+ public abstract boolean getWantClientAuth();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param needClientAuth True if SSL needs client authentication.
+ * @see SSLEngine#getNeedClientAuth()
+ */
+ public abstract void setNeedClientAuth(boolean needClientAuth);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param wantClientAuth True if SSL wants client authentication.
+ * @see SSLEngine#getWantClientAuth()
+ */
+ public abstract void setWantClientAuth(boolean wantClientAuth);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param keystoreType The type of the key store (default "JKS")
+ */
+ public abstract void setKeystoreType(String keystoreType);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The SSL provider name, which if set is passed to
+ * {@link SSLContext#getInstance(String, String)}
+ */
+ public abstract String getProvider();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The algorithm name, which if set is passed to
+ * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom}
+ * instance passed to {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
+ */
+ public abstract String getSecureRandomAlgorithm();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The algorithm name (default "SunX509") used by the {@link KeyManagerFactory}
+ */
+ public abstract String getSslKeyManagerFactoryAlgorithm();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
+ */
+ public abstract String getSslTrustManagerFactoryAlgorithm();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The file name or URL of the trust store location
+ */
+ public abstract String getTruststore();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The type of the trust store (default "JKS")
+ */
+ public abstract String getTruststoreType();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param provider The SSL provider name, which if set is passed to
+ * {@link SSLContext#getInstance(String, String)}
+ */
+ public abstract void setProvider(String provider);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param algorithm The algorithm name, which if set is passed to
+ * {@link SecureRandom#getInstance(String)} to obtain the {@link SecureRandom}
+ * instance passed to {@link SSLContext#init(javax.net.ssl.KeyManager[], javax.net.ssl.TrustManager[], SecureRandom)}
+
+ */
+ public abstract void setSecureRandomAlgorithm(String algorithm);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param algorithm The algorithm name (default "SunX509") used by
+ * the {@link KeyManagerFactory}
+ */
+ public abstract void setSslKeyManagerFactoryAlgorithm(String algorithm);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param algorithm The algorithm name (default "SunX509") used by the {@link TrustManagerFactory}
+ */
+ public abstract void setSslTrustManagerFactoryAlgorithm(String algorithm);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param truststore The file name or URL of the trust store location
+ */
+ public abstract void setTruststore(String truststore);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param truststoreType The type of the trust store (default "JKS")
+ */
+ public abstract void setTruststoreType(String truststoreType);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param sslContext Set a preconfigured SSLContext
+ */
+ public abstract void setSslContext(SSLContext sslContext);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The SSLContext
+ */
+ public abstract SSLContext getSslContext();
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return True if SSL re-negotiation is allowed (default false)
+ */
+ public boolean isAllowRenegotiate();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
+ * a vulnerability in SSL/TLS with re-negotiation. If your JVM
+ * does not have CVE-2009-3555 fixed, then re-negotiation should
+ * not be allowed.
+ * @param allowRenegotiate true if re-negotiation is allowed (default false)
+ */
+ public void setAllowRenegotiate(boolean allowRenegotiate);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param keystoreProvider The provider of the key store
+ */
+ public abstract void setKeystoreProvider(String keystoreProvider);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The provider of the key store
+ */
+ public abstract String getKeystoreProvider();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param truststoreProvider The provider of the trust store
+ */
+ public abstract void setTruststoreProvider(String truststoreProvider);
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return The provider of the trust store
+ */
+ public abstract String getTruststoreProvider();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param crlPath Path to file that contains Certificate Revocation List
+ */
+ public abstract void setCrlPath(String crlPath);
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return Path to file that contains Certificate Revocation List
+ */
+ public abstract String getCrlPath();
+}
\ No newline at end of file
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSelectChannelConnector.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSelectChannelConnector.java
new file mode 100644
index 0000000..fce4b9d
--- /dev/null
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSelectChannelConnector.java
@@ -0,0 +1,871 @@
+// ========================================================================
+// Copyright (c) 2004-2009 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+
+package org.eclipse.jetty.exssl;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.nio.channels.SelectionKey;
+import java.nio.channels.SocketChannel;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.cert.CRL;
+import java.security.cert.CertStore;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
+
+import org.eclipse.jetty.http.HttpParser;
+import org.eclipse.jetty.http.HttpSchemes;
+import org.eclipse.jetty.http.security.Password;
+import org.eclipse.jetty.io.Buffer;
+import org.eclipse.jetty.io.Buffers;
+import org.eclipse.jetty.io.Connection;
+import org.eclipse.jetty.io.EndPoint;
+import org.eclipse.jetty.io.ThreadLocalBuffers;
+import org.eclipse.jetty.io.bio.SocketEndPoint;
+import org.eclipse.jetty.io.nio.DirectNIOBuffer;
+import org.eclipse.jetty.io.nio.IndirectNIOBuffer;
+import org.eclipse.jetty.io.nio.SelectChannelEndPoint;
+import org.eclipse.jetty.io.nio.SelectorManager.SelectSet;
+import org.eclipse.jetty.io.nio.SslSelectChannelEndPoint;
+import org.eclipse.jetty.server.HttpConnection;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.nio.SelectChannelConnector;
+import org.eclipse.jetty.server.ssl.SslCertificates;
+import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.resource.Resource;
+
+/* ------------------------------------------------------------ */
+/**
+ * SslSelectChannelConnector.
+ *
+ * @org.apache.xbean.XBean element="sslConnector" description="Creates an NIO ssl connector"
+ *
+ *
+ *
+ */
+public class EnhancedSslSelectChannelConnector extends SelectChannelConnector implements EnhancedSslConnector
+{
+ /** Excluded cipher suites. */
+ private String _excludeCipherSuites[]=null;
+ /** Included cipher suites. */
+ private String _includeCipherSuites[]=null;
+
+ /** KeyStore path. */
+ private String _keystorePath=DEFAULT_KEYSTORE;
+ /** KeyStore provider name */
+ private String _keystoreProvider;
+ /** KeyStore type */
+ private String _keystoreType="JKS";
+ /** SSL key alias */
+ private String _keyAlias;
+
+ /** TrustStore path */
+ private String _truststorePath;
+ /** TrustStore provider name */
+ private String _truststoreProvider;
+ /** TrustStore type */
+ private String _truststoreType="JKS";
+
+ /** Set to true if client certificate authentication is required */
+ private boolean _needClientAuth=false;
+ /** Set to true if client certificate authentication is desired */
+ private boolean _wantClientAuth=false;
+ /** Set to true if renegotiation is allowed */
+ private boolean _allowRenegotiate=false;
+
+ /** KeyStore password */
+ private transient Password _password;
+ /** Key password */
+ private transient Password _keyPassword;
+ /** TrustStore password */
+ private transient Password _trustPassword;
+
+ /** SSL Provider name */
+ private String _sslProvider;
+ /** SSL Protocol name */
+ private String _sslProtocol="TLS";
+
+ /** SecureRandom algorithm */
+ private String _secureRandomAlgorithm;
+ /** KeyManager factory algorithm */
+ private String _sslKeyManagerFactoryAlgorithm=DEFAULT_KEYSTORE_ALGORITHM;
+ /** TrustManager factory algorithm */
+ private String _sslTrustManagerFactoryAlgorithm=DEFAULT_TRUSTSTORE_ALGORITHM;
+
+ /** Path to file that contains Certificate Revocation List */
+ private String _crlPath;
+ /** Maximum certification path length (n - number of intermediate certs, -1 for unlimited) */
+ private int _maxCertPathLength = -1;
+
+ /** SSL context */
+ private SSLContext _context;
+ private Buffers _sslBuffers;
+
+ /* ------------------------------------------------------------ */
+ public EnhancedSslSelectChannelConnector()
+ {
+ setUseDirectBuffers(false);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Allow the Listener a chance to customise the request. before the server
+ * does its stuff. <br>
+ * This allows the required attributes to be set for SSL requests. <br>
+ * The requirements of the Servlet specs are:
+ * <ul>
+ * <li> an attribute named "javax.servlet.request.ssl_session_id" of type
+ * String (since Servlet Spec 3.0).</li>
+ * <li> an attribute named "javax.servlet.request.cipher_suite" of type
+ * String.</li>
+ * <li> an attribute named "javax.servlet.request.key_size" of type Integer.</li>
+ * <li> an attribute named "javax.servlet.request.X509Certificate" of type
+ * java.security.cert.X509Certificate[]. This is an array of objects of type
+ * X509Certificate, the order of this array is defined as being in ascending
+ * order of trust. The first certificate in the chain is the one set by the
+ * client, the next is the one used to authenticate the first, and so on.
+ * </li>
+ * </ul>
+ *
+ * @param endpoint
+ * The Socket the request arrived on. This should be a
+ * {@link SocketEndPoint} wrapping a {@link SSLSocket}.
+ * @param request
+ * HttpRequest to be customised.
+ */
+ @Override
+ public void customize(EndPoint endpoint, Request request) throws IOException
+ {
+ request.setScheme(HttpSchemes.HTTPS);
+ super.customize(endpoint,request);
+
+ SslSelectChannelEndPoint sslHttpChannelEndpoint=(SslSelectChannelEndPoint)endpoint;
+ SSLEngine sslEngine=sslHttpChannelEndpoint.getSSLEngine();
+ SSLSession sslSession=sslEngine.getSession();
+
+ SslCertificates.customize(sslSession,endpoint,request);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return True if SSL re-negotiation is allowed (default false)
+ */
+ public boolean isAllowRenegotiate()
+ {
+ return _allowRenegotiate;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
+ * a vulnerability in SSL/TLS with re-negotiation. If your JVM
+ * does not have CVE-2009-3555 fixed, then re-negotiation should
+ * not be allowed.
+ * @param allowRenegotiate true if re-negotiation is allowed (default false)
+ */
+ public void setAllowRenegotiate(boolean allowRenegotiate)
+ {
+ _allowRenegotiate = allowRenegotiate;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
+ */
+ public String[] getExcludeCipherSuites()
+ {
+ return _excludeCipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
+ */
+ public void setExcludeCipherSuites(String[] cipherSuites)
+ {
+ this._excludeCipherSuites=cipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
+ */
+ public String[] getIncludeCipherSuites()
+ {
+ return _includeCipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
+ */
+ public void setIncludeCipherSuites(String[] cipherSuites)
+ {
+ this._includeCipherSuites=cipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setPassword(java.lang.String)
+ */
+ public void setPassword(String password)
+ {
+ _password=Password.getPassword(PASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setTrustPassword(java.lang.String)
+ */
+ public void setTrustPassword(String password)
+ {
+ _trustPassword=Password.getPassword(PASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setKeyPassword(java.lang.String)
+ */
+ public void setKeyPassword(String password)
+ {
+ _keyPassword=Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @deprecated use {@link #getSslKeyManagerFactoryAlgorithm()} or
+ * {@link #getSslTrustManagerFactoryAlgorithm()}
+ */
+ @Deprecated
+ public String getAlgorithm()
+ {
+ return getSslKeyManagerFactoryAlgorithm();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @deprecated use {@link #setSslKeyManagerFactoryAlgorithm(String)} or
+ * {@link #setSslTrustManagerFactoryAlgorithm(String)}
+ */
+ @Deprecated
+ public void setAlgorithm(String algorithm)
+ {
+ setSslKeyManagerFactoryAlgorithm(algorithm);
+ setSslTrustManagerFactoryAlgorithm(algorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getProtocol()
+ */
+ public String getProtocol()
+ {
+ return _sslProtocol;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setProtocol(java.lang.String)
+ */
+ public void setProtocol(String protocol)
+ {
+ _sslProtocol=protocol;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystore(java.lang.String)
+ */
+ public void setKeystore(String keystore)
+ {
+ _keystorePath=keystore;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystore()
+ */
+ public String getKeystore()
+ {
+ return _keystorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystoreType()
+ */
+ public String getKeystoreType()
+ {
+ return (_keystoreType);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getNeedClientAuth()
+ */
+ public boolean getNeedClientAuth()
+ {
+ return _needClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getWantClientAuth()
+ */
+ public boolean getWantClientAuth()
+ {
+ return _wantClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setNeedClientAuth(boolean)
+ */
+ public void setNeedClientAuth(boolean needClientAuth)
+ {
+ _needClientAuth=needClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setWantClientAuth(boolean)
+ */
+ public void setWantClientAuth(boolean wantClientAuth)
+ {
+ _wantClientAuth=wantClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystoreType(java.lang.String)
+ */
+ public void setKeystoreType(String keystoreType)
+ {
+ _keystoreType=keystoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getProvider()
+ */
+ public String getProvider()
+ {
+ return _sslProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getSecureRandomAlgorithm()
+ */
+ public String getSecureRandomAlgorithm()
+ {
+ return (this._secureRandomAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getSslKeyManagerFactoryAlgorithm()
+ */
+ public String getSslKeyManagerFactoryAlgorithm()
+ {
+ return (this._sslKeyManagerFactoryAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getSslTrustManagerFactoryAlgorithm()
+ */
+ public String getSslTrustManagerFactoryAlgorithm()
+ {
+ return (this._sslTrustManagerFactoryAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststore()
+ */
+ public String getTruststore()
+ {
+ return _truststorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststoreType()
+ */
+ public String getTruststoreType()
+ {
+ return _truststoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setProvider(java.lang.String)
+ */
+ public void setProvider(String provider)
+ {
+ _sslProvider=provider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSecureRandomAlgorithm(java.lang.String)
+ */
+ public void setSecureRandomAlgorithm(String algorithm)
+ {
+ this._secureRandomAlgorithm=algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslKeyManagerFactoryAlgorithm(java.lang.String)
+ */
+ public void setSslKeyManagerFactoryAlgorithm(String algorithm)
+ {
+ this._sslKeyManagerFactoryAlgorithm=algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslTrustManagerFactoryAlgorithm(java.lang.String)
+ */
+ public void setSslTrustManagerFactoryAlgorithm(String algorithm)
+ {
+ this._sslTrustManagerFactoryAlgorithm=algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststore(java.lang.String)
+ */
+ public void setTruststore(String truststore)
+ {
+ _truststorePath=truststore;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststoreType(java.lang.String)
+ */
+ public void setTruststoreType(String truststoreType)
+ {
+ _truststoreType=truststoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
+ */
+ public void setSslContext(SSLContext sslContext)
+ {
+ _context = sslContext;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
+ */
+ public SSLContext getSslContext()
+ {
+ try
+ {
+ if (_context == null)
+ _context=createSSLContext();
+ }
+ catch(Exception e)
+ {
+ throw new RuntimeException(e);
+ }
+
+ return _context;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * By default, we're confidential, given we speak SSL. But, if we've been
+ * told about an confidential port, and said port is not our port, then
+ * we're not. This allows separation of listeners providing INTEGRAL versus
+ * CONFIDENTIAL constraints, such as one SSL listener configured to require
+ * client certs providing CONFIDENTIAL, whereas another SSL listener not
+ * requiring client certs providing mere INTEGRAL constraints.
+ */
+ @Override
+ public boolean isConfidential(Request request)
+ {
+ final int confidentialPort=getConfidentialPort();
+ return confidentialPort==0||confidentialPort==request.getServerPort();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * By default, we're integral, given we speak SSL. But, if we've been told
+ * about an integral port, and said port is not our port, then we're not.
+ * This allows separation of listeners providing INTEGRAL versus
+ * CONFIDENTIAL constraints, such as one SSL listener configured to require
+ * client certs providing CONFIDENTIAL, whereas another SSL listener not
+ * requiring client certs providing mere INTEGRAL constraints.
+ */
+ @Override
+ public boolean isIntegral(Request request)
+ {
+ final int integralPort=getIntegralPort();
+ return integralPort==0||integralPort==request.getServerPort();
+ }
+
+ /* ------------------------------------------------------------------------------- */
+ @Override
+ protected SelectChannelEndPoint newEndPoint(SocketChannel channel, SelectSet selectSet, SelectionKey key) throws IOException
+ {
+ SslSelectChannelEndPoint endp = new SslSelectChannelEndPoint(_sslBuffers,channel,selectSet,key,createSSLEngine(), EnhancedSslSelectChannelConnector.this._maxIdleTime);
+ endp.setAllowRenegotiate(_allowRenegotiate);
+ return endp;
+ }
+
+ /* ------------------------------------------------------------------------------- */
+ @Override
+ protected Connection newConnection(SocketChannel channel, SelectChannelEndPoint endpoint)
+ {
+ HttpConnection connection=(HttpConnection)super.newConnection(channel,endpoint);
+ ((HttpParser)connection.getParser()).setForceContentBuffer(true);
+ return connection;
+ }
+
+ /* ------------------------------------------------------------ */
+ protected SSLEngine createSSLEngine() throws IOException
+ {
+ SSLEngine engine = null;
+ try
+ {
+ engine = _context.createSSLEngine();
+ engine.setUseClientMode(false);
+
+ if (_wantClientAuth)
+ engine.setWantClientAuth(_wantClientAuth);
+ if (_needClientAuth)
+ engine.setNeedClientAuth(_needClientAuth);
+
+ if ((_excludeCipherSuites != null && _excludeCipherSuites.length > 0) || (_includeCipherSuites != null && _includeCipherSuites.length > 0))
+ {
+ List<String> includedCSList;
+ if (_includeCipherSuites != null)
+ {
+ includedCSList = Arrays.asList(_includeCipherSuites);
+ }
+ else
+ {
+ includedCSList = new ArrayList<String>();
+ }
+ List<String> excludedCSList;
+ if (_excludeCipherSuites != null)
+ {
+ excludedCSList = Arrays.asList(_excludeCipherSuites);
+ }
+ else
+ {
+ excludedCSList = new ArrayList<String>();
+ }
+ String[] enabledCipherSuites = engine.getEnabledCipherSuites();
+ List<String> enabledCSList = new ArrayList<String>(Arrays.asList(enabledCipherSuites));
+
+ String[] supportedCipherSuites = engine.getSupportedCipherSuites();
+ List<String> supportedCSList = Arrays.asList(supportedCipherSuites);
+
+ for (String cipherName : includedCSList)
+ {
+ if ((!enabledCSList.contains(cipherName)) && supportedCSList.contains(cipherName))
+ {
+ enabledCSList.add(cipherName);
+ }
+ }
+
+ for (String cipherName : excludedCSList)
+ {
+ if (enabledCSList.contains(cipherName))
+ {
+ enabledCSList.remove(cipherName);
+ }
+ }
+ enabledCipherSuites = enabledCSList.toArray(new String[0]);
+
+ engine.setEnabledCipherSuites(enabledCipherSuites);
+ }
+ }
+ catch (Exception e)
+ {
+ Log.warn("Error creating sslEngine -- closing this connector",e);
+ close();
+ throw new IllegalStateException(e);
+ }
+ return engine;
+ }
+
+ @Override
+ protected void doStart() throws Exception
+ {
+ if (_context == null)
+ _context=createSSLContext();
+
+ SSLEngine engine=createSSLEngine();
+ SSLSession ssl_session=engine.getSession();
+
+ ThreadLocalBuffers buffers = new ThreadLocalBuffers()
+ {
+ @Override
+ protected Buffer newBuffer(int size)
+ {
+ if (getUseDirectBuffers())
+ return new DirectNIOBuffer(size);
+ return new IndirectNIOBuffer(size);
+ }
+ @Override
+ protected Buffer newHeader(int size)
+ {
+ if (getUseDirectBuffers())
+ return new DirectNIOBuffer(size);
+ return new IndirectNIOBuffer(size);
+ }
+ @Override
+ protected boolean isHeader(Buffer buffer)
+ {
+ return true;
+ }
+ };
+ buffers.setBufferSize(ssl_session.getApplicationBufferSize());
+ buffers.setHeaderSize(ssl_session.getApplicationBufferSize());
+ _sslBuffers=buffers;
+
+ if (getRequestHeaderSize()<ssl_session.getApplicationBufferSize())
+ setRequestHeaderSize(ssl_session.getApplicationBufferSize());
+ if (getRequestBufferSize()<ssl_session.getApplicationBufferSize())
+ setRequestBufferSize(ssl_session.getApplicationBufferSize());
+
+ super.doStart();
+ }
+
+ public Buffers getSslBuffers()
+ {
+ return _sslBuffers;
+ }
+
+ public void setKeystoreProvider(String keystoreProvider)
+ {
+ _keystoreProvider = keystoreProvider;
+ }
+
+ public String getKeystoreProvider()
+ {
+ return _keystoreProvider;
+ }
+
+ public void setTruststoreProvider(String truststoreProvider)
+ {
+ _truststoreProvider = truststoreProvider;
+ }
+
+ public String getTruststoreProvider()
+ {
+ return _truststoreProvider;
+ }
+
+ public void setCrlPath(String crlPath)
+ {
+ _crlPath = crlPath;
+ }
+
+ public String getCrlPath()
+ {
+ return _crlPath;
+ }
+
+ /* ------------------------------------------------------------ */
+ protected SSLContext createSSLContext() throws Exception
+ {
+ KeyStore keyStore = getKeyStore(_keystorePath, _keystoreType, _keystoreProvider, _password==null?null:_password.toString());
+ KeyStore trustStore = getTrustStore(_truststorePath, _truststoreType, _truststoreProvider, _trustPassword == null ? null : _trustPassword.toString());
+ Collection<? extends CRL> crls = loadCRL(_crlPath);
+
+ KeyManager[] keyManagers = getKeyManagers(keyStore, trustStore, crls);
+ TrustManager[] trustManagers = getTrustManagers(trustStore, crls);
+
+ SecureRandom secureRandom =
+ _secureRandomAlgorithm == null ? null : SecureRandom.getInstance(_secureRandomAlgorithm);
+ SSLContext context = _sslProvider == null ? SSLContext.getInstance(_sslProtocol) :
+ SSLContext.getInstance(_sslProtocol,_sslProvider);
+ context.init(keyManagers,trustManagers,secureRandom);
+
+ return context;
+ }
+
+ /* ------------------------------------------------------------ */
+ protected KeyManager[] getKeyManagers(KeyStore keyStore, KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
+ {
+ KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(_sslKeyManagerFactoryAlgorithm);
+ keyManagerFactory.init(keyStore,_keyPassword==null?(_password==null?null:_password.toString().toCharArray()):_keyPassword.toString().toCharArray());
+ KeyManager[] managers = keyManagerFactory.getKeyManagers();
+
+ if (_keyAlias != null)
+ {
+ for (int idx=0; idx < managers.length; idx++)
+ {
+ if (managers[idx] instanceof X509KeyManager)
+ {
+ managers[idx] = new SslKeyManager(_keyAlias, (X509KeyManager)managers[idx],
+ new CertificateValidator(keyStore, trustStore, crls));
+ }
+ }
+ }
+
+ return managers;
+ }
+
+ /* ------------------------------------------------------------ */
+ protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
+ {
+ TrustManager[] managers = null;
+ if (trustStore != null)
+ {
+ // Revocation checking is only supported for PKIX algorithm
+ if (_sslTrustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
+ {
+ PKIXBuilderParameters pbParams =
+ new PKIXBuilderParameters(trustStore, new X509CertSelector());
+
+ // Enable revocation checking
+ pbParams.setRevocationEnabled(true);
+
+ // Set maximum certification path length
+ pbParams.setMaxPathLength(_maxCertPathLength);
+
+ if (crls != null && !crls.isEmpty())
+ {
+ pbParams.addCertStore(CertStore.getInstance("Collection",
+ new CollectionCertStoreParameters(crls)));
+ }
+
+ // Enable On-Line Certificate Status Protocol (OCSP) support
+ Security.setProperty("ocsp.enable", "true");
+
+ // Enable Certificate Revocation List Distribution Points (CRLDP) support
+ System.setProperty("com.sun.security.enableCRLDP","true");
+
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_sslTrustManagerFactoryAlgorithm);
+ trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
+
+ managers = trustManagerFactory.getTrustManagers();
+ }
+ else
+ {
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_sslTrustManagerFactoryAlgorithm);
+ trustManagerFactory.init(trustStore);
+
+ managers = trustManagerFactory.getTrustManagers();
+ }
+ }
+
+ return managers;
+ }
+
+ private Collection<? extends CRL> loadCRL(String crlPath) throws Exception
+ {
+ Collection<? extends CRL> crlList = null;
+
+ InputStream in = null;
+ try {
+ in = Resource.newResource(crlPath).getInputStream();
+ crlList = CertificateFactory.getInstance("X.509").generateCRLs(in);
+ }
+ finally
+ {
+ if (in != null)
+ {
+ in.close();
+ }
+ }
+
+ return crlList;
+ }
+
+ /* ------------------------------------------------------------ */
+ protected KeyStore getKeyStore(String storePath, String storeType, String storeProvider, String storePassword) throws Exception
+ {
+ if (storePath == null)
+ return null;
+
+ KeyStore keystore = null;
+ InputStream inStream = null;
+ try
+ {
+ if (storeProvider != null)
+ {
+ keystore = KeyStore.getInstance(storeType, storeProvider);
+ }
+ else
+ {
+ keystore = KeyStore.getInstance(storeType);
+ }
+
+ inStream = Resource.newResource(storePath).getInputStream();
+ keystore.load(inStream, storePassword == null ? null : storePassword.toCharArray());
+
+ return keystore;
+ }
+ finally
+ {
+ if (inStream != null)
+ {
+ inStream.close();
+ }
+ }
+ }
+
+ protected KeyStore getTrustStore(String trustPath, String trustType, String trustProvider, String trustPassword) throws Exception
+ {
+ if (trustPath==null)
+ {
+ trustPath = System.getProperty("javax.net.ssl.trustStore");
+ trustType = System.getProperty("javax.net.ssl.trustStoreType");
+ trustProvider = System.getProperty("javax.net.ssl.trustStoreProvider");
+ trustPassword = System.getProperty("javax.net.ssl.trustStorePassword");
+ }
+
+ if (trustPath==null)
+ {
+ trustPath = _keystorePath;
+ trustType = _keystoreType;
+ trustProvider = _keystoreProvider;
+ trustPassword = _password.toString();
+ _sslTrustManagerFactoryAlgorithm = _sslKeyManagerFactoryAlgorithm;
+ }
+
+ return getKeyStore(trustPath, trustType, trustProvider, trustPassword);
+ }
+}
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSocketConnector.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSocketConnector.java
new file mode 100644
index 0000000..535f0b4
--- /dev/null
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSocketConnector.java
@@ -0,0 +1,860 @@
+// ========================================================================
+// Copyright (c) 2000-2009 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+
+package org.eclipse.jetty.exssl;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.security.KeyStore;
+import java.security.SecureRandom;
+import java.security.Security;
+import java.security.cert.CRL;
+import java.security.cert.CertPathBuilder;
+import java.security.cert.CertStore;
+import java.security.cert.CertStoreParameters;
+import java.security.cert.Certificate;
+import java.security.cert.CertificateFactory;
+import java.security.cert.CollectionCertStoreParameters;
+import java.security.cert.PKIXBuilderParameters;
+import java.security.cert.X509CertSelector;
+import java.security.cert.X509Certificate;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collection;
+import java.util.List;
+
+import javax.management.openmbean.KeyAlreadyExistsException;
+import javax.net.ssl.CertPathTrustManagerParameters;
+import javax.net.ssl.HandshakeCompletedEvent;
+import javax.net.ssl.HandshakeCompletedListener;
+import javax.net.ssl.KeyManager;
+import javax.net.ssl.KeyManagerFactory;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLServerSocket;
+import javax.net.ssl.SSLServerSocketFactory;
+import javax.net.ssl.SSLSession;
+import javax.net.ssl.SSLSocket;
+import javax.net.ssl.TrustManager;
+import javax.net.ssl.TrustManagerFactory;
+import javax.net.ssl.X509KeyManager;
+
+import org.eclipse.jetty.http.HttpSchemes;
+import org.eclipse.jetty.http.security.Password;
+import org.eclipse.jetty.io.EndPoint;
+import org.eclipse.jetty.io.bio.SocketEndPoint;
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.bio.SocketConnector;
+import org.eclipse.jetty.server.ssl.SslCertificates;
+import org.eclipse.jetty.util.log.Log;
+import org.eclipse.jetty.util.resource.Resource;
+
+/* ------------------------------------------------------------ */
+/**
+ * SSL Socket Connector.
+ *
+ * This specialization of SocketConnector is an abstract listener that can be used as the basis for a
+ * specific JSSE listener.
+ *
+ * The original of this class was heavily based on the work from Court Demas, which in turn is
+ * based on the work from Forge Research. Since JSSE, this class has evolved significantly from
+ * that early work.
+ *
+ * @org.apache.xbean.XBean element="sslSocketConnector" description="Creates an ssl socket connector"
+ *
+ *
+ */
+public class EnhancedSslSocketConnector extends SocketConnector implements EnhancedSslConnector
+{
+ /** Excluded cipher suites. */
+ private String _excludeCipherSuites[]=null;
+ /** Included cipher suites. */
+ private String _includeCipherSuites[]=null;
+
+ /** KeyStore path. */
+ private String _keystorePath=DEFAULT_KEYSTORE;
+ /** KeyStore provider name */
+ private String _keystoreProvider;
+ /** KeyStore type */
+ private String _keystoreType="JKS";
+ /** SSL key alias */
+ private String _keyAlias;
+
+ /** TrustStore path */
+ private String _truststorePath;
+ /** TrustStore provider name */
+ private String _truststoreProvider;
+ /** TrustStore type */
+ private String _truststoreType="JKS";
+
+ /** Set to true if client certificate authentication is required */
+ private boolean _needClientAuth=false;
+ /** Set to true if client certificate authentication is desired */
+ private boolean _wantClientAuth=false;
+ /** Set to true if renegotiation is allowed */
+ private boolean _allowRenegotiate=false;
+
+ /** KeyStore password */
+ private transient Password _password;
+ /** Key password */
+ private transient Password _keyPassword;
+ /** TrustStore password */
+ private transient Password _trustPassword;
+
+ /** SSL Provider name */
+ private String _sslProvider;
+ /** SSL Protocol name */
+ private String _sslProtocol="TLS";
+
+ /** SecureRandom algorithm */
+ private String _secureRandomAlgorithm;
+ /** KeyManager factory algorithm */
+ private String _sslKeyManagerFactoryAlgorithm=DEFAULT_KEYSTORE_ALGORITHM;
+ /** TrustManager factory algorithm */
+ private String _sslTrustManagerFactoryAlgorithm=DEFAULT_TRUSTSTORE_ALGORITHM;
+
+ /** Path to file that contains Certificate Revocation List */
+ private String _crlPath;
+ /** Maximum certification path length (n - number of intermediate certs, -1 for unlimited) */
+ private int _maxCertPathLength = -1;
+ /** Handshake timeout, 0 for maxIdleTime */
+ private int _handshakeTimeout = 0;
+
+ /** SSL context */
+ private SSLContext _context;
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Constructor.
+ */
+ public EnhancedSslSocketConnector()
+ {
+ super();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return True if SSL re-negotiation is allowed (default false)
+ */
+ public boolean isAllowRenegotiate()
+ {
+ return _allowRenegotiate;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
+ * a vulnerability in SSL/TLS with re-negotiation. If your JVM
+ * does not have CVE-2009-3555 fixed, then re-negotiation should
+ * not be allowed.
+ * @param allowRenegotiate true if re-negotiation is allowed (default false)
+ */
+ public void setAllowRenegotiate(boolean allowRenegotiate)
+ {
+ _allowRenegotiate = allowRenegotiate;
+ }
+
+ /* ------------------------------------------------------------ */
+ @Override
+ public void accept(int acceptorID)
+ throws IOException, InterruptedException
+ {
+ Socket socket = _serverSocket.accept();
+ configure(socket);
+
+ ConnectorEndPoint connection=new SslConnectorEndPoint(socket);
+ connection.dispatch();
+ }
+
+ /* ------------------------------------------------------------ */
+ @Override
+ protected void configure(Socket socket)
+ throws IOException
+ {
+ super.configure(socket);
+ }
+
+ /* ------------------------------------------------------------ */
+ protected SSLContext createSSLContext() throws Exception
+ {
+ KeyStore keyStore = getKeyStore(_keystorePath, _keystoreType, _keystoreProvider, _password==null?null:_password.toString());
+ KeyStore trustStore = getTrustStore(_truststorePath, _truststoreType, _truststoreProvider, _trustPassword == null ? null : _trustPassword.toString());
+ Collection<? extends CRL> crls = loadCRL(_crlPath);
+
+ KeyManager[] keyManagers = getKeyManagers(keyStore, trustStore, crls);
+ TrustManager[] trustManagers = getTrustManagers(trustStore, crls);
+
+ SecureRandom secureRandom =
+ _secureRandomAlgorithm == null ? null : SecureRandom.getInstance(_secureRandomAlgorithm);
+ SSLContext context = _sslProvider == null ? SSLContext.getInstance(_sslProtocol) :
+ SSLContext.getInstance(_sslProtocol,_sslProvider);
+ context.init(keyManagers,trustManagers,secureRandom);
+
+ return context;
+ }
+
+ /* ------------------------------------------------------------ */
+ protected SSLServerSocketFactory createFactory()
+ throws Exception
+ {
+ if (_context == null)
+ _context = createSSLContext();
+
+ return _context.getServerSocketFactory();
+ }
+
+
+ /* ------------------------------------------------------------ */
+ protected KeyManager[] getKeyManagers(KeyStore keyStore, KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
+ {
+ KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(_sslKeyManagerFactoryAlgorithm);
+ keyManagerFactory.init(keyStore,_keyPassword==null?(_password==null?null:_password.toString().toCharArray()):_keyPassword.toString().toCharArray());
+ KeyManager[] managers = keyManagerFactory.getKeyManagers();
+
+ for (int idx=0; idx < managers.length; idx++)
+ {
+ if (managers[idx] instanceof X509KeyManager)
+ {
+ managers[idx] = new SslKeyManager(_keyAlias, (X509KeyManager)managers[idx],
+ new CertificateValidator(keyStore, trustStore, crls));
+ }
+ }
+
+ return managers;
+ }
+
+ protected TrustManager[] getTrustManagers(KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
+ {
+ TrustManager[] managers = null;
+ if (trustStore != null)
+ {
+ // Revocation checking is only supported for PKIX algorithm
+ if (_sslTrustManagerFactoryAlgorithm.equalsIgnoreCase("PKIX"))
+ {
+ PKIXBuilderParameters pbParams =
+ new PKIXBuilderParameters(trustStore, new X509CertSelector());
+
+ // Enable revocation checking
+ pbParams.setRevocationEnabled(true);
+
+ // Set maximum certification path length
+ pbParams.setMaxPathLength(_maxCertPathLength);
+
+ // Set static Certificate Revocation List
+ if (crls != null && !crls.isEmpty())
+ {
+ pbParams.addCertStore(CertStore.getInstance("Collection",
+ new CollectionCertStoreParameters(crls)));
+ }
+
+ // Enable On-Line Certificate Status Protocol (OCSP) support
+ Security.setProperty("ocsp.enable", "true");
+
+ // Enable Certificate Revocation List Distribution Points (CRLDP) support
+ System.setProperty("com.sun.security.enableCRLDP","true");
+
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_sslTrustManagerFactoryAlgorithm);
+ trustManagerFactory.init(new CertPathTrustManagerParameters(pbParams));
+
+ managers = trustManagerFactory.getTrustManagers();
+ }
+ else
+ {
+ TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(_sslTrustManagerFactoryAlgorithm);
+ trustManagerFactory.init(trustStore);
+
+ managers = trustManagerFactory.getTrustManagers();
+ }
+ }
+
+ return managers;
+ }
+
+ private Collection<? extends CRL> loadCRL(String crlPath) throws Exception
+ {
+ Collection<? extends CRL> crlList = null;
+
+ InputStream in = null;
+ try {
+ in = Resource.newResource(crlPath).getInputStream();
+ crlList = CertificateFactory.getInstance("X.509").generateCRLs(in);
+ }
+ finally
+ {
+ if (in != null)
+ {
+ in.close();
+ }
+ }
+
+ return crlList;
+ }
+
+ /* ------------------------------------------------------------ */
+ protected KeyStore getKeyStore(String storePath, String storeType, String storeProvider, String storePassword) throws Exception
+ {
+ if (storePath == null)
+ return null;
+
+ KeyStore keystore = null;
+ InputStream inStream = null;
+ try
+ {
+ if (storeProvider != null)
+ {
+ keystore = KeyStore.getInstance(storeType, storeProvider);
+ }
+ else
+ {
+ keystore = KeyStore.getInstance(storeType);
+ }
+
+ inStream = Resource.newResource(storePath).getInputStream();
+ keystore.load(inStream, storePassword == null ? null : storePassword.toCharArray());
+
+ return keystore;
+ }
+ finally
+ {
+ if (inStream != null)
+ {
+ inStream.close();
+ }
+ }
+ }
+
+ protected KeyStore getTrustStore(String trustPath, String trustType, String trustProvider, String trustPassword) throws Exception
+ {
+ if (trustPath==null)
+ {
+ trustPath = System.getProperty("javax.net.ssl.trustStore");
+ trustType = System.getProperty("javax.net.ssl.trustStoreType");
+ trustProvider = System.getProperty("javax.net.ssl.trustStoreProvider");
+ trustPassword = System.getProperty("javax.net.ssl.trustStorePassword");
+ }
+
+ if (trustPath==null)
+ {
+ trustPath = _keystorePath;
+ trustType = _keystoreType;
+ trustProvider = _keystoreProvider;
+ trustPassword = _password.toString();
+ _sslTrustManagerFactoryAlgorithm = _sslKeyManagerFactoryAlgorithm;
+ }
+
+ return getKeyStore(trustPath, trustType, trustProvider, trustPassword);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Allow the Listener a chance to customise the request. before the server does its stuff. <br>
+ * This allows the required attributes to be set for SSL requests. <br>
+ * The requirements of the Servlet specs are:
+ * <ul>
+ * <li> an attribute named "javax.servlet.request.ssl_id" of type String (since Spec 3.0).</li>
+ * <li> an attribute named "javax.servlet.request.cipher_suite" of type String.</li>
+ * <li> an attribute named "javax.servlet.request.key_size" of type Integer.</li>
+ * <li> an attribute named "javax.servlet.request.X509Certificate" of type
+ * java.security.cert.X509Certificate[]. This is an array of objects of type X509Certificate,
+ * the order of this array is defined as being in ascending order of trust. The first
+ * certificate in the chain is the one set by the client, the next is the one used to
+ * authenticate the first, and so on. </li>
+ * </ul>
+ *
+ * @param endpoint The Socket the request arrived on.
+ * This should be a {@link SocketEndPoint} wrapping a {@link SSLSocket}.
+ * @param request HttpRequest to be customised.
+ */
+ @Override
+ public void customize(EndPoint endpoint, Request request)
+ throws IOException
+ {
+ super.customize(endpoint, request);
+ request.setScheme(HttpSchemes.HTTPS);
+
+ SocketEndPoint socket_end_point = (SocketEndPoint)endpoint;
+ SSLSocket sslSocket = (SSLSocket)socket_end_point.getTransport();
+ SSLSession sslSession = sslSocket.getSession();
+
+ SslCertificates.customize(sslSession,endpoint,request);
+ }
+
+ /* ------------------------------------------------------------ */
+ public String[] getExcludeCipherSuites() {
+ return _excludeCipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ public String[] getIncludeCipherSuites()
+ {
+ return _includeCipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ public String getKeystore()
+ {
+ return _keystorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ public String getKeystoreType()
+ {
+ return (_keystoreType);
+ }
+
+ /* ------------------------------------------------------------ */
+ public boolean getNeedClientAuth()
+ {
+ return _needClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ public String getProtocol()
+ {
+ return _sslProtocol;
+ }
+
+ /* ------------------------------------------------------------ */
+ public String getProvider() {
+ return _sslProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ public String getSecureRandomAlgorithm()
+ {
+ return (this._secureRandomAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ public String getSslKeyManagerFactoryAlgorithm()
+ {
+ return (this._sslKeyManagerFactoryAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ public String getSslTrustManagerFactoryAlgorithm()
+ {
+ return (this._sslTrustManagerFactoryAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ public String getTruststore()
+ {
+ return _truststorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ public String getTruststoreType()
+ {
+ return _truststoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ public boolean getWantClientAuth()
+ {
+ return _wantClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * By default, we're confidential, given we speak SSL. But, if we've been told about an
+ * confidential port, and said port is not our port, then we're not. This allows separation of
+ * listeners providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener
+ * configured to require client certs providing CONFIDENTIAL, whereas another SSL listener not
+ * requiring client certs providing mere INTEGRAL constraints.
+ */
+ @Override
+ public boolean isConfidential(Request request)
+ {
+ final int confidentialPort = getConfidentialPort();
+ return confidentialPort == 0 || confidentialPort == request.getServerPort();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * By default, we're integral, given we speak SSL. But, if we've been told about an integral
+ * port, and said port is not our port, then we're not. This allows separation of listeners
+ * providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener configured to
+ * require client certs providing CONFIDENTIAL, whereas another SSL listener not requiring
+ * client certs providing mere INTEGRAL constraints.
+ */
+ @Override
+ public boolean isIntegral(Request request)
+ {
+ final int integralPort = getIntegralPort();
+ return integralPort == 0 || integralPort == request.getServerPort();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param host The host name that this server should listen on
+ * @param port the port that this server should listen on
+ * @param backlog See {@link ServerSocket#bind(java.net.SocketAddress, int)}
+ * @return A new {@link ServerSocket socket object} bound to the supplied address with all other
+ * settings as per the current configuration of this connector.
+ * @see #setWantClientAuth(boolean)
+ * @see #setNeedClientAuth(boolean)
+ * @exception IOException
+ */
+
+ /* ------------------------------------------------------------ */
+ @Override
+ protected ServerSocket newServerSocket(String host, int port,int backlog) throws IOException
+ {
+ SSLServerSocketFactory factory = null;
+ SSLServerSocket socket = null;
+
+ try
+ {
+ factory = createFactory();
+
+ socket = (SSLServerSocket) (host==null?
+ factory.createServerSocket(port,backlog):
+ factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
+
+ if (_wantClientAuth)
+ socket.setWantClientAuth(_wantClientAuth);
+ if (_needClientAuth)
+ socket.setNeedClientAuth(_needClientAuth);
+
+ if ((_excludeCipherSuites!=null&&_excludeCipherSuites.length>0)
+ || (_includeCipherSuites!=null&&_includeCipherSuites.length>0))
+ {
+ List<String> includedCSList;
+ if (_includeCipherSuites!=null)
+ {
+ includedCSList = Arrays.asList(_includeCipherSuites);
+ } else {
+ includedCSList = new ArrayList<String>();
+ }
+ List<String> excludedCSList;
+ if (_excludeCipherSuites!=null)
+ {
+ excludedCSList = Arrays.asList(_excludeCipherSuites);
+ } else {
+ excludedCSList = new ArrayList<String>();
+ }
+ String[] enabledCipherSuites = socket.getEnabledCipherSuites();
+ List<String> enabledCSList = new ArrayList<String>(Arrays.asList(enabledCipherSuites));
+
+ String[] supportedCipherSuites = socket.getSupportedCipherSuites();
+ List<String> supportedCSList = Arrays.asList(supportedCipherSuites);
+
+ for (String cipherName : includedCSList)
+ {
+ if ((!enabledCSList.contains(cipherName))
+ && supportedCSList.contains(cipherName))
+ {
+ enabledCSList.add(cipherName);
+ }
+ }
+
+ for (String cipherName : excludedCSList)
+ {
+ if (enabledCSList.contains(cipherName))
+ {
+ enabledCSList.remove(cipherName);
+ }
+ }
+ enabledCipherSuites = enabledCSList.toArray(new String[enabledCSList.size()]);
+
+ socket.setEnabledCipherSuites(enabledCipherSuites);
+ }
+
+ }
+ catch (IOException e)
+ {
+ throw e;
+ }
+ catch (Exception e)
+ {
+ Log.warn(e.toString());
+ Log.debug(e);
+ throw new IOException("!JsseListener: " + e);
+ }
+ return socket;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ *
+ */
+ public void setExcludeCipherSuites(String[] cipherSuites) {
+ this._excludeCipherSuites = cipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ public void setIncludeCipherSuites(String[] cipherSuites)
+ {
+ this._includeCipherSuites=cipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ public void setKeyPassword(String password)
+ {
+ _keyPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param keystore The resource path to the keystore, or null for built in keystores.
+ */
+ public void setKeystore(String keystore)
+ {
+ _keystorePath = keystore;
+ }
+
+ /* ------------------------------------------------------------ */
+ public void setKeystoreType(String keystoreType)
+ {
+ _keystoreType = keystoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Set the value of the needClientAuth property
+ *
+ * @param needClientAuth true iff we require client certificate authentication.
+ */
+ public void setNeedClientAuth(boolean needClientAuth)
+ {
+ _needClientAuth = needClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ public void setPassword(String password)
+ {
+ _password = Password.getPassword(PASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ public void setTrustPassword(String password)
+ {
+ _trustPassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ public void setProtocol(String protocol)
+ {
+ _sslProtocol = protocol;
+ }
+
+ /* ------------------------------------------------------------ */
+ public void setProvider(String _provider) {
+ this._sslProvider = _provider;
+ }
+
+ /* ------------------------------------------------------------ */
+ public void setSecureRandomAlgorithm(String algorithm)
+ {
+ this._secureRandomAlgorithm = algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ public void setSslKeyManagerFactoryAlgorithm(String algorithm)
+ {
+ this._sslKeyManagerFactoryAlgorithm = algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ public void setSslTrustManagerFactoryAlgorithm(String algorithm)
+ {
+ this._sslTrustManagerFactoryAlgorithm = algorithm;
+ }
+
+
+ public void setTruststore(String truststore)
+ {
+ _truststorePath = truststore;
+ }
+
+
+ public void setTruststoreType(String truststoreType)
+ {
+ _truststoreType = truststoreType;
+ }
+
+ public void setSslContext(SSLContext sslContext)
+ {
+ _context = sslContext;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
+ */
+ public SSLContext getSslContext()
+ {
+ try
+ {
+ if (_context == null)
+ _context=createSSLContext();
+ }
+ catch(Exception e)
+ {
+ throw new RuntimeException(e);
+ }
+
+ return _context;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Set the value of the _wantClientAuth property. This property is used
+ * internally when opening server sockets.
+ *
+ * @param wantClientAuth true if we want client certificate authentication.
+ * @see SSLServerSocket#setWantClientAuth
+ */
+ public void setWantClientAuth(boolean wantClientAuth)
+ {
+ _wantClientAuth = wantClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Set the time in milliseconds for so_timeout during ssl handshaking
+ * @param msec a non-zero value will be used to set so_timeout during
+ * ssl handshakes. A zero value means the maxIdleTime is used instead.
+ */
+ public void setHandshakeTimeout (int msec)
+ {
+ _handshakeTimeout = msec;
+ }
+
+
+ /* ------------------------------------------------------------ */
+ public int getHandshakeTimeout ()
+ {
+ return _handshakeTimeout;
+ }
+
+ public void setKeystoreProvider(String keystoreProvider)
+ {
+ _keystoreProvider = keystoreProvider;
+ }
+
+ public String getKeystoreProvider()
+ {
+ return _keystoreProvider;
+ }
+
+ public void setTruststoreProvider(String truststoreProvider)
+ {
+ _truststoreProvider = truststoreProvider;
+ }
+
+ public String getTruststoreProvider()
+ {
+ return _truststoreProvider;
+ }
+
+ public void setCrlPath(String crlPath)
+ {
+ _crlPath = crlPath;
+ }
+
+ public String getCrlPath()
+ {
+ return _crlPath;
+ }
+
+ /* ------------------------------------------------------------ */
+ public class SslConnectorEndPoint extends ConnectorEndPoint
+ {
+ public SslConnectorEndPoint(Socket socket) throws IOException
+ {
+ super(socket);
+ }
+
+ @Override
+ public void shutdownOutput() throws IOException
+ {
+ close();
+ }
+
+ @Override
+ public void run()
+ {
+ try
+ {
+ int handshakeTimeout = getHandshakeTimeout();
+ int oldTimeout = _socket.getSoTimeout();
+ if (handshakeTimeout > 0)
+ _socket.setSoTimeout(handshakeTimeout);
+
+ final SSLSocket ssl=(SSLSocket)_socket;
+ ssl.addHandshakeCompletedListener(new HandshakeCompletedListener()
+ {
+ boolean handshook=false;
+ public void handshakeCompleted(HandshakeCompletedEvent event)
+ {
+ if (handshook)
+ {
+ if (!_allowRenegotiate)
+ {
+ Log.warn("SSL renegotiate denied: "+ssl);
+ try{ssl.close();}catch(IOException e){Log.warn(e);}
+ }
+ }
+ else
+ handshook=true;
+ }
+ });
+ ssl.startHandshake();
+
+ if (handshakeTimeout>0)
+ _socket.setSoTimeout(oldTimeout);
+
+ super.run();
+ }
+ catch (SSLException e)
+ {
+ Log.debug(e);
+ try{close();}
+ catch(IOException e2){Log.ignore(e2);}
+ }
+ catch (IOException e)
+ {
+ Log.debug(e);
+ try{close();}
+ catch(IOException e2){Log.ignore(e2);}
+ }
+ }
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Unsupported.
+ *
+ * TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
+ */
+ public String getAlgorithm()
+ {
+ throw new UnsupportedOperationException();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Unsupported.
+ *
+ * TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
+ */
+ public void setAlgorithm(String algorithm)
+ {
+ throw new UnsupportedOperationException();
+ }
+}
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslKeyManager.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslKeyManager.java
new file mode 100644
index 0000000..8883e8e
--- /dev/null
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslKeyManager.java
@@ -0,0 +1,108 @@
+// ========================================================================
+// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+
+
+package org.eclipse.jetty.exssl;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.X509KeyManager;
+
+
+/* ------------------------------------------------------------ */
+/**
+ * KeyManager to select a key with desired alias
+ */
+public class SslKeyManager implements X509KeyManager
+{
+ private String _keyAlias;
+ private X509KeyManager _keyManager;
+ private CertificateValidator _certValidator;
+
+ /* ------------------------------------------------------------ */
+ public SslKeyManager(String keyAlias, X509KeyManager keyManager,
+ CertificateValidator certValidator) throws Exception
+ {
+ _keyAlias = keyAlias;
+ _keyManager = keyManager;
+ _certValidator = certValidator;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#chooseClientAlias(java.lang.String[], java.security.Principal[], java.net.Socket)
+ */
+ public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
+ {
+ return _keyManager.chooseClientAlias(keyType, issuers, socket);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#chooseServerAlias(java.lang.String, java.security.Principal[], java.net.Socket)
+ */
+ public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
+ {
+ if (_keyAlias == null)
+ {
+ _keyAlias = _keyManager.chooseServerAlias(keyType, issuers, socket);
+ }
+
+ return _keyAlias;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#getClientAliases(java.lang.String, java.security.Principal[])
+ */
+ public String[] getClientAliases(String keyType, Principal[] issuers)
+ {
+ return _keyManager.getClientAliases(keyType, issuers);
+ }
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#getServerAliases(java.lang.String, java.security.Principal[])
+ */
+ public String[] getServerAliases(String keyType, Principal[] issuers)
+ {
+ return _keyManager.getServerAliases(keyType, issuers);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#getCertificateChain(java.lang.String)
+ */
+ public X509Certificate[] getCertificateChain(String alias)
+ {
+ return _keyManager.getCertificateChain(alias);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#getPrivateKey(java.lang.String)
+ */
+ public PrivateKey getPrivateKey(String alias)
+ {
+ return _keyManager.getPrivateKey(alias);
+ }
+
+ public String getKeyAlias()
+ {
+ return _keyAlias;
+ }
+}
