Added tests for both SelectChannel and Socket connectors.
git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/sandbox/trunk@2745 7e9141cc-0065-0410-87d8-b60c137991c4
diff --git a/jetty-exssl/config/etc/jetty-exssl.xml b/jetty-exssl/config/etc/jetty-exssl.xml
index 3f5e87c..253bf17 100644
--- a/jetty-exssl/config/etc/jetty-exssl.xml
+++ b/jetty-exssl/config/etc/jetty-exssl.xml
@@ -25,6 +25,7 @@
<Set name="KeyPassword">webtide</Set>
<Set name="truststore"><Property name="jetty.home" default="." />/etc/jetty.keystore</Set>
<Set name="trustPassword">webtide</Set>
+ <Set name="validateCert">true</Set>
<Set name="crlPath"><Property name="jetty.home" default="." />/etc/crlfile.pem</Set>
</New>
</Arg>
diff --git a/jetty-exssl/pom.xml b/jetty-exssl/pom.xml
index d5cc4b1..2cd3556 100644
--- a/jetty-exssl/pom.xml
+++ b/jetty-exssl/pom.xml
@@ -68,16 +68,6 @@
</build>
<dependencies>
<dependency>
- <groupId>junit</groupId>
- <artifactId>junit</artifactId>
- <version>${junit4-version}</version>
- <scope>test</scope>
- </dependency>
- <dependency>
- <groupId>javax.servlet</groupId>
- <artifactId>servlet-api</artifactId>
- </dependency>
- <dependency>
<groupId>org.eclipse.jetty</groupId>
<artifactId>jetty-server</artifactId>
<version>${project.version}</version>
@@ -88,10 +78,15 @@
<version>${project.version}</version>
</dependency>
<dependency>
- <groupId>org.eclipse.jetty</groupId>
- <artifactId>jetty-jmx</artifactId>
- <version>${project.version}</version>
- <optional>true</optional>
+ <groupId>org.eclipse.jetty.toolchain</groupId>
+ <artifactId>jetty-test-helper</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>junit</groupId>
+ <artifactId>junit</artifactId>
+ <version>${junit4-version}</version>
+ <scope>test</scope>
</dependency>
</dependencies>
</project>
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/CertificateValidator.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/CertificateValidator.java
index 0826292..a467dfc 100644
--- a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/CertificateValidator.java
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/CertificateValidator.java
@@ -4,11 +4,8 @@
import java.security.KeyStoreException;
import java.security.cert.CRL;
import java.security.cert.CertPathBuilder;
-import java.security.cert.CertPathBuilderException;
import java.security.cert.CertPathBuilderResult;
import java.security.cert.CertPathValidator;
-import java.security.cert.CertPathValidatorException;
-import java.security.cert.CertPathValidatorResult;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
@@ -47,11 +44,9 @@
}
catch (KeyStoreException ex)
{
- CertificateException crtex =
- new CertificateException("Unable to validate certificate for alias " +
- keyAlias + ": " + ex.toString());
- crtex.initCause(ex);
- throw crtex;
+ Log.debug(ex);
+ throw new CertificateException("Unable to validate certificate for alias [" +
+ keyAlias + "]: " + ex.getMessage());
}
result = keyAlias;
}
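Review bot: The rewritten catch at L81-L83 loses the original exception: the old code at least attached it with initCause(ex), the new one logs it at debug level and copies ex.getMessage(), which can itself be null for a KeyStoreException. In a deployment without debug logging the thrown CertificateException then carries only the message, and a caller catching it can no longer inspect the underlying KeyStoreException. CertificateException has a (String, Throwable) constructor, so keep the log line and pass the cause as well: `throw new CertificateException("Unable to validate certificate for alias [" + keyAlias + "]: " + ex.getMessage(), ex);`. The enclosing method starts outside the hunk.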
@@ -114,11 +109,9 @@
}
catch (Exception ex)
{
- CertificateException crtex =
- new CertificateException("Unable to validate certificate for alias " +
- certAlias + ": " + ex.toString());
- crtex.initCause(ex);
- throw crtex;
+ Log.debug(ex);
+ throw new CertificateException("Unable to validate certificate for alias [" +
+ certAlias + "]: " + ex.getMessage());
}
}
}
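Review bot: `catch (Exception ex)` at L89 maps every failure, including RuntimeExceptions such as a NullPointerException from a missing alias, to a CertificateException with only ex.getMessage() and no cause, so a revoked certificate, a missing CRL file and a programming error all surface identically to callers and to the log unless debug is enabled. Narrow the catch to the checked types the validation path actually throws (the import hunk above removes CertPathBuilderException and CertPathValidatorException, which suggests they were the intended ones) and attach the cause: `throw new CertificateException("Unable to validate certificate for alias [" + certAlias + "]: " + ex.getMessage(), ex);`. The try block starts outside the hunk, so which exceptions it raises cannot be confirmed from here.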
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslConnector.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslConnector.java
index 2b781c9..e601aed 100644
--- a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslConnector.java
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslConnector.java
@@ -288,4 +288,40 @@
* @return Path to file that contains Certificate Revocation List
*/
public abstract String getCrlPath();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return Maximum number of intermediate certificates in the certification path (-1 for unlimited)
+ */
+ public abstract int getMaxCertPathLength();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param maxCertPathLength maximum number of intermediate certificates in the chain (-1 for unlimited)
+ */
+ public abstract void setMaxCertPathLength(int maxCertPathLength);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return true if SSL certificate has to be validated
+ */
+ public abstract boolean getValidateCert();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param validateServerCert true if SSL certificate has to be validated
+ */
+ public abstract void setValidateCert(boolean validateCert);
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return Alias of SSL certificate for the connector
+ */
+ public abstract String getCertAlias();
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param certAlias Alias of SSL certificate for the connector
+ */
+ public abstract void setCertAlias(String certAlias);
}
\ No newline at end of file
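Review bot: The Javadoc on setValidateCert at L131 documents a parameter named `validateServerCert` while the signature at L133 declares `validateCert`, so javadoc reports a dangling @param and the real parameter is undocumented; change it to `@param validateCert true if SSL certificate has to be validated`. It would also help operators to state which certificate is validated and against what — the CertificateValidator messages in this same diff refer to a keystore alias, which suggests the connector's own certificate chain, but that should be confirmed — and that validation consults the CRL named by getCrlPath(), since enabling the flag presumably requires that file to be present. A short sentence on getMaxCertPathLength saying whether the -1 default is what the connector uses when nothing is configured would complete the picture.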
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSelectChannelConnector.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSelectChannelConnector.java
index fce4b9d..1d893d8 100644
--- a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSelectChannelConnector.java
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSelectChannelConnector.java
@@ -22,6 +22,7 @@
import java.security.Security;
import java.security.cert.CRL;
import java.security.cert.CertStore;
+import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
@@ -29,6 +30,7 @@
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Collections;
import java.util.List;
import javax.net.ssl.CertPathTrustManagerParameters;
@@ -72,6 +74,10 @@
*
*
*/
+
+/* ------------------------------------------------------------ */
+/**
+ */
public class EnhancedSslSelectChannelConnector extends SelectChannelConnector implements EnhancedSslConnector
{
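Review bot: The empty `/** */` block added at L172-L174 sits between the existing class Javadoc and the class declaration, and javadoc attaches the nearest preceding doc comment to a declaration, so EnhancedSslSelectChannelConnector now publishes an empty description and the real comment above is silently ignored. Remove the three added lines, or move the separator above the existing Javadoc if the visual divider is wanted.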
/** Excluded cipher suites. */
@@ -85,8 +91,8 @@
private String _keystoreProvider;
/** KeyStore type */
private String _keystoreType="JKS";
- /** SSL key alias */
- private String _keyAlias;
+ /** SSL certificate alias */
+ private String _certAlias;
/** TrustStore path */
private String _truststorePath;
@@ -99,6 +105,8 @@
private boolean _needClientAuth=false;
/** Set to true if client certificate authentication is desired */
private boolean _wantClientAuth=false;
+ /** Set to true if SSL certificate validation is required */
+ private boolean _validateCert;
/** Set to true if renegotiation is allowed */
private boolean _allowRenegotiate=false;
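Review bot: `private boolean _validateCert;` at L193 relies on the implicit false default, unlike the neighbouring `_needClientAuth=false` and `_wantClientAuth=false`; since false means the new certificate validation is skipped unless explicitly configured, that opt-in default deserves to be visible. Write it as `/** Set to true if SSL certificate validation is required (default false) */` followed by `private boolean _validateCert=false;` so a reader of the field list sees the security-relevant default without checking the XML.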
@@ -128,8 +136,9 @@
/** SSL context */
private SSLContext _context;
+ /** SSL buffers */
private Buffers _sslBuffers;
-
+
/* ------------------------------------------------------------ */
public EnhancedSslSelectChannelConnector()
{
@@ -138,6 +147,491 @@
/* ------------------------------------------------------------ */
/**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
+ */
+ public String[] getExcludeCipherSuites()
+ {
+ return _excludeCipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
+ */
+ public void setExcludeCipherSuites(String[] cipherSuites)
+ {
+ this._excludeCipherSuites=cipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
+ */
+ public String[] getIncludeCipherSuites()
+ {
+ return _includeCipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
+ */
+ public void setIncludeCipherSuites(String[] cipherSuites)
+ {
+ this._includeCipherSuites=cipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystore()
+ */
+ public String getKeystore()
+ {
+ return _keystorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystore(java.lang.String)
+ */
+ public void setKeystore(String keystore)
+ {
+ _keystorePath=keystore;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getKeystoreProvider()
+ */
+ public String getKeystoreProvider()
+ {
+ return _keystoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setKeystoreProvider(java.lang.String)
+ */
+ public void setKeystoreProvider(String keystoreProvider)
+ {
+ _keystoreProvider = keystoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystoreType()
+ */
+ public String getKeystoreType()
+ {
+ return (_keystoreType);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystoreType(java.lang.String)
+ */
+ public void setKeystoreType(String keystoreType)
+ {
+ _keystoreType=keystoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getCertAlias()
+ */
+ public String getCertAlias()
+ {
+ return _certAlias;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setCertAlias(java.lang.String)
+ */
+ public void setCertAlias(String certAlias)
+ {
+ this._certAlias = certAlias;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststore()
+ */
+ public String getTruststore()
+ {
+ return _truststorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststore(java.lang.String)
+ */
+ public void setTruststore(String truststore)
+ {
+ _truststorePath=truststore;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getTruststoreProvider()
+ */
+ public String getTruststoreProvider()
+ {
+ return _truststoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setTruststoreProvider(java.lang.String)
+ */
+ public void setTruststoreProvider(String truststoreProvider)
+ {
+ _truststoreProvider = truststoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststoreType()
+ */
+ public String getTruststoreType()
+ {
+ return _truststoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststoreType(java.lang.String)
+ */
+ public void setTruststoreType(String truststoreType)
+ {
+ _truststoreType=truststoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getNeedClientAuth()
+ */
+ public boolean getNeedClientAuth()
+ {
+ return _needClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setNeedClientAuth(boolean)
+ */
+ public void setNeedClientAuth(boolean needClientAuth)
+ {
+ _needClientAuth=needClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getWantClientAuth()
+ */
+ public boolean getWantClientAuth()
+ {
+ return _wantClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setWantClientAuth(boolean)
+ */
+ public void setWantClientAuth(boolean wantClientAuth)
+ {
+ _wantClientAuth=wantClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getValidateCert()
+ */
+ public boolean getValidateCert()
+ {
+ return _validateCert;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setValidateCert(boolean)
+ */
+ public void setValidateCert(boolean validateCert)
+ {
+ _validateCert = validateCert;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return True if SSL re-negotiation is allowed (default false)
+ */
+ public boolean isAllowRenegotiate()
+ {
+ return _allowRenegotiate;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
+ * a vulnerability in SSL/TLS with re-negotiation. If your JVM
+ * does not have CVE-2009-3555 fixed, then re-negotiation should
+ * not be allowed.
+ * @param allowRenegotiate true if re-negotiation is allowed (default false)
+ */
+ public void setAllowRenegotiate(boolean allowRenegotiate)
+ {
+ _allowRenegotiate = allowRenegotiate;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setPassword(java.lang.String)
+ */
+ public void setPassword(String password)
+ {
+ _password=Password.getPassword(PASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setKeyPassword(java.lang.String)
+ */
+ public void setKeyPassword(String password)
+ {
+ _keyPassword=Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setTrustPassword(java.lang.String)
+ */
+ public void setTrustPassword(String password)
+ {
+ _trustPassword=Password.getPassword(PASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getProvider()
+ */
+ public String getProvider()
+ {
+ return _sslProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setProvider(java.lang.String)
+ */
+ public void setProvider(String provider)
+ {
+ _sslProvider=provider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getProtocol()
+ */
+ public String getProtocol()
+ {
+ return _sslProtocol;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setProtocol(java.lang.String)
+ */
+ public void setProtocol(String protocol)
+ {
+ _sslProtocol=protocol;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getSecureRandomAlgorithm()
+ */
+ public String getSecureRandomAlgorithm()
+ {
+ return _secureRandomAlgorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSecureRandomAlgorithm(java.lang.String)
+ */
+ public void setSecureRandomAlgorithm(String algorithm)
+ {
+ this._secureRandomAlgorithm=algorithm;
+ }
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getSslKeyManagerFactoryAlgorithm()
+ */
+ public String getSslKeyManagerFactoryAlgorithm()
+ {
+ return (this._sslKeyManagerFactoryAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslKeyManagerFactoryAlgorithm(java.lang.String)
+ */
+ public void setSslKeyManagerFactoryAlgorithm(String algorithm)
+ {
+ this._sslKeyManagerFactoryAlgorithm=algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getSslTrustManagerFactoryAlgorithm()
+ */
+ public String getSslTrustManagerFactoryAlgorithm()
+ {
+ return (this._sslTrustManagerFactoryAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslTrustManagerFactoryAlgorithm(java.lang.String)
+ */
+ public void setSslTrustManagerFactoryAlgorithm(String algorithm)
+ {
+ this._sslTrustManagerFactoryAlgorithm=algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @deprecated use {@link #getSslKeyManagerFactoryAlgorithm()} or
+ * {@link #getSslTrustManagerFactoryAlgorithm()}
+ */
+ @Deprecated
+ public String getAlgorithm()
+ {
+ return getSslKeyManagerFactoryAlgorithm();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @deprecated use {@link #setSslKeyManagerFactoryAlgorithm(String)} or
+ * {@link #setSslTrustManagerFactoryAlgorithm(String)}
+ */
+ @Deprecated
+ public void setAlgorithm(String algorithm)
+ {
+ setSslKeyManagerFactoryAlgorithm(algorithm);
+ setSslTrustManagerFactoryAlgorithm(algorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setCrlPath(java.lang.String)
+ */
+ public void setCrlPath(String crlPath)
+ {
+ _crlPath = crlPath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getCrlPath()
+ */
+ public String getCrlPath()
+ {
+ return _crlPath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getMaxCertPathLength()
+ */
+ public int getMaxCertPathLength()
+ {
+ return _maxCertPathLength;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setMaxCertPathLength(int)
+ */
+ public void setMaxCertPathLength(int maxCertPathLength)
+ {
+ _maxCertPathLength = maxCertPathLength;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
+ */
+ public SSLContext getSslContext()
+ {
+ try
+ {
+ if (_context == null)
+ _context=createSSLContext();
+ }
+ catch(Exception e)
+ {
+ throw new RuntimeException(e);
+ }
+
+ return _context;
+ }
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
+ */
+ public void setSslContext(SSLContext sslContext)
+ {
+ _context = sslContext;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @return SSL buffers
+ */
+ public Buffers getSslBuffers()
+ {
+ return _sslBuffers;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * By default, we're confidential, given we speak SSL. But, if we've been
+ * told about an confidential port, and said port is not our port, then
+ * we're not. This allows separation of listeners providing INTEGRAL versus
+ * CONFIDENTIAL constraints, such as one SSL listener configured to require
+ * client certs providing CONFIDENTIAL, whereas another SSL listener not
+ * requiring client certs providing mere INTEGRAL constraints.
+ */
+ @Override
+ public boolean isConfidential(Request request)
+ {
+ final int confidentialPort=getConfidentialPort();
+ return confidentialPort==0||confidentialPort==request.getServerPort();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * By default, we're integral, given we speak SSL. But, if we've been told
+ * about an integral port, and said port is not our port, then we're not.
+ * This allows separation of listeners providing INTEGRAL versus
+ * CONFIDENTIAL constraints, such as one SSL listener configured to require
+ * client certs providing CONFIDENTIAL, whereas another SSL listener not
+ * requiring client certs providing mere INTEGRAL constraints.
+ */
+ @Override
+ public boolean isIntegral(Request request)
+ {
+ final int integralPort=getIntegralPort();
+ return integralPort==0||integralPort==request.getServerPort();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
* Allow the Listener a chance to customise the request. before the server
* does its stuff. <br>
* This allows the required attributes to be set for SSL requests. <br>
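Review bot: setTrustPassword at L467-L470 resolves the trust-store password through PASSWORD_PROPERTY, the same system property setPassword uses at L451, so a `-D` override intended for the keystore password is silently applied to the trust store too, and vice versa; a dedicated property for the trust password, as KEYPASSWORD_PROPERTY already is for the key, would keep the two credentials separate. This is moved rather than new code, but the move is the natural moment to correct it. Separately, the `@see` tags at L227 and L236 reference getExcludeCipherSuites/setExcludeCipherSuites on the include variants, and the one at L624 references setSslContext on getSslContext; they should point at the members they document.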
@@ -175,372 +669,6 @@
SslCertificates.customize(sslSession,endpoint,request);
}
- /* ------------------------------------------------------------ */
- /**
- * @return True if SSL re-negotiation is allowed (default false)
- */
- public boolean isAllowRenegotiate()
- {
- return _allowRenegotiate;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
- * a vulnerability in SSL/TLS with re-negotiation. If your JVM
- * does not have CVE-2009-3555 fixed, then re-negotiation should
- * not be allowed.
- * @param allowRenegotiate true if re-negotiation is allowed (default false)
- */
- public void setAllowRenegotiate(boolean allowRenegotiate)
- {
- _allowRenegotiate = allowRenegotiate;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
- */
- public String[] getExcludeCipherSuites()
- {
- return _excludeCipherSuites;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
- */
- public void setExcludeCipherSuites(String[] cipherSuites)
- {
- this._excludeCipherSuites=cipherSuites;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
- */
- public String[] getIncludeCipherSuites()
- {
- return _includeCipherSuites;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
- */
- public void setIncludeCipherSuites(String[] cipherSuites)
- {
- this._includeCipherSuites=cipherSuites;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setPassword(java.lang.String)
- */
- public void setPassword(String password)
- {
- _password=Password.getPassword(PASSWORD_PROPERTY,password,null);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setTrustPassword(java.lang.String)
- */
- public void setTrustPassword(String password)
- {
- _trustPassword=Password.getPassword(PASSWORD_PROPERTY,password,null);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setKeyPassword(java.lang.String)
- */
- public void setKeyPassword(String password)
- {
- _keyPassword=Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @deprecated use {@link #getSslKeyManagerFactoryAlgorithm()} or
- * {@link #getSslTrustManagerFactoryAlgorithm()}
- */
- @Deprecated
- public String getAlgorithm()
- {
- return getSslKeyManagerFactoryAlgorithm();
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @deprecated use {@link #setSslKeyManagerFactoryAlgorithm(String)} or
- * {@link #setSslTrustManagerFactoryAlgorithm(String)}
- */
- @Deprecated
- public void setAlgorithm(String algorithm)
- {
- setSslKeyManagerFactoryAlgorithm(algorithm);
- setSslTrustManagerFactoryAlgorithm(algorithm);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getProtocol()
- */
- public String getProtocol()
- {
- return _sslProtocol;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setProtocol(java.lang.String)
- */
- public void setProtocol(String protocol)
- {
- _sslProtocol=protocol;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystore(java.lang.String)
- */
- public void setKeystore(String keystore)
- {
- _keystorePath=keystore;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystore()
- */
- public String getKeystore()
- {
- return _keystorePath;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystoreType()
- */
- public String getKeystoreType()
- {
- return (_keystoreType);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getNeedClientAuth()
- */
- public boolean getNeedClientAuth()
- {
- return _needClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getWantClientAuth()
- */
- public boolean getWantClientAuth()
- {
- return _wantClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setNeedClientAuth(boolean)
- */
- public void setNeedClientAuth(boolean needClientAuth)
- {
- _needClientAuth=needClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setWantClientAuth(boolean)
- */
- public void setWantClientAuth(boolean wantClientAuth)
- {
- _wantClientAuth=wantClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystoreType(java.lang.String)
- */
- public void setKeystoreType(String keystoreType)
- {
- _keystoreType=keystoreType;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getProvider()
- */
- public String getProvider()
- {
- return _sslProvider;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getSecureRandomAlgorithm()
- */
- public String getSecureRandomAlgorithm()
- {
- return (this._secureRandomAlgorithm);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getSslKeyManagerFactoryAlgorithm()
- */
- public String getSslKeyManagerFactoryAlgorithm()
- {
- return (this._sslKeyManagerFactoryAlgorithm);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getSslTrustManagerFactoryAlgorithm()
- */
- public String getSslTrustManagerFactoryAlgorithm()
- {
- return (this._sslTrustManagerFactoryAlgorithm);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststore()
- */
- public String getTruststore()
- {
- return _truststorePath;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststoreType()
- */
- public String getTruststoreType()
- {
- return _truststoreType;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setProvider(java.lang.String)
- */
- public void setProvider(String provider)
- {
- _sslProvider=provider;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setSecureRandomAlgorithm(java.lang.String)
- */
- public void setSecureRandomAlgorithm(String algorithm)
- {
- this._secureRandomAlgorithm=algorithm;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setSslKeyManagerFactoryAlgorithm(java.lang.String)
- */
- public void setSslKeyManagerFactoryAlgorithm(String algorithm)
- {
- this._sslKeyManagerFactoryAlgorithm=algorithm;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setSslTrustManagerFactoryAlgorithm(java.lang.String)
- */
- public void setSslTrustManagerFactoryAlgorithm(String algorithm)
- {
- this._sslTrustManagerFactoryAlgorithm=algorithm;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststore(java.lang.String)
- */
- public void setTruststore(String truststore)
- {
- _truststorePath=truststore;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststoreType(java.lang.String)
- */
- public void setTruststoreType(String truststoreType)
- {
- _truststoreType=truststoreType;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
- */
- public void setSslContext(SSLContext sslContext)
- {
- _context = sslContext;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
- */
- public SSLContext getSslContext()
- {
- try
- {
- if (_context == null)
- _context=createSSLContext();
- }
- catch(Exception e)
- {
- throw new RuntimeException(e);
- }
-
- return _context;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * By default, we're confidential, given we speak SSL. But, if we've been
- * told about an confidential port, and said port is not our port, then
- * we're not. This allows separation of listeners providing INTEGRAL versus
- * CONFIDENTIAL constraints, such as one SSL listener configured to require
- * client certs providing CONFIDENTIAL, whereas another SSL listener not
- * requiring client certs providing mere INTEGRAL constraints.
- */
- @Override
- public boolean isConfidential(Request request)
- {
- final int confidentialPort=getConfidentialPort();
- return confidentialPort==0||confidentialPort==request.getServerPort();
- }
-
- /* ------------------------------------------------------------ */
- /**
- * By default, we're integral, given we speak SSL. But, if we've been told
- * about an integral port, and said port is not our port, then we're not.
- * This allows separation of listeners providing INTEGRAL versus
- * CONFIDENTIAL constraints, such as one SSL listener configured to require
- * client certs providing CONFIDENTIAL, whereas another SSL listener not
- * requiring client certs providing mere INTEGRAL constraints.
- */
- @Override
- public boolean isIntegral(Request request)
- {
- final int integralPort=getIntegralPort();
- return integralPort==0||integralPort==request.getServerPort();
- }
-
/* ------------------------------------------------------------------------------- */
@Override
protected SelectChannelEndPoint newEndPoint(SocketChannel channel, SelectSet selectSet, SelectionKey key) throws IOException
@@ -559,6 +687,49 @@
return connection;
}
+ @Override
+ protected void doStart() throws Exception
+ {
+ if (_context == null)
+ _context=createSSLContext();
+
+ SSLEngine engine=createSSLEngine();
+ SSLSession ssl_session=engine.getSession();
+
+ ThreadLocalBuffers buffers = new ThreadLocalBuffers()
+ {
+ @Override
+ protected Buffer newBuffer(int size)
+ {
+ if (getUseDirectBuffers())
+ return new DirectNIOBuffer(size);
+ return new IndirectNIOBuffer(size);
+ }
+ @Override
+ protected Buffer newHeader(int size)
+ {
+ if (getUseDirectBuffers())
+ return new DirectNIOBuffer(size);
+ return new IndirectNIOBuffer(size);
+ }
+ @Override
+ protected boolean isHeader(Buffer buffer)
+ {
+ return true;
+ }
+ };
+ buffers.setBufferSize(ssl_session.getApplicationBufferSize());
+ buffers.setHeaderSize(ssl_session.getApplicationBufferSize());
+ _sslBuffers=buffers;
+
+ if (getRequestHeaderSize()<ssl_session.getApplicationBufferSize())
+ setRequestHeaderSize(ssl_session.getApplicationBufferSize());
+ if (getRequestBufferSize()<ssl_session.getApplicationBufferSize())
+ setRequestBufferSize(ssl_session.getApplicationBufferSize());
+
+ super.doStart();
+ }
+
/* ------------------------------------------------------------ */
protected SSLEngine createSSLEngine() throws IOException
{
@@ -628,92 +799,33 @@
return engine;
}
- @Override
- protected void doStart() throws Exception
- {
- if (_context == null)
- _context=createSSLContext();
-
- SSLEngine engine=createSSLEngine();
- SSLSession ssl_session=engine.getSession();
-
- ThreadLocalBuffers buffers = new ThreadLocalBuffers()
- {
- @Override
- protected Buffer newBuffer(int size)
- {
- if (getUseDirectBuffers())
- return new DirectNIOBuffer(size);
- return new IndirectNIOBuffer(size);
- }
- @Override
- protected Buffer newHeader(int size)
- {
- if (getUseDirectBuffers())
- return new DirectNIOBuffer(size);
- return new IndirectNIOBuffer(size);
- }
- @Override
- protected boolean isHeader(Buffer buffer)
- {
- return true;
- }
- };
- buffers.setBufferSize(ssl_session.getApplicationBufferSize());
- buffers.setHeaderSize(ssl_session.getApplicationBufferSize());
- _sslBuffers=buffers;
-
- if (getRequestHeaderSize()<ssl_session.getApplicationBufferSize())
- setRequestHeaderSize(ssl_session.getApplicationBufferSize());
- if (getRequestBufferSize()<ssl_session.getApplicationBufferSize())
- setRequestBufferSize(ssl_session.getApplicationBufferSize());
-
- super.doStart();
- }
-
- public Buffers getSslBuffers()
- {
- return _sslBuffers;
- }
-
- public void setKeystoreProvider(String keystoreProvider)
- {
- _keystoreProvider = keystoreProvider;
- }
-
- public String getKeystoreProvider()
- {
- return _keystoreProvider;
- }
-
- public void setTruststoreProvider(String truststoreProvider)
- {
- _truststoreProvider = truststoreProvider;
- }
-
- public String getTruststoreProvider()
- {
- return _truststoreProvider;
- }
-
- public void setCrlPath(String crlPath)
- {
- _crlPath = crlPath;
- }
-
- public String getCrlPath()
- {
- return _crlPath;
- }
-
/* ------------------------------------------------------------ */
protected SSLContext createSSLContext() throws Exception
{
KeyStore keyStore = getKeyStore(_keystorePath, _keystoreType, _keystoreProvider, _password==null?null:_password.toString());
KeyStore trustStore = getTrustStore(_truststorePath, _truststoreType, _truststoreProvider, _trustPassword == null ? null : _trustPassword.toString());
Collection<? extends CRL> crls = loadCRL(_crlPath);
+
+ if (_certAlias == null)
+ {
+ List<String> aliases = Collections.list(keyStore.aliases());
+ _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
+ }
- KeyManager[] keyManagers = getKeyManagers(keyStore, trustStore, crls);
+ Certificate cert = _certAlias == null ? null : keyStore.getCertificate(_certAlias);
+ if (cert == null)
+ {
+ throw new Exception("No certificate found in the keystore"+
+ (_certAlias == null ? "" : " for alias "+_certAlias));
+ }
+
+ if (_validateCert)
+ {
+ CertificateValidator validator = new CertificateValidator(keyStore,trustStore,crls);
+ validator.validate(cert);
+ }
+
+ KeyManager[] keyManagers = getKeyManagers(keyStore);
TrustManager[] trustManagers = getTrustManagers(trustStore, crls);
SecureRandom secureRandom =
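Review bot: When no certAlias is configured and the keystore holds several entries, L1209 leaves `_certAlias` null and L1215 then reports "No certificate found in the keystore", which is misleading — the keystore may well contain certificates, the problem is that none was selected. Better to fail on the alias count itself, inside the `_certAlias == null` branch: `if (aliases.size() != 1) throw new IllegalStateException("keystore has "+aliases.size()+" entries; set certAlias to select one");` followed by `_certAlias = aliases.get(0);`, which also replaces the raw `new Exception(...)` with a specific type. The same branch is duplicated in the socket connector at L2000–L2011. Note that the auto-detected alias is written back into the `_certAlias` field, so getCertAlias() afterwards returns a value the user never set; a short comment there would avoid surprise.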
@@ -726,20 +838,19 @@
}
/* ------------------------------------------------------------ */
- protected KeyManager[] getKeyManagers(KeyStore keyStore, KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
+ protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
{
KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(_sslKeyManagerFactoryAlgorithm);
keyManagerFactory.init(keyStore,_keyPassword==null?(_password==null?null:_password.toString().toCharArray()):_keyPassword.toString().toCharArray());
KeyManager[] managers = keyManagerFactory.getKeyManagers();
- if (_keyAlias != null)
+ if (_certAlias != null)
{
for (int idx=0; idx < managers.length; idx++)
{
if (managers[idx] instanceof X509KeyManager)
{
- managers[idx] = new SslKeyManager(_keyAlias, (X509KeyManager)managers[idx],
- new CertificateValidator(keyStore, trustStore, crls));
+ managers[idx] = new SslExtendedKeyManager(_certAlias, (X509KeyManager)managers[idx]);
}
}
}
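Review bot: The X509KeyManager wrapper here is `SslExtendedKeyManager` (L1246), while the equivalent new line in the socket connector is `SslKeyManager(_certAlias, ...)` (L2050); both take the same two arguments, so one of them looks like a stale class name. If both classes really exist, a comment on each connector saying why it uses the one it does would help; otherwise the two connectors should agree. Since the old per-key-manager CertificateValidator wrapping has moved to a single validate call in createSSLContext, a brief comment that revocation/validity is now checked once at context creation rather than on each key selection would also be worth adding.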
@@ -794,26 +905,6 @@
return managers;
}
- private Collection<? extends CRL> loadCRL(String crlPath) throws Exception
- {
- Collection<? extends CRL> crlList = null;
-
- InputStream in = null;
- try {
- in = Resource.newResource(crlPath).getInputStream();
- crlList = CertificateFactory.getInstance("X.509").generateCRLs(in);
- }
- finally
- {
- if (in != null)
- {
- in.close();
- }
- }
-
- return crlList;
- }
-
/* ------------------------------------------------------------ */
protected KeyStore getKeyStore(String storePath, String storeType, String storeProvider, String storePassword) throws Exception
{
@@ -847,6 +938,7 @@
}
}
+ /* ------------------------------------------------------------ */
protected KeyStore getTrustStore(String trustPath, String trustType, String trustProvider, String trustPassword) throws Exception
{
if (trustPath==null)
@@ -868,4 +960,28 @@
return getKeyStore(trustPath, trustType, trustProvider, trustPassword);
}
+
+ /* ------------------------------------------------------------ */
+ private Collection<? extends CRL> loadCRL(String crlPath) throws Exception
+ {
+ Collection<? extends CRL> crlList = null;
+
+ if (crlPath != null)
+ {
+ InputStream in = null;
+ try {
+ in = Resource.newResource(crlPath).getInputStream();
+ crlList = CertificateFactory.getInstance("X.509").generateCRLs(in);
+ }
+ finally
+ {
+ if (in != null)
+ {
+ in.close();
+ }
+ }
+ }
+
+ return crlList;
+ }
}
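Review bot: The new null guard means loadCRL now returns `null` whenever no crlPath is configured, and that contract is nowhere written down although createSSLContext passes the result straight into CertificateValidator and getTrustManagers. Add a Javadoc such as `/** @return the CRLs read from {@code crlPath}, or {@code null} when no crlPath is configured (no revocation data is applied); a configured but unreadable path fails the start */`. Keeping the fail-fast behaviour for a configured-but-missing CRL file is the right choice and the comment should say it is deliberate. The same method is added to the socket connector starting at L2111, where the same documentation applies.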
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSocketConnector.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSocketConnector.java
index 535f0b4..e111cd4 100644
--- a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSocketConnector.java
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/EnhancedSslSocketConnector.java
@@ -22,21 +22,18 @@
import java.security.SecureRandom;
import java.security.Security;
import java.security.cert.CRL;
-import java.security.cert.CertPathBuilder;
import java.security.cert.CertStore;
-import java.security.cert.CertStoreParameters;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
-import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
+import java.util.Collections;
import java.util.List;
-import javax.management.openmbean.KeyAlreadyExistsException;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
@@ -91,7 +88,7 @@
/** KeyStore type */
private String _keystoreType="JKS";
/** SSL key alias */
- private String _keyAlias;
+ private String _certAlias;
/** TrustStore path */
private String _truststorePath;
@@ -104,6 +101,8 @@
private boolean _needClientAuth=false;
/** Set to true if client certificate authentication is desired */
private boolean _wantClientAuth=false;
+ /** Set to true if SSL certificate validation is required */
+ private boolean _validateCert;
/** Set to true if renegotiation is allowed */
private boolean _allowRenegotiate=false;
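Review bot: The new `_validateCert` field has no initializer, so certificate validation is opt-in (default false), unlike the neighbouring fields whose defaults are spelled out; the Javadoc should say so. Suggested: `/** Set to true to validate the keystore certificate when the context is created (default false) */`. That makes the default visible to readers of the field without having to find the createSSLContext branch further down.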
@@ -147,6 +146,223 @@
/* ------------------------------------------------------------ */
/**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
+ */
+ public String[] getExcludeCipherSuites()
+ {
+ return _excludeCipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
+ */
+ public void setExcludeCipherSuites(String[] cipherSuites)
+ {
+ this._excludeCipherSuites=cipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getExcludeCipherSuites()
+ */
+ public String[] getIncludeCipherSuites()
+ {
+ return _includeCipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setExcludeCipherSuites(java.lang.String[])
+ */
+ public void setIncludeCipherSuites(String[] cipherSuites)
+ {
+ this._includeCipherSuites=cipherSuites;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystore()
+ */
+ public String getKeystore()
+ {
+ return _keystorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystore(java.lang.String)
+ */
+ public void setKeystore(String keystore)
+ {
+ _keystorePath=keystore;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getKeystoreProvider()
+ */
+ public String getKeystoreProvider()
+ {
+ return _keystoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setKeystoreProvider(java.lang.String)
+ */
+ public void setKeystoreProvider(String keystoreProvider)
+ {
+ _keystoreProvider = keystoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getKeystoreType()
+ */
+ public String getKeystoreType()
+ {
+ return (_keystoreType);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setKeystoreType(java.lang.String)
+ */
+ public void setKeystoreType(String keystoreType)
+ {
+ _keystoreType=keystoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getCertAlias()
+ */
+ public String getCertAlias()
+ {
+ return _certAlias;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setCertAlias(java.lang.String)
+ */
+ public void setCertAlias(String certAlias)
+ {
+ this._certAlias = certAlias;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststore()
+ */
+ public String getTruststore()
+ {
+ return _truststorePath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststore(java.lang.String)
+ */
+ public void setTruststore(String truststore)
+ {
+ _truststorePath=truststore;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getTruststoreProvider()
+ */
+ public String getTruststoreProvider()
+ {
+ return _truststoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setTruststoreProvider(java.lang.String)
+ */
+ public void setTruststoreProvider(String truststoreProvider)
+ {
+ _truststoreProvider = truststoreProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getTruststoreType()
+ */
+ public String getTruststoreType()
+ {
+ return _truststoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setTruststoreType(java.lang.String)
+ */
+ public void setTruststoreType(String truststoreType)
+ {
+ _truststoreType=truststoreType;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getNeedClientAuth()
+ */
+ public boolean getNeedClientAuth()
+ {
+ return _needClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setNeedClientAuth(boolean)
+ */
+ public void setNeedClientAuth(boolean needClientAuth)
+ {
+ _needClientAuth=needClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getWantClientAuth()
+ */
+ public boolean getWantClientAuth()
+ {
+ return _wantClientAuth;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setWantClientAuth(boolean)
+ */
+ public void setWantClientAuth(boolean wantClientAuth)
+ {
+ _wantClientAuth=wantClientAuth;
+ }
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getValidateCert()
+ */
+ public boolean getValidateCert()
+ {
+ return _validateCert;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setValidateCert(boolean)
+ */
+ public void setValidateCert(boolean validateCert)
+ {
+ _validateCert = validateCert;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
* @return True if SSL re-negotiation is allowed (default false)
*/
public boolean isAllowRenegotiate()
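Review bot: The `@see` tags on getIncludeCipherSuites (L1374) and setIncludeCipherSuites (L1383) point at the Exclude variants, a copy-paste slip; they should reference `SslConnector#getIncludeCipherSuites()` and `SslConnector#setIncludeCipherSuites(java.lang.String[])`. setValidateCert (L1566) would also benefit from stating its scope, since validation only happens inside createSSLContext: `/** Enable validation of the keystore certificate when this connector builds its own SSLContext; has no effect on a context supplied via {@link #setSslContext(SSLContext)} */`. The parenthesised return in getKeystoreType (`return (_keystoreType);`) is a style nit.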
@@ -158,7 +374,7 @@
/**
* Set if SSL re-negotiation is allowed. CVE-2009-3555 discovered
* a vulnerability in SSL/TLS with re-negotiation. If your JVM
- * does not have CVE-2009-3555 fixed, then re-negotiation should
+ * does not have CVE-2009-3555 fixed, then re-negotiation should
* not be allowed.
* @param allowRenegotiate true if re-negotiation is allowed (default false)
*/
@@ -168,6 +384,296 @@
}
/* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setPassword(java.lang.String)
+ */
+ public void setPassword(String password)
+ {
+ _password=Password.getPassword(PASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setKeyPassword(java.lang.String)
+ */
+ public void setKeyPassword(String password)
+ {
+ _keyPassword=Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setTrustPassword(java.lang.String)
+ */
+ public void setTrustPassword(String password)
+ {
+ _trustPassword=Password.getPassword(PASSWORD_PROPERTY,password,null);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getProvider()
+ */
+ public String getProvider()
+ {
+ return _sslProvider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setProvider(java.lang.String)
+ */
+ public void setProvider(String provider)
+ {
+ _sslProvider=provider;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getProtocol()
+ */
+ public String getProtocol()
+ {
+ return _sslProtocol;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setProtocol(java.lang.String)
+ */
+ public void setProtocol(String protocol)
+ {
+ _sslProtocol=protocol;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getSecureRandomAlgorithm()
+ */
+ public String getSecureRandomAlgorithm()
+ {
+ return _secureRandomAlgorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSecureRandomAlgorithm(java.lang.String)
+ */
+ public void setSecureRandomAlgorithm(String algorithm)
+ {
+ this._secureRandomAlgorithm=algorithm;
+ }
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getSslKeyManagerFactoryAlgorithm()
+ */
+ public String getSslKeyManagerFactoryAlgorithm()
+ {
+ return (this._sslKeyManagerFactoryAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslKeyManagerFactoryAlgorithm(java.lang.String)
+ */
+ public void setSslKeyManagerFactoryAlgorithm(String algorithm)
+ {
+ this._sslKeyManagerFactoryAlgorithm=algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#getSslTrustManagerFactoryAlgorithm()
+ */
+ public String getSslTrustManagerFactoryAlgorithm()
+ {
+ return (this._sslTrustManagerFactoryAlgorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslTrustManagerFactoryAlgorithm(java.lang.String)
+ */
+ public void setSslTrustManagerFactoryAlgorithm(String algorithm)
+ {
+ this._sslTrustManagerFactoryAlgorithm=algorithm;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @deprecated use {@link #getSslKeyManagerFactoryAlgorithm()} or
+ * {@link #getSslTrustManagerFactoryAlgorithm()}
+ */
+ @Deprecated
+ public String getAlgorithm()
+ {
+ return getSslKeyManagerFactoryAlgorithm();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @deprecated use {@link #setSslKeyManagerFactoryAlgorithm(String)} or
+ * {@link #setSslTrustManagerFactoryAlgorithm(String)}
+ */
+ @Deprecated
+ public void setAlgorithm(String algorithm)
+ {
+ setSslKeyManagerFactoryAlgorithm(algorithm);
+ setSslTrustManagerFactoryAlgorithm(algorithm);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setCrlPath(java.lang.String)
+ */
+ public void setCrlPath(String crlPath)
+ {
+ _crlPath = crlPath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getCrlPath()
+ */
+ public String getCrlPath()
+ {
+ return _crlPath;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#getMaxCertPathLength()
+ */
+ public int getMaxCertPathLength()
+ {
+ return _maxCertPathLength;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setMaxCertPathLength(int)
+ */
+ public void setMaxCertPathLength(int maxCertPathLength)
+ {
+ _maxCertPathLength = maxCertPathLength;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Set the time in milliseconds for so_timeout during ssl handshaking
+ * @param msec a non-zero value will be used to set so_timeout during
+ * ssl handshakes. A zero value means the maxIdleTime is used instead.
+ */
+ public void setHandshakeTimeout (int msec)
+ {
+ _handshakeTimeout = msec;
+ }
+
+
+ /* ------------------------------------------------------------ */
+ public int getHandshakeTimeout ()
+ {
+ return _handshakeTimeout;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
+ */
+ public SSLContext getSslContext()
+ {
+ try
+ {
+ if (_context == null)
+ _context=createSSLContext();
+ }
+ catch(Exception e)
+ {
+ throw new RuntimeException(e);
+ }
+
+ return _context;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.exssl.EnhancedSslConnector#setSslContext(javax.net.ssl.SSLContext)
+ */
+ public void setSslContext(SSLContext sslContext)
+ {
+ _context = sslContext;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * By default, we're confidential, given we speak SSL. But, if we've been told about an
+ * confidential port, and said port is not our port, then we're not. This allows separation of
+ * listeners providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener
+ * configured to require client certs providing CONFIDENTIAL, whereas another SSL listener not
+ * requiring client certs providing mere INTEGRAL constraints.
+ */
+ @Override
+ public boolean isConfidential(Request request)
+ {
+ final int confidentialPort = getConfidentialPort();
+ return confidentialPort == 0 || confidentialPort == request.getServerPort();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * By default, we're integral, given we speak SSL. But, if we've been told about an integral
+ * port, and said port is not our port, then we're not. This allows separation of listeners
+ * providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener configured to
+ * require client certs providing CONFIDENTIAL, whereas another SSL listener not requiring
+ * client certs providing mere INTEGRAL constraints.
+ */
+ @Override
+ public boolean isIntegral(Request request)
+ {
+ final int integralPort = getIntegralPort();
+ return integralPort == 0 || integralPort == request.getServerPort();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * Allow the Listener a chance to customise the request. before the server does its stuff. <br>
+ * This allows the required attributes to be set for SSL requests. <br>
+ * The requirements of the Servlet specs are:
+ * <ul>
+ * <li> an attribute named "javax.servlet.request.ssl_id" of type String (since Spec 3.0).</li>
+ * <li> an attribute named "javax.servlet.request.cipher_suite" of type String.</li>
+ * <li> an attribute named "javax.servlet.request.key_size" of type Integer.</li>
+ * <li> an attribute named "javax.servlet.request.X509Certificate" of type
+ * java.security.cert.X509Certificate[]. This is an array of objects of type X509Certificate,
+ * the order of this array is defined as being in ascending order of trust. The first
+ * certificate in the chain is the one set by the client, the next is the one used to
+ * authenticate the first, and so on. </li>
+ * </ul>
+ *
+ * @param endpoint The Socket the request arrived on.
+ * This should be a {@link SocketEndPoint} wrapping a {@link SSLSocket}.
+ * @param request HttpRequest to be customised.
+ */
+ @Override
+ public void customize(EndPoint endpoint, Request request)
+ throws IOException
+ {
+ super.customize(endpoint, request);
+ request.setScheme(HttpSchemes.HTTPS);
+
+ SocketEndPoint socket_end_point = (SocketEndPoint)endpoint;
+ SSLSocket sslSocket = (SSLSocket)socket_end_point.getTransport();
+ SSLSession sslSession = sslSocket.getSession();
+
+ SslCertificates.customize(sslSession,endpoint,request);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see org.eclipse.jetty.server.bio.SocketConnector#accept(int)
+ */
@Override
public void accept(int acceptorID)
throws IOException, InterruptedException
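Review bot: getSslContext's Javadoc (L1784) carries a `@see` for setSslContext, which says nothing about what the getter does; it lazily builds and caches the context and converts any failure into an unchecked exception, so document that instead: `@return the SSL context, built from the configured keystore/truststore on first call` and `@throws RuntimeException wrapping any failure of {@link #createSSLContext()}`. getHandshakeTimeout (L1777) has no Javadoc at all while its setter does; `/** @return the so_timeout in milliseconds applied during SSL handshakes, 0 meaning maxIdleTime is used */` mirrors the setter's text. The customize method's two casts on L1867–L1868 are unchanged from the old location, so no new comment is needed there.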
@@ -186,15 +692,142 @@
{
super.configure(socket);
}
+
+ @Override
+ protected void doStart() throws Exception
+ {
+ if (_context == null)
+ _context=createSSLContext();
+
+ super.doStart();
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @param host The host name that this server should listen on
+ * @param port the port that this server should listen on
+ * @param backlog See {@link ServerSocket#bind(java.net.SocketAddress, int)}
+ * @return A new {@link ServerSocket socket object} bound to the supplied address with all other
+ * settings as per the current configuration of this connector.
+ * @see #setWantClientAuth(boolean)
+ * @see #setNeedClientAuth(boolean)
+ * @exception IOException
+ */
+ @Override
+ protected ServerSocket newServerSocket(String host, int port,int backlog) throws IOException
+ {
+ SSLServerSocketFactory factory = null;
+ SSLServerSocket socket = null;
+
+ try
+ {
+ factory = createFactory();
+
+ socket = (SSLServerSocket) (host==null?
+ factory.createServerSocket(port,backlog):
+ factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
+
+ if (_wantClientAuth)
+ socket.setWantClientAuth(_wantClientAuth);
+ if (_needClientAuth)
+ socket.setNeedClientAuth(_needClientAuth);
+
+ if ((_excludeCipherSuites!=null&&_excludeCipherSuites.length>0)
+ || (_includeCipherSuites!=null&&_includeCipherSuites.length>0))
+ {
+ List<String> includedCSList;
+ if (_includeCipherSuites!=null)
+ {
+ includedCSList = Arrays.asList(_includeCipherSuites);
+ } else {
+ includedCSList = new ArrayList<String>();
+ }
+ List<String> excludedCSList;
+ if (_excludeCipherSuites!=null)
+ {
+ excludedCSList = Arrays.asList(_excludeCipherSuites);
+ } else {
+ excludedCSList = new ArrayList<String>();
+ }
+ String[] enabledCipherSuites = socket.getEnabledCipherSuites();
+ List<String> enabledCSList = new ArrayList<String>(Arrays.asList(enabledCipherSuites));
+
+ String[] supportedCipherSuites = socket.getSupportedCipherSuites();
+ List<String> supportedCSList = Arrays.asList(supportedCipherSuites);
+
+ for (String cipherName : includedCSList)
+ {
+ if ((!enabledCSList.contains(cipherName))
+ && supportedCSList.contains(cipherName))
+ {
+ enabledCSList.add(cipherName);
+ }
+ }
+
+ for (String cipherName : excludedCSList)
+ {
+ if (enabledCSList.contains(cipherName))
+ {
+ enabledCSList.remove(cipherName);
+ }
+ }
+ enabledCipherSuites = enabledCSList.toArray(new String[enabledCSList.size()]);
+
+ socket.setEnabledCipherSuites(enabledCipherSuites);
+ }
+
+ }
+ catch (IOException e)
+ {
+ throw e;
+ }
+ catch (Exception e)
+ {
+ Log.warn(e.toString());
+ Log.debug(e);
+ throw new IOException("!JsseListener: " + e);
+ }
+ return socket;
+ }
+
+ /* ------------------------------------------------------------ */
+ protected SSLServerSocketFactory createFactory()
+ throws Exception
+ {
+ if (_context == null)
+ _context = createSSLContext();
+
+ return _context.getServerSocketFactory();
+ }
+
/* ------------------------------------------------------------ */
protected SSLContext createSSLContext() throws Exception
{
KeyStore keyStore = getKeyStore(_keystorePath, _keystoreType, _keystoreProvider, _password==null?null:_password.toString());
KeyStore trustStore = getTrustStore(_truststorePath, _truststoreType, _truststoreProvider, _trustPassword == null ? null : _trustPassword.toString());
Collection<? extends CRL> crls = loadCRL(_crlPath);
+
+ if (_certAlias == null)
+ {
+ List<String> aliases = Collections.list(keyStore.aliases());
+ _certAlias = aliases.size() == 1 ? aliases.get(0) : null;
+ }
- KeyManager[] keyManagers = getKeyManagers(keyStore, trustStore, crls);
+ Certificate cert = _certAlias == null ? null : keyStore.getCertificate(_certAlias);
+ if (cert == null)
+ {
+ throw new Exception("No certificate found in the keystore"+
+ (_certAlias == null ? "" : " for alias "+_certAlias));
+ }
+
+ if (_validateCert)
+ {
+ CertificateValidator certValidator = new CertificateValidator(keyStore,trustStore,crls);
+ certValidator.validate(cert);
+ }
+
+ KeyManager[] keyManagers = getKeyManagers(keyStore);
TrustManager[] trustManagers = getTrustManagers(trustStore, crls);
SecureRandom secureRandom =
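Review bot: In newServerSocket the fallback `catch (Exception e)` on L1974–L1979 rethrows `new IOException("!JsseListener: " + e)` and drops the original exception, so a keystore or key-manager failure reaches the caller without its stack trace; the preceding `catch (IOException e) { throw e; }` is redundant. Keep the cause with `IOException ioe = new IOException("!JsseListener: " + e);` `ioe.initCause(e);` `throw ioe;` (this form does not depend on the two-argument IOException constructor). The client-auth flags on L1920–L1923 are only applied when true, which matches the stock connector but means a false setting cannot override a factory default; a one-line comment noting that would help.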
@@ -204,21 +837,10 @@
context.init(keyManagers,trustManagers,secureRandom);
return context;
- }
-
- /* ------------------------------------------------------------ */
- protected SSLServerSocketFactory createFactory()
- throws Exception
- {
- if (_context == null)
- _context = createSSLContext();
-
- return _context.getServerSocketFactory();
- }
-
+ }
/* ------------------------------------------------------------ */
- protected KeyManager[] getKeyManagers(KeyStore keyStore, KeyStore trustStore, Collection<? extends CRL> crls) throws Exception
+ protected KeyManager[] getKeyManagers(KeyStore keyStore) throws Exception
{
KeyManagerFactory keyManagerFactory=KeyManagerFactory.getInstance(_sslKeyManagerFactoryAlgorithm);
keyManagerFactory.init(keyStore,_keyPassword==null?(_password==null?null:_password.toString().toCharArray()):_keyPassword.toString().toCharArray());
@@ -228,8 +850,7 @@
{
if (managers[idx] instanceof X509KeyManager)
{
- managers[idx] = new SslKeyManager(_keyAlias, (X509KeyManager)managers[idx],
- new CertificateValidator(keyStore, trustStore, crls));
+ managers[idx] = new SslKeyManager(_certAlias, (X509KeyManager)managers[idx]);
}
}
@@ -283,26 +904,6 @@
return managers;
}
- private Collection<? extends CRL> loadCRL(String crlPath) throws Exception
- {
- Collection<? extends CRL> crlList = null;
-
- InputStream in = null;
- try {
- in = Resource.newResource(crlPath).getInputStream();
- crlList = CertificateFactory.getInstance("X.509").generateCRLs(in);
- }
- finally
- {
- if (in != null)
- {
- in.close();
- }
- }
-
- return crlList;
- }
-
/* ------------------------------------------------------------ */
protected KeyStore getKeyStore(String storePath, String storeType, String storeProvider, String storePassword) throws Exception
{
@@ -336,6 +937,7 @@
}
}
+ /* ------------------------------------------------------------ */
protected KeyStore getTrustStore(String trustPath, String trustType, String trustProvider, String trustPassword) throws Exception
{
if (trustPath==null)
@@ -359,417 +961,24 @@
}
/* ------------------------------------------------------------ */
- /**
- * Allow the Listener a chance to customise the request. before the server does its stuff. <br>
- * This allows the required attributes to be set for SSL requests. <br>
- * The requirements of the Servlet specs are:
- * <ul>
- * <li> an attribute named "javax.servlet.request.ssl_id" of type String (since Spec 3.0).</li>
- * <li> an attribute named "javax.servlet.request.cipher_suite" of type String.</li>
- * <li> an attribute named "javax.servlet.request.key_size" of type Integer.</li>
- * <li> an attribute named "javax.servlet.request.X509Certificate" of type
- * java.security.cert.X509Certificate[]. This is an array of objects of type X509Certificate,
- * the order of this array is defined as being in ascending order of trust. The first
- * certificate in the chain is the one set by the client, the next is the one used to
- * authenticate the first, and so on. </li>
- * </ul>
- *
- * @param endpoint The Socket the request arrived on.
- * This should be a {@link SocketEndPoint} wrapping a {@link SSLSocket}.
- * @param request HttpRequest to be customised.
- */
- @Override
- public void customize(EndPoint endpoint, Request request)
- throws IOException
+ private Collection<? extends CRL> loadCRL(String crlPath) throws Exception
{
- super.customize(endpoint, request);
- request.setScheme(HttpSchemes.HTTPS);
-
- SocketEndPoint socket_end_point = (SocketEndPoint)endpoint;
- SSLSocket sslSocket = (SSLSocket)socket_end_point.getTransport();
- SSLSession sslSession = sslSocket.getSession();
+ Collection<? extends CRL> crlList = null;
- SslCertificates.customize(sslSession,endpoint,request);
- }
-
- /* ------------------------------------------------------------ */
- public String[] getExcludeCipherSuites() {
- return _excludeCipherSuites;
- }
-
- /* ------------------------------------------------------------ */
- public String[] getIncludeCipherSuites()
- {
- return _includeCipherSuites;
- }
-
- /* ------------------------------------------------------------ */
- public String getKeystore()
- {
- return _keystorePath;
- }
-
- /* ------------------------------------------------------------ */
- public String getKeystoreType()
- {
- return (_keystoreType);
- }
-
- /* ------------------------------------------------------------ */
- public boolean getNeedClientAuth()
- {
- return _needClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- public String getProtocol()
- {
- return _sslProtocol;
- }
-
- /* ------------------------------------------------------------ */
- public String getProvider() {
- return _sslProvider;
- }
-
- /* ------------------------------------------------------------ */
- public String getSecureRandomAlgorithm()
- {
- return (this._secureRandomAlgorithm);
- }
-
- /* ------------------------------------------------------------ */
- public String getSslKeyManagerFactoryAlgorithm()
- {
- return (this._sslKeyManagerFactoryAlgorithm);
- }
-
- /* ------------------------------------------------------------ */
- public String getSslTrustManagerFactoryAlgorithm()
- {
- return (this._sslTrustManagerFactoryAlgorithm);
- }
-
- /* ------------------------------------------------------------ */
- public String getTruststore()
- {
- return _truststorePath;
- }
-
- /* ------------------------------------------------------------ */
- public String getTruststoreType()
- {
- return _truststoreType;
- }
-
- /* ------------------------------------------------------------ */
- public boolean getWantClientAuth()
- {
- return _wantClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * By default, we're confidential, given we speak SSL. But, if we've been told about an
- * confidential port, and said port is not our port, then we're not. This allows separation of
- * listeners providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener
- * configured to require client certs providing CONFIDENTIAL, whereas another SSL listener not
- * requiring client certs providing mere INTEGRAL constraints.
- */
- @Override
- public boolean isConfidential(Request request)
- {
- final int confidentialPort = getConfidentialPort();
- return confidentialPort == 0 || confidentialPort == request.getServerPort();
- }
-
- /* ------------------------------------------------------------ */
- /**
- * By default, we're integral, given we speak SSL. But, if we've been told about an integral
- * port, and said port is not our port, then we're not. This allows separation of listeners
- * providing INTEGRAL versus CONFIDENTIAL constraints, such as one SSL listener configured to
- * require client certs providing CONFIDENTIAL, whereas another SSL listener not requiring
- * client certs providing mere INTEGRAL constraints.
- */
- @Override
- public boolean isIntegral(Request request)
- {
- final int integralPort = getIntegralPort();
- return integralPort == 0 || integralPort == request.getServerPort();
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param host The host name that this server should listen on
- * @param port the port that this server should listen on
- * @param backlog See {@link ServerSocket#bind(java.net.SocketAddress, int)}
- * @return A new {@link ServerSocket socket object} bound to the supplied address with all other
- * settings as per the current configuration of this connector.
- * @see #setWantClientAuth(boolean)
- * @see #setNeedClientAuth(boolean)
- * @exception IOException
- */
-
- /* ------------------------------------------------------------ */
- @Override
- protected ServerSocket newServerSocket(String host, int port,int backlog) throws IOException
- {
- SSLServerSocketFactory factory = null;
- SSLServerSocket socket = null;
-
- try
+ InputStream in = null;
+ try {
+ in = Resource.newResource(crlPath).getInputStream();
+ crlList = CertificateFactory.getInstance("X.509").generateCRLs(in);
+ }
+ finally
{
- factory = createFactory();
-
- socket = (SSLServerSocket) (host==null?
- factory.createServerSocket(port,backlog):
- factory.createServerSocket(port,backlog,InetAddress.getByName(host)));
-
- if (_wantClientAuth)
- socket.setWantClientAuth(_wantClientAuth);
- if (_needClientAuth)
- socket.setNeedClientAuth(_needClientAuth);
-
- if ((_excludeCipherSuites!=null&&_excludeCipherSuites.length>0)
- || (_includeCipherSuites!=null&&_includeCipherSuites.length>0))
+ if (in != null)
{
- List<String> includedCSList;
- if (_includeCipherSuites!=null)
- {
- includedCSList = Arrays.asList(_includeCipherSuites);
- } else {
- includedCSList = new ArrayList<String>();
- }
- List<String> excludedCSList;
- if (_excludeCipherSuites!=null)
- {
- excludedCSList = Arrays.asList(_excludeCipherSuites);
- } else {
- excludedCSList = new ArrayList<String>();
- }
- String[] enabledCipherSuites = socket.getEnabledCipherSuites();
- List<String> enabledCSList = new ArrayList<String>(Arrays.asList(enabledCipherSuites));
-
- String[] supportedCipherSuites = socket.getSupportedCipherSuites();
- List<String> supportedCSList = Arrays.asList(supportedCipherSuites);
-
- for (String cipherName : includedCSList)
- {
- if ((!enabledCSList.contains(cipherName))
- && supportedCSList.contains(cipherName))
- {
- enabledCSList.add(cipherName);
- }
- }
-
- for (String cipherName : excludedCSList)
- {
- if (enabledCSList.contains(cipherName))
- {
- enabledCSList.remove(cipherName);
- }
- }
- enabledCipherSuites = enabledCSList.toArray(new String[enabledCSList.size()]);
-
- socket.setEnabledCipherSuites(enabledCipherSuites);
+ in.close();
}
-
}
- catch (IOException e)
- {
- throw e;
- }
- catch (Exception e)
- {
- Log.warn(e.toString());
- Log.debug(e);
- throw new IOException("!JsseListener: " + e);
- }
- return socket;
- }
- /* ------------------------------------------------------------ */
- /**
- *
- */
- public void setExcludeCipherSuites(String[] cipherSuites) {
- this._excludeCipherSuites = cipherSuites;
- }
-
- /* ------------------------------------------------------------ */
- public void setIncludeCipherSuites(String[] cipherSuites)
- {
- this._includeCipherSuites=cipherSuites;
- }
-
- /* ------------------------------------------------------------ */
- public void setKeyPassword(String password)
- {
- _keyPassword = Password.getPassword(KEYPASSWORD_PROPERTY,password,null);
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @param keystore The resource path to the keystore, or null for built in keystores.
- */
- public void setKeystore(String keystore)
- {
- _keystorePath = keystore;
- }
-
- /* ------------------------------------------------------------ */
- public void setKeystoreType(String keystoreType)
- {
- _keystoreType = keystoreType;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Set the value of the needClientAuth property
- *
- * @param needClientAuth true iff we require client certificate authentication.
- */
- public void setNeedClientAuth(boolean needClientAuth)
- {
- _needClientAuth = needClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- public void setPassword(String password)
- {
- _password = Password.getPassword(PASSWORD_PROPERTY,password,null);
- }
-
- /* ------------------------------------------------------------ */
- public void setTrustPassword(String password)
- {
- _trustPassword = Password.getPassword(PASSWORD_PROPERTY,password,null);
- }
-
- /* ------------------------------------------------------------ */
- public void setProtocol(String protocol)
- {
- _sslProtocol = protocol;
- }
-
- /* ------------------------------------------------------------ */
- public void setProvider(String _provider) {
- this._sslProvider = _provider;
- }
-
- /* ------------------------------------------------------------ */
- public void setSecureRandomAlgorithm(String algorithm)
- {
- this._secureRandomAlgorithm = algorithm;
- }
-
- /* ------------------------------------------------------------ */
- public void setSslKeyManagerFactoryAlgorithm(String algorithm)
- {
- this._sslKeyManagerFactoryAlgorithm = algorithm;
- }
-
- /* ------------------------------------------------------------ */
- public void setSslTrustManagerFactoryAlgorithm(String algorithm)
- {
- this._sslTrustManagerFactoryAlgorithm = algorithm;
- }
-
-
- public void setTruststore(String truststore)
- {
- _truststorePath = truststore;
- }
-
-
- public void setTruststoreType(String truststoreType)
- {
- _truststoreType = truststoreType;
- }
-
- public void setSslContext(SSLContext sslContext)
- {
- _context = sslContext;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * @see org.eclipse.jetty.server.ssl.SslConnector#setSslContext(javax.net.ssl.SSLContext)
- */
- public SSLContext getSslContext()
- {
- try
- {
- if (_context == null)
- _context=createSSLContext();
- }
- catch(Exception e)
- {
- throw new RuntimeException(e);
- }
-
- return _context;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Set the value of the _wantClientAuth property. This property is used
- * internally when opening server sockets.
- *
- * @param wantClientAuth true if we want client certificate authentication.
- * @see SSLServerSocket#setWantClientAuth
- */
- public void setWantClientAuth(boolean wantClientAuth)
- {
- _wantClientAuth = wantClientAuth;
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Set the time in milliseconds for so_timeout during ssl handshaking
- * @param msec a non-zero value will be used to set so_timeout during
- * ssl handshakes. A zero value means the maxIdleTime is used instead.
- */
- public void setHandshakeTimeout (int msec)
- {
- _handshakeTimeout = msec;
- }
-
-
- /* ------------------------------------------------------------ */
- public int getHandshakeTimeout ()
- {
- return _handshakeTimeout;
- }
-
- public void setKeystoreProvider(String keystoreProvider)
- {
- _keystoreProvider = keystoreProvider;
- }
-
- public String getKeystoreProvider()
- {
- return _keystoreProvider;
- }
-
- public void setTruststoreProvider(String truststoreProvider)
- {
- _truststoreProvider = truststoreProvider;
- }
-
- public String getTruststoreProvider()
- {
- return _truststoreProvider;
- }
-
- public void setCrlPath(String crlPath)
- {
- _crlPath = crlPath;
- }
-
- public String getCrlPath()
- {
- return _crlPath;
+ return crlList;
}
/* ------------------------------------------------------------ */
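Review bot: `loadCRL` returns whatever `generateCRLs` yields without inspecting it, so an empty or truncated CRL file may produce an empty collection and revocation checking silently degrades to "nothing is revoked" — a fail-open in precisely the deployment where the operator enabled CRLs. Add a guard after the parse, e.g. `if (crlList == null || crlList.isEmpty()) throw new IllegalStateException("No CRLs found in " + crlPath);`, and consider logging each CRL's `getThisUpdate()`/`getNextUpdate()` so a stale CRL is at least visible in the log. Whether a null `crlPath` is rejected before this method is called is not visible in the hunk; `Resource.newResource(null)` would fail with an unhelpful exception. A two-line Javadoc stating that the method fails closed on an unreadable file but not on an empty one would make the contract explicit.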
@@ -835,26 +1044,4 @@
}
}
}
-
- /* ------------------------------------------------------------ */
- /**
- * Unsupported.
- *
- * TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
- */
- public String getAlgorithm()
- {
- throw new UnsupportedOperationException();
- }
-
- /* ------------------------------------------------------------ */
- /**
- * Unsupported.
- *
- * TODO: we should remove this as it is no longer an overridden method from SslConnector (like it was in the past)
- */
- public void setAlgorithm(String algorithm)
- {
- throw new UnsupportedOperationException();
- }
}
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslExtendedKeyManager.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslExtendedKeyManager.java
new file mode 100644
index 0000000..1bcf964
--- /dev/null
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslExtendedKeyManager.java
@@ -0,0 +1,107 @@
+// ========================================================================
+// Copyright (c) 2009-2009 Mort Bay Consulting Pty. Ltd.
+// ------------------------------------------------------------------------
+// All rights reserved. This program and the accompanying materials
+// are made available under the terms of the Eclipse Public License v1.0
+// and Apache License v2.0 which accompanies this distribution.
+// The Eclipse Public License is available at
+// http://www.eclipse.org/legal/epl-v10.html
+// The Apache License v2.0 is available at
+// http://www.opensource.org/licenses/apache2.0.php
+// You may elect to redistribute this code under either of these licenses.
+// ========================================================================
+
+
+package org.eclipse.jetty.exssl;
+
+import java.net.Socket;
+import java.security.Principal;
+import java.security.PrivateKey;
+import java.security.cert.X509Certificate;
+
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.X509KeyManager;
+import javax.net.ssl.X509ExtendedKeyManager;
+
+
+/* ------------------------------------------------------------ */
+/**
+ * KeyManager to select a key with desired alias
+ */
+public class SslExtendedKeyManager extends X509ExtendedKeyManager
+{
+ private String _keyAlias;
+ private X509KeyManager _keyManager;
+
+ /* ------------------------------------------------------------ */
+ public SslExtendedKeyManager(String keyAlias, X509KeyManager keyManager) throws Exception
+ {
+ _keyAlias = keyAlias;
+ _keyManager = keyManager;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#chooseClientAlias(java.lang.String[], java.security.Principal[], java.net.Socket)
+ */
+ public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket)
+ {
+ return _keyManager.chooseClientAlias(keyType, issuers, socket);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#chooseServerAlias(java.lang.String, java.security.Principal[], java.net.Socket)
+ */
+ public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
+ {
+ return _keyAlias == null ?_keyManager.chooseServerAlias(keyType, issuers, socket) : _keyAlias;
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#getClientAliases(java.lang.String, java.security.Principal[])
+ */
+ public String[] getClientAliases(String keyType, Principal[] issuers)
+ {
+ return _keyManager.getClientAliases(keyType, issuers);
+ }
+
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#getServerAliases(java.lang.String, java.security.Principal[])
+ */
+ public String[] getServerAliases(String keyType, Principal[] issuers)
+ {
+ return _keyManager.getServerAliases(keyType, issuers);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#getCertificateChain(java.lang.String)
+ */
+ public X509Certificate[] getCertificateChain(String alias)
+ {
+ return _keyManager.getCertificateChain(alias);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509KeyManager#getPrivateKey(java.lang.String)
+ */
+ public PrivateKey getPrivateKey(String alias)
+ {
+ return _keyManager.getPrivateKey(alias);
+ }
+
+ /* ------------------------------------------------------------ */
+ /**
+ * @see javax.net.ssl.X509ExtendedKeyManager#chooseEngineServerAlias(java.lang.String, java.security.Principal[], javax.net.ssl.SSLEngine)
+ */
+ @Override
+ public String chooseEngineServerAlias(String keyType, Principal[] issuers, SSLEngine engine)
+ {
+ return _keyAlias == null ? super.chooseEngineServerAlias(keyType,issuers,engine) : _keyAlias;
+ }
+}
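Review bot: `chooseEngineServerAlias` falls back to `super.chooseEngineServerAlias(...)` when no alias is configured, but `X509ExtendedKeyManager`'s implementation of that method simply returns `null`, so an engine-based (SelectChannel) connector without an explicit alias would have no server key and every handshake would fail with a no-cipher-suites-in-common style error. Delegate to the wrapped manager instead: `return _keyAlias == null ? _keyManager.chooseServerAlias(keyType, issuers, null) : _keyAlias;` (or, when `_keyManager instanceof X509ExtendedKeyManager`, forward to its `chooseEngineServerAlias`). A configured `_keyAlias` is also returned for every `keyType` without confirming it exists in the keystore; a `keyManager.getPrivateKey(keyAlias) != null` check in the constructor would fail fast on a typo instead of at the first handshake. The constructor's `throws Exception` clause has nothing to throw and only forces callers into a broad catch.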
diff --git a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslKeyManager.java b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslKeyManager.java
index 8883e8e..da468d6 100644
--- a/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslKeyManager.java
+++ b/jetty-exssl/src/main/java/org/eclipse/jetty/exssl/SslKeyManager.java
@@ -30,15 +30,12 @@
{
private String _keyAlias;
private X509KeyManager _keyManager;
- private CertificateValidator _certValidator;
/* ------------------------------------------------------------ */
- public SslKeyManager(String keyAlias, X509KeyManager keyManager,
- CertificateValidator certValidator) throws Exception
+ public SslKeyManager(String keyAlias, X509KeyManager keyManager) throws Exception
{
_keyAlias = keyAlias;
_keyManager = keyManager;
- _certValidator = certValidator;
}
/* ------------------------------------------------------------ */
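Review bot: The constructor keeps its `throws Exception` clause after the validator argument was dropped, yet its body now only assigns two fields, so the clause forces every caller into a `catch (Exception)` for nothing. Either remove it or make it earn its place by failing fast on a bad alias: `if (keyAlias != null && keyManager.getPrivateKey(keyAlias) == null) throw new IllegalArgumentException("No private key for alias " + keyAlias);`. The class declaration and imports are outside this hunk.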
@@ -56,12 +53,7 @@
*/
public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket)
{
- if (_keyAlias == null)
- {
- _keyAlias = _keyManager.chooseServerAlias(keyType, issuers, socket);
- }
-
- return _keyAlias;
+ return _keyAlias == null ?_keyManager.chooseServerAlias(keyType, issuers, socket) : _keyAlias;
}
/* ------------------------------------------------------------ */
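Review bot: The rewritten `chooseServerAlias` now ignores `keyType` and `issuers` entirely whenever an alias is configured, and the only documentation is an `@see` pointing at the interface, which describes different semantics. Replace it with a Javadoc sentence stating the actual contract, e.g. `Returns the configured alias for every keyType/issuer combination when one is set; otherwise delegates the choice to the wrapped manager.`, so a reader does not assume JSSE's usual key-type matching happens here. The class header is outside this hunk.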
diff --git a/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/CertificateValidationTestBase.java b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/CertificateValidationTestBase.java
new file mode 100644
index 0000000..4dfa494
--- /dev/null
+++ b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/CertificateValidationTestBase.java
@@ -0,0 +1,73 @@
+package org.eclipse.jetty.exssl;
+
+import java.io.File;
+import java.security.cert.CertificateException;
+
+import org.eclipse.jetty.server.Server;
+import org.eclipse.jetty.toolchain.test.MavenTestingUtils;
+import org.junit.After;
+import org.junit.Test;
+
+public abstract class CertificateValidationTestBase
+{
+ protected Server _server;
+ protected EnhancedSslConnector _connector;
+
+ @After
+ public void tearDown()
+ {
+ try
+ {
+ _server.stop();
+ _connector = null;
+ _server = null;
+ }
+ catch (Exception ex) {}
+ }
+
+ protected void doTest(String keystore) throws Exception
+ {
+ String keypath = MavenTestingUtils.getTestResourceFile(keystore).getAbsolutePath();
+ String trustpath = new File(System.getProperty("java.home"),"./lib/security/cacerts").getAbsolutePath();
+ String crlpath = MavenTestingUtils.getTestResourceFile("crlfile.pem").getAbsolutePath();
+
+ _connector.setPort(0);
+ _connector.setValidateCert(true);
+ _connector.setKeystore(keypath);
+ _connector.setPassword("webtide");
+ _connector.setKeyPassword("webtide");
+ _connector.setTruststore(trustpath);
+ _connector.setTrustPassword("changeit");
+ _connector.setCrlPath(crlpath);
+
+ _server = new Server();
+ _server.addConnector(_connector);
+ _server.start();
+
+ Thread.sleep(1000);
+ }
+
+ @Test
+ public void validCertificateTest() throws Exception
+ {
+ doTest("jetty-valid.keystore"); // certificate is valid until Jan 1, 2050
+ }
+
+ @Test(expected = CertificateException.class)
+ public void revokedCertificateTest() throws Exception
+ {
+ doTest("jetty-revoked.keystore"); // certificate is valid until Jan 1, 2050
+ }
+
+ @Test(expected = CertificateException.class)
+ public void notvalidCertificateTest() throws Exception
+ {
+ doTest("jetty-notvalid.keystore"); // certificate is valid from Jan 1, 2049
+ }
+
+ @Test(expected = CertificateException.class)
+ public void expiredCertificateTest() throws Exception
+ {
+ doTest("jetty-expired.keystore"); // certificate is valid until Dec 31, 2000
+ }
+}
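Review bot: The three negative tests accept any `CertificateException` out of `_server.start()`, so a misconfigured truststore, an unparseable `crlfile.pem` or a wrong store password makes `revokedCertificateTest` and its siblings pass for the wrong reason, while `validCertificateTest` asserts nothing beyond start-up succeeding — no TLS handshake is ever attempted against the connector. Have `doTest` callers catch the exception and assert on its message (or a distinct exception type, if the validator has one), and for the valid case open an `SSLSocket` to `_connector.getLocalPort()` and complete a handshake. `tearDown` dereferences `_server` without a null check and hides the resulting NPE in an empty `catch (Exception ex) {}`; prefer `if (_server != null) _server.stop();` and let failures surface. The `Thread.sleep(1000)` after `start()` costs a second per test without guarding any observable condition. The truststore is the running JDK's `cacerts` with the default password `changeit`, which makes the suite environment-dependent — hedged, as it is not visible whether the validator also trusts the keystore's own chain.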
diff --git a/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSelectChannelValidationTest.java b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSelectChannelValidationTest.java
new file mode 100644
index 0000000..f02c595
--- /dev/null
+++ b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSelectChannelValidationTest.java
@@ -0,0 +1,13 @@
+package org.eclipse.jetty.exssl;
+
+import org.junit.Before;
+import org.junit.Test;
+
+public class SslSelectChannelValidationTest extends CertificateValidationTestBase
+{
+ @Before
+ public void setUp()
+ {
+ _connector = new EnhancedSslSelectChannelConnector();
+ }
+}
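Review bot: `import org.junit.Test;` is unused in this class — the `@Test` methods live in `CertificateValidationTestBase` — so it should be dropped to keep the file warning-free. The `@Before` wiring of `EnhancedSslSelectChannelConnector` is otherwise fine.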
diff --git a/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSocketValidationTest.java b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSocketValidationTest.java
new file mode 100644
index 0000000..20b67cd
--- /dev/null
+++ b/jetty-exssl/src/test/java/org/eclipse/jetty/exssl/SslSocketValidationTest.java
@@ -0,0 +1,13 @@
+package org.eclipse.jetty.exssl;
+
+import org.junit.Before;
+import org.junit.Test;
+
+public class SslSocketValidationTest extends CertificateValidationTestBase
+{
+ @Before
+ public void setUp()
+ {
+ _connector = new EnhancedSslSocketConnector();
+ }
+}
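Review bot: `import org.junit.Test;` is unused here as well, since every `@Test` method is inherited from `CertificateValidationTestBase`; remove the import. The `@Before` wiring of `EnhancedSslSocketConnector` is otherwise fine.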
diff --git a/jetty-exssl/src/test/resources/crlfile.pem b/jetty-exssl/src/test/resources/crlfile.pem
new file mode 100644
index 0000000..881e0ac
--- /dev/null
+++ b/jetty-exssl/src/test/resources/crlfile.pem
@@ -0,0 +1,13 @@
+-----BEGIN X509 CRL-----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-----END X509 CRL-----
diff --git a/jetty-exssl/src/test/resources/jetty-expired.keystore b/jetty-exssl/src/test/resources/jetty-expired.keystore
new file mode 100644
index 0000000..65c0a8e
--- /dev/null
+++ b/jetty-exssl/src/test/resources/jetty-expired.keystore
Binary files differ
diff --git a/jetty-exssl/src/test/resources/jetty-notvalid.keystore b/jetty-exssl/src/test/resources/jetty-notvalid.keystore
new file mode 100644
index 0000000..04415c2
--- /dev/null
+++ b/jetty-exssl/src/test/resources/jetty-notvalid.keystore
Binary files differ
diff --git a/jetty-exssl/src/test/resources/jetty-revoked.keystore b/jetty-exssl/src/test/resources/jetty-revoked.keystore
new file mode 100644
index 0000000..d88c1df
--- /dev/null
+++ b/jetty-exssl/src/test/resources/jetty-revoked.keystore
Binary files differ
diff --git a/jetty-exssl/src/test/resources/jetty-valid.keystore b/jetty-exssl/src/test/resources/jetty-valid.keystore
new file mode 100644
index 0000000..c653027
--- /dev/null
+++ b/jetty-exssl/src/test/resources/jetty-valid.keystore
Binary files differ