Repository: cxf Updated Branches: refs/heads/master 4660cd8ca -> 2e6ca288a
Some SSL refactoring Project: http://git-wip-us.apache.org/repos/asf/cxf/repo Commit: http://git-wip-us.apache.org/repos/asf/cxf/commit/2e6ca288 Tree: http://git-wip-us.apache.org/repos/asf/cxf/tree/2e6ca288 Diff: http://git-wip-us.apache.org/repos/asf/cxf/diff/2e6ca288 Branch: refs/heads/master Commit: 2e6ca288a9b363f3cfe08afec071427a13a25ff3 Parents: 4660cd8 Author: Colm O hEigeartaigh <[email protected]> Authored: Fri Feb 12 17:23:14 2016 +0000 Committer: Colm O hEigeartaigh <[email protected]> Committed: Fri Feb 12 17:23:14 2016 +0000 ---------------------------------------------------------------------- .../apache/cxf/configuration/jsse/SSLUtils.java | 43 +++++++++++--------- .../http/asyncclient/AsyncHTTPConduit.java | 31 ++------------ .../http_jetty/JettyHTTPServerEngine.java | 20 ++------- .../https/HttpsURLConnectionFactory.java | 42 +++---------------- .../apache/cxf/transport/https/SSLUtils.java | 22 ++++++---- 5 files changed, 51 insertions(+), 107 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java ---------------------------------------------------------------------- diff --git a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java index b485f3e..4132b35 100644 --- a/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java +++ b/core/src/main/java/org/apache/cxf/configuration/jsse/SSLUtils.java 
@@ -96,9 +96,9 @@ public final class SSLUtils { throws Exception { //TODO for performance reasons we should cache // the KeymanagerFactory and TrustManagerFactory - if ((keyStorePassword != null) - && (keyPassword != null) - && (!keyStorePassword.equals(keyPassword))) { + if (keyStorePassword != null + && keyPassword != null + && !keyStorePassword.equals(keyPassword)) { LogUtils.log(log, Level.WARNING, "KEY_PASSWORD_NOT_SAME_KEYSTORE_PASSWORD"); @@ -111,30 +111,32 @@ public final class SSLUtils { if (keyStoreType.equalsIgnoreCase(PKCS12_TYPE)) { Path path = FileSystems.getDefault().getPath(keyStoreLocation); byte[] bytes = Files.readAllBytes(path); - ByteArrayInputStream bin = new ByteArrayInputStream(bytes); + try (ByteArrayInputStream bin = new ByteArrayInputStream(bytes)) { - if (keyStorePassword != null) { - keystoreManagers = loadKeyStore(kmf, - ks, - bin, - keyStoreLocation, - keyStorePassword, - log); + if (keyStorePassword != null) { + keystoreManagers = loadKeyStore(kmf, + ks, + bin, + keyStoreLocation, + keyStorePassword, + log); + } } } else { byte[] sslCert = loadFile(keyStoreLocation); if (sslCert != null && sslCert.length > 0 && keyStorePassword != null) { - ByteArrayInputStream bin = new ByteArrayInputStream(sslCert); - keystoreManagers = loadKeyStore(kmf, + try (ByteArrayInputStream bin = new ByteArrayInputStream(sslCert)) { + keystoreManagers = loadKeyStore(kmf, ks, bin, keyStoreLocation, keyStorePassword, log); + } } } - if ((keyStorePassword == null) && (keyStoreLocation != null)) { + if (keyStorePassword == null && keyStoreLocation != null) { LogUtils.log(log, Level.WARNING, "FAILED_TO_LOAD_KEYSTORE_NULL_PASSWORD", keyStoreLocation); @@ -151,6 +153,7 @@ public final class SSLUtils { } return defaultManagers; } + private static synchronized void loadDefaultKeyManagers(Logger log) { if (defaultManagers != null) { return; 
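Review bot: In the @@ -111 hunk both branches pass only `keyStorePassword` to `loadKeyStore`; `keyPassword` is consulted solely for the KEY_PASSWORD_NOT_SAME_KEYSTORE_PASSWORD warning in the preceding hunk, so as far as this page shows a distinct key password is never used to unlock the private key and a mismatch surfaces as a WARNING rather than a failure. If `loadKeyStore` (not visible here) really does reuse the keystore password for `KeyManagerFactory.init`, either pass `keyPassword` through or promote the warning to an error so an operator learns immediately that the key cannot be used. The try-with-resources around `ByteArrayInputStream` is cosmetic since its `close()` is a no-op, while the asymmetry that remains is more worth a comment: the PKCS12 branch lets `Files.readAllBytes` propagate a missing or unreadable file as an exception, whereas the other branch silently does nothing when `loadFile` returns null or an empty array, e.g. `// PKCS12: an unreadable file is an error; other types are skipped silently on a null/empty load`. The enclosing method starts before this hunk.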
@@ -233,10 +236,10 @@ public final class SSLUtils { byte[] caCert = loadFile(trustStoreLocation); try { if (caCert != null) { - ByteArrayInputStream cabin = new ByteArrayInputStream(caCert); - X509Certificate cert = (X509Certificate)cf.generateCertificate(cabin); - trustedCertStore.setCertificateEntry(cert.getIssuerDN().toString(), cert); - cabin.close(); + try (ByteArrayInputStream cabin = new ByteArrayInputStream(caCert)) { + X509Certificate cert = (X509Certificate)cf.generateCertificate(cabin); + trustedCertStore.setCertificateEntry(cert.getIssuerDN().toString(), cert); + } } } catch (Exception e) { LogUtils.log(log, Level.WARNING, "FAILED_TO_LOAD_TRUST_STORE", @@ -284,6 +287,7 @@ public final class SSLUtils { public static String getKeystoreType(String keyStoreType, Logger log) { return getKeystoreType(keyStoreType, log, DEFAULT_KEYSTORE_TYPE); } + public static String getKeystoreType(String keyStoreType, Logger log, String def) { String logMsg = null; if (keyStoreType != null) { @@ -299,7 +303,8 @@ public final class SSLUtils { } LogUtils.log(log, Level.FINE, logMsg, keyStoreType); return keyStoreType; - } + } + public static String getKeystoreProvider(String keyStoreProvider, Logger log) { String logMsg = null; if (keyStoreProvider != null) { http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java b/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java index 8483631..a3421e3 100644 --- a/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java +++ b/rt/transports/http-hc/src/main/java/org/apache/cxf/transport/http/asyncclient/AsyncHTTPConduit.java 
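Review bot: `cf.generateCertificate(cabin)` inside the rewritten try-with-resources parses exactly one certificate, so if `trustStoreLocation` holds a bundle (several PEM blocks) every anchor after the first is silently dropped and the trust store ends up narrower than the operator configured; the commit only re-wraps these lines, but since they are being touched it is the moment to switch to `generateCertificates` and add every entry. Keying the entry on `getIssuerDN().toString()` is also a denigrated API and would collide as soon as two certificates from the same issuer are added, so the alias should come from the subject plus an index. I cannot see whether `loadFile` is documented as single-certificate only; if it is, the minimum is a comment such as `// single CA certificate expected; bundles are not supported`. The enclosing method continues outside the hunk, and `java.security.cert.Certificate` would need importing for the version below.
```java
try (ByteArrayInputStream cabin = new ByteArrayInputStream(caCert)) {
    int n = 0;
    for (Certificate c : cf.generateCertificates(cabin)) {
        X509Certificate cert = (X509Certificate)c;
        // subject + index keeps aliases unique when the file is a bundle
        trustedCertStore.setCertificateEntry(
            cert.getSubjectX500Principal().getName() + "-" + n++, cert);
    }
}
```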
@@ -47,7 +47,6 @@ import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLException; import javax.net.ssl.SSLSession; -import javax.net.ssl.X509KeyManager; import org.apache.cxf.Bus; import org.apache.cxf.common.util.StringUtils; @@ -65,7 +64,6 @@ import org.apache.cxf.transport.http.Address; import org.apache.cxf.transport.http.Headers; import org.apache.cxf.transport.http.URLConnectionHTTPConduit; import org.apache.cxf.transport.http.asyncclient.AsyncHTTPConduitFactory.UseAsyncPolicy; -import org.apache.cxf.transport.https.AliasedX509ExtendedKeyManager; import org.apache.cxf.transport.https.HttpsURLConnectionInfo; import org.apache.cxf.transports.http.configuration.HTTPClientPolicy; import org.apache.cxf.version.Version; @@ -878,10 +876,11 @@ public class AsyncHTTPConduit extends URLConnectionHTTPConduit { SSLContext ctx = provider == null ? SSLContext.getInstance(protocol) : SSLContext .getInstance(protocol, provider); ctx.getClientSessionContext().setSessionTimeout(tlsClientParameters.getSslCacheTimeout()); + KeyManager[] keyManagers = tlsClientParameters.getKeyManagers(); - if (tlsClientParameters.getCertAlias() != null) { - keyManagers = getKeyManagersWithCertAlias(tlsClientParameters, keyManagers); - } + org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias( + tlsClientParameters, keyManagers); + ctx.init(keyManagers, tlsClientParameters.getTrustManagers(), tlsClientParameters.getSecureRandom()); 
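Review bot: `configureKeyManagersWithCertAlias` rewrites the array it is handed in place (the helper assigns `keyManagers[idx] = new AliasedX509ExtendedKeyManager(...)`), whereas the `getKeyManagersWithCertAlias` this commit deletes from the conduit built a fresh `ret` array and left its input untouched; the array now being modified is the one returned by `tlsClientParameters.getKeyManagers()`, so if that getter exposes its internal array rather than a copy (not visible here) the wrapping leaks into the shared `TLSClientParameters` and every other consumer of it. The helper's instanceof guard prevents double-wrapping on a second pass, but the side effect deserves to be explicit at the call site, e.g. `// NOTE: wraps the parameters' own key managers in place when a cert alias is set`. This conduit also still assembles the SSLContext by hand while HttpsURLConnectionFactory in the same commit delegates to `org.apache.cxf.transport.https.SSLUtils.getSSLContext(tlsClientParameters)`; reusing that helper here would remove the duplicated session-timeout and init logic and give the async conduit the same default-key-store fallback when `getKeyManagers()` returns null. The enclosing method starts before this hunk.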
@@ -931,26 +930,4 @@ public class AsyncHTTPConduit extends URLConnectionHTTPConduit { return list.toArray(new String[list.size()]); } - protected static KeyManager[] getKeyManagersWithCertAlias(TLSClientParameters tlsClientParameters, - KeyManager[] keyManagers) throws GeneralSecurityException { - if (tlsClientParameters.getCertAlias() != null) { - KeyManager ret[] = new KeyManager[keyManagers.length]; - for (int idx = 0; idx < keyManagers.length; idx++) { - if (keyManagers[idx] instanceof X509KeyManager) { - try { - ret[idx] = new AliasedX509ExtendedKeyManager(tlsClientParameters.getCertAlias(), - (X509KeyManager)keyManagers[idx]); - } catch (Exception e) { - throw new GeneralSecurityException(e); - } - } else { - ret[idx] = keyManagers[idx]; - } - } - return ret; - } - return keyManagers; - } - - } http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java ---------------------------------------------------------------------- diff --git a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java index e6f0fed..67e960b 100644 --- a/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java +++ b/rt/transports/http-jetty/src/main/java/org/apache/cxf/transport/http_jetty/JettyHTTPServerEngine.java @@ -34,7 +34,6 @@ import java.util.logging.Logger; import javax.annotation.PostConstruct; import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; -import javax.net.ssl.X509KeyManager; import javax.servlet.RequestDispatcher; import javax.servlet.ServletContext; import javax.servlet.http.HttpServletRequest; 
@@ -52,7 +51,6 @@ import org.apache.cxf.configuration.jsse.TLSServerParameters; import org.apache.cxf.configuration.security.ClientAuthentication; import org.apache.cxf.interceptor.Fault; import org.apache.cxf.transport.HttpUriMapper; -import org.apache.cxf.transport.https.AliasedX509ExtendedKeyManager; import org.eclipse.jetty.http.HttpStatus; import org.eclipse.jetty.security.SecurityHandler; import org.eclipse.jetty.server.AbstractConnector; @@ -729,9 +727,9 @@ public class JettyHTTPServerEngine implements ServerEngine { : SSLContext.getInstance(proto, tlsServerParameters.getJsseProvider()); KeyManager keyManagers[] = tlsServerParameters.getKeyManagers(); - if (tlsServerParameters.getCertAlias() != null) { - keyManagers = getKeyManagersWithCertAlias(keyManagers); - } + org.apache.cxf.transport.https.SSLUtils.configureKeyManagersWithCertAlias( + tlsServerParameters, keyManagers); + context.init(tlsServerParameters.getKeyManagers(), tlsServerParameters.getTrustManagers(), tlsServerParameters.getSecureRandom()); @@ -760,17 +758,7 @@ public class JettyHTTPServerEngine implements ServerEngine { return context; } - protected KeyManager[] getKeyManagersWithCertAlias(KeyManager keyManagers[]) throws Exception { - if (tlsServerParameters.getCertAlias() != null) { - for (int idx = 0; idx < keyManagers.length; idx++) { - if (keyManagers[idx] instanceof X509KeyManager) { - keyManagers[idx] = new AliasedX509ExtendedKeyManager( - tlsServerParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]); - } - } - } - return keyManagers; - } + protected void setClientAuthentication(SslContextFactory con, ClientAuthentication clientAuth) { con.setWantClientAuth(true); http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java ---------------------------------------------------------------------- 
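Review bot: `context.init(tlsServerParameters.getKeyManagers(), ...)` at the end of the @@ -729 hunk ignores the local `keyManagers` that `configureKeyManagersWithCertAlias` was just applied to, so the cert-alias wrapping reaches the context only if `getKeyManagers()` returns the very same array instance on every call; if it returns a copy, the server silently presents whichever key the default `X509KeyManager` picks instead of the configured alias. The pre-commit code had the same shape, but the commit rewrites exactly these lines and should pass the local: `context.init(keyManagers, tlsServerParameters.getTrustManagers(), tlsServerParameters.getSecureRandom());`. Note also that the shared helper's default-key-store fallback applies only to `TLSClientParameters`, so a null server key-manager array still goes straight into `init`, which is presumably intended but worth a one-line comment. The enclosing method starts before the hunk.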
diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java index f5d88de..0d02d6b 100644 --- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java +++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/HttpsURLConnectionFactory.java @@ -32,10 +32,8 @@ import java.util.logging.Logger; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; -import javax.net.ssl.KeyManager; import javax.net.ssl.SSLContext; import javax.net.ssl.SSLSocketFactory; -import javax.net.ssl.X509KeyManager; import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.common.util.ReflectionInvokationHandler; @@ -152,23 +150,8 @@ public class HttpsURLConnectionFactory { // ssl socket factory not yet instantiated, create a new one with tlsClientParameters's Trust // Managers, Key Managers, etc - String provider = tlsClientParameters.getJsseProvider(); - - String protocol = tlsClientParameters.getSecureSocketProtocol() != null ? tlsClientParameters - .getSecureSocketProtocol() : "TLS"; - - SSLContext ctx = provider == null ? SSLContext.getInstance(protocol) : SSLContext - .getInstance(protocol, provider); - ctx.getClientSessionContext().setSessionTimeout(tlsClientParameters.getSslCacheTimeout()); - KeyManager[] keyManagers = tlsClientParameters.getKeyManagers(); - if (keyManagers == null) { - keyManagers = SSLUtils.getDefaultKeyStoreManagers(LOG); - } - if (tlsClientParameters.getCertAlias() != null) { - getKeyManagersWithCertAlias(tlsClientParameters, keyManagers); - } - ctx.init(keyManagers, tlsClientParameters.getTrustManagers(), - tlsClientParameters.getSecureRandom()); + SSLContext ctx = + org.apache.cxf.transport.https.SSLUtils.getSSLContext(tlsClientParameters); String[] cipherSuites = SSLUtils.getCiphersuitesToInclude(tlsClientParameters.getCipherSuites(), 
@@ -178,9 +161,11 @@ public class HttpsURLConnectionFactory { LOG); // The SSLSocketFactoryWrapper enables certain cipher suites // from the policy. + String protocol = tlsClientParameters.getSecureSocketProtocol() != null ? tlsClientParameters + .getSecureSocketProtocol() : "TLS"; socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(), cipherSuites, protocol); - //recalc the hashcode since somet of the above MAY have changed the tlsClientParameters + //recalc the hashcode since some of the above MAY have changed the tlsClientParameters lastTlsHash = tlsClientParameters.hashCode(); } else { // ssl socket factory already initialized, reuse it to benefit of keep alive @@ -259,23 +244,6 @@ public class HttpsURLConnectionFactory { LOG.addHandler(handler); } - protected void getKeyManagersWithCertAlias(TLSClientParameters tlsClientParameters, - KeyManager[] keyManagers) throws GeneralSecurityException { - if (tlsClientParameters.getCertAlias() != null && keyManagers != null) { - for (int idx = 0; idx < keyManagers.length; idx++) { - if (keyManagers[idx] instanceof X509KeyManager - && !(keyManagers[idx] instanceof AliasedX509ExtendedKeyManager)) { - try { - keyManagers[idx] = new AliasedX509ExtendedKeyManager( - tlsClientParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]); - } catch (Exception e) { - throw new GeneralSecurityException(e); - } - } - } - } - } - } http://git-wip-us.apache.org/repos/asf/cxf/blob/2e6ca288/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java ---------------------------------------------------------------------- diff --git a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java index 183f80e..11d8ddd 100644 --- a/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java +++ b/rt/transports/http/src/main/java/org/apache/cxf/transport/https/SSLUtils.java 
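Review bot: The new `protocol` local in the @@ -178 hunk re-derives the `getSecureSocketProtocol()`-or-`"TLS"` default that `SSLUtils.getSSLContext` presumably also applies when it calls `SSLContext.getInstance`, leaving two copies of a security-relevant default that can drift apart. `SSLContext.getProtocol()` already reports the name the context was created with, so the duplicate can go: `socketFactory = new SSLSocketFactoryWrapper(ctx.getSocketFactory(), cipherSuites, ctx.getProtocol());`. If the wrapper must see the raw configured value rather than the name the provider reports, a comment saying so would keep the next refactor from collapsing them. The enclosing method continues outside the hunk.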
@@ -19,6 +19,7 @@ package org.apache.cxf.transport.https; import java.security.GeneralSecurityException; +import java.util.logging.Logger; import javax.net.ssl.HostnameVerifier; import javax.net.ssl.HttpsURLConnection; @@ -27,6 +28,7 @@ import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.X509KeyManager; +import org.apache.cxf.common.logging.LogUtils; import org.apache.cxf.configuration.jsse.TLSClientParameters; import org.apache.cxf.configuration.jsse.TLSParameterBase; import org.apache.cxf.configuration.jsse.TLSServerParameters; @@ -35,6 +37,9 @@ import org.apache.cxf.transport.https.httpclient.DefaultHostnameVerifier; import org.apache.cxf.transport.https.httpclient.PublicSuffixMatcherLoader; public final class SSLUtils { + + private static final Logger LOG = LogUtils.getL7dLogger(SSLUtils.class); + private SSLUtils() { //Helper class } @@ -54,7 +59,7 @@ public final class SSLUtils { return verifier; } - public static SSLContext getSSLContext(TLSParameterBase parameters) throws Exception { + public static SSLContext getSSLContext(TLSParameterBase parameters) throws GeneralSecurityException { // TODO do we need to cache the context String provider = parameters.getJsseProvider(); 
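Review bot: `getSSLContext` becomes the shared context factory for two transports in this commit yet carries only a `// TODO do we need to cache the context` line and no Javadoc, and the behaviour callers now rely on is visible only in the following hunk: a null key-manager array is replaced by CXF's default key store solely for `TLSClientParameters`, and when a cert alias is set the X509 key managers in the parameters' own array are wrapped in place. I would add a Javadoc stating those two points, including that the method mutates `parameters.getKeyManagers()` rather than returning a copy, plus `@throws GeneralSecurityException if the context cannot be created or a key manager cannot be wrapped for the alias`. Narrowing the declared exception from `Exception` is source-compatible for existing callers that catch `Exception`. The method body continues past this hunk.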
@@ -68,24 +73,25 @@ public final class SSLUtils { ctx.getClientSessionContext().setSessionTimeout(((TLSClientParameters)parameters).getSslCacheTimeout()); } - // TODO setting on the server side - KeyManager[] keyManagers = parameters.getKeyManagers(); - if (parameters.getCertAlias() != null) { - getKeyManagersWithCertAlias(parameters, keyManagers); + if (keyManagers == null && parameters instanceof TLSClientParameters) { + keyManagers = org.apache.cxf.configuration.jsse.SSLUtils.getDefaultKeyStoreManagers(LOG); } + configureKeyManagersWithCertAlias(parameters, keyManagers); + ctx.init(keyManagers, parameters.getTrustManagers(), parameters.getSecureRandom()); return ctx; } - protected static void getKeyManagersWithCertAlias(TLSParameterBase tlsParameters, + public static void configureKeyManagersWithCertAlias(TLSParameterBase tlsParameters, KeyManager[] keyManagers) throws GeneralSecurityException { - if (tlsParameters.getCertAlias() != null) { + if (tlsParameters.getCertAlias() != null && keyManagers != null) { for (int idx = 0; idx < keyManagers.length; idx++) { - if (keyManagers[idx] instanceof X509KeyManager) { + if (keyManagers[idx] instanceof X509KeyManager + && !(keyManagers[idx] instanceof AliasedX509ExtendedKeyManager)) { try { keyManagers[idx] = new AliasedX509ExtendedKeyManager(tlsParameters.getCertAlias(), (X509KeyManager)keyManagers[idx]);
