
Example 1 with X509TrustManagerResolver

Use of com.vmware.photon.controller.model.security.ssl.X509TrustManagerResolver in project photon-model by vmware.

From class CertificateUtil, method resolveCertificate:

public static X509TrustManagerResolver resolveCertificate(URI uri, Proxy proxy, String proxyUsername, String proxyPassword, long timeoutMillis) {
    logger.entering(logger.getName(), "resolveCertificate");
    // The resolver is installed as the only TrustManager, so it observes the chain the
    // server presents during the handshake and records whether that chain is trusted.
    X509TrustManagerResolver trustManagerResolver = new X509TrustManagerResolver();
    SSLContext sslContext;
    try {
        sslContext = SSLContext.getInstance("TLS");
        sslContext.init(null, new TrustManager[] { trustManagerResolver }, null);
    } catch (KeyManagementException | NoSuchAlgorithmException e) {
        logger.throwing(logger.getName(), "connect", e);
        throw new LocalizableValidationException(e, "Failed to initialize SSL context.", "security.certificate.context.init.error");
    }
    String hostAddress = uri.getHost();
    int port = uri.getPort() == -1 ? DEFAULT_SECURE_CONNECTION_PORT : uri.getPort();
    String uriScheme = uri.getScheme();
    String host = String.format("%s://%s:%d", uriScheme, hostAddress, port);
    try {
        SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
        if (proxy != null && proxy.type() == Type.HTTP && proxyUsername != null && UriUtils.HTTPS_SCHEME.equalsIgnoreCase(uriScheme)) {
            // Authenticated HTTP proxy: handled separately (CONNECT tunnel with credentials).
            URL url = uri.toURL();
            handleCertForHttpsThroughHttpProxyWithAuth(url, proxy, proxyUsername, proxyPassword, timeoutMillis, sslSocketFactory);
        } else {
            SSLSocket sslSocket;
            if (proxy != null) {
                // Credentials are only supported on the HTTPS-through-HTTP-proxy path above.
                if (proxyUsername != null) {
                    throw new LocalizableValidationException("Proxy authentication supported " + "for HTTPS URI through HTTP Proxy only." + " URI: " + uri.toASCIIString() + ", Proxy: " + proxy.toString(), "security.certificate.proxy.authentication.not.supported.error", uri.toASCIIString(), proxy.toString());
                }
                // Plain socket through the proxy, then TLS layered on top of it.
                Socket tunnel = new Socket(proxy);
                tunnel.connect(new InetSocketAddress(hostAddress, port), (int) timeoutMillis);
                sslSocket = (SSLSocket) sslSocketFactory.createSocket(tunnel, hostAddress, port, true);
            } else {
                sslSocket = (SSLSocket) sslSocketFactory.createSocket();
                // Send SNI so a name-based virtual host returns the certificate for this host.
                if (SSL_CONNECT_USE_SNI) {
                    SNIHostName serverName = new SNIHostName(hostAddress);
                    List<SNIServerName> serverNames = new ArrayList<>(1);
                    serverNames.add(serverName);
                    SSLParameters params = sslSocket.getSSLParameters();
                    params.setServerNames(serverNames);
                    sslSocket.setSSLParameters(params);
                }
                sslSocket.connect(new InetSocketAddress(hostAddress, port), (int) timeoutMillis);
            }
            // getSession() forces the handshake; the session is invalidated right away since
            // only the presented chain is of interest, not a reusable session.
            SSLSession session = sslSocket.getSession();
            session.invalidate();
        }
    } catch (IOException e) {
        try {
            // An I/O failure after the chain was captured and found untrusted is reported as an error;
            // a failure with a trusted chain, or with no chain at all, is only logged here.
            if (trustManagerResolver.isCertsTrusted() || trustManagerResolver.getCertificateChain().length == 0) {
                Utils.logWarning("Exception while resolving certificate for host: [%s]. Error: %s ", host, e.getMessage());
            } else {
                logger.throwing(logger.getName(), "connect", e);
                throw new IllegalArgumentException(e.getMessage(), e);
            }
        } catch (IllegalStateException ise) {
            throw new LocalizableValidationException(e, String.format("Cannot connect to host: [%s]. Error: %s", host, e.getMessage()), "security.certificate.connection.error", host, e.getMessage());
        }
    }
    // No chain captured means the handshake never reached certificate exchange.
    if (trustManagerResolver.getCertificateChain().length == 0) {
        LocalizableValidationException e = new LocalizableValidationException("Check ssl certificate failed for server: " + host, "security.certificate.check.error", host);
        logger.throwing(logger.getName(), "connect", e);
        throw e;
    }
    logger.exiting(logger.getName(), "resolveCertificate");
    return trustManagerResolver;
}

Example 2 with X509TrustManagerResolver

Use of com.vmware.photon.controller.model.security.ssl.X509TrustManagerResolver in project photon-model by vmware.

From class ResolveCertificateUtil, method assertUntrustedCert:

private void assertUntrustedCert(String uri) {
    X509TrustManagerResolver trustManagerResolver = CertificateUtil.resolveCertificate(URI.create(uri), 5000L);
    assertTrustManagerResolver(uri, trustManagerResolver);
}

Example 3 with X509TrustManagerResolver

Use of com.vmware.photon.controller.model.security.ssl.X509TrustManagerResolver in project photon-model by vmware.

From class BaseVSphereAdapterTest, method setUp:

@Before
public void setUp() throws Throwable {
    this.host = VerificationHost.create(Integer.getInteger(TestProperties.HOST_PREFERRED_PORT, 0));
    String bindingAddress = System.getProperty(TestProperties.HOST_BINDING_ADDRESS);
    if (!StringUtils.isEmpty(bindingAddress)) {
        this.host.setBindAddress(bindingAddress);
    }
    this.host.start();
    this.host.waitForServiceAvailable(ExampleService.FACTORY_LINK);
    // TODO: VSYM-992 - improve test/fix arbitrary timeout
    // must be at least 15min as default timeout to get an IP is 10min
    this.host.setTimeoutSeconds(15 * 60);
    try {
        PhotonModelAdaptersRegistryAdapters.startServices(this.host);
        PhotonModelServices.startServices(this.host);
        PhotonModelMetricServices.startServices(this.host);
        PhotonModelTaskServices.startServices(this.host);
        PhotonModelSecurityServices.startServices(this.host);
        this.host.waitForServiceAvailable(PhotonModelServices.LINKS);
        this.host.waitForServiceAvailable(PhotonModelTaskServices.LINKS);
        this.host.waitForServiceAvailable(PhotonModelSecurityServices.LINKS);
        startAdditionalServices();
        ServerX509TrustManager.create(this.host);
    } catch (Throwable e) {
        this.host.log("Error starting up services for the test %s", e.getMessage());
        throw new Exception(e);
    }
    if (this.vcUrl == null) {
        this.vcUrl = "http://not-configured";
    } else {
        // Fetch the vCenter certificate; if it is not trusted by default (e.g. self-signed),
        // register it with the SslTrustCertificateService so the test host will accept it.
        X509TrustManagerResolver resolver = CertificateUtil.resolveCertificate(URI.create(this.vcUrl), 20000);
        if (!resolver.isCertsTrusted()) {
            SslTrustCertificateState certState = new SslTrustCertificateState();
            certState.certificate = CertificateUtil.toPEMformat(resolver.getCertificate());
            SslTrustCertificateState.populateCertificateProperties(certState, resolver.getCertificate());
            Operation op = Operation.createPost(this.host, SslTrustCertificateService.FACTORY_LINK).setReferer(this.host.getReferer()).setBody(certState);
            this.host.waitForResponse(op);
        }
    }
    if (this.dataStoreId != null) {
        this.dataStoreId = this.dataStoreId.substring(this.dataStoreId.lastIndexOf("/") + 1, this.dataStoreId.length());
    }
    doSetup();
}

Example 4 with X509TrustManagerResolver

Use of com.vmware.photon.controller.model.security.ssl.X509TrustManagerResolver in project photon-model by vmware.

From class ResolveCertificateUtil, method resolveSelfSignedBehindHttpProxy:

@Test
public void resolveSelfSignedBehindHttpProxy() {
    String uri = "https://self-signed.badssl.com/";
    X509TrustManagerResolver resolver = CertificateUtil.resolveCertificate(URI.create(uri), new Proxy(Type.HTTP, new InetSocketAddress("proxy.vmware.com", 3128)), null, null, 5000L);
    assertTrustManagerResolver(uri, resolver);
}

Example 5 with X509TrustManagerResolver

Use of com.vmware.photon.controller.model.security.ssl.X509TrustManagerResolver in project photon-model by vmware.

From class ResolveCertificateUtil, method resolveSelfSignedBehindSocksProxy_neg (expects the proxy-authentication validation error, since credentials are only supported for HTTPS through an HTTP proxy):

@Test(expected = LocalizableValidationException.class)
public void resolveSelfSignedBehindSocksProxy_neg() {
    String uri = "https://self-signed.badssl.com/";
    X509TrustManagerResolver resolver = CertificateUtil.resolveCertificate(URI.create(uri), new Proxy(Type.SOCKS, new InetSocketAddress("proxy.vmware.com", 3128)), "user", "pass", 5000L);
    assertTrustManagerResolver(uri, resolver);
}