use of io.netty.handler.ssl.SslContextBuilder in project java-driver by datastax.
the class Jdk8SSLEncryptionTest method should_pass_peer_address_to_engine.
/**
* Validates that {@link RemoteEndpointAwareSSLOptions} implementations properly pass remote endpoint information
* to the underlying {@link SSLEngine} that is created. This is done by creating a custom {@link TrustManagerFactory}
* that inspects the peer information on the {@link SSLEngine} in
* {@link X509ExtendedTrustManager#checkServerTrusted(X509Certificate[], String, SSLEngine)} and throws a
* {@link CertificateException} if the peer host or port do not match.
* <p>
* This test is prefixed with 'Jdk8' so it only runs against JDK 8+ runtimes. This is required because
* X509ExtendedTrustManager was added in JDK 7. Technically this would also run against JDK 7, but for simplicity
* we only run it against 8+.
*
* @test_category connection:ssl
* @jira_ticket JAVA-1364
* @since 3.2.0
*/
@Test(groups = "short", dataProvider = "sslImplementation", dataProviderClass = SSLTestBase.class)
public void should_pass_peer_address_to_engine(SslImplementation sslImplementation) throws Exception {
String expectedPeerHost = TestUtils.IP_PREFIX + "1";
int expectedPeerPort = ccm().getBinaryPort();
EngineInspectingTrustManagerFactory tmf = new EngineInspectingTrustManagerFactory(expectedPeerHost, expectedPeerPort);
SSLOptions options = null;
switch(sslImplementation) {
case JDK:
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(null, tmf.getTrustManagers(), new SecureRandom());
SSLParameters parameters = sslContext.getDefaultSSLParameters();
parameters.setEndpointIdentificationAlgorithm("HTTPS");
options = RemoteEndpointAwareJdkSSLOptions.builder().withSSLContext(sslContext).build();
break;
case NETTY_OPENSSL:
SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(OPENSSL).trustManager(tmf);
options = new RemoteEndpointAwareNettySSLOptions(builder.build());
}
connectWithSSLOptions(options);
}
use of io.netty.handler.ssl.SslContextBuilder in project java-driver by datastax.
the class SSLTestBase method getSSLOptions.
/**
* @param sslImplementation the SSL implementation to use
* @param clientAuth whether the client should authenticate
* @param trustingServer whether the client should trust the server's certificate
* @return {@link com.datastax.driver.core.SSLOptions} with the given configuration for
* server certificate validation and client certificate authentication.
*/
public SSLOptions getSSLOptions(SslImplementation sslImplementation, boolean clientAuth, boolean trustingServer) throws Exception {
TrustManagerFactory tmf = null;
if (trustingServer) {
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(this.getClass().getResourceAsStream(CCMBridge.DEFAULT_CLIENT_TRUSTSTORE_PATH), CCMBridge.DEFAULT_CLIENT_TRUSTSTORE_PASSWORD.toCharArray());
tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(ks);
}
switch(sslImplementation) {
case JDK:
KeyManagerFactory kmf = null;
if (clientAuth) {
KeyStore ks = KeyStore.getInstance("JKS");
ks.load(this.getClass().getResourceAsStream(CCMBridge.DEFAULT_CLIENT_KEYSTORE_PATH), CCMBridge.DEFAULT_CLIENT_KEYSTORE_PASSWORD.toCharArray());
kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
kmf.init(ks, CCMBridge.DEFAULT_CLIENT_KEYSTORE_PASSWORD.toCharArray());
}
SSLContext sslContext = SSLContext.getInstance("TLS");
sslContext.init(kmf != null ? kmf.getKeyManagers() : null, tmf != null ? tmf.getTrustManagers() : null, new SecureRandom());
return RemoteEndpointAwareJdkSSLOptions.builder().withSSLContext(sslContext).build();
case NETTY_OPENSSL:
SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(OPENSSL).trustManager(tmf);
if (clientAuth) {
builder.keyManager(CCMBridge.DEFAULT_CLIENT_CERT_CHAIN_FILE, CCMBridge.DEFAULT_CLIENT_PRIVATE_KEY_FILE);
}
return new RemoteEndpointAwareNettySSLOptions(builder.build());
default:
fail("Unsupported SSL implementation: " + sslImplementation);
return null;
}
}
use of io.netty.handler.ssl.SslContextBuilder in project redisson by redisson.
the class RedisChannelInitializer method initSsl.
private void initSsl(final RedisClientConfig config, Channel ch) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, SSLException, UnrecoverableKeyException {
if (!config.getAddress().isSsl()) {
return;
}
io.netty.handler.ssl.SslProvider provided = io.netty.handler.ssl.SslProvider.JDK;
if (config.getSslProvider() == SslProvider.OPENSSL) {
provided = io.netty.handler.ssl.SslProvider.OPENSSL;
}
SslContextBuilder sslContextBuilder = SslContextBuilder.forClient().sslProvider(provided);
sslContextBuilder.protocols(config.getSslProtocols());
if (config.getSslTruststore() != null) {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
InputStream stream = config.getSslTruststore().openStream();
try {
char[] password = null;
if (config.getSslTruststorePassword() != null) {
password = config.getSslTruststorePassword().toCharArray();
}
keyStore.load(stream, password);
} finally {
stream.close();
}
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init(keyStore);
sslContextBuilder.trustManager(trustManagerFactory);
}
if (config.getSslKeystore() != null) {
KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
InputStream stream = config.getSslKeystore().openStream();
char[] password = null;
if (config.getSslKeystorePassword() != null) {
password = config.getSslKeystorePassword().toCharArray();
}
try {
keyStore.load(stream, password);
} finally {
stream.close();
}
KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
keyManagerFactory.init(keyStore, password);
sslContextBuilder.keyManager(keyManagerFactory);
}
SSLParameters sslParams = new SSLParameters();
if (config.isSslEnableEndpointIdentification()) {
sslParams.setEndpointIdentificationAlgorithm("HTTPS");
} else {
if (config.getSslTruststore() == null) {
sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
}
}
SslContext sslContext = sslContextBuilder.build();
String hostname = config.getSslHostname();
if (hostname == null || NetUtil.createByteArrayFromIpAddressString(hostname) != null) {
hostname = config.getAddress().getHost();
}
SSLEngine sslEngine = sslContext.newEngine(ch.alloc(), hostname, config.getAddress().getPort());
sslEngine.setSSLParameters(sslParams);
SslHandler sslHandler = new SslHandler(sslEngine);
ch.pipeline().addLast(sslHandler);
ch.pipeline().addLast(new ChannelInboundHandlerAdapter() {
volatile boolean sslInitDone;
@Override
public void channelActive(ChannelHandlerContext ctx) throws Exception {
if (sslInitDone) {
super.channelActive(ctx);
}
}
@Override
public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
if (!sslInitDone && (evt instanceof SslHandshakeCompletionEvent)) {
SslHandshakeCompletionEvent e = (SslHandshakeCompletionEvent) evt;
if (e.isSuccess()) {
sslInitDone = true;
ctx.fireChannelActive();
} else {
RedisConnection connection = RedisConnection.getFrom(ctx.channel());
connection.closeAsync();
connection.getConnectionPromise().completeExceptionally(e.cause());
}
}
super.userEventTriggered(ctx, evt);
}
});
}
use of io.netty.handler.ssl.SslContextBuilder in project flink by apache.
the class SSLUtils method createInternalNettySSLContext.
/**
* Creates the SSL Context for internal SSL, if internal SSL is configured. For internal SSL,
* the client and server side configuration are identical, because of mutual authentication.
*/
@Nullable
private static SslContext createInternalNettySSLContext(Configuration config, boolean clientMode, SslProvider provider) throws Exception {
checkNotNull(config, "config");
if (!SecurityOptions.isInternalSSLEnabled(config)) {
return null;
}
String[] sslProtocols = getEnabledProtocols(config);
List<String> ciphers = Arrays.asList(getEnabledCipherSuites(config));
int sessionCacheSize = config.getInteger(SecurityOptions.SSL_INTERNAL_SESSION_CACHE_SIZE);
int sessionTimeoutMs = config.getInteger(SecurityOptions.SSL_INTERNAL_SESSION_TIMEOUT);
KeyManagerFactory kmf = getKeyManagerFactory(config, true, provider);
TrustManagerFactory tmf = getTrustManagerFactory(config, true);
ClientAuth clientAuth = ClientAuth.REQUIRE;
final SslContextBuilder sslContextBuilder;
if (clientMode) {
sslContextBuilder = SslContextBuilder.forClient().keyManager(kmf);
} else {
sslContextBuilder = SslContextBuilder.forServer(kmf);
}
return sslContextBuilder.sslProvider(provider).protocols(sslProtocols).ciphers(ciphers).trustManager(tmf).clientAuth(clientAuth).sessionCacheSize(sessionCacheSize).sessionTimeout(sessionTimeoutMs / 1000).build();
}
use of io.netty.handler.ssl.SslContextBuilder in project pinpoint by naver.
the class SslContextFactory method create.
public static SslContext create(SslClientConfig clientConfig) throws SSLException {
Objects.requireNonNull(clientConfig, "clientConfig");
if (!clientConfig.isEnable()) {
throw new IllegalArgumentException("sslConfig is disabled.");
}
SslProvider sslProvider = getSslProvider(clientConfig.getSslProviderType());
SslContextBuilder sslContextBuilder = null;
try {
sslContextBuilder = SslContextBuilder.forClient();
Resource trustCertResource = clientConfig.getTrustCertResource();
if (trustCertResource != null) {
sslContextBuilder.trustManager(trustCertResource.getInputStream());
} else {
// Loads default Root CA certificates (generally, from JAVA_HOME/lib/cacerts)
TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
trustManagerFactory.init((KeyStore) null);
sslContextBuilder.trustManager(trustManagerFactory);
}
SslContext sslContext = createSslContext(sslContextBuilder, sslProvider);
assertValidCipherSuite(sslContext);
return sslContext;
} catch (SSLException e) {
throw e;
} catch (Exception e) {
throw new SSLException(e);
}
}
Aggregations