Search in sources :

Example 11 with SslContextBuilder

use of io.netty.handler.ssl.SslContextBuilder in project java-driver by datastax.

the class Jdk8SSLEncryptionTest method should_pass_peer_address_to_engine.

/**
 * Validates that {@link RemoteEndpointAwareSSLOptions} implementations properly pass remote endpoint information
 * to the underlying {@link SSLEngine} that is created.  This is done by creating a custom {@link TrustManagerFactory}
 * that inspects the peer information on the {@link SSLEngine} in
 * {@link X509ExtendedTrustManager#checkServerTrusted(X509Certificate[], String, SSLEngine)} and throws a
 * {@link CertificateException} if the peer host or port do not match.
 * <p>
 * This test is prefixed with 'Jdk8' so it only runs against JDK 8+ runtimes.  This is required because
 * X509ExtendedTrustManager was added in JDK 7.  Technically this would also run against JDK 7, but for simplicity
 * we only run it against 8+.
 *
 * @test_category connection:ssl
 * @jira_ticket JAVA-1364
 * @since 3.2.0
 */
@Test(groups = "short", dataProvider = "sslImplementation", dataProviderClass = SSLTestBase.class)
public void should_pass_peer_address_to_engine(SslImplementation sslImplementation) throws Exception {
    String expectedPeerHost = TestUtils.IP_PREFIX + "1";
    int expectedPeerPort = ccm().getBinaryPort();
    EngineInspectingTrustManagerFactory tmf = new EngineInspectingTrustManagerFactory(expectedPeerHost, expectedPeerPort);
    SSLOptions options = null;
    switch(sslImplementation) {
        case JDK:
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, tmf.getTrustManagers(), new SecureRandom());
            SSLParameters parameters = sslContext.getDefaultSSLParameters();
            parameters.setEndpointIdentificationAlgorithm("HTTPS");
            options = RemoteEndpointAwareJdkSSLOptions.builder().withSSLContext(sslContext).build();
            break;
        case NETTY_OPENSSL:
            SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(OPENSSL).trustManager(tmf);
            options = new RemoteEndpointAwareNettySSLOptions(builder.build());
    }
    connectWithSSLOptions(options);
}
Also used : SslContextBuilder(io.netty.handler.ssl.SslContextBuilder) Test(org.testng.annotations.Test)

Example 12 with SslContextBuilder

use of io.netty.handler.ssl.SslContextBuilder in project java-driver by datastax.

the class SSLTestBase method getSSLOptions.

/**
 * @param sslImplementation the SSL implementation to use
 * @param clientAuth        whether the client should authenticate
 * @param trustingServer    whether the client should trust the server's certificate
 * @return {@link com.datastax.driver.core.SSLOptions} with the given configuration for
 * server certificate validation and client certificate authentication.
 */
public SSLOptions getSSLOptions(SslImplementation sslImplementation, boolean clientAuth, boolean trustingServer) throws Exception {
    TrustManagerFactory tmf = null;
    if (trustingServer) {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(this.getClass().getResourceAsStream(CCMBridge.DEFAULT_CLIENT_TRUSTSTORE_PATH), CCMBridge.DEFAULT_CLIENT_TRUSTSTORE_PASSWORD.toCharArray());
        tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
    }
    switch(sslImplementation) {
        case JDK:
            KeyManagerFactory kmf = null;
            if (clientAuth) {
                KeyStore ks = KeyStore.getInstance("JKS");
                ks.load(this.getClass().getResourceAsStream(CCMBridge.DEFAULT_CLIENT_KEYSTORE_PATH), CCMBridge.DEFAULT_CLIENT_KEYSTORE_PASSWORD.toCharArray());
                kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                kmf.init(ks, CCMBridge.DEFAULT_CLIENT_KEYSTORE_PASSWORD.toCharArray());
            }
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(kmf != null ? kmf.getKeyManagers() : null, tmf != null ? tmf.getTrustManagers() : null, new SecureRandom());
            return RemoteEndpointAwareJdkSSLOptions.builder().withSSLContext(sslContext).build();
        case NETTY_OPENSSL:
            SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(OPENSSL).trustManager(tmf);
            if (clientAuth) {
                builder.keyManager(CCMBridge.DEFAULT_CLIENT_CERT_CHAIN_FILE, CCMBridge.DEFAULT_CLIENT_PRIVATE_KEY_FILE);
            }
            return new RemoteEndpointAwareNettySSLOptions(builder.build());
        default:
            fail("Unsupported SSL implementation: " + sslImplementation);
            return null;
    }
}
Also used : SslContextBuilder(io.netty.handler.ssl.SslContextBuilder) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) SecureRandom(java.security.SecureRandom) SSLContext(javax.net.ssl.SSLContext) KeyStore(java.security.KeyStore) KeyManagerFactory(javax.net.ssl.KeyManagerFactory)

Example 13 with SslContextBuilder

use of io.netty.handler.ssl.SslContextBuilder in project redisson by redisson.

the class RedisChannelInitializer method initSsl.

private void initSsl(final RedisClientConfig config, Channel ch) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, SSLException, UnrecoverableKeyException {
    if (!config.getAddress().isSsl()) {
        return;
    }
    io.netty.handler.ssl.SslProvider provided = io.netty.handler.ssl.SslProvider.JDK;
    if (config.getSslProvider() == SslProvider.OPENSSL) {
        provided = io.netty.handler.ssl.SslProvider.OPENSSL;
    }
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient().sslProvider(provided);
    sslContextBuilder.protocols(config.getSslProtocols());
    if (config.getSslTruststore() != null) {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream stream = config.getSslTruststore().openStream();
        try {
            char[] password = null;
            if (config.getSslTruststorePassword() != null) {
                password = config.getSslTruststorePassword().toCharArray();
            }
            keyStore.load(stream, password);
        } finally {
            stream.close();
        }
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        sslContextBuilder.trustManager(trustManagerFactory);
    }
    if (config.getSslKeystore() != null) {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream stream = config.getSslKeystore().openStream();
        char[] password = null;
        if (config.getSslKeystorePassword() != null) {
            password = config.getSslKeystorePassword().toCharArray();
        }
        try {
            keyStore.load(stream, password);
        } finally {
            stream.close();
        }
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, password);
        sslContextBuilder.keyManager(keyManagerFactory);
    }
    SSLParameters sslParams = new SSLParameters();
    if (config.isSslEnableEndpointIdentification()) {
        sslParams.setEndpointIdentificationAlgorithm("HTTPS");
    } else {
        if (config.getSslTruststore() == null) {
            sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
        }
    }
    SslContext sslContext = sslContextBuilder.build();
    String hostname = config.getSslHostname();
    if (hostname == null || NetUtil.createByteArrayFromIpAddressString(hostname) != null) {
        hostname = config.getAddress().getHost();
    }
    SSLEngine sslEngine = sslContext.newEngine(ch.alloc(), hostname, config.getAddress().getPort());
    sslEngine.setSSLParameters(sslParams);
    SslHandler sslHandler = new SslHandler(sslEngine);
    ch.pipeline().addLast(sslHandler);
    ch.pipeline().addLast(new ChannelInboundHandlerAdapter() {

        volatile boolean sslInitDone;

        @Override
        public void channelActive(ChannelHandlerContext ctx) throws Exception {
            if (sslInitDone) {
                super.channelActive(ctx);
            }
        }

        @Override
        public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
            if (!sslInitDone && (evt instanceof SslHandshakeCompletionEvent)) {
                SslHandshakeCompletionEvent e = (SslHandshakeCompletionEvent) evt;
                if (e.isSuccess()) {
                    sslInitDone = true;
                    ctx.fireChannelActive();
                } else {
                    RedisConnection connection = RedisConnection.getFrom(ctx.channel());
                    connection.closeAsync();
                    connection.getConnectionPromise().completeExceptionally(e.cause());
                }
            }
            super.userEventTriggered(ctx, evt);
        }
    });
}
Also used : SslHandshakeCompletionEvent(io.netty.handler.ssl.SslHandshakeCompletionEvent) InputStream(java.io.InputStream) ChannelHandlerContext(io.netty.channel.ChannelHandlerContext) javax.net.ssl(javax.net.ssl) KeyStore(java.security.KeyStore) SslHandler(io.netty.handler.ssl.SslHandler) IOException(java.io.IOException) KeyStoreException(java.security.KeyStoreException) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) SslContextBuilder(io.netty.handler.ssl.SslContextBuilder) InsecureTrustManagerFactory(io.netty.handler.ssl.util.InsecureTrustManagerFactory) SslContext(io.netty.handler.ssl.SslContext) ChannelInboundHandlerAdapter(io.netty.channel.ChannelInboundHandlerAdapter) RedisConnection(org.redisson.client.RedisConnection)

Example 14 with SslContextBuilder

use of io.netty.handler.ssl.SslContextBuilder in project flink by apache.

the class SSLUtils method createInternalNettySSLContext.

/**
 * Creates the SSL Context for internal SSL, if internal SSL is configured. For internal SSL,
 * the client and server side configuration are identical, because of mutual authentication.
 */
@Nullable
private static SslContext createInternalNettySSLContext(Configuration config, boolean clientMode, SslProvider provider) throws Exception {
    checkNotNull(config, "config");
    if (!SecurityOptions.isInternalSSLEnabled(config)) {
        return null;
    }
    String[] sslProtocols = getEnabledProtocols(config);
    List<String> ciphers = Arrays.asList(getEnabledCipherSuites(config));
    int sessionCacheSize = config.getInteger(SecurityOptions.SSL_INTERNAL_SESSION_CACHE_SIZE);
    int sessionTimeoutMs = config.getInteger(SecurityOptions.SSL_INTERNAL_SESSION_TIMEOUT);
    KeyManagerFactory kmf = getKeyManagerFactory(config, true, provider);
    TrustManagerFactory tmf = getTrustManagerFactory(config, true);
    ClientAuth clientAuth = ClientAuth.REQUIRE;
    final SslContextBuilder sslContextBuilder;
    if (clientMode) {
        sslContextBuilder = SslContextBuilder.forClient().keyManager(kmf);
    } else {
        sslContextBuilder = SslContextBuilder.forServer(kmf);
    }
    return sslContextBuilder.sslProvider(provider).protocols(sslProtocols).ciphers(ciphers).trustManager(tmf).clientAuth(clientAuth).sessionCacheSize(sessionCacheSize).sessionTimeout(sessionTimeoutMs / 1000).build();
}
Also used : SslContextBuilder(org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContextBuilder) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) FingerprintTrustManagerFactory(org.apache.flink.shaded.netty4.io.netty.handler.ssl.util.FingerprintTrustManagerFactory) ClientAuth(org.apache.flink.shaded.netty4.io.netty.handler.ssl.ClientAuth) OpenSslX509KeyManagerFactory(org.apache.flink.shaded.netty4.io.netty.handler.ssl.OpenSslX509KeyManagerFactory) KeyManagerFactory(javax.net.ssl.KeyManagerFactory) Nullable(javax.annotation.Nullable)

Example 15 with SslContextBuilder

use of io.netty.handler.ssl.SslContextBuilder in project pinpoint by naver.

the class SslContextFactory method create.

public static SslContext create(SslClientConfig clientConfig) throws SSLException {
    Objects.requireNonNull(clientConfig, "clientConfig");
    if (!clientConfig.isEnable()) {
        throw new IllegalArgumentException("sslConfig is disabled.");
    }
    SslProvider sslProvider = getSslProvider(clientConfig.getSslProviderType());
    SslContextBuilder sslContextBuilder = null;
    try {
        sslContextBuilder = SslContextBuilder.forClient();
        Resource trustCertResource = clientConfig.getTrustCertResource();
        if (trustCertResource != null) {
            sslContextBuilder.trustManager(trustCertResource.getInputStream());
        } else {
            // Loads default Root CA certificates (generally, from JAVA_HOME/lib/cacerts)
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init((KeyStore) null);
            sslContextBuilder.trustManager(trustManagerFactory);
        }
        SslContext sslContext = createSslContext(sslContextBuilder, sslProvider);
        assertValidCipherSuite(sslContext);
        return sslContext;
    } catch (SSLException e) {
        throw e;
    } catch (Exception e) {
        throw new SSLException(e);
    }
}
Also used : SslContextBuilder(io.netty.handler.ssl.SslContextBuilder) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) Resource(com.navercorp.pinpoint.grpc.util.Resource) SslProvider(io.netty.handler.ssl.SslProvider) SSLException(javax.net.ssl.SSLException) SSLException(javax.net.ssl.SSLException) SslContext(io.netty.handler.ssl.SslContext)

Aggregations

SslContextBuilder (io.netty.handler.ssl.SslContextBuilder)49 SslContext (io.netty.handler.ssl.SslContext)14 SSLException (javax.net.ssl.SSLException)12 KeyManagerFactory (javax.net.ssl.KeyManagerFactory)11 InputStream (java.io.InputStream)10 TrustManagerFactory (javax.net.ssl.TrustManagerFactory)10 SslProvider (io.netty.handler.ssl.SslProvider)9 File (java.io.File)9 IOException (java.io.IOException)9 KeyStore (java.security.KeyStore)7 X509Certificate (java.security.cert.X509Certificate)7 ApplicationProtocolConfig (io.netty.handler.ssl.ApplicationProtocolConfig)5 PrivateKey (java.security.PrivateKey)5 SslHandler (io.netty.handler.ssl.SslHandler)4 SelfSignedCertificate (io.netty.handler.ssl.util.SelfSignedCertificate)4 FileInputStream (java.io.FileInputStream)4 NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)4 CertificateException (java.security.cert.CertificateException)4 NettyChannelBuilder (io.grpc.netty.NettyChannelBuilder)3 Bootstrap (io.netty.bootstrap.Bootstrap)3