
Example 16 with SslContextBuilder

use of io.netty.handler.ssl.SslContextBuilder in project grpc-java by grpc.

Defined in class ProtocolNegotiators, method from.

/**
 * Converts {@link ChannelCredentials} into a Netty client protocol negotiator.
 *
 * <p>Supported inputs: {@link TlsChannelCredentials}, {@link InsecureChannelCredentials},
 * {@link CompositeChannelCredentials} (channel part converted recursively, call credentials
 * attached to the result), {@link NettyChannelCredentials} and {@link ChoiceChannelCredentials}
 * (the first convertible entry wins). Any other type yields an error result rather than an
 * exception.
 *
 * @param creds the credentials to convert
 * @return a result holding either a negotiator factory or a human-readable error
 */
public static FromChannelCredentialsResult from(ChannelCredentials creds) {
    if (creds instanceof TlsChannelCredentials) {
        TlsChannelCredentials tlsCreds = (TlsChannelCredentials) creds;
        Set<TlsChannelCredentials.Feature> unsupported = tlsCreds.incomprehensible(understoodTlsFeatures);
        if (!unsupported.isEmpty()) {
            return FromChannelCredentialsResult.error("TLS features not understood: " + unsupported);
        }
        SslContextBuilder builder = GrpcSslContexts.forClient();
        // Client identity (mutual TLS): explicit KeyManagers take precedence over raw PEM bytes.
        if (tlsCreds.getKeyManagers() != null) {
            builder.keyManager(new FixedKeyManagerFactory(tlsCreds.getKeyManagers()));
        } else if (tlsCreds.getPrivateKey() != null) {
            builder.keyManager(
                new ByteArrayInputStream(tlsCreds.getCertificateChain()),
                new ByteArrayInputStream(tlsCreds.getPrivateKey()),
                tlsCreds.getPrivateKeyPassword());
        }
        // Server verification: explicit TrustManagers, then root certificates; with neither
        // present the builder keeps the system default trust store.
        if (tlsCreds.getTrustManagers() != null) {
            builder.trustManager(new FixedTrustManagerFactory(tlsCreds.getTrustManagers()));
        } else if (tlsCreds.getRootCertificates() != null) {
            builder.trustManager(new ByteArrayInputStream(tlsCreds.getRootCertificates()));
        }
        try {
            return FromChannelCredentialsResult.negotiator(tlsClientFactory(builder.build()));
        } catch (SSLException ex) {
            // Build failures are reported to the caller as an error result, not thrown.
            log.log(Level.FINE, "Exception building SslContext", ex);
            return FromChannelCredentialsResult.error("Unable to create SslContext: " + ex.getMessage());
        }
    }
    if (creds instanceof InsecureChannelCredentials) {
        return FromChannelCredentialsResult.negotiator(plaintextClientFactory());
    }
    if (creds instanceof CompositeChannelCredentials) {
        CompositeChannelCredentials composite = (CompositeChannelCredentials) creds;
        FromChannelCredentialsResult channelPart = from(composite.getChannelCredentials());
        return channelPart.withCallCredentials(composite.getCallCredentials());
    }
    if (creds instanceof NettyChannelCredentials) {
        NettyChannelCredentials nettyCreds = (NettyChannelCredentials) creds;
        return FromChannelCredentialsResult.negotiator(nettyCreds.getNegotiator());
    }
    if (creds instanceof ChoiceChannelCredentials) {
        ChoiceChannelCredentials choiceCreds = (ChoiceChannelCredentials) creds;
        StringBuilder failures = new StringBuilder();
        for (ChannelCredentials candidate : choiceCreds.getCredentialsList()) {
            FromChannelCredentialsResult attempt = from(candidate);
            if (attempt.error == null) {
                return attempt;
            }
            failures.append(", ").append(attempt.error);
        }
        // Strip the leading separator. NOTE(review): this presumes a non-empty credentials
        // list; an empty one would make substring(2) throw — confirm ChoiceChannelCredentials
        // guarantees at least one entry.
        return FromChannelCredentialsResult.error(failures.substring(2));
    }
    return FromChannelCredentialsResult.error("Unsupported credential type: " + creds.getClass().getName());
}

Example 17 with SslContextBuilder

use of io.netty.handler.ssl.SslContextBuilder in project grpc-java by grpc.

Defined in class ProtocolNegotiators, method from.

/**
 * Converts {@link ServerCredentials} into a Netty server protocol negotiator.
 *
 * <p>Supported inputs: {@link TlsServerCredentials}, {@link InsecureServerCredentials},
 * {@link NettyServerCredentials} and {@link ChoiceServerCredentials} (the first convertible
 * entry wins). Any other type yields an error result rather than an exception.
 *
 * @param creds the credentials to convert
 * @return a result holding either a negotiator factory or a human-readable error
 * @throws IllegalArgumentException if the TLS credentials are understood but Netty fails to
 *     build the {@code SslContext}
 * @throws AssertionError if TLS credentials carry neither KeyManagers nor a private key
 */
public static FromServerCredentialsResult from(ServerCredentials creds) {
    if (creds instanceof TlsServerCredentials) {
        TlsServerCredentials tlsCreds = (TlsServerCredentials) creds;
        Set<TlsServerCredentials.Feature> unsupported = tlsCreds.incomprehensible(understoodServerTlsFeatures);
        if (!unsupported.isEmpty()) {
            return FromServerCredentialsResult.error("TLS features not understood: " + unsupported);
        }
        // Server identity is mandatory: explicit KeyManagers win over raw PEM bytes, and the
        // credentials type is expected to guarantee that one of the two is present.
        SslContextBuilder builder;
        if (tlsCreds.getKeyManagers() != null) {
            builder = GrpcSslContexts.configure(
                SslContextBuilder.forServer(new FixedKeyManagerFactory(tlsCreds.getKeyManagers())));
        } else if (tlsCreds.getPrivateKey() != null) {
            builder = GrpcSslContexts.forServer(
                new ByteArrayInputStream(tlsCreds.getCertificateChain()),
                new ByteArrayInputStream(tlsCreds.getPrivateKey()),
                tlsCreds.getPrivateKeyPassword());
        } else {
            throw new AssertionError("BUG! No key");
        }
        // Client-certificate verification: explicit TrustManagers, then root certificates; with
        // neither present the builder keeps the system default trust store.
        if (tlsCreds.getTrustManagers() != null) {
            builder.trustManager(new FixedTrustManagerFactory(tlsCreds.getTrustManagers()));
        } else if (tlsCreds.getRootCertificates() != null) {
            builder.trustManager(new ByteArrayInputStream(tlsCreds.getRootCertificates()));
        }
        // Map gRPC's client-auth mode onto Netty's; an unknown value is reported, never
        // silently downgraded.
        io.netty.handler.ssl.ClientAuth nettyClientAuth;
        switch (tlsCreds.getClientAuth()) {
            case NONE:
                nettyClientAuth = io.netty.handler.ssl.ClientAuth.NONE;
                break;
            case OPTIONAL:
                nettyClientAuth = io.netty.handler.ssl.ClientAuth.OPTIONAL;
                break;
            case REQUIRE:
                nettyClientAuth = io.netty.handler.ssl.ClientAuth.REQUIRE;
                break;
            default:
                return FromServerCredentialsResult.error(
                    "Unknown TlsServerCredentials.ClientAuth value: " + tlsCreds.getClientAuth());
        }
        builder.clientAuth(nettyClientAuth);
        SslContext sslContext;
        try {
            sslContext = builder.build();
        } catch (SSLException ex) {
            throw new IllegalArgumentException(
                "Unexpected error converting ServerCredentials to Netty SslContext", ex);
        }
        return FromServerCredentialsResult.negotiator(serverTlsFactory(sslContext));
    }
    if (creds instanceof InsecureServerCredentials) {
        return FromServerCredentialsResult.negotiator(serverPlaintextFactory());
    }
    if (creds instanceof NettyServerCredentials) {
        NettyServerCredentials nettyCreds = (NettyServerCredentials) creds;
        return FromServerCredentialsResult.negotiator(nettyCreds.getNegotiator());
    }
    if (creds instanceof ChoiceServerCredentials) {
        ChoiceServerCredentials choiceCreds = (ChoiceServerCredentials) creds;
        StringBuilder failures = new StringBuilder();
        for (ServerCredentials candidate : choiceCreds.getCredentialsList()) {
            FromServerCredentialsResult attempt = from(candidate);
            if (attempt.error == null) {
                return attempt;
            }
            failures.append(", ").append(attempt.error);
        }
        // Strip the leading separator. NOTE(review): this presumes a non-empty credentials
        // list; an empty one would make substring(2) throw — confirm ChoiceServerCredentials
        // guarantees at least one entry.
        return FromServerCredentialsResult.error(failures.substring(2));
    }
    return FromServerCredentialsResult.error("Unsupported credential type: " + creds.getClass().getName());
}

Example 18 with SslContextBuilder

use of io.netty.handler.ssl.SslContextBuilder in project grpc-java by grpc.

Defined in class CertProviderServerSslContextProvider, method getSslContextBuilder.

/**
 * Builds the server-side {@link SslContextBuilder} from the key and certificate chain saved on
 * this provider, then applies gRPC's standard builder configuration.
 *
 * <p>When mTLS is enabled, a trust manager factory backed by the saved trusted roots and the
 * supplied validation context is handed to {@code setClientAuthValues}; otherwise {@code null}
 * is passed and no client-certificate trust is configured here.
 *
 * @param certificateValidationContextdationContext validation context applied to presented
 *     client certificates when mTLS is on
 * @return the configured builder
 * @throws CertStoreException if the trust manager factory cannot be created
 * @throws CertificateException if the trust manager factory cannot be created
 * @throws IOException if the trust manager factory cannot be created
 */
@Override
protected final SslContextBuilder getSslContextBuilder(CertificateValidationContext certificateValidationContextdationContext) throws CertStoreException, CertificateException, IOException {
    SslContextBuilder serverBuilder = SslContextBuilder.forServer(savedKey, savedCertChain);
    SdsTrustManagerFactory trustManagerFactory = null;
    if (isMtls()) {
        X509Certificate[] trustedRoots = savedTrustedRoots.toArray(new X509Certificate[0]);
        trustManagerFactory = new SdsTrustManagerFactory(trustedRoots, certificateValidationContextdationContext);
    }
    setClientAuthValues(serverBuilder, trustManagerFactory);
    return GrpcSslContexts.configure(serverBuilder);
}

Example 19 with SslContextBuilder

use of io.netty.handler.ssl.SslContextBuilder in project dubbo by alibaba.

Defined in class GrpcOptionsUtils, method buildServerSslContext.

/**
 * Builds the Netty server {@link SslContext} from the application's {@code SslConfig}.
 *
 * <p>Key material is read from the configured certificate-chain and private-key streams, using
 * the key password when one is set. If a server trust-certificate collection is configured it
 * becomes the trust store and client certificates are required (mutual TLS); without it no
 * client authentication is configured. All streams are closed before the context is built.
 *
 * @param url the provider URL; not consulted by this method
 * @return the built server context
 * @throws IllegalStateException if SSL is enabled without an {@code SslConfig}, or if the
 *     context cannot be built
 * @throws IllegalArgumentException if the certificate streams cannot be read or parsed
 */
private static SslContext buildServerSslContext(URL url) {
    ConfigManager configManager = ApplicationModel.getConfigManager();
    SslConfig sslConfig = configManager.getSsl()
        .orElseThrow(() -> new IllegalStateException("Ssl enabled, but no ssl cert information provided!"));
    SslContextBuilder builder = null;
    InputStream certChainStream = null;
    InputStream privateKeyStream = null;
    InputStream trustCertStream = null;
    try {
        certChainStream = sslConfig.getServerKeyCertChainPathStream();
        privateKeyStream = sslConfig.getServerPrivateKeyPathStream();
        String keyPassword = sslConfig.getServerKeyPassword();
        builder = keyPassword == null
            ? GrpcSslContexts.forServer(certChainStream, privateKeyStream)
            : GrpcSslContexts.forServer(certChainStream, privateKeyStream, keyPassword);
        trustCertStream = sslConfig.getServerTrustCertCollectionPathStream();
        if (trustCertStream != null) {
            // A configured trust collection implies mutual TLS: peers must present a cert.
            builder.trustManager(trustCertStream).clientAuth(ClientAuth.REQUIRE);
        }
    } catch (Exception e) {
        throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", e);
    } finally {
        safeCloseStream(certChainStream);
        safeCloseStream(privateKeyStream);
        safeCloseStream(trustCertStream);
    }
    try {
        return builder.build();
    } catch (SSLException e) {
        throw new IllegalStateException("Build SslSession failed.", e);
    }
}

Example 20 with SslContextBuilder

use of io.netty.handler.ssl.SslContextBuilder in project dubbo by alibaba.

Defined in class SslContexts, method buildServerSslContext.

/**
 * Builds the Netty server {@link SslContext} from the application's {@code SslConfig}.
 *
 * <p>Key material is read from the configured certificate-chain and private-key streams, using
 * the key password when one is set. If a server trust-certificate collection is configured it
 * becomes the trust store and client certificates are required (mutual TLS); without it no
 * client authentication is configured. Configured cipher suites and protocols are applied when
 * present, the SSL provider comes from {@code findSslProvider()}, and all streams are closed
 * before the context is built.
 *
 * @param url the provider URL; not consulted by this method
 * @return the built server context
 * @throws IllegalStateException if SSL is enabled without an {@code SslConfig}, or if the
 *     context cannot be built
 * @throws IllegalArgumentException if the certificate streams cannot be read or parsed
 */
public static SslContext buildServerSslContext(URL url) {
    ConfigManager configManager = ApplicationModel.getConfigManager();
    SslConfig sslConfig = configManager.getSsl()
        .orElseThrow(() -> new IllegalStateException("Ssl enabled, but no ssl cert information provided!"));
    SslContextBuilder builder = null;
    InputStream certChainStream = null;
    InputStream privateKeyStream = null;
    InputStream trustCertStream = null;
    try {
        certChainStream = sslConfig.getServerKeyCertChainPathStream();
        privateKeyStream = sslConfig.getServerPrivateKeyPathStream();
        trustCertStream = sslConfig.getServerTrustCertCollectionPathStream();
        String keyPassword = sslConfig.getServerKeyPassword();
        builder = keyPassword == null
            ? SslContextBuilder.forServer(certChainStream, privateKeyStream)
            : SslContextBuilder.forServer(certChainStream, privateKeyStream, keyPassword);
        if (trustCertStream != null) {
            // A configured trust collection implies mutual TLS: peers must present a cert.
            builder.trustManager(trustCertStream).clientAuth(ClientAuth.REQUIRE);
        }
        if (sslConfig.getCiphers() != null) {
            builder.ciphers(sslConfig.getCiphers());
        }
        if (sslConfig.getProtocols() != null) {
            builder.protocols(sslConfig.getProtocols());
        }
    } catch (Exception e) {
        throw new IllegalArgumentException("Could not find certificate file or the certificate is invalid.", e);
    } finally {
        safeCloseStream(certChainStream);
        safeCloseStream(privateKeyStream);
        safeCloseStream(trustCertStream);
    }
    try {
        return builder.sslProvider(findSslProvider()).build();
    } catch (SSLException e) {
        throw new IllegalStateException("Build SslSession failed.", e);
    }
}
