Use of io.netty.handler.ssl.SslContextBuilder in project grpc-java by grpc.
The class ProtocolNegotiators, method from(ChannelCredentials).
/**
 * Translates client {@link ChannelCredentials} into a Netty protocol negotiator, or into an error
 * describing why this transport cannot honour them.
 *
 * <p>Supported shapes: TLS, insecure/plaintext, composite (channel + call credentials),
 * Netty-native negotiator credentials, and a choice list where the first convertible entry wins.
 * Every other {@code ChannelCredentials} subtype yields an error result rather than an exception.
 *
 * @param creds the credentials to convert
 * @return a result carrying either a negotiator factory or a human-readable error string
 */
public static FromChannelCredentialsResult from(ChannelCredentials creds) {
  if (creds instanceof TlsChannelCredentials) {
    TlsChannelCredentials tls = (TlsChannelCredentials) creds;
    // Refuse credentials that request TLS features this negotiator does not implement; silently
    // ignoring them could weaken what the caller asked for.
    Set<TlsChannelCredentials.Feature> unsupported = tls.incomprehensible(understoodTlsFeatures);
    if (!unsupported.isEmpty()) {
      return FromChannelCredentialsResult.error("TLS features not understood: " + unsupported);
    }
    SslContextBuilder sslBuilder = GrpcSslContexts.forClient();
    // Client identity (optional): explicit KeyManagers take precedence over a PEM chain + key.
    if (tls.getKeyManagers() != null) {
      sslBuilder.keyManager(new FixedKeyManagerFactory(tls.getKeyManagers()));
    } else if (tls.getPrivateKey() != null) {
      sslBuilder.keyManager(
          new ByteArrayInputStream(tls.getCertificateChain()),
          new ByteArrayInputStream(tls.getPrivateKey()),
          tls.getPrivateKeyPassword());
    }
    // Server verification: explicit TrustManagers, else PEM root certificates, else nothing is
    // set on the builder and the system default trust store is used.
    if (tls.getTrustManagers() != null) {
      sslBuilder.trustManager(new FixedTrustManagerFactory(tls.getTrustManagers()));
    } else if (tls.getRootCertificates() != null) {
      sslBuilder.trustManager(new ByteArrayInputStream(tls.getRootCertificates()));
    }
    SslContext sslContext;
    try {
      sslContext = sslBuilder.build();
    } catch (SSLException ex) {
      // Reported to the caller as a result error; the stack trace stays at FINE level.
      log.log(Level.FINE, "Exception building SslContext", ex);
      return FromChannelCredentialsResult.error("Unable to create SslContext: " + ex.getMessage());
    }
    return FromChannelCredentialsResult.negotiator(tlsClientFactory(sslContext));
  }
  if (creds instanceof InsecureChannelCredentials) {
    return FromChannelCredentialsResult.negotiator(plaintextClientFactory());
  }
  if (creds instanceof CompositeChannelCredentials) {
    CompositeChannelCredentials composite = (CompositeChannelCredentials) creds;
    FromChannelCredentialsResult inner = from(composite.getChannelCredentials());
    return inner.withCallCredentials(composite.getCallCredentials());
  }
  if (creds instanceof NettyChannelCredentials) {
    NettyChannelCredentials nettyCreds = (NettyChannelCredentials) creds;
    return FromChannelCredentialsResult.negotiator(nettyCreds.getNegotiator());
  }
  if (creds instanceof ChoiceChannelCredentials) {
    ChoiceChannelCredentials choice = (ChoiceChannelCredentials) creds;
    StringBuilder reasons = new StringBuilder();
    for (ChannelCredentials candidate : choice.getCredentialsList()) {
      FromChannelCredentialsResult attempt = from(candidate);
      if (attempt.error == null) {
        return attempt;
      }
      reasons.append(", ").append(attempt.error);
    }
    // Every entry failed: report all reasons, dropping the leading ", " separator.
    return FromChannelCredentialsResult.error(reasons.substring(2));
  }
  return FromChannelCredentialsResult.error(
      "Unsupported credential type: " + creds.getClass().getName());
}
Use of io.netty.handler.ssl.SslContextBuilder in project grpc-java by grpc.
The class ProtocolNegotiators, method from(ServerCredentials).
/**
 * Translates {@link ServerCredentials} into a Netty server protocol negotiator, or into an error
 * describing why this transport cannot honour them.
 *
 * <p>Supported shapes: TLS, insecure/plaintext, Netty-native negotiator credentials, and a choice
 * list where the first convertible entry wins. Other subtypes yield an error result.
 *
 * @param creds the credentials to convert
 * @return a result carrying either a negotiator factory or a human-readable error string
 * @throws IllegalArgumentException if the TLS credentials are accepted but the Netty
 *     {@code SslContext} cannot be built from them
 */
public static FromServerCredentialsResult from(ServerCredentials creds) {
  if (creds instanceof TlsServerCredentials) {
    TlsServerCredentials tls = (TlsServerCredentials) creds;
    // Reject requested TLS features this negotiator does not implement rather than ignoring them.
    Set<TlsServerCredentials.Feature> unsupported =
        tls.incomprehensible(understoodServerTlsFeatures);
    if (!unsupported.isEmpty()) {
      return FromServerCredentialsResult.error("TLS features not understood: " + unsupported);
    }
    // A server must have an identity: explicit KeyManagers, else a PEM chain + key. The
    // credentials type is expected to guarantee one of them, hence the AssertionError.
    SslContextBuilder sslBuilder;
    if (tls.getKeyManagers() != null) {
      sslBuilder = GrpcSslContexts.configure(
          SslContextBuilder.forServer(new FixedKeyManagerFactory(tls.getKeyManagers())));
    } else if (tls.getPrivateKey() != null) {
      sslBuilder = GrpcSslContexts.forServer(
          new ByteArrayInputStream(tls.getCertificateChain()),
          new ByteArrayInputStream(tls.getPrivateKey()),
          tls.getPrivateKeyPassword());
    } else {
      throw new AssertionError("BUG! No key");
    }
    // Client-certificate verification: explicit TrustManagers, else PEM roots, else nothing is set
    // on the builder and the system default trust store is used.
    if (tls.getTrustManagers() != null) {
      sslBuilder.trustManager(new FixedTrustManagerFactory(tls.getTrustManagers()));
    } else if (tls.getRootCertificates() != null) {
      sslBuilder.trustManager(new ByteArrayInputStream(tls.getRootCertificates()));
    }
    // Map the credentials' client-auth mode onto Netty's enum; an unknown value is an error, not a
    // silent fallback to a weaker mode.
    switch (tls.getClientAuth()) {
      case OPTIONAL:
        sslBuilder.clientAuth(io.netty.handler.ssl.ClientAuth.OPTIONAL);
        break;
      case REQUIRE:
        sslBuilder.clientAuth(io.netty.handler.ssl.ClientAuth.REQUIRE);
        break;
      case NONE:
        sslBuilder.clientAuth(io.netty.handler.ssl.ClientAuth.NONE);
        break;
      default:
        return FromServerCredentialsResult.error(
            "Unknown TlsServerCredentials.ClientAuth value: " + tls.getClientAuth());
    }
    SslContext sslContext;
    try {
      sslContext = sslBuilder.build();
    } catch (SSLException ex) {
      throw new IllegalArgumentException(
          "Unexpected error converting ServerCredentials to Netty SslContext", ex);
    }
    return FromServerCredentialsResult.negotiator(serverTlsFactory(sslContext));
  }
  if (creds instanceof InsecureServerCredentials) {
    return FromServerCredentialsResult.negotiator(serverPlaintextFactory());
  }
  if (creds instanceof NettyServerCredentials) {
    NettyServerCredentials nettyCreds = (NettyServerCredentials) creds;
    return FromServerCredentialsResult.negotiator(nettyCreds.getNegotiator());
  }
  if (creds instanceof ChoiceServerCredentials) {
    ChoiceServerCredentials choice = (ChoiceServerCredentials) creds;
    StringBuilder reasons = new StringBuilder();
    for (ServerCredentials candidate : choice.getCredentialsList()) {
      FromServerCredentialsResult attempt = from(candidate);
      if (attempt.error == null) {
        return attempt;
      }
      reasons.append(", ").append(attempt.error);
    }
    // Every entry failed: report all reasons, dropping the leading ", " separator.
    return FromServerCredentialsResult.error(reasons.substring(2));
  }
  return FromServerCredentialsResult.error(
      "Unsupported credential type: " + creds.getClass().getName());
}
Use of io.netty.handler.ssl.SslContextBuilder in project grpc-java by grpc.
The class CertProviderServerSslContextProvider, method getSslContextBuilder.
/**
 * Builds a server {@link SslContextBuilder} from the saved key and certificate chain.
 *
 * <p>When mTLS is enabled, a trust manager factory over the saved trusted roots (validated
 * against the given context) is installed via {@code setClientAuthValues}; otherwise {@code null}
 * is passed and no client-certificate trust source is configured here. The builder is then run
 * through {@link GrpcSslContexts#configure}.
 *
 * @param certificateValidationContextdationContext validation context handed to the trust
 *     manager factory when mTLS is on
 * @return the configured, not yet built, server SSL context builder
 * @throws CertStoreException if the trust store cannot be set up
 * @throws CertificateException if certificate material is invalid
 * @throws IOException if certificate material cannot be read
 */
@Override
protected final SslContextBuilder getSslContextBuilder(
    CertificateValidationContext certificateValidationContextdationContext)
    throws CertStoreException, CertificateException, IOException {
  SslContextBuilder builder = SslContextBuilder.forServer(savedKey, savedCertChain);
  SdsTrustManagerFactory trustFactory = null;
  if (isMtls()) {
    // Only an mTLS server verifies peers, so only then is a trust source needed.
    X509Certificate[] roots = savedTrustedRoots.toArray(new X509Certificate[0]);
    trustFactory = new SdsTrustManagerFactory(roots, certificateValidationContextdationContext);
  }
  setClientAuthValues(builder, trustFactory);
  return GrpcSslContexts.configure(builder);
}
Use of io.netty.handler.ssl.SslContextBuilder in project dubbo by alibaba.
The class GrpcOptionsUtils, method buildServerSslContext.
/**
 * Builds the server-side Netty {@link SslContext} from the application-level {@link SslConfig}.
 *
 * <p>The certificate chain and private key are read from the configured streams, with an optional
 * key password. A trust-cert collection is optional: when present it becomes the trust manager
 * and a client certificate is required ({@code ClientAuth.REQUIRE}); when absent no trust manager
 * and no client-auth mode are set on the builder. All streams are closed before the context is
 * built.
 *
 * @param url currently unused; the configuration is taken from the global {@link ConfigManager}
 * @return the built server {@code SslContext}
 * @throws IllegalStateException if no SSL config is present or the context cannot be built
 * @throws IllegalArgumentException if the certificate material cannot be read or is invalid
 */
private static SslContext buildServerSslContext(URL url) {
  ConfigManager configManager = ApplicationModel.getConfigManager();
  SslConfig sslConfig = configManager.getSsl().orElseThrow(
      () -> new IllegalStateException("Ssl enabled, but no ssl cert information provided!"));
  SslContextBuilder serverBuilder = null;
  InputStream certChain = null;
  InputStream privateKey = null;
  InputStream trustCerts = null;
  try {
    certChain = sslConfig.getServerKeyCertChainPathStream();
    privateKey = sslConfig.getServerPrivateKeyPathStream();
    String keyPassword = sslConfig.getServerKeyPassword();
    serverBuilder = keyPassword == null
        ? GrpcSslContexts.forServer(certChain, privateKey)
        : GrpcSslContexts.forServer(certChain, privateKey, keyPassword);
    trustCerts = sslConfig.getServerTrustCertCollectionPathStream();
    if (trustCerts != null) {
      // Client certificates are only demanded when a trust source to verify them exists.
      serverBuilder.trustManager(trustCerts);
      serverBuilder.clientAuth(ClientAuth.REQUIRE);
    }
  } catch (Exception e) {
    throw new IllegalArgumentException(
        "Could not find certificate file or the certificate is invalid.", e);
  } finally {
    safeCloseStream(certChain);
    safeCloseStream(privateKey);
    safeCloseStream(trustCerts);
  }
  try {
    return serverBuilder.build();
  } catch (SSLException e) {
    throw new IllegalStateException("Build SslSession failed.", e);
  }
}
Use of io.netty.handler.ssl.SslContextBuilder in project dubbo by alibaba.
The class SslContexts, method buildServerSslContext.
/**
 * Builds the server-side Netty {@link SslContext} from the application-level {@link SslConfig}.
 *
 * <p>The certificate chain and private key are read from the configured streams, with an optional
 * key password. A trust-cert collection is optional: when present it becomes the trust manager
 * and a client certificate is required ({@code ClientAuth.REQUIRE}); when absent no trust manager
 * and no client-auth mode are set on the builder. Configured cipher suites and protocol versions,
 * if any, are applied verbatim. All streams are closed before the context is built with the
 * provider chosen by {@code findSslProvider()}.
 *
 * @param url currently unused; the configuration is taken from the global {@link ConfigManager}
 * @return the built server {@code SslContext}
 * @throws IllegalStateException if no SSL config is present or the context cannot be built
 * @throws IllegalArgumentException if the certificate material cannot be read or is invalid
 */
public static SslContext buildServerSslContext(URL url) {
  ConfigManager configManager = ApplicationModel.getConfigManager();
  SslConfig sslConfig = configManager.getSsl().orElseThrow(
      () -> new IllegalStateException("Ssl enabled, but no ssl cert information provided!"));
  SslContextBuilder serverBuilder = null;
  InputStream certChain = null;
  InputStream privateKey = null;
  InputStream trustCerts = null;
  try {
    certChain = sslConfig.getServerKeyCertChainPathStream();
    privateKey = sslConfig.getServerPrivateKeyPathStream();
    trustCerts = sslConfig.getServerTrustCertCollectionPathStream();
    String keyPassword = sslConfig.getServerKeyPassword();
    serverBuilder = keyPassword == null
        ? SslContextBuilder.forServer(certChain, privateKey)
        : SslContextBuilder.forServer(certChain, privateKey, keyPassword);
    if (trustCerts != null) {
      // Client certificates are only demanded when a trust source to verify them exists.
      serverBuilder.trustManager(trustCerts);
      serverBuilder.clientAuth(ClientAuth.REQUIRE);
    }
    if (sslConfig.getCiphers() != null) {
      serverBuilder.ciphers(sslConfig.getCiphers());
    }
    if (sslConfig.getProtocols() != null) {
      serverBuilder.protocols(sslConfig.getProtocols());
    }
  } catch (Exception e) {
    throw new IllegalArgumentException(
        "Could not find certificate file or the certificate is invalid.", e);
  } finally {
    safeCloseStream(certChain);
    safeCloseStream(privateKey);
    safeCloseStream(trustCerts);
  }
  try {
    return serverBuilder.sslProvider(findSslProvider()).build();
  } catch (SSLException e) {
    throw new IllegalStateException("Build SslSession failed.", e);
  }
}