
Example 26 with KeyManager

use of javax.net.ssl.KeyManager in project nifi by apache.

the class InvokeHTTP method setSslSocketFactory.

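/*
        Overall, this method is based off of examples from OkHttp3 documentation:
            https://square.github.io/okhttp/3.x/okhttp/okhttp3/OkHttpClient.Builder.html#sslSocketFactory-javax.net.ssl.SSLSocketFactory-javax.net.ssl.X509TrustManager-
            https://github.com/square/okhttp/blob/master/samples/guide/src/main/java/okhttp3/recipes/CustomTrust.java#L156

        In-depth documentation on Java Secure Socket Extension (JSSE) Classes and interfaces:
            https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#JSSEClasses
     */
/**
 * Initialises {@code sslContext} from the key store and trust store described by {@code sslService}
 * and installs the resulting {@link SSLSocketFactory} on {@code okHttpClientBuilder}.
 * <p>
 * The key store is optional: when it is not configured the key-manager array stays {@code null},
 * which {@link SSLContext#init} treats as "use the provider defaults". The trust store is effectively
 * required, because the {@code X509} {@link TrustManagerFactory} is only initialised when one is
 * configured and its trust managers are fetched unconditionally below.
 *
 * @param okHttpClientBuilder builder that receives the socket factory and trust manager
 * @param sslService          supplies store locations, passwords and types
 * @param sslContext          an uninitialised context; it is initialised here
 * @param setAsSocketFactory  when {@code true}, the SSL socket factory is also installed as the
 *                            builder's plain socket factory
 * @throws IOException               if a store file cannot be read
 * @throws KeyStoreException         if a store cannot be instantiated or a factory cannot be initialised
 * @throws CertificateException      if a certificate in a store cannot be loaded
 * @throws NoSuchAlgorithmException  if a required algorithm is unavailable
 * @throws UnrecoverableKeyException if a key cannot be recovered with the supplied password
 * @throws KeyManagementException    if the context cannot be initialised
 * @throws IllegalStateException     if no {@link X509TrustManager} is available
 */
private void setSslSocketFactory(OkHttpClient.Builder okHttpClientBuilder, SSLContextService sslService, SSLContext sslContext, boolean setAsSocketFactory) throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException, KeyManagementException {
    final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance("X509");

    // stays null unless a key store is configured; SSLContext.init then uses the provider's default key managers
    KeyManager[] keyManagers = null;
    if (sslService.isKeyStoreConfigured()) {
        final String keystoreLocation = sslService.getKeyStoreFile();
        final char[] keystorePass = sslService.getKeyStorePassword().toCharArray();
        final String keystoreType = sslService.getKeyStoreType();
        final KeyStore keyStore = KeyStore.getInstance(keystoreType);
        try (FileInputStream keyStoreStream = new FileInputStream(keystoreLocation)) {
            keyStore.load(keyStoreStream, keystorePass);
        }
        keyManagerFactory.init(keyStore, keystorePass);
        keyManagers = keyManagerFactory.getKeyManagers();
    }

    // the trust store is only loaded if the SSLContextService supplied one; the stream is closed on every path
    if (sslService.isTrustStoreConfigured()) {
        final String truststoreLocation = sslService.getTrustStoreFile();
        final char[] truststorePass = sslService.getTrustStorePassword().toCharArray();
        final String truststoreType = sslService.getTrustStoreType();
        final KeyStore truststore = KeyStore.getInstance(truststoreType);
        try (FileInputStream trustStoreStream = new FileInputStream(truststoreLocation)) {
            truststore.load(trustStoreStream, truststorePass);
        }
        trustManagerFactory.init(truststore);
    }

    /*
        TrustManagerFactory.getTrustManagers returns a trust manager for each type of trust material. Since we are getting a trust manager factory that uses "X509"
        as its trust management algorithm, we are able to grab the first (and thus the most preferred) and use it as our x509 Trust Manager

        https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/TrustManagerFactory.html#getTrustManagers--

        NOTE(review): if no trust store was configured the factory was never initialised; getTrustManagers()
        is then expected to throw IllegalStateException rather than fall back to the JVM's default trust
        store — confirm that is the behaviour callers intend.
     */
    final TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
    if (trustManagers.length == 0 || !(trustManagers[0] instanceof X509TrustManager)) {
        // also guards the empty-array case, which would otherwise surface as ArrayIndexOutOfBoundsException
        throw new IllegalStateException("No X509TrustManager available from the TrustManagerFactory");
    }
    final X509TrustManager x509TrustManager = (X509TrustManager) trustManagers[0];

    // if keystore properties were not supplied, the keyManagers array will be null
    sslContext.init(keyManagers, trustManagers, null);
    final SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
    okHttpClientBuilder.sslSocketFactory(sslSocketFactory, x509TrustManager);
    if (setAsSocketFactory) {
        // NOTE(review): later OkHttp releases reject an SSLSocketFactory passed to socketFactory();
        // confirm against the OkHttp version in use.
        okHttpClientBuilder.socketFactory(sslSocketFactory);
    }
}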

Example 27 with KeyManager

use of javax.net.ssl.KeyManager in project oxCore by GluuFederation.

the class SslDefaultHttpClient method newSslSocketFactory.

/**
 * Builds an Apache HttpClient {@link SSLSocketFactory} backed by a fresh {@code "TLS"} {@link SSLContext}.
 * <p>
 * Trust managers come from {@link #getTrustManagers()} when {@code useTrustManager} is set and from the
 * {@code trustManagers} field otherwise; key managers come from {@link #getKeyManagers()} only when
 * {@code useKeyManager} is set, else the context falls back to the provider defaults.
 * <p>
 * NOTE(review): the factory is created with {@code ALLOW_ALL_HOSTNAME_VERIFIER}, which turns off host
 * name verification of the server certificate: any certificate accepted by the trust managers is
 * accepted for any host. That leaves the connection open to an attacker holding any trusted
 * certificate; use a strict verifier unless a documented reason requires this.
 *
 * @return the configured socket factory
 * @throws IllegalArgumentException wrapping any failure while building the context or factory
 */
private SSLSocketFactory newSslSocketFactory() {
    try {
        final TrustManager[] tms = useTrustManager ? getTrustManagers() : this.trustManagers;
        final KeyManager[] kms = useKeyManager ? getKeyManagers() : null;
        final SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(kms, tms, new SecureRandom());
        // Pass the keystore to the SSLSocketFactory
        return new SSLSocketFactory(sslContext, SSLSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
    } catch (Exception ex) {
        throw new IllegalArgumentException("Failed to load keystore", ex);
    }
}

Example 28 with KeyManager

use of javax.net.ssl.KeyManager in project zookeeper by apache.

the class X509Util method createSSLContext.

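/**
 * Builds an {@link SSLContext} from the key store and trust store properties in {@code config}.
 * <p>
 * Each store is optional: when neither its location nor its password property is set a warning is
 * logged and the corresponding manager array stays {@code null}, so {@link SSLContext#init} falls
 * back to the JVM defaults for that side. Setting exactly one of the two properties is rejected.
 *
 * @param config ZooKeeper configuration holding the {@code ssl.*} properties
 * @return the initialised context
 * @throws SSLContextException if a store is only half configured, a manager cannot be created,
 *                             or the context cannot be created or initialised
 */
public static SSLContext createSSLContext(ZKConfig config) throws SSLContextException {
    KeyManager[] keyManagers = null;
    TrustManager[] trustManagers = null;

    final String keyStoreLocationProp = config.getProperty(ZKConfig.SSL_KEYSTORE_LOCATION);
    final String keyStorePasswordProp = config.getProperty(ZKConfig.SSL_KEYSTORE_PASSWD);
    if (keyStoreLocationProp == null && keyStorePasswordProp == null) {
        LOG.warn("keystore not specified for client connection");
    } else {
        if (keyStoreLocationProp == null) {
            throw new SSLContextException("keystore location not specified for client connection");
        }
        if (keyStorePasswordProp == null) {
            throw new SSLContextException("keystore password not specified for client connection");
        }
        try {
            keyManagers = new KeyManager[] { createKeyManager(keyStoreLocationProp, keyStorePasswordProp) };
        } catch (KeyManagerException e) {
            throw new SSLContextException("Failed to create KeyManager", e);
        }
    }

    final String trustStoreLocationProp = config.getProperty(ZKConfig.SSL_TRUSTSTORE_LOCATION);
    final String trustStorePasswordProp = config.getProperty(ZKConfig.SSL_TRUSTSTORE_PASSWD);
    if (trustStoreLocationProp == null && trustStorePasswordProp == null) {
        LOG.warn("Truststore not specified for client connection");
    } else {
        if (trustStoreLocationProp == null) {
            throw new SSLContextException("Truststore location not specified for client connection");
        }
        if (trustStorePasswordProp == null) {
            throw new SSLContextException("Truststore password not specified for client connection");
        }
        try {
            trustManagers = new TrustManager[] { createTrustManager(trustStoreLocationProp, trustStorePasswordProp) };
        } catch (TrustManagerException e) {
            throw new SSLContextException("Failed to create TrustManager", e);
        }
    }

    // NOTE(review): "TLSv1" names a deprecated protocol version; whether the provider also enables
    // newer versions for such a context depends on the JDK. Prefer a "TLS" or "TLSv1.2"+ context and
    // set the enabled protocols explicitly on the sockets created from it.
    try {
        final SSLContext sslContext = SSLContext.getInstance("TLSv1");
        sslContext.init(keyManagers, trustManagers, null);
        return sslContext;
    } catch (java.security.NoSuchAlgorithmException | java.security.KeyManagementException e) {
        // these are the only checked exceptions getInstance/init declare; anything else is a
        // programming error and propagates unwrapped
        throw new SSLContextException(e);
    }
}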

Example 29 with KeyManager

use of javax.net.ssl.KeyManager in project geode by apache.

the class SocketCreator method createAndConfigureSSLContext.

/**
   * Creates & configures the SSLContext when SSL is enabled.
   * <p>
   * The context instance comes from {@link #getSSLContextInstance()}; its key and trust
   * managers come from {@link #getKeyManagers()} and {@link #getTrustManagers()}. The
   * {@code null} third argument to {@code init} leaves the secure-random source to the
   * provider's default.
   *
   * @return new SSLContext configured using the given protocols & properties
   *
   * @throws GeneralSecurityException if security information can not be found
   * @throws IOException if information can not be loaded
   */
private SSLContext createAndConfigureSSLContext() throws GeneralSecurityException, IOException {
    final SSLContext sslContext = getSSLContextInstance();
    // arguments are evaluated left to right: key managers are loaded before trust managers
    sslContext.init(getKeyManagers(), getTrustManagers(), null);
    return sslContext;
}

Example 30 with KeyManager

use of javax.net.ssl.KeyManager in project geode by apache.

the class SocketCreator method getKeyManagers.

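/**
 * Loads the configured key store and wraps each resulting {@link KeyManager} in an
 * {@link ExtendedAliasKeyManager} bound to the configured alias.
 * <p>
 * Key store type, location and password each fall back in the same order: the {@code sslConfig}
 * value, then an interactive console prompt when one is available, then a default (the JVM default
 * store type; {@code ~/.keystore}; no password). The password additionally consults the
 * {@code javax.net.ssl.keyStorePassword} environment variable (expected in encrypted form) before
 * prompting. The password buffer is scrubbed once the store has been loaded, whether or not loading
 * succeeded; the {@code String} it was derived from cannot be scrubbed.
 *
 * @return one wrapped key manager per manager produced by the {@link KeyManagerFactory}
 * @throws KeyStoreException         if the key store type is unsupported or the factory cannot be initialised
 * @throws IOException               if the key store file cannot be read or the password is wrong
 * @throws NoSuchAlgorithmException  if the store's integrity algorithm is unavailable
 * @throws CertificateException      if a certificate in the store cannot be loaded
 * @throws UnrecoverableKeyException if a key cannot be recovered with the given password
 */
private KeyManager[] getKeyManagers() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
    final GfeConsoleReader consoleReader = GfeConsoleReaderFactory.getDefaultConsoleReader();
    final KeyStore keyStore = KeyStore.getInstance(resolveKeyStoreType(consoleReader));
    final String keyStoreFilePath = resolveKeyStoreLocation(consoleReader);

    final KeyManager[] keyManagers;
    // the file is opened before the password is resolved, so a missing store fails before any prompt
    try (FileInputStream fileInputStream = new FileInputStream(keyStoreFilePath)) {
        final char[] password = resolveKeyStorePassword(consoleReader);
        try {
            keyStore.load(fileInputStream, password);
            // default algorithm can be changed by setting property "ssl.KeyManagerFactory.algorithm" in
            // security properties
            final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, password);
            keyManagers = keyManagerFactory.getKeyManagers();
        } finally {
            // follow the security tip in java doc: scrub the password even when loading fails
            if (password != null) {
                java.util.Arrays.fill(password, ' ');
            }
        }
    }

    final KeyManager[] extendedKeyManagers = new KeyManager[keyManagers.length];
    for (int i = 0; i < keyManagers.length; i++) {
        extendedKeyManagers[i] = new ExtendedAliasKeyManager(keyManagers[i], sslConfig.getAlias());
    }
    return extendedKeyManagers;
}

/** Key store type: the configured value, else a console prompt, else {@link KeyStore#getDefaultType()}. */
private String resolveKeyStoreType(GfeConsoleReader consoleReader) {
    final String configured = sslConfig.getKeystoreType();
    if (!StringUtils.isEmpty(configured)) {
        return configured;
    }
    // read from console, default on empty
    if (consoleReader.isSupported()) {
        return consoleReader.readLine("Please enter the keyStoreType (javax.net.ssl.keyStoreType) : ");
    }
    return KeyStore.getDefaultType();
}

/** Key store path: the configured value, else a console prompt, else {@code <user.home>/.keystore}. */
private String resolveKeyStoreLocation(GfeConsoleReader consoleReader) {
    final String configured = sslConfig.getKeystore();
    if (!StringUtils.isEmpty(configured)) {
        return configured;
    }
    if (consoleReader.isSupported()) {
        return consoleReader.readLine("Please enter the keyStore location (javax.net.ssl.keyStore) : ");
    }
    return System.getProperty("user.home") + System.getProperty("file.separator") + ".keystore";
}

/**
 * Key store password as a fresh {@code char[]}: the configured value when it is non-blank; otherwise
 * the decrypted {@code javax.net.ssl.keyStorePassword} environment variable, then a console prompt.
 * Returns {@code null} when no password is configured at all (a password-less store) or when the
 * fallbacks yield nothing.
 */
private char[] resolveKeyStorePassword(GfeConsoleReader consoleReader) {
    final String passwordString = sslConfig.getKeystorePassword();
    if (passwordString == null) {
        return null;
    }
    if (!passwordString.trim().isEmpty()) {
        return passwordString.toCharArray();
    }
    char[] password = null;
    final String encryptedPass = System.getenv("javax.net.ssl.keyStorePassword");
    if (!StringUtils.isEmpty(encryptedPass)) {
        // NOTE(review): PasswordUtil.decrypt is project code; a null result would NPE here — confirm its contract
        final String toDecrypt = "encrypted(" + encryptedPass + ")";
        password = PasswordUtil.decrypt(toDecrypt).toCharArray();
    }
    // read from the console when neither configuration nor environment produced a usable password.
    // Checking the char[] (not the possibly whitespace-only configured string) means a blank
    // configured password no longer skips the prompt.
    if ((password == null || password.length == 0) && consoleReader != null) {
        password = consoleReader.readPassword("Please enter password for keyStore (javax.net.ssl.keyStorePassword) : ");
    }
    return password;
}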
