
Example 91 with SSLEngine

use of javax.net.ssl.SSLEngine in project incubator-servicecomb-java-chassis by apache.

the class SSLManager method createSSLEngine.

public static SSLEngine createSSLEngine(SSLOption option, SSLCustom custom) {
    SSLContext context = createSSLContext(option, custom);
    // No peer host/port is passed, so JSSE cannot use them for SNI or endpoint
    // identification on this engine; client/server mode is left to the caller.
    SSLEngine engine = context.createSSLEngine();
    // Protocol versions come straight from configuration (comma separated, e.g. "TLSv1.2").
    engine.setEnabledProtocols(option.getProtocols().split(","));
    // getEnabledCiphers (not shown here) is expected to keep only the configured suites
    // that this engine supports: passing an unsupported suite name to
    // setEnabledCipherSuites throws IllegalArgumentException.
    String[] supported = engine.getSupportedCipherSuites();
    String[] enabled = option.getCiphers().split(",");
    engine.setEnabledCipherSuites(getEnabledCiphers(supported, enabled));
    // authPeer=true makes a client certificate mandatory (mutual TLS); the handshake fails without one.
    engine.setNeedClientAuth(option.isAuthPeer());
    return engine;
}
Also used : SSLEngine(javax.net.ssl.SSLEngine) SSLContext(javax.net.ssl.SSLContext)

Example 92 with SSLEngine

use of javax.net.ssl.SSLEngine in project incubator-servicecomb-java-chassis by apache.

the class TrustManagerExtTest method testCheckClientTrustedExecption.

@Test
public void testCheckClientTrustedExecption(@Mocked CertificateUtil certificateUtil) {
    // Two stand-in certificates form the peer chain handed to the trust manager.
    MyX509Certificate myX509Certificate1 = new MyX509Certificate();
    MyX509Certificate myX509Certificate2 = new MyX509Certificate();
    MyX509Certificate[] MyX509CertificateArray = new MyX509Certificate[2];
    MyX509CertificateArray[0] = myX509Certificate1;
    MyX509CertificateArray[1] = myX509Certificate2;
    new Expectations() {

        {
            // Stub certificate parsing so no real X.509 material is needed;
            // the peer's CN is reported as a fixed IP literal.
            CertificateUtil.findOwner((X509Certificate[]) any);
            result = any;
            CertificateUtil.getCN((X509Certificate) any);
            result = "10.67.147.115";
        }
    };
    MyX509ExtendedTrustManager myX509ExtendedTrustManager = new MyX509ExtendedTrustManager();
    TrustManagerExt trustManagerExt = new TrustManagerExt(myX509ExtendedTrustManager, option, custom);
    Socket socket = null;
    SSLEngine sslengine = null;
    // Make every InputStreamReader.read(char[]) fail. TrustManagerExt must surface that
    // I/O failure as a CertificateException instead of silently trusting the peer.
    new MockUp<InputStreamReader>() {

        @Mock
        public int read(char[] cbuf) throws IOException {
            throw new IOException();
        }
    };
    boolean validAssert = true;
    try {
        // All four X509ExtendedTrustManager entry points (Socket and SSLEngine variants).
        trustManagerExt.checkClientTrusted(MyX509CertificateArray, "pks", socket);
        trustManagerExt.checkClientTrusted(MyX509CertificateArray, "pks", sslengine);
        trustManagerExt.checkServerTrusted(MyX509CertificateArray, "pks", socket);
        trustManagerExt.checkServerTrusted(MyX509CertificateArray, "pks", sslengine);
    } catch (Exception e) {
        // The failure must be reported as exactly java.security.cert.CertificateException.
        Assert.assertEquals("java.security.cert.CertificateException", e.getClass().getName());
        validAssert = false;
    }
    // At least one of the checks must have thrown.
    Assert.assertFalse(validAssert);
}
Also used : Expectations(mockit.Expectations) SSLEngine(javax.net.ssl.SSLEngine) MockUp(mockit.MockUp) IOException(java.io.IOException) X509Certificate(java.security.cert.X509Certificate) Socket(java.net.Socket) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertificateExpiredException(java.security.cert.CertificateExpiredException) SignatureException(java.security.SignatureException) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) NoSuchProviderException(java.security.NoSuchProviderException) CertificateEncodingException(java.security.cert.CertificateEncodingException) Test(org.junit.Test)

Example 93 with SSLEngine

use of javax.net.ssl.SSLEngine in project incubator-servicecomb-java-chassis by apache.

the class TrustManagerExtTest method testCheckClientTrusted.

@Test
public void testCheckClientTrusted(@Mocked CertificateUtil certificateUtil) {
    // Same setup as the exception test above, but without an injected I/O failure.
    MyX509Certificate myX509Certificate1 = new MyX509Certificate();
    MyX509Certificate myX509Certificate2 = new MyX509Certificate();
    MyX509Certificate[] MyX509CertificateArray = new MyX509Certificate[2];
    MyX509CertificateArray[0] = myX509Certificate1;
    MyX509CertificateArray[1] = myX509Certificate2;
    new Expectations() {

        {
            // Stub certificate parsing; the peer's CN is reported as a fixed IP literal.
            CertificateUtil.findOwner((X509Certificate[]) any);
            result = any;
            CertificateUtil.getCN((X509Certificate) any);
            result = "10.67.147.115";
        }
    };
    MyX509ExtendedTrustManager myX509ExtendedTrustManager = new MyX509ExtendedTrustManager();
    TrustManagerExt trustManagerExt = new TrustManagerExt(myX509ExtendedTrustManager, option, custom);
    Socket socket = null;
    SSLEngine sslengine = null;
    boolean validAssert = true;
    try {
        // All four entry points must accept the chain when the CN check succeeds.
        trustManagerExt.checkClientTrusted(MyX509CertificateArray, "pks", socket);
        trustManagerExt.checkClientTrusted(MyX509CertificateArray, "pks", sslengine);
        trustManagerExt.checkServerTrusted(MyX509CertificateArray, "pks", socket);
        trustManagerExt.checkServerTrusted(MyX509CertificateArray, "pks", sslengine);
    } catch (Exception e) {
        validAssert = false;
    }
    Assert.assertTrue(validAssert);
}
Also used : Expectations(mockit.Expectations) SSLEngine(javax.net.ssl.SSLEngine) X509Certificate(java.security.cert.X509Certificate) Socket(java.net.Socket) CertificateNotYetValidException(java.security.cert.CertificateNotYetValidException) CertificateExpiredException(java.security.cert.CertificateExpiredException) SignatureException(java.security.SignatureException) IOException(java.io.IOException) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) InvalidKeyException(java.security.InvalidKeyException) NoSuchProviderException(java.security.NoSuchProviderException) CertificateEncodingException(java.security.cert.CertificateEncodingException) Test(org.junit.Test)

Example 94 with SSLEngine

use of javax.net.ssl.SSLEngine in project java by wavefrontHQ.

the class SslSimpleBuilder method build.

public SslHandler build(ByteBufAllocator bufferAllocator) throws IOException, NoSuchAlgorithmException, CertificateException {
    SslContextBuilder builder = SslContextBuilder.forServer(sslCertificateFile, sslKeyFile, passPhrase);
    if (logger.isDebugEnabled())
        logger.debug("Ciphers:  " + ciphers.toString());
    builder.ciphers(Arrays.asList(ciphers));
    if (requireClientAuth()) {
        if (logger.isDebugEnabled())
            logger.debug("Certificate Authorities: " + certificateAuthorities.toString());
        // Client certificates are validated only against the configured CA set,
        // not against the JVM's default trust store.
        builder.trustManager(loadCertificateCollection(certificateAuthorities));
    }
    SslContext context = builder.build();
    SslHandler sslHandler = context.newHandler(bufferAllocator);
    if (logger.isDebugEnabled())
        logger.debug("TLS: " + protocols.toString());
    SSLEngine engine = sslHandler.engine();
    engine.setEnabledProtocols(protocols);
    if (requireClientAuth()) {
        // server is doing the handshake
        engine.setUseClientMode(false);
        if (verifyMode == SslClientVerifyMode.FORCE_PEER) {
            // Explicitly require a client certificate; the handshake fails without one.
            engine.setNeedClientAuth(true);
        } else if (verifyMode == SslClientVerifyMode.VERIFY_PEER) {
            // If the client supplies a certificate we verify it; a client without one still connects.
            engine.setWantClientAuth(true);
        }
    }
    // Bound how long a peer may keep a half-finished handshake open.
    sslHandler.setHandshakeTimeoutMillis(handshakeTimeoutMilliseconds);
    return sslHandler;
}
Also used : SslContextBuilder(io.netty.handler.ssl.SslContextBuilder) SSLEngine(javax.net.ssl.SSLEngine) SslHandler(io.netty.handler.ssl.SslHandler) SslContext(io.netty.handler.ssl.SslContext)
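Examples 91 and 94 both hand configuration strings to setEnabledProtocols / setEnabledCipherSuites and map a configuration flag onto setNeedClientAuth / setWantClientAuth. The class below is an added example written for this page, not code from servicecomb or the wavefront project, that does the same job fail-closed: it intersects the configured lists with what the engine supports, drops deprecated protocol versions and weak suite families even when they are configured, enables RFC 2818 endpoint identification on client-mode engines, and maps a three-way client-auth policy onto the two JSSE flags. The class and method names, the deny lists, and the sample configuration in main are assumptions of this example.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/** Added example (not project code): fail-closed SSLEngine configuration. */
public final class HardenedEngineFactory {

    /** Client-certificate policy, mirroring the three-way mode of Example 94. */
    public enum ClientAuth { NONE, OPTIONAL, REQUIRED }

    // Protocol versions never enabled, whatever the configuration says (assumed deny list).
    private static final Set<String> FORBIDDEN_PROTOCOLS = new LinkedHashSet<>(Arrays.asList(
            "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1"));

    // Substrings marking a suite as unacceptable: no encryption, no authentication,
    // export grade, or broken primitives (assumed deny list).
    private static final String[] WEAK_SUITE_MARKERS = {
            "_NULL_", "_anon_", "_EXPORT_", "_RC4_", "_DES_", "_3DES_", "_MD5"};

    static boolean isForbidden(String name) {
        if (FORBIDDEN_PROTOCOLS.contains(name)) {
            return true;
        }
        for (String marker : WEAK_SUITE_MARKERS) {
            if (name.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Keeps only configured names the engine supports and that are not on the deny list.
     * Unknown names are dropped rather than passed on (JSSE would throw on them); an empty
     * result is an error, not a silent fall-back to JSSE defaults.
     */
    static String[] intersect(String[] supported, String[] configured, String what) {
        Set<String> supportedSet = new LinkedHashSet<>(Arrays.asList(supported));
        List<String> result = new ArrayList<>();
        for (String raw : configured) {
            String name = raw.trim();
            if (!name.isEmpty() && supportedSet.contains(name) && !isForbidden(name)) {
                result.add(name);
            }
        }
        if (result.isEmpty()) {
            throw new IllegalArgumentException("no acceptable " + what + " left after filtering: "
                    + Arrays.toString(configured));
        }
        return result.toArray(new String[0]);
    }

    public static SSLEngine create(SSLContext ctx, String peerHost, int peerPort, boolean clientMode,
                                   String protocolsCsv, String ciphersCsv, ClientAuth clientAuth) {
        // Passing host/port lets JSSE use them for SNI and endpoint identification.
        SSLEngine engine = ctx.createSSLEngine(peerHost, peerPort);
        engine.setUseClientMode(clientMode);
        engine.setEnabledProtocols(intersect(engine.getSupportedProtocols(), protocolsCsv.split(","), "protocols"));
        engine.setEnabledCipherSuites(intersect(engine.getSupportedCipherSuites(), ciphersCsv.split(","), "cipher suites"));
        SSLParameters params = engine.getSSLParameters();
        if (clientMode) {
            // Client side: verify the server certificate against peerHost (RFC 2818 / RFC 6125 rules).
            params.setEndpointIdentificationAlgorithm("HTTPS");
        }
        engine.setSSLParameters(params);
        if (!clientMode) {
            switch (clientAuth) {
                case REQUIRED: engine.setNeedClientAuth(true); break;  // handshake fails without a client cert
                case OPTIONAL: engine.setWantClientAuth(true); break;  // cert requested, verified if presented
                default: break;                                         // anonymous clients accepted
            }
        }
        return engine;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Sample configuration (constructed for this example): TLSv1 and the RC4/MD5 suite are
        // configured but will be filtered out; nothing is connected, only the engine is built.
        SSLEngine client = create(SSLContext.getDefault(), "example.com", 443, true,
                "TLSv1.3,TLSv1.2,TLSv1",
                "TLS_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,SSL_RSA_WITH_RC4_128_MD5",
                ClientAuth.NONE);
        System.out.println("protocols: " + Arrays.toString(client.getEnabledProtocols()));
        System.out.println("ciphers:   " + Arrays.toString(client.getEnabledCipherSuites()));
        System.out.println("endpoint identification: "
                + client.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

The order matters: protocols and suites are set before getSSLParameters() so the SSLParameters copy already carries them, and the client-auth flags are set after setSSLParameters() so they are not reset by it. With Netty the same policy can be declared on the builder through SslContextBuilder.clientAuth(ClientAuth.NONE / OPTIONAL / REQUIRE) instead of flipping engine flags after newHandler().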

Example 95 with SSLEngine

use of javax.net.ssl.SSLEngine in project apache-kafka-on-k8s by banzaicloud.

the class SslTransportLayerTest method testClientEndpointNotValidated.

/**
 * According to RFC 2818:
 * <blockquote>Typically, the server has no external knowledge of what the client's
 * identity ought to be and so checks (other than that the client has a
 * certificate chain rooted in an appropriate CA) are not possible. If a
 * server has such knowledge (typically from some source external to
 * HTTP or TLS) it SHOULD check the identity as described above.</blockquote>
 *
 * However, Java SSL engine does not perform any endpoint validation for client IP address.
 * Hence it is safe to avoid reverse DNS lookup while creating the SSL engine. This test checks
 * that client validation does not fail even if the client certificate has an invalid hostname.
 * This test is to ensure that if client endpoint validation is added to Java in future, we can detect
 * and update Kafka SSL code to enable validation on the server-side and provide hostname if required.
 */
@Test
public void testClientEndpointNotValidated() throws Exception {
    String node = "0";
    // Create client certificate with an invalid hostname
    clientCertStores = new CertStores(false, "non-existent.com");
    serverCertStores = new CertStores(true, "localhost");
    sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
    sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);
    // Create a server with endpoint validation enabled on the server SSL engine
    SslChannelBuilder serverChannelBuilder = new TestSslChannelBuilder(Mode.SERVER) {

        @Override
        protected TestSslTransportLayer newTransportLayer(String id, SelectionKey key, SSLEngine sslEngine) throws IOException {
            SSLParameters sslParams = sslEngine.getSSLParameters();
            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
            sslEngine.setSSLParameters(sslParams);
            return super.newTransportLayer(id, key, sslEngine);
        }
    };
    serverChannelBuilder.configure(sslServerConfigs);
    server = new NioEchoServer(ListenerName.forSecurityProtocol(SecurityProtocol.SSL), SecurityProtocol.SSL, new TestSecurityConfig(sslServerConfigs), "localhost", serverChannelBuilder, null);
    server.start();
    createSelector(sslClientConfigs);
    InetSocketAddress addr = new InetSocketAddress("localhost", server.port());
    selector.connect(node, addr, BUFFER_SIZE, BUFFER_SIZE);
    NetworkTestUtils.checkClientConnection(selector, node, 100, 10);
}
Also used : SelectionKey(java.nio.channels.SelectionKey) SSLParameters(javax.net.ssl.SSLParameters) SSLEngine(javax.net.ssl.SSLEngine) InetSocketAddress(java.net.InetSocketAddress) TestSecurityConfig(org.apache.kafka.common.security.TestSecurityConfig) Test(org.junit.Test)
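Examples 92 and 93 exercise a trust manager (TrustManagerExt) that compares the peer's CN with an expected value through all four checkClientTrusted / checkServerTrusted overloads, and the Kafka test above records that the JSSE server side does not check the client certificate's name on its own. The following added example, written for this page and not code from either project, shows that check done the way RFC 2818 section 3.2 suggests: chain validation is delegated to the platform X509ExtendedTrustManager, and on the server side the leaf client certificate's subjectAltName DNS or IP entries must match an allow-list that the deployment supplies from outside TLS. The class name, the allow-list and the forServer factory are assumptions of this example; the tag values 2 (dNSName) and 7 (iPAddress) are those documented for X509Certificate.getSubjectAlternativeNames.

```java
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/**
 * Added example (not project code): server-side client-identity check layered on the platform
 * trust manager. Chain validation stays with the delegate; this class only adds "is this
 * validated client one we expect?", knowledge TLS itself does not have (RFC 2818, 3.2).
 */
public final class ClientIdentityTrustManager extends X509ExtendedTrustManager {

    // GeneralName tag values as returned by X509Certificate.getSubjectAlternativeNames().
    private static final int SAN_DNS_NAME = 2;
    private static final int SAN_IP_ADDRESS = 7;

    private final X509ExtendedTrustManager delegate;
    private final Set<String> allowedClientNames;   // lower-cased DNS names or IP literals

    public ClientIdentityTrustManager(X509ExtendedTrustManager delegate, Set<String> allowedClientNames) {
        this.delegate = delegate;
        Set<String> normalized = new LinkedHashSet<>();
        for (String name : allowedClientNames) {
            normalized.add(name.trim().toLowerCase(Locale.ROOT));
        }
        this.allowedClientNames = normalized;
    }

    /** Builds the JSSE default trust manager for trustStore and wraps it with the allow-list. */
    public static TrustManager[] forServer(KeyStore trustStore, Set<String> allowedClientNames)
            throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                return new TrustManager[] {
                        new ClientIdentityTrustManager((X509ExtendedTrustManager) tm, allowedClientNames) };
            }
        }
        throw new GeneralSecurityException("no X509ExtendedTrustManager available");
    }

    /** DNS and IP subjectAltName entries of cert, lower-cased; empty when the extension is absent. */
    static Set<String> sanIdentities(X509Certificate cert) throws CertificateException {
        Set<String> ids = new LinkedHashSet<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();   // null when no SAN extension
        if (sans == null) {
            return ids;
        }
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            Object value = entry.get(1);
            if ((type == SAN_DNS_NAME || type == SAN_IP_ADDRESS) && value instanceof String) {
                ids.add(((String) value).toLowerCase(Locale.ROOT));
            }
        }
        return ids;
    }

    private void checkClientIdentity(X509Certificate[] chain) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty client certificate chain");
        }
        Set<String> presented = sanIdentities(chain[0]);   // identity lives in the leaf, not the CA
        for (String id : presented) {
            if (allowedClientNames.contains(id)) {
                return;
            }
        }
        // Fail closed: no SAN at all, or none on the allow-list. A CN fallback is deliberately
        // omitted: CN is free text and RFC 6125 deprecates it as an identity.
        throw new CertificateException("client identity " + presented + " not in " + allowedClientNames);
    }

    // Server side: validate the chain first, then the identity, on every JSSE entry point.
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkClientTrusted(chain, authType); checkClientIdentity(chain); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        delegate.checkClientTrusted(chain, authType, socket); checkClientIdentity(chain); }
    @Override public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        delegate.checkClientTrusted(chain, authType, engine); checkClientIdentity(chain); }

    // Client side: unchanged; the delegate already verifies the server name when the engine's
    // SSLParameters carry an endpoint identification algorithm.
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        delegate.checkServerTrusted(chain, authType); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) throws CertificateException {
        delegate.checkServerTrusted(chain, authType, socket); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) throws CertificateException {
        delegate.checkServerTrusted(chain, authType, engine); }
    @Override public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
}
```

Wire it in with ctx.init(keyManagers, ClientIdentityTrustManager.forServer(trustStore, allowedNames), null) and create server engines from that context with setNeedClientAuth(true) (or setWantClientAuth(true), in which case the identity check only runs for clients that present a certificate). A client whose validated certificate names 10.67.147.115 in its SAN is accepted; any other validated client is rejected with a CertificateException, which JSSE turns into a handshake failure rather than an open connection.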
