
Example 76 with TrustManagerFactory

use of javax.net.ssl.TrustManagerFactory in project qpid-broker-j by apache.

the class SiteSpecificTrustStoreImpl method generateTrustManagers.

/**
 * Builds the trust managers for this site-specific trust store from its single pinned
 * certificate ({@code _x509Certificate}) and stores them in {@code _trustManagers}.
 *
 * <p>The certificate is placed into a fresh, empty in-memory {@link java.security.KeyStore}
 * under the alias {@code "1"}; a {@link TrustManagerFactory} using the platform default
 * algorithm is then initialised from that store only, so the resulting managers are anchored
 * on this certificate rather than on the JDK's default trust store.
 *
 * @throws IllegalConfigurationException if the key store or the factory cannot be set up;
 *         the underlying {@link IOException} or {@link GeneralSecurityException} is kept as
 *         the cause
 */
private void generateTrustManagers() {
    try {
        final java.security.KeyStore pinnedStore =
                java.security.KeyStore.getInstance(java.security.KeyStore.getDefaultType());
        // load(null, null) initialises an empty store without touching the file system
        pinnedStore.load(null, null);
        pinnedStore.setCertificateEntry("1", _x509Certificate);

        final TrustManagerFactory factory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(pinnedStore);
        _trustManagers = factory.getTrustManagers();
    } catch (final IOException | GeneralSecurityException e) {
        throw new IllegalConfigurationException("Cannot load certificate(s) :" + e, e);
    }
}

Example 77 with TrustManagerFactory

use of javax.net.ssl.TrustManagerFactory in project qpid-broker-j by apache.

the class TrustManagerTest method testQpidMultipleTrustManagerWithRegularTrustStore.

/**
 * Verifies that {@link QpidMultipleTrustManager} behaves like the regular X.509 trust manager
 * it wraps when that delegate is built from the broker trust store: clients whose certificates
 * chain to the CA in that store (app1 and app2) are accepted, and the client from the
 * untrusted key store is rejected.
 */
public void testQpidMultipleTrustManagerWithRegularTrustStore() throws Exception {
    final QpidMultipleTrustManager multiTrustManager = new QpidMultipleTrustManager();

    final KeyStore brokerTrustStore = SSLUtil.getInitializedKeyStore(
            TestSSLConstants.BROKER_TRUSTSTORE, TestSSLConstants.BROKER_TRUSTSTORE_PASSWORD, STORE_TYPE);
    final TrustManagerFactory factory = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
    factory.init(brokerTrustStore);

    // wrap every X.509 delegate the factory produced; any other trust manager type is ignored
    final TrustManager[] delegates = factory.getTrustManagers();
    int x509DelegatesAdded = 0;
    for (int i = 0; i < delegates.length; i++) {
        if (delegates[i] instanceof X509TrustManager) {
            multiTrustManager.addTrustManager((X509TrustManager) delegates[i]);
            x509DelegatesAdded++;
        }
    }
    assertTrue("The regular trust manager for the trust store was not added", x509DelegatesAdded > 0);

    // app1 is issued by the CA held in the broker trust store, so validation must succeed
    try {
        multiTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
    } catch (final CertificateException ex) {
        fail("Trusted client's validation against the broker's multi store manager failed.");
    }

    // app2 is issued by the same CA, so validation must succeed as well
    try {
        multiTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
    } catch (final CertificateException ex) {
        fail("Trusted client's validation against the broker's multi store manager failed.");
    }

    // the chain from the untrusted key store does not lead to the CA, so it must be rejected
    try {
        multiTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.UNTRUSTED_KEYSTORE, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
        fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    } catch (final CertificateException ex) {
        // expected: rejection is the behaviour under test
    }
}

Example 78 with TrustManagerFactory

use of javax.net.ssl.TrustManagerFactory in project qpid-broker-j by apache.

the class TrustManagerTest method testQpidMultipleTrustManagerWithPeerStore.

/**
 * Verifies that {@link QpidMultipleTrustManager} behaves like a {@link QpidPeersOnlyTrustManager}
 * when that is the only delegate it wraps: a client whose certificate is present in the broker
 * peer store (app1) is accepted, while a client signed by the same CA but absent from the peer
 * store (app2) and a client from the untrusted key store are both rejected.
 */
public void testQpidMultipleTrustManagerWithPeerStore() throws Exception {
    final QpidMultipleTrustManager multiTrustManager = new QpidMultipleTrustManager();

    final KeyStore brokerPeerStore = SSLUtil.getInitializedKeyStore(
            TestSSLConstants.BROKER_PEERSTORE, TestSSLConstants.BROKER_PEERSTORE_PASSWORD, STORE_TYPE);
    final TrustManagerFactory factory = TrustManagerFactory.getInstance(DEFAULT_TRUST_MANAGER_ALGORITHM);
    factory.init(brokerPeerStore);

    // every X.509 delegate is wrapped in a peers-only manager bound to the same peer store
    final TrustManager[] delegates = factory.getTrustManagers();
    int peerManagersAdded = 0;
    for (int i = 0; i < delegates.length; i++) {
        if (delegates[i] instanceof X509TrustManager) {
            multiTrustManager.addTrustManager(
                    new QpidPeersOnlyTrustManager(brokerPeerStore, (X509TrustManager) delegates[i]));
            peerManagersAdded++;
        }
    }
    assertTrue("The QpidPeersOnlyTrustManager for the peerstore was not added", peerManagersAdded > 0);

    // app1's certificate is in the peer store, so validation must succeed
    try {
        multiTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP1), "RSA");
    } catch (final CertificateException ex) {
        fail("Trusted client's validation against the broker's multi store manager failed.");
    }

    // app2's certificate is not in the peer store, so it must be rejected even though its CA is known
    try {
        multiTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.KEYSTORE, TestSSLConstants.CERT_ALIAS_APP2), "RSA");
        fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    } catch (final CertificateException ex) {
        // expected: rejection is the behaviour under test
    }

    // the untrusted client is neither in the peer store nor signed by a known CA
    try {
        multiTrustManager.checkClientTrusted(
                this.getClientChain(TestSSLConstants.UNTRUSTED_KEYSTORE, TestSSLConstants.CERT_ALIAS_UNTRUSTED_CLIENT), "RSA");
        fail("Untrusted client's validation against the broker's multi store manager unexpectedly passed.");
    } catch (final CertificateException ex) {
        // expected: rejection is the behaviour under test
    }
}

Example 79 with TrustManagerFactory

use of javax.net.ssl.TrustManagerFactory in project nifi by apache.

the class SslContextFactory method createSslContext.

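/**
 * Creates an {@link SSLContext} from the keystore/truststore settings in {@code props}.
 *
 * <p>When no keystore is configured the outcome depends on {@code strict}: an exception is
 * thrown if {@code strict} is {@code true}, otherwise {@code null} is returned so that callers
 * can fall back to plain connections. If client authentication is required, a truststore must
 * also be configured.
 *
 * <p>When no truststore is configured the {@link TrustManagerFactory} is initialised with a
 * {@code null} key store; with the JDK's SunJSSE provider that means the JDK's own default
 * trust store is used, i.e. the context trusts the public CAs shipped with the JDK rather than
 * trusting nothing.
 *
 * @param props  NiFi properties holding the keystore/truststore paths, types and passwords
 * @param strict whether a missing keystore configuration is an error ({@code true}) or
 *               yields {@code null} ({@code false})
 * @return the initialised context, or {@code null} when not strict and no keystore is configured
 * @throws SslContextCreationException if the configuration is inconsistent or a store or
 *         factory cannot be loaded/initialised; the underlying security or I/O exception is
 *         kept as the cause
 */
public static SSLContext createSslContext(final NiFiProperties props, final boolean strict) throws SslContextCreationException {
    if (!hasKeystoreProperties(props)) {
        if (strict) {
            throw new SslContextCreationException("SSL context cannot be created because keystore properties have not been configured.");
        }
        return null;
    }
    if (props.getNeedClientAuth() && !hasTruststoreProperties(props)) {
        throw new SslContextCreationException("Need client auth is set to 'true', but no truststore properties are configured.");
    }

    try {
        // a null store (no truststore configured) makes the factory fall back to the JDK default trust store
        final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(loadConfiguredTrustStore(props));

        final KeyManagerFactory keyManagerFactory = initKeyManagerFactory(props, loadConfiguredKeyStore(props));

        final SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
        // NOTE(review): SSLContext.getDefaultSSLParameters() returns a fresh copy on every call, so
        // setting needClientAuth on it has no effect on engines/sockets later created from this
        // context; client authentication has to be enforced on the SSLEngine, SSLSocket or server
        // socket that the caller creates. The call is kept so existing behaviour is unchanged.
        sslContext.getDefaultSSLParameters().setNeedClientAuth(props.getNeedClientAuth());
        return sslContext;
    } catch (final KeyStoreException | IOException | NoSuchAlgorithmException | CertificateException | UnrecoverableKeyException | KeyManagementException e) {
        throw new SslContextCreationException(e);
    }
}

/**
 * Loads the configured truststore from disk.
 *
 * @return the loaded truststore, or {@code null} when no truststore properties are configured
 */
private static KeyStore loadConfiguredTrustStore(final NiFiProperties props)
        throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
    if (!hasTruststoreProperties(props)) {
        return null;
    }
    final KeyStore trustStore = KeyStoreUtils.getTrustStore(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_TYPE));
    try (final InputStream trustStoreStream = new FileInputStream(props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE))) {
        trustStore.load(trustStoreStream, props.getProperty(NiFiProperties.SECURITY_TRUSTSTORE_PASSWD).toCharArray());
    }
    return trustStore;
}

/** Loads the configured keystore from disk; the caller has already checked that it is configured. */
private static KeyStore loadConfiguredKeyStore(final NiFiProperties props)
        throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
    final KeyStore keyStore = KeyStoreUtils.getKeyStore(props.getProperty(NiFiProperties.SECURITY_KEYSTORE_TYPE));
    try (final InputStream keyStoreStream = new FileInputStream(props.getProperty(NiFiProperties.SECURITY_KEYSTORE))) {
        keyStore.load(keyStoreStream, props.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD).toCharArray());
    }
    return keyStore;
}

/**
 * Initialises a {@link KeyManagerFactory} for {@code keyStore}, unlocking the private key with
 * the dedicated key password when one is configured and with the keystore password otherwise.
 */
private static KeyManagerFactory initKeyManagerFactory(final NiFiProperties props, final KeyStore keyStore)
        throws NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException {
    final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
    final String keyPassword = props.getProperty(NiFiProperties.SECURITY_KEY_PASSWD);
    // if the key password is provided, try to use that - otherwise default to the keystore password
    final String password = StringUtils.isNotBlank(keyPassword)
            ? keyPassword
            : props.getProperty(NiFiProperties.SECURITY_KEYSTORE_PASSWD);
    keyManagerFactory.init(keyStore, password.toCharArray());
    return keyManagerFactory;
}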

Example 80 with TrustManagerFactory

use of javax.net.ssl.TrustManagerFactory in project pentaho-kettle by pentaho.

the class Rest method setConfig.

/**
 * Lazily builds {@code data.config}, the Jersey/Apache HTTP client configuration used for the
 * REST calls, on the first invocation; later invocations are no-ops.
 *
 * <p>Configured in this order:
 * <ul>
 *   <li>proxy: when a proxy host is set, the proxy URI (always {@code http://host:port}) and,
 *       if both login and password are set, proxy credentials scoped to that host and port;</li>
 *   <li>otherwise, when a login is set, HTTP basic authentication through
 *       {@link HTTPBasicAuthFilter}, stored in {@code data.basicAuthentication};</li>
 *   <li>pre-emptive basic authentication when the step meta asks for it;</li>
 *   <li>TLS: when a trust store file is set, a {@code "JKS"} store is loaded from it, a
 *       {@code "SunX509"} trust manager factory and an {@code "SSL"} context are built from it
 *       and installed together with a {@link HostnameVerifier}.</li>
 * </ul>
 *
 * <p>The installed verifier returns {@code true} for every host and only logs the mismatch at
 * debug level, so host name verification is effectively switched off for these connections: any
 * certificate that chains to the configured trust store is accepted no matter which host presents
 * it. Kept as-is here to preserve behaviour; the store type, algorithm and protocol names are
 * likewise hard-coded.
 *
 * @throws KettleException if the trust store cannot be read or the TLS context cannot be set up;
 *         the message key identifies the failing step and the original exception is the cause
 */
private void setConfig() throws KettleException {
    if (data.config != null) {
        return; // already initialised by an earlier call
    }
    // Use ApacheHttpClient for supporting proxy authentication.
    data.config = new DefaultApacheHttpClient4Config();

    final boolean proxyConfigured = !Utils.isEmpty(data.realProxyHost);
    final boolean loginConfigured = !Utils.isEmpty(data.realHttpLogin);
    if (proxyConfigured) {
        // PROXY CONFIGURATION: the proxy itself is always addressed over plain http
        final String proxyUri = "http://" + data.realProxyHost + ":" + data.realProxyPort;
        data.config.getProperties().put(ApacheHttpClient4Config.PROPERTY_PROXY_URI, proxyUri);
        if (loginConfigured && !Utils.isEmpty(data.realHttpPassword)) {
            // login/password serve as proxy credentials, scoped to the proxy host and port
            final CredentialsProvider proxyCredentials = new BasicCredentialsProvider();
            proxyCredentials.setCredentials(
                    new AuthScope(data.realProxyHost, data.realProxyPort),
                    new UsernamePasswordCredentials(data.realHttpLogin, data.realHttpPassword));
            data.config.getProperties().put(ApacheHttpClient4Config.PROPERTY_CREDENTIALS_PROVIDER, proxyCredentials);
        }
    } else if (loginConfigured) {
        // Basic authentication against the target service (the password is not checked for emptiness here)
        data.basicAuthentication = new HTTPBasicAuthFilter(data.realHttpLogin, data.realHttpPassword);
    }

    if (meta.isPreemptive()) {
        data.config.getProperties().put(ApacheHttpClient4Config.PROPERTY_PREEMPTIVE_BASIC_AUTHENTICATION, true);
    }

    // SSL TRUST STORE CONFIGURATION
    if (Utils.isEmpty(data.trustStoreFile)) {
        return; // no custom trust store: the client keeps its default TLS settings
    }
    try (FileInputStream trustStoreStream = new FileInputStream(data.trustStoreFile)) {
        final KeyStore trustStore = KeyStore.getInstance("JKS");
        // NOTE(review): data.trustStorePassword is dereferenced without a null check — confirm callers always set it
        trustStore.load(trustStoreStream, data.trustStorePassword.toCharArray());
        final TrustManagerFactory trustFactory = TrustManagerFactory.getInstance("SunX509");
        trustFactory.init(trustStore);
        final SSLContext tlsContext = SSLContext.getInstance("SSL");
        // no explicit key managers or random source: the JDK defaults apply for both
        tlsContext.init(null, trustFactory.getTrustManagers(), null);
        // accepts every host name; the mismatch is only visible in the debug log
        final HostnameVerifier acceptAllHosts = new HostnameVerifier() {

            @Override
            public boolean verify(final String hostname, final SSLSession session) {
                if (isDebug()) {
                    logDebug("Warning: URL Host: " + hostname + " vs. " + session.getPeerHost());
                }
                return true;
            }
        };
        data.config.getProperties().put(HTTPSProperties.PROPERTY_HTTPS_PROPERTIES, new HTTPSProperties(acceptAllHosts, tlsContext));
    } catch (NoSuchAlgorithmException e) {
        throw new KettleException(BaseMessages.getString(PKG, "Rest.Error.NoSuchAlgorithm"), e);
    } catch (KeyStoreException e) {
        throw new KettleException(BaseMessages.getString(PKG, "Rest.Error.KeyStoreException"), e);
    } catch (CertificateException e) {
        throw new KettleException(BaseMessages.getString(PKG, "Rest.Error.CertificateException"), e);
    } catch (FileNotFoundException e) {
        // must precede IOException, which it extends, so the file name reaches the message
        throw new KettleException(BaseMessages.getString(PKG, "Rest.Error.FileNotFound", data.trustStoreFile), e);
    } catch (IOException e) {
        throw new KettleException(BaseMessages.getString(PKG, "Rest.Error.IOException"), e);
    } catch (KeyManagementException e) {
        throw new KettleException(BaseMessages.getString(PKG, "Rest.Error.KeyManagementException"), e);
    }
}
