
Example 6 with X509ExtendedTrustManager

use of javax.net.ssl.X509ExtendedTrustManager in project grpc-java by grpc.

The class AdvancedTlsX509TrustManager, method checkTrusted (validates a peer chain via a delegate JSSE trust manager, then runs an optional extra peer verifier).

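/**
 * Validates the peer's certificate chain against the configured trust roots and then runs
 * the optional caller-supplied peer verifier.
 *
 * <p>Exactly one of {@code sslEngine} / {@code socket} is expected to be non-null. Whichever is
 * present is handed to the delegate so the JSSE trust manager sees the connection it is
 * validating for and, when {@code checkingServer} is set, applies the endpoint-identification
 * (host name) algorithm selected by {@code verification}.
 *
 * @param chain the peer's certificate chain as presented; must be non-empty
 * @param authType the authentication type string reported by JSSE
 * @param sslEngine the engine for this handshake, or {@code null} when {@code socket} is used
 * @param socket the socket for this handshake, or {@code null} when {@code sslEngine} is used
 * @param checkingServer {@code true} when we are the client verifying a server certificate,
 *     {@code false} when we are the server verifying a client certificate
 * @throws IllegalArgumentException if {@code chain} is null or empty
 * @throws CertificateException if neither engine nor socket is given, no trust roots are
 *     configured, the socket path is not an {@link SSLSocket}, the delegate rejects the chain,
 *     or the peer verifier rejects it
 */
private void checkTrusted(X509Certificate[] chain, String authType, SSLEngine sslEngine, Socket socket, boolean checkingServer) throws CertificateException {
    if (chain == null || chain.length == 0) {
        throw new IllegalArgumentException("Want certificate verification but got null or empty certificates");
    }
    if (sslEngine == null && socket == null) {
        throw new CertificateException("Not enough information to validate peer. SSLEngine or Socket required.");
    }
    // SECURITY: INSECURELY_SKIP_ALL_VERIFICATION bypasses the delegate entirely. Only the peer
    // verifier below (if one is configured) then stands between the caller and an
    // unauthenticated peer.
    if (this.verification != Verification.INSECURELY_SKIP_ALL_VERIFICATION) {
        // Copy the field to a local so a concurrent update (if any) cannot change it mid-check.
        X509ExtendedTrustManager currentDelegateManager = this.delegateManager;
        if (currentDelegateManager == null) {
            throw new CertificateException("No trust roots configured");
        }
        if (checkingServer) {
            // "HTTPS" turns on host name matching inside the JSSE delegate; the empty string
            // turns it off, so CERTIFICATE_ONLY_VERIFICATION accepts whatever name the chain
            // carries. Callers choosing that mode must authenticate the peer another way.
            String algorithm = this.verification == Verification.CERTIFICATE_AND_HOST_NAME_VERIFICATION ? "HTTPS" : "";
            if (sslEngine != null) {
                SSLParameters sslParams = sslEngine.getSSLParameters();
                sslParams.setEndpointIdentificationAlgorithm(algorithm);
                sslEngine.setSSLParameters(sslParams);
                currentDelegateManager.checkServerTrusted(chain, authType, sslEngine);
            } else {
                if (!(socket instanceof SSLSocket)) {
                    throw new CertificateException("socket is not a type of SSLSocket");
                }
                SSLSocket sslSocket = (SSLSocket) socket;
                SSLParameters sslParams = sslSocket.getSSLParameters();
                sslParams.setEndpointIdentificationAlgorithm(algorithm);
                sslSocket.setSSLParameters(sslParams);
                currentDelegateManager.checkServerTrusted(chain, authType, sslSocket);
            }
        } else if (sslEngine != null) {
            currentDelegateManager.checkClientTrusted(chain, authType, sslEngine);
        } else {
            // Fix: the socket path previously passed the (null) sslEngine to the delegate, so the
            // delegate never saw the connection it was validating for. Hand it the socket, as the
            // server-side branch and the peer verifier below already do.
            currentDelegateManager.checkClientTrusted(chain, authType, socket);
        }
    }
    // Perform the additional peer cert check, using whichever transport object we were given.
    if (socketAndEnginePeerVerifier != null) {
        if (sslEngine != null) {
            socketAndEnginePeerVerifier.verifyPeerCertificate(chain, authType, sslEngine);
        } else {
            socketAndEnginePeerVerifier.verifyPeerCertificate(chain, authType, socket);
        }
    }
}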

Example 7 with X509ExtendedTrustManager

use of javax.net.ssl.X509ExtendedTrustManager in project grpc-java by grpc.

The class AdvancedTlsX509TrustManager, method createDelegateTrustManager (obtains the JSSE X509ExtendedTrustManager backing the delegate from a trust store).

/**
 * Builds the JSSE trust manager that this class delegates chain validation to.
 *
 * <p>A {@link TrustManagerFactory} using the platform default algorithm is initialised from
 * {@code keyStore}, and the first {@link X509ExtendedTrustManager} it yields is returned. The
 * extended variant is required because the engine/socket-aware {@code check*Trusted} overloads
 * live only on it.
 *
 * @param keyStore the store holding the trusted root certificates
 * @return the first X509ExtendedTrustManager produced by the default factory
 * @throws CertificateException if the factory yields no X509ExtendedTrustManager
 * @throws KeyStoreException if the factory cannot be initialised from {@code keyStore}
 * @throws NoSuchAlgorithmException if the default trust manager algorithm is unavailable
 */
private static X509ExtendedTrustManager createDelegateTrustManager(KeyStore keyStore) throws CertificateException, KeyStoreException, NoSuchAlgorithmException {
    String algorithm = TrustManagerFactory.getDefaultAlgorithm();
    TrustManagerFactory factory = TrustManagerFactory.getInstance(algorithm);
    factory.init(keyStore);
    // The factory may return several managers; only the extended X.509 one is usable here.
    for (TrustManager candidate : factory.getTrustManagers()) {
        if (candidate instanceof X509ExtendedTrustManager) {
            return (X509ExtendedTrustManager) candidate;
        }
    }
    throw new CertificateException("Failed to find X509ExtendedTrustManager with default TrustManager algorithm " + algorithm);
}

Example 8 with X509ExtendedTrustManager

use of javax.net.ssl.X509ExtendedTrustManager in project grpc-java by grpc.

The class SdsTrustManagerFactory, method createSdsX509TrustManager (wraps a JSSE trust manager built from an explicit list of trusted certificates).

/**
 * Builds an {@link SdsX509TrustManager} whose delegate trusts exactly the given certificates.
 *
 * <p>The certificates are stored as trusted entries in a fresh in-memory PKCS12 store, a
 * {@link TrustManagerFactory} with the platform default algorithm is initialised from it, and
 * the first {@link X509ExtendedTrustManager} it yields becomes the delegate. With no
 * certificates the delegate ends up with no trust anchors at all.
 *
 * @param certs the trust anchors for the delegate
 * @param certContext the validation context handed to the wrapper (presumably the peer
 *     constraints it enforces on top of chain validation; see SdsX509TrustManager)
 * @return the wrapping trust manager
 * @throws CertStoreException if the store or factory cannot be set up, or no
 *     X509ExtendedTrustManager is available from the factory
 */
@VisibleForTesting
static SdsX509TrustManager createSdsX509TrustManager(X509Certificate[] certs, CertificateValidationContext certContext) throws CertStoreException {
    TrustManagerFactory factory;
    try {
        factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        // load(null, null) initialises an empty store; nothing is read from disk.
        trustStore.load(/* stream= */ null, /* password= */ null);
        // Aliases are looked up via toLowerCase(Locale.ENGLISH), so keep them lower-case and
        // unique; a repeated alias would silently replace an earlier anchor.
        int index = 1;
        for (X509Certificate cert : certs) {
            trustStore.setCertificateEntry("alias" + index, cert);
            index++;
        }
        factory.init(trustStore);
    } catch (NoSuchAlgorithmException | KeyStoreException | IOException | CertificateException e) {
        logger.log(Level.SEVERE, "createSdsX509TrustManager", e);
        throw new CertStoreException(e);
    }
    // Only the extended variant offers the engine/socket-aware check*Trusted overloads.
    X509ExtendedTrustManager delegate = null;
    TrustManager[] managers = factory.getTrustManagers();
    if (managers != null) {
        for (TrustManager candidate : managers) {
            if (candidate instanceof X509ExtendedTrustManager) {
                delegate = (X509ExtendedTrustManager) candidate;
                break;
            }
        }
    }
    if (delegate == null) {
        throw new CertStoreException("Native X509 TrustManager not found.");
    }
    return new SdsX509TrustManager(certContext, delegate);
}

Example 9 with X509ExtendedTrustManager

use of javax.net.ssl.X509ExtendedTrustManager in project cloudstack by apache.

The class WebSocketReverseProxy, method acceptAllCerts (installs a trust-all TrustManager: TLS certificate validation and host name checks are disabled for the proxied connection).

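/**
 * Installs an SSL socket factory that accepts ANY peer certificate.
 *
 * <p>SECURITY WARNING: the trust manager below performs no chain validation, no expiry check
 * and no host name verification, so a network-level attacker can impersonate the upstream
 * endpoint and read or modify the proxied traffic. The TLS session is encrypted but not
 * authenticated. Use this only where the peer's identity is established by other means, and
 * prefer a trust store pinned to the expected CA or leaf certificate wherever possible.
 *
 * <p>Building the {@link SSLContext} is best-effort: on failure the stack trace is printed and
 * whatever socket factory was already set is left untouched.
 */
private void acceptAllCerts() {
    TrustManager[] trustAllCerts = new TrustManager[] { new X509ExtendedTrustManager() {
        // Every check*Trusted overload deliberately returns without inspecting the chain.

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket) {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket) {
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine) {
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            // The X509TrustManager contract requires a non-null (possibly empty) array; the
            // previous null return could NPE in any caller that enumerates accepted issuers.
            return new X509Certificate[0];
        }

        @Override
        public void checkClientTrusted(X509Certificate[] certs, String authType) {
        }

        @Override
        public void checkServerTrusted(X509Certificate[] certs, String authType) {
        }
    } };
    try {
        SSLContext sc = SSLContext.getInstance("TLS");
        // null KeyManagers: no client certificate is offered.
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        SSLSocketFactory factory = sc.getSocketFactory();
        this.setSocketFactory(factory);
    } catch (Exception e) {
        // Best effort only; see the class Javadoc above. A real logger would be preferable.
        e.printStackTrace();
    }
}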

Example 10 with X509ExtendedTrustManager

use of javax.net.ssl.X509ExtendedTrustManager in project java-chassis by ServiceComb.

The class TrustManagerExtTest, method testConstructor (builds a TrustManagerExt from the configured trust store and checks its accepted issuers).

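/**
 * Builds a TrustManagerExt from the configured trust store and checks that it exposes the
 * store's accepted issuers.
 *
 * <p>The key-store path and decoded password are resolved but not asserted on here, which is
 * why the unused-variable warning is suppressed.
 */
@SuppressWarnings("unused")
@Test
public void testConstructor() {
    String keyStoreName = custom.getFullPath(option.getKeyStore());
    char[] keyStoreValue = custom.decode(option.getKeyStoreValue().toCharArray());
    String trustStoreName = custom.getFullPath(option.getTrustStore());
    char[] trustStoreValue = custom.decode(option.getTrustStoreValue().toCharArray());
    KeyStore trustStore = KeyStoreUtil.createKeyStore(trustStoreName, option.getTrustStoreType(), trustStoreValue);
    TrustManager[] trustManagers = KeyStoreUtil.createTrustManagers(trustStore);
    TrustManagerExt trustManagerExt = new TrustManagerExt((X509ExtendedTrustManager) trustManagers[0], option, custom);
    // Check non-null before dereferencing: previously this assertion ran after
    // getAcceptedIssuers() and so could never be the one to fail.
    Assert.assertNotNull(trustManagerExt);
    // Fail with a clear assertion rather than an ArrayIndexOutOfBoundsException if the store
    // yielded no accepted issuers.
    Assert.assertTrue(trustManagerExt.getAcceptedIssuers().length > 0);
    // The first accepted issuer is expected to be an X.509 v3 certificate.
    Assert.assertEquals(3, trustManagerExt.getAcceptedIssuers()[0].getVersion());
}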
