Example 21 with X509ExtendedTrustManager
use of javax.net.ssl.X509ExtendedTrustManager in project netty by netty.
the class SslContextBuilderTest method testContextFromManagers.
private static void testContextFromManagers(SslProvider provider) throws Exception {
final SelfSignedCertificate cert = new SelfSignedCertificate();
KeyManager customKeyManager = new X509ExtendedKeyManager() {
@Override
public String[] getClientAliases(String s, Principal[] principals) {
return new String[0];
}
@Override
public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
return "cert_sent_to_server";
}
@Override
public String[] getServerAliases(String s, Principal[] principals) {
return new String[0];
}
@Override
public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
return null;
}
@Override
public X509Certificate[] getCertificateChain(String s) {
X509Certificate[] certificates = new X509Certificate[1];
certificates[0] = cert.cert();
return new X509Certificate[0];
}
@Override
public PrivateKey getPrivateKey(String s) {
return cert.key();
}
};
TrustManager customTrustManager = new X509ExtendedTrustManager() {
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
}
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
}
@Override
public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
@Override
public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
}
@Override
public X509Certificate[] getAcceptedIssuers() {
return new X509Certificate[0];
}
};
SslContextBuilder client_builder = SslContextBuilder.forClient().sslProvider(provider).keyManager(customKeyManager).trustManager(customTrustManager).clientAuth(ClientAuth.OPTIONAL);
SslContext client_context = client_builder.build();
SSLEngine client_engine = client_context.newEngine(UnpooledByteBufAllocator.DEFAULT);
assertFalse(client_engine.getWantClientAuth());
assertFalse(client_engine.getNeedClientAuth());
client_engine.closeInbound();
client_engine.closeOutbound();
SslContextBuilder server_builder = SslContextBuilder.forServer(customKeyManager).sslProvider(provider).trustManager(customTrustManager).clientAuth(ClientAuth.REQUIRE);
SslContext server_context = server_builder.build();
SSLEngine server_engine = server_context.newEngine(UnpooledByteBufAllocator.DEFAULT);
assertFalse(server_engine.getWantClientAuth());
assertTrue(server_engine.getNeedClientAuth());
server_engine.closeInbound();
server_engine.closeOutbound();
}
Also used :
SelfSignedCertificate(io.netty.handler.ssl.util.SelfSignedCertificate)
X509ExtendedTrustManager(javax.net.ssl.X509ExtendedTrustManager)
SSLEngine(javax.net.ssl.SSLEngine)
X509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager)
KeyManager(javax.net.ssl.KeyManager)
X509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager)
Socket(java.net.Socket)
X509Certificate(java.security.cert.X509Certificate)
TrustManager(javax.net.ssl.TrustManager)
X509ExtendedTrustManager(javax.net.ssl.X509ExtendedTrustManager)
Example 22 with X509ExtendedTrustManager
use of javax.net.ssl.X509ExtendedTrustManager in project druid by druid-io.
the class JettyTest method testCustomCheckX509TrustManagerSetEndpointIdentificationAlgorithmToNullWithValidateServerHostnamesSetToFalse.
@Test
public void testCustomCheckX509TrustManagerSetEndpointIdentificationAlgorithmToNullWithValidateServerHostnamesSetToFalse() throws Exception {
SslContextFactory.Server server = injector.getInstance(SslContextFactory.Server.class);
server.setEndpointIdentificationAlgorithm("HTTPS");
server.start();
SSLEngine sslEngine = server.newSSLEngine();
X509ExtendedTrustManager mockX509ExtendedTrustManager = Mockito.mock(X509ExtendedTrustManager.class);
TLSCertificateChecker mockTLSCertificateChecker = Mockito.mock(TLSCertificateChecker.class);
X509Certificate mockX509Certificate = Mockito.mock(X509Certificate.class);
String authType = "testAuthType";
X509Certificate[] chain = new X509Certificate[] { mockX509Certificate };
// The EndpointIdentificationAlgorithm should not be null as we set it to HTTPS earlier
Assert.assertNotNull(sslEngine.getSSLParameters().getEndpointIdentificationAlgorithm());
CustomCheckX509TrustManager customCheckX509TrustManager = new CustomCheckX509TrustManager(mockX509ExtendedTrustManager, mockTLSCertificateChecker, false);
customCheckX509TrustManager.checkServerTrusted(chain, authType, sslEngine);
ArgumentCaptor<SSLEngine> captor = ArgumentCaptor.forClass(SSLEngine.class);
Mockito.verify(mockTLSCertificateChecker).checkServer(ArgumentMatchers.eq(chain), ArgumentMatchers.eq(authType), captor.capture(), ArgumentMatchers.eq(mockX509ExtendedTrustManager));
SSLEngine transformedSSLEngine = captor.getValue();
// The EndpointIdentificationAlgorithm should be null or empty Stringas the CustomCheckX509TrustManager
// has validateServerHostnames set to false
String endpointIdentificationAlgorithm = transformedSSLEngine.getSSLParameters().getEndpointIdentificationAlgorithm();
Assert.assertTrue(endpointIdentificationAlgorithm == null || endpointIdentificationAlgorithm.isEmpty());
}
Also used :
SslContextFactory(org.eclipse.jetty.util.ssl.SslContextFactory)
X509ExtendedTrustManager(javax.net.ssl.X509ExtendedTrustManager)
TLSCertificateChecker(org.apache.druid.server.security.TLSCertificateChecker)
SSLEngine(javax.net.ssl.SSLEngine)
CustomCheckX509TrustManager(org.apache.druid.server.security.CustomCheckX509TrustManager)
X509Certificate(java.security.cert.X509Certificate)
Test(org.junit.Test)
Example 23 with X509ExtendedTrustManager
use of javax.net.ssl.X509ExtendedTrustManager in project smarthome by eclipse.
the class ExtensibleTrustManagerImpl method addTlsCertificateProvider.
@Override
@Reference(cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC)
public void addTlsCertificateProvider(TlsCertificateProvider tlsCertificateProvider) {
X509ExtendedTrustManager trustManager = new TlsCertificateTrustManagerAdapter(tlsCertificateProvider).getTrustManager();
mappingFromTlsCertificateProvider.put(tlsCertificateProvider, trustManager);
addLinkedTrustManager(tlsCertificateProvider.getHostName(), trustManager);
}
Also used :
X509ExtendedTrustManager(javax.net.ssl.X509ExtendedTrustManager)
Reference(org.osgi.service.component.annotations.Reference)
Example 24 with X509ExtendedTrustManager
use of javax.net.ssl.X509ExtendedTrustManager in project smarthome by eclipse.
the class TrustManagerUtil method keyStoreToTrustManager.
static X509ExtendedTrustManager keyStoreToTrustManager(@Nullable KeyStore keyStore) {
try {
TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
tmf.init(keyStore);
// Get hold of the X509ExtendedTrustManager
for (TrustManager tm : tmf.getTrustManagers()) {
if (tm instanceof X509ExtendedTrustManager) {
return (X509ExtendedTrustManager) tm;
}
}
} catch (NoSuchAlgorithmException e) {
throw new IllegalStateException("Default algorithm missing...", e);
} catch (KeyStoreException e) {
throw new IllegalStateException("Problem while processing keystore", e);
}
throw new IllegalStateException("Could not find X509ExtendedTrustManager");
}
Also used :
X509ExtendedTrustManager(javax.net.ssl.X509ExtendedTrustManager)
TrustManagerFactory(javax.net.ssl.TrustManagerFactory)
NoSuchAlgorithmException(java.security.NoSuchAlgorithmException)
KeyStoreException(java.security.KeyStoreException)
X509ExtendedTrustManager(javax.net.ssl.X509ExtendedTrustManager)
TrustManager(javax.net.ssl.TrustManager)
Example 25 with X509ExtendedTrustManager
use of javax.net.ssl.X509ExtendedTrustManager in project smarthome by eclipse.
the class ExtensibleTrustManagerImpl method getLinkedTrustMananger.
private X509ExtendedTrustManager getLinkedTrustMananger(X509Certificate[] chain, SSLEngine sslEngine) {
if (sslEngine != null) {
X509ExtendedTrustManager trustManager = null;
String peer = null;
if (sslEngine.getPeerHost() != null) {
peer = sslEngine.getPeerHost() + ":" + sslEngine.getPeerPort();
trustManager = linkedTrustManager.getOrDefault(peer, EMPTY_QUEUE).peek();
}
if (trustManager != null) {
logger.trace("Found trustManager by sslEngine peer/host: {}", peer);
return trustManager;
} else {
logger.trace("Did NOT find trustManager by sslEngine peer/host: {}", peer);
}
}
return getLinkedTrustMananger(chain);
}
Also used :
X509ExtendedTrustManager(javax.net.ssl.X509ExtendedTrustManager)
Aggregations
X509ExtendedTrustManager (javax.net.ssl.X509ExtendedTrustManager)25
TrustManager (javax.net.ssl.TrustManager)14
KeyStore (java.security.KeyStore)10
X509Certificate (java.security.cert.X509Certificate)8
CertificateException (java.security.cert.CertificateException)7
NoSuchAlgorithmException (java.security.NoSuchAlgorithmException)6
SSLEngine (javax.net.ssl.SSLEngine)6
Socket (java.net.Socket)5
KeyManager (javax.net.ssl.KeyManager)5
SSLContext (javax.net.ssl.SSLContext)5
TrustManagerFactory (javax.net.ssl.TrustManagerFactory)5
Test (org.junit.Test)5
IOException (java.io.IOException)4
KeyManagementException (java.security.KeyManagementException)4
KeyStoreException (java.security.KeyStoreException)3
SecureRandom (java.security.SecureRandom)3
SelfSignedCertificate (io.netty.handler.ssl.util.SelfSignedCertificate)2
File (java.io.File)2
VisibleForTesting (com.google.common.annotations.VisibleForTesting)1
Bootstrap (io.netty.bootstrap.Bootstrap)1
