
Example 21 with X509ExtendedTrustManager

use of javax.net.ssl.X509ExtendedTrustManager in project netty by netty.

From class SslContextBuilderTest, method testContextFromManagers.

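/**
 * Builds a client and a server {@link SslContext} from hand-written key and trust managers
 * and asserts that the requested {@link ClientAuth} mode is reflected on the resulting
 * {@link SSLEngine}s: the client engine never requests client authentication, while a server
 * configured with {@link ClientAuth#REQUIRE} reports {@code getNeedClientAuth() == true}.
 * <p>
 * The anonymous trust manager accepts every chain unconditionally and the key manager hands
 * out one self-signed certificate for every alias. Both are fixtures for exercising the
 * builder plumbing only; no handshake takes place, since both engines are closed right after
 * creation.
 *
 * @param provider the {@link SslProvider} used to build both contexts
 * @throws Exception if the self-signed certificate or either context cannot be created
 */
private static void testContextFromManagers(SslProvider provider) throws Exception {
    final SelfSignedCertificate cert = new SelfSignedCertificate();
    try {
        KeyManager customKeyManager = new X509ExtendedKeyManager() {

            @Override
            public String[] getClientAliases(String s, Principal[] principals) {
                return new String[0];
            }

            @Override
            public String chooseClientAlias(String[] strings, Principal[] principals, Socket socket) {
                return "cert_sent_to_server";
            }

            @Override
            public String[] getServerAliases(String s, Principal[] principals) {
                return new String[0];
            }

            @Override
            public String chooseServerAlias(String s, Principal[] principals, Socket socket) {
                return null;
            }

            @Override
            public X509Certificate[] getCertificateChain(String s) {
                // One-element chain holding the self-signed certificate, for any alias. The
                // earlier version filled a local array and then returned an empty one, so the
                // certificate was never actually exposed through the key manager.
                return new X509Certificate[] { cert.cert() };
            }

            @Override
            public PrivateKey getPrivateKey(String s) {
                return cert.key();
            }
        };
        // Accepts any chain without validation. Usable only as a fixture for the builder; a
        // deployment needs a trust manager that verifies the chain against a trust store.
        TrustManager customTrustManager = new X509ExtendedTrustManager() {

            @Override
            public void checkClientTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] x509Certificates, String s, Socket socket) throws CertificateException {
            }

            @Override
            public void checkClientTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] x509Certificates, String s, SSLEngine sslEngine) throws CertificateException {
            }

            @Override
            public void checkClientTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
            }

            @Override
            public void checkServerTrusted(X509Certificate[] x509Certificates, String s) throws CertificateException {
            }

            @Override
            public X509Certificate[] getAcceptedIssuers() {
                return new X509Certificate[0];
            }
        };
        // clientAuth(...) has no effect on a client-side engine: neither want nor need is set.
        SslContextBuilder client_builder = SslContextBuilder.forClient().sslProvider(provider).keyManager(customKeyManager).trustManager(customTrustManager).clientAuth(ClientAuth.OPTIONAL);
        SslContext client_context = client_builder.build();
        SSLEngine client_engine = client_context.newEngine(UnpooledByteBufAllocator.DEFAULT);
        assertFalse(client_engine.getWantClientAuth());
        assertFalse(client_engine.getNeedClientAuth());
        client_engine.closeInbound();
        client_engine.closeOutbound();
        // REQUIRE maps to needClientAuth only; wantClientAuth stays false.
        SslContextBuilder server_builder = SslContextBuilder.forServer(customKeyManager).sslProvider(provider).trustManager(customTrustManager).clientAuth(ClientAuth.REQUIRE);
        SslContext server_context = server_builder.build();
        SSLEngine server_engine = server_context.newEngine(UnpooledByteBufAllocator.DEFAULT);
        assertFalse(server_engine.getWantClientAuth());
        assertTrue(server_engine.getNeedClientAuth());
        server_engine.closeInbound();
        server_engine.closeOutbound();
    } finally {
        // Remove the temporary certificate and key files SelfSignedCertificate wrote to disk.
        cert.delete();
    }
}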

Example 22 with X509ExtendedTrustManager

use of javax.net.ssl.X509ExtendedTrustManager in project druid by druid-io.

From class JettyTest, method testCustomCheckX509TrustManagerSetEndpointIdentificationAlgorithmToNullWithValidateServerHostnamesSetToFalse.

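/**
 * Checks that {@link CustomCheckX509TrustManager}, constructed with
 * {@code validateServerHostnames == false}, passes the {@link TLSCertificateChecker} an engine
 * whose endpoint identification algorithm has been cleared, even though the factory's engine
 * was created with it set to {@code "HTTPS"}.
 *
 * @throws Exception if the Jetty {@link SslContextFactory.Server} cannot be started or stopped
 */
@Test
public void testCustomCheckX509TrustManagerSetEndpointIdentificationAlgorithmToNullWithValidateServerHostnamesSetToFalse() throws Exception {
    SslContextFactory.Server server = injector.getInstance(SslContextFactory.Server.class);
    server.setEndpointIdentificationAlgorithm("HTTPS");
    server.start();
    try {
        SSLEngine sslEngine = server.newSSLEngine();
        X509ExtendedTrustManager mockX509ExtendedTrustManager = Mockito.mock(X509ExtendedTrustManager.class);
        TLSCertificateChecker mockTLSCertificateChecker = Mockito.mock(TLSCertificateChecker.class);
        X509Certificate mockX509Certificate = Mockito.mock(X509Certificate.class);
        String authType = "testAuthType";
        X509Certificate[] chain = new X509Certificate[] { mockX509Certificate };
        // The EndpointIdentificationAlgorithm should not be null as we set it to HTTPS earlier
        Assert.assertNotNull(sslEngine.getSSLParameters().getEndpointIdentificationAlgorithm());
        CustomCheckX509TrustManager customCheckX509TrustManager = new CustomCheckX509TrustManager(mockX509ExtendedTrustManager, mockTLSCertificateChecker, false);
        customCheckX509TrustManager.checkServerTrusted(chain, authType, sslEngine);
        // Capture the engine actually handed to the checker; it need not be the same object as
        // sslEngine if the trust manager wrapped or reconfigured it.
        ArgumentCaptor<SSLEngine> captor = ArgumentCaptor.forClass(SSLEngine.class);
        Mockito.verify(mockTLSCertificateChecker).checkServer(ArgumentMatchers.eq(chain), ArgumentMatchers.eq(authType), captor.capture(), ArgumentMatchers.eq(mockX509ExtendedTrustManager));
        SSLEngine transformedSSLEngine = captor.getValue();
        // The EndpointIdentificationAlgorithm should be null or an empty String, as the
        // CustomCheckX509TrustManager has validateServerHostnames set to false. Either value
        // is accepted here because both read as "no algorithm configured".
        String endpointIdentificationAlgorithm = transformedSSLEngine.getSSLParameters().getEndpointIdentificationAlgorithm();
        Assert.assertTrue(endpointIdentificationAlgorithm == null || endpointIdentificationAlgorithm.isEmpty());
    } finally {
        // Stop the started factory so a failing assertion does not leak a running component.
        server.stop();
    }
}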

Example 23 with X509ExtendedTrustManager

use of javax.net.ssl.X509ExtendedTrustManager in project smarthome by eclipse.

From class ExtensibleTrustManagerImpl, method addTlsCertificateProvider.

/**
 * Registers a {@link TlsCertificateProvider}: wraps it in a trust manager, remembers the
 * mapping so it can be undone later, and links the trust manager to the host name the
 * provider reports, so that connections to that host are checked by it.
 *
 * @param tlsCertificateProvider the provider to add (bound dynamically by OSGi DS)
 */
@Override
@Reference(cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC)
public void addTlsCertificateProvider(TlsCertificateProvider tlsCertificateProvider) {
    TlsCertificateTrustManagerAdapter adapter = new TlsCertificateTrustManagerAdapter(tlsCertificateProvider);
    X509ExtendedTrustManager linked = adapter.getTrustManager();
    // Keep the provider -> trust manager pair so the removal path can find it again.
    mappingFromTlsCertificateProvider.put(tlsCertificateProvider, linked);
    String hostName = tlsCertificateProvider.getHostName();
    addLinkedTrustManager(hostName, linked);
}

Example 24 with X509ExtendedTrustManager

use of javax.net.ssl.X509ExtendedTrustManager in project smarthome by eclipse.

From class TrustManagerUtil, method keyStoreToTrustManager.

/**
 * Obtains the platform's {@link X509ExtendedTrustManager} for the given trust store.
 * <p>
 * A {@code null} key store is passed straight to {@link TrustManagerFactory#init(KeyStore)},
 * which makes the factory fall back to the JVM's default trust store (see that method's
 * contract), so the result then trusts whatever the runtime trusts.
 *
 * @param keyStore the trust store to initialise the factory with, or {@code null} for the default
 * @return the first {@link X509ExtendedTrustManager} the default factory provides
 * @throws IllegalStateException if the default algorithm is unavailable, the key store cannot be
 *         processed, or the factory yields no {@link X509ExtendedTrustManager}
 */
static X509ExtendedTrustManager keyStoreToTrustManager(@Nullable KeyStore keyStore) {
    TrustManagerFactory factory;
    try {
        factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
    } catch (NoSuchAlgorithmException e) {
        throw new IllegalStateException("Default algorithm missing...", e);
    }
    try {
        factory.init(keyStore);
    } catch (KeyStoreException e) {
        throw new IllegalStateException("Problem while processing keystore", e);
    }
    // Pick the first manager that offers the extended (engine/socket-aware) check methods.
    TrustManager[] managers = factory.getTrustManagers();
    for (int i = 0; i < managers.length; i++) {
        if (managers[i] instanceof X509ExtendedTrustManager) {
            return (X509ExtendedTrustManager) managers[i];
        }
    }
    throw new IllegalStateException("Could not find X509ExtendedTrustManager");
}

Example 25 with X509ExtendedTrustManager

use of javax.net.ssl.X509ExtendedTrustManager in project smarthome by eclipse.

From class ExtensibleTrustManagerImpl, method getLinkedTrustMananger.

/**
 * Resolves the trust manager linked to the engine's peer, falling back to the chain-based
 * lookup when no engine is given, the engine carries no peer host, or nothing is linked for
 * {@code host:port}.
 * <p>
 * The key is built from {@link SSLEngine#getPeerHost()}/{@link SSLEngine#getPeerPort()}, which
 * are the hints supplied when the engine was created rather than values authenticated from the
 * connection; the certificate chain itself is only consulted by the fallback.
 *
 * @param chain     the peer's certificate chain, used by the fallback lookup
 * @param sslEngine the engine of the connection being checked, may be {@code null}
 * @return the linked trust manager for the peer, or the result of the chain-based lookup
 */
private X509ExtendedTrustManager getLinkedTrustMananger(X509Certificate[] chain, SSLEngine sslEngine) {
    if (sslEngine == null) {
        return getLinkedTrustMananger(chain);
    }
    String peerKey = null;
    X509ExtendedTrustManager found = null;
    String host = sslEngine.getPeerHost();
    if (host != null) {
        peerKey = host + ":" + sslEngine.getPeerPort();
        // Head of the queue registered for this peer, or null when none is linked.
        found = linkedTrustManager.getOrDefault(peerKey, EMPTY_QUEUE).peek();
    }
    if (found == null) {
        logger.trace("Did NOT find trustManager by sslEngine peer/host: {}", peerKey);
        return getLinkedTrustMananger(chain);
    }
    logger.trace("Found trustManager by sslEngine peer/host: {}", peerKey);
    return found;
}
