
Example 1 with X509TrustManager

Use of javax.net.ssl.X509TrustManager in the Apache Hadoop project: a delegating trust manager that forwards to whichever X509TrustManager is currently held in trustManagerRef and returns an empty issuer list when none is loaded.

the class ReloadingX509TrustManager method getAcceptedIssuers.

/**
 * Returns the accepted issuers of the trust manager currently held in
 * {@code trustManagerRef}, or the shared {@code EMPTY} array when no trust
 * manager is present (presumably while the trust store is being (re)loaded).
 * Never returns {@code null}, as the {@link X509TrustManager} contract requires.
 */
@Override
public X509Certificate[] getAcceptedIssuers() {
    final X509TrustManager current = trustManagerRef.get();
    if (current == null) {
        return EMPTY;
    }
    return current.getAcceptedIssuers();
}
Also used : X509TrustManager(javax.net.ssl.X509TrustManager) X509Certificate(java.security.cert.X509Certificate)

Example 2 with X509TrustManager

Use of javax.net.ssl.X509TrustManager in the Apache Tomcat project: building an OpenSSL SSL_CTX from an SSLHostConfig and wiring a JSSE X509TrustManager in as the client-certificate verification callback.

the class OpenSSLContext method init.

/**
 * Sets up the native OpenSSL {@code SSL_CTX} referenced by {@code ctx} from
 * {@code sslHostConfig} and {@code certificate}: protocol options, session
 * cache, cipher list, server key/certificate chain, client-certificate
 * verification and ALPN/NPN.
 *
 * <p>The native calls below are order-sensitive (certificate before CA /
 * revocation settings, verification mode before the verify callback), so the
 * sequence should not be rearranged casually.
 *
 * <p>Any exception during setup is logged at WARN, the context is destroyed
 * and {@code initialized} stays {@code false}; callers are not told by an
 * exception, only by the log.
 *
 * @param kms Must contain a KeyManager of the type
 *            {@code OpenSSLKeyManager}; only consulted when no certificate
 *            file is configured
 * @param tms Must contain a TrustManager of the type
 *            {@code X509TrustManager}; when {@code null}, no verify callback
 *            is installed and verification relies on the native CA settings
 * @param sr Is not used for this implementation.
 */
@Override
public synchronized void init(KeyManager[] kms, TrustManager[] tms, SecureRandom sr) {
    // A second init() is a no-op (the first context is kept), only a warning is logged.
    if (initialized) {
        log.warn(sm.getString("openssl.doubleInit"));
        return;
    }
    try {
        // Per OpenSSL's documentation of this option, allowing unsafe legacy
        // renegotiation re-enables renegotiation with peers that do not support
        // secure (RFC 5746) renegotiation. Keep it off unless a legacy client needs it.
        if (sslHostConfig.getInsecureRenegotiation()) {
            SSLContext.setOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
        } else {
            SSLContext.clearOptions(ctx, SSL.SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
        }
        // Prefer the server's cipher-suite order over the client's
        if (sslHostConfig.getHonorCipherOrder()) {
            SSLContext.setOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
        } else {
            SSLContext.clearOptions(ctx, SSL.SSL_OP_CIPHER_SERVER_PREFERENCE);
        }
        // Disable TLS-level compression if requested (compression is the
        // ingredient that CRIME-style attacks rely on)
        if (sslHostConfig.getDisableCompression()) {
            SSLContext.setOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
        } else {
            SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_COMPRESSION);
        }
        // Disable TLS Session Tickets (RFC4507) to protect perfect forward secrecy
        // (a long-lived ticket key can decrypt every session it protected)
        if (sslHostConfig.getDisableSessionTickets()) {
            SSLContext.setOptions(ctx, SSL.SSL_OP_NO_TICKET);
        } else {
            SSLContext.clearOptions(ctx, SSL.SSL_OP_NO_TICKET);
        }
        // Set session cache size, if specified
        if (sslHostConfig.getSessionCacheSize() > 0) {
            SSLContext.setSessionCacheSize(ctx, sslHostConfig.getSessionCacheSize());
        } else {
            // Get the default session cache size using SSLContext.setSessionCacheSize()
            // (the native setter returns the previous value, so set-then-restore
            // is the only way to read it)
            long sessionCacheSize = SSLContext.setSessionCacheSize(ctx, 20480);
            // Revert the session cache size to the default value.
            SSLContext.setSessionCacheSize(ctx, sessionCacheSize);
        }
        // Set session timeout, if specified
        if (sslHostConfig.getSessionTimeout() > 0) {
            SSLContext.setSessionCacheTimeout(ctx, sslHostConfig.getSessionTimeout());
        } else {
            // Get the default session timeout using SSLContext.setSessionCacheTimeout()
            // (same set-then-restore trick as for the cache size)
            long sessionTimeout = SSLContext.setSessionCacheTimeout(ctx, 300);
            // Revert the session timeout to the default value.
            SSLContext.setSessionCacheTimeout(ctx, sessionTimeout);
        }
        // List the ciphers that the client is permitted to negotiate. The
        // OpenSSL cipher expression is handed to OpenSSL verbatim and also
        // parsed into JSSE names for the Java side.
        String opensslCipherConfig = sslHostConfig.getCiphers();
        this.jsseCipherNames = OpenSSLCipherConfigurationParser.parseExpression(opensslCipherConfig);
        SSLContext.setCipherSuite(ctx, opensslCipherConfig);
        // Load Server key and certificate
        if (certificate.getCertificateFile() != null) {
            // File-based configuration: OpenSSL reads key, certificate, chain,
            // CA store and CRLs straight from disk (paths resolved relative to
            // the Tomcat base).
            // Set certificate
            SSLContext.setCertificate(ctx, SSLHostConfig.adjustRelativePath(certificate.getCertificateFile()), SSLHostConfig.adjustRelativePath(certificate.getCertificateKeyFile()), certificate.getCertificateKeyPassword(), SSL.SSL_AIDX_RSA);
            // Set certificate chain file
            SSLContext.setCertificateChainFile(ctx, SSLHostConfig.adjustRelativePath(certificate.getCertificateChainFile()), false);
            // Support Client Certificates
            SSLContext.setCACertificate(ctx, SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificateFile()), SSLHostConfig.adjustRelativePath(sslHostConfig.getCaCertificatePath()));
            // Set revocation
            SSLContext.setCARevocation(ctx, SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateRevocationListFile()), SSLHostConfig.adjustRelativePath(sslHostConfig.getCertificateRevocationListPath()));
        } else {
            // Keystore-based configuration: pull the chain and private key out of
            // the JSSE key manager and hand them to OpenSSL in memory.
            X509KeyManager keyManager = chooseKeyManager(kms);
            String alias = certificate.getCertificateKeyAlias();
            if (alias == null) {
                alias = "tomcat";
            }
            X509Certificate[] chain = keyManager.getCertificateChain(alias);
            if (chain == null) {
                alias = findAlias(keyManager, certificate);
                chain = keyManager.getCertificateChain(alias);
            }
            // NOTE(review): if findAlias() also yields no chain, chain[0] below
            // throws NullPointerException, which the outer catch turns into a
            // WARN log plus destroy() rather than a clear "no usable key" error.
            PrivateKey key = keyManager.getPrivateKey(alias);
            // NOTE(review): the private key is PEM-encoded into an immutable
            // String on the Java heap, so the key material cannot be zeroed
            // after it has been passed to the native side. key.getEncoded()
            // may also be null for non-extractable (e.g. HSM-backed) keys.
            StringBuilder sb = new StringBuilder(BEGIN_KEY);
            sb.append(Base64.getMimeEncoder(64, new byte[] { '\n' }).encodeToString(key.getEncoded()));
            sb.append(END_KEY);
            SSLContext.setCertificateRaw(ctx, chain[0].getEncoded(), sb.toString().getBytes(StandardCharsets.US_ASCII), SSL.SSL_AIDX_RSA);
            for (int i = 1; i < chain.length; i++) {
                SSLContext.addChainCertificateRaw(ctx, chain[i].getEncoded());
            }
        }
        // Client certificate verification: map the configured mode onto the
        // native verify flags. NONE never asks for a client certificate,
        // OPTIONAL/OPTIONAL_NO_CA request one but allow the handshake to
        // proceed without it, REQUIRED fails the handshake when it is absent.
        int value = 0;
        switch(sslHostConfig.getCertificateVerification()) {
            case NONE:
                value = SSL.SSL_CVERIFY_NONE;
                break;
            case OPTIONAL:
                value = SSL.SSL_CVERIFY_OPTIONAL;
                break;
            case OPTIONAL_NO_CA:
                value = SSL.SSL_CVERIFY_OPTIONAL_NO_CA;
                break;
            case REQUIRED:
                value = SSL.SSL_CVERIFY_REQUIRE;
                break;
        }
        // The depth bounds how long a client chain may be before it is rejected.
        SSLContext.setVerify(ctx, value, sslHostConfig.getCertificateVerificationDepth());
        if (tms != null) {
            // Delegate the actual trust decision for client certificates to the
            // JSSE trust manager. The callback is fail-closed: any exception,
            // not only CertificateException, results in rejection.
            final X509TrustManager manager = chooseTrustManager(tms);
            SSLContext.setCertVerifyCallback(ctx, new CertificateVerifier() {

                @Override
                public boolean verify(long ssl, byte[][] chain, String auth) {
                    X509Certificate[] peerCerts = certificates(chain);
                    try {
                        manager.checkClientTrusted(peerCerts, auth);
                        return true;
                    } catch (Exception e) {
                        // NOTE(review): rejected client certificates are only
                        // visible at DEBUG, which makes failed mutual-TLS
                        // handshakes hard to diagnose in production.
                        log.debug(sm.getString("openssl.certificateVerificationFailed"), e);
                    }
                    return false;
                }
            });
        }
        // Advertise the negotiable protocols via ALPN and NPN, always with
        // "http/1.1" appended as the fallback. NO_ADVERTISE means a selection
        // failure simply does not advertise a protocol rather than aborting.
        if (negotiableProtocols != null && negotiableProtocols.size() > 0) {
            ArrayList<String> protocols = new ArrayList<>();
            protocols.addAll(negotiableProtocols);
            protocols.add("http/1.1");
            String[] protocolsArray = protocols.toArray(new String[0]);
            SSLContext.setAlpnProtos(ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE);
            SSLContext.setNpnProtos(ctx, protocolsArray, SSL.SSL_SELECTOR_FAILURE_NO_ADVERTISE);
        }
        sessionContext = new OpenSSLSessionContext(ctx);
        sslHostConfig.setOpenSslContext(Long.valueOf(ctx));
        initialized = true;
    } catch (Exception e) {
        // Any failure above leaves initialized == false; the native context is
        // released so a half-configured SSL_CTX is never used.
        log.warn(sm.getString("openssl.errorSSLCtxInit"), e);
        destroy();
    }
}
Also used : PrivateKey(java.security.PrivateKey) ArrayList(java.util.ArrayList) X509Certificate(java.security.cert.X509Certificate) AbstractEndpoint(org.apache.tomcat.util.net.AbstractEndpoint) CertificateException(java.security.cert.CertificateException) SSLException(javax.net.ssl.SSLException) X509TrustManager(javax.net.ssl.X509TrustManager) CertificateVerifier(org.apache.tomcat.jni.CertificateVerifier) X509KeyManager(javax.net.ssl.X509KeyManager)

Example 3 with X509TrustManager

Use of javax.net.ssl.X509TrustManager in the Apereo CAS project: a test-only helper that accepts every certificate and, via NoopHostnameVerifier, also skips hostname verification. It provides no protection against man-in-the-middle attacks and must not be used in production code.

the class SimpleHttpClientTests method getFriendlyToAllSSLSocketFactory.

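/**
 * Builds an {@link SSLConnectionSocketFactory} that accepts ANY server
 * certificate and skips hostname verification.
 *
 * <p>This exists only so the HTTP client tests can talk to endpoints with
 * self-signed or otherwise unverifiable certificates. It offers no
 * protection against man-in-the-middle attacks and must never be used
 * outside tests.
 *
 * @return a socket factory that performs no certificate or hostname checks
 * @throws Exception if the TLS context cannot be created or initialised
 */
private static SSLConnectionSocketFactory getFriendlyToAllSSLSocketFactory() throws Exception {
    final TrustManager trm = new X509TrustManager() {

        // The X509TrustManager contract requires a non-null (possibly empty)
        // array here; returning null can trigger NullPointerExceptions in
        // callers that iterate the accepted issuers.
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        // Intentionally empty: no client certificate is ever rejected.
        @Override
        public void checkClientTrusted(final X509Certificate[] certs, final String authType) {
        }

        // Intentionally empty: no server certificate is ever rejected.
        @Override
        public void checkServerTrusted(final X509Certificate[] certs, final String authType) {
        }
    };
    // "TLS" is the standard protocol name; "SSL" is a legacy alias of the same context.
    final SSLContext sc = SSLContext.getInstance("TLS");
    sc.init(null, new TrustManager[] { trm }, null);
    // NoopHostnameVerifier disables hostname matching as well, so a certificate
    // issued for any name is accepted for any host.
    return new SSLConnectionSocketFactory(sc, new NoopHostnameVerifier());
}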
Also used : NoopHostnameVerifier(org.apache.http.conn.ssl.NoopHostnameVerifier) X509TrustManager(javax.net.ssl.X509TrustManager) SSLContext(javax.net.ssl.SSLContext) SSLConnectionSocketFactory(org.apache.http.conn.ssl.SSLConnectionSocketFactory) X509Certificate(java.security.cert.X509Certificate) X509TrustManager(javax.net.ssl.X509TrustManager) TrustManager(javax.net.ssl.TrustManager)

Example 4 with X509TrustManager

Use of javax.net.ssl.X509TrustManager in the SonarSource SonarQube project: an OkHttp client builder that falls back to the system default trust manager and socket factory when none are configured, and that also permits cleartext (non-TLS) connections.

the class OkHttpClientBuilder method build.

/**
 * Assembles the {@link OkHttpClient} from this builder's settings.
 *
 * <p>The proxy, the connect/read timeouts (only when non-negative), the
 * header-completing interceptor and the TLS configuration are applied in
 * that order. The TLS spec starts from {@code MODERN_TLS} but is widened to
 * every TLS version and cipher suite the JVM has enabled, and plain-text HTTP
 * remains allowed through {@code ConnectionSpec.CLEARTEXT}. The trust manager
 * and socket factory fall back to the system defaults when none were set.
 *
 * @return the configured client
 */
public OkHttpClient build() {
    OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder();
    clientBuilder.proxy(proxy);
    // A negative timeout means "keep OkHttp's own default".
    if (connectTimeoutMs >= 0) {
        clientBuilder.connectTimeout(connectTimeoutMs, TimeUnit.MILLISECONDS);
    }
    if (readTimeoutMs >= 0) {
        clientBuilder.readTimeout(readTimeoutMs, TimeUnit.MILLISECONDS);
    }
    clientBuilder.addInterceptor(this::completeHeaders);

    // NOTE(review): allEnabledTlsVersions()/allEnabledCipherSuites() defer to
    // whatever the JVM has enabled, which may be weaker than MODERN_TLS on older
    // runtimes, and CLEARTEXT keeps http:// endpoints reachable.
    ConnectionSpec.Builder tlsSpec = new ConnectionSpec.Builder(ConnectionSpec.MODERN_TLS);
    tlsSpec.allEnabledTlsVersions();
    tlsSpec.allEnabledCipherSuites();
    tlsSpec.supportsTlsExtensions(true);
    clientBuilder.connectionSpecs(asList(tlsSpec.build(), ConnectionSpec.CLEARTEXT));

    X509TrustManager effectiveTrustManager;
    if (sslTrustManager == null) {
        effectiveTrustManager = systemDefaultTrustManager();
    } else {
        effectiveTrustManager = sslTrustManager;
    }
    SSLSocketFactory effectiveSocketFactory;
    if (sslSocketFactory == null) {
        effectiveSocketFactory = systemDefaultSslSocketFactory(effectiveTrustManager);
    } else {
        effectiveSocketFactory = sslSocketFactory;
    }
    clientBuilder.sslSocketFactory(effectiveSocketFactory, effectiveTrustManager);
    return clientBuilder.build();
}
Also used : OkHttpClient(okhttp3.OkHttpClient) ConnectionSpec(okhttp3.ConnectionSpec) X509TrustManager(javax.net.ssl.X509TrustManager) SSLSocketFactory(javax.net.ssl.SSLSocketFactory)

Example 5 with X509TrustManager

Use of javax.net.ssl.X509TrustManager in the useful-java-links project by Vedenin: a test helper that installs a JVM-wide trust-all socket factory as the HttpsURLConnection default. Every HTTPS connection made afterwards in the JVM skips certificate validation.

the class GithubDownLoadTests method initHTTPSDownload.

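/**
 * Installs a JVM-wide HTTPS socket factory that accepts every server
 * certificate.
 *
 * <p>Test-only helper: it replaces the default socket factory for ALL
 * {@link HttpsURLConnection}s created afterwards in this JVM and removes
 * every protection certificate validation provides against man-in-the-middle
 * attacks. Only the socket factory is replaced here; the default hostname
 * verifier is left untouched.
 *
 * @throws Exception declared for compatibility; context creation failures are
 *         caught and reported on stdout instead of propagating
 */
private static void initHTTPSDownload() throws Exception {
    // Trust manager that never rejects a certificate.
    TrustManager[] trustAllCerts = new TrustManager[] { new X509TrustManager() {

        // The X509TrustManager contract requires a non-null (possibly empty)
        // array; returning null breaks callers that iterate the accepted issuers.
        @Override
        public java.security.cert.X509Certificate[] getAcceptedIssuers() {
            return new java.security.cert.X509Certificate[0];
        }

        // Intentionally empty: every client certificate is accepted.
        @Override
        public void checkClientTrusted(java.security.cert.X509Certificate[] certs, String authType) {
        }

        // Intentionally empty: every server certificate is accepted.
        @Override
        public void checkServerTrusted(java.security.cert.X509Certificate[] certs, String authType) {
        }
    } };
    // Activate the new trust manager for the whole JVM
    try {
        // "TLS" is the standard protocol name; "SSL" is a legacy alias of it.
        SSLContext sc = SSLContext.getInstance("TLS");
        sc.init(null, trustAllCerts, new java.security.SecureRandom());
        HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
    } catch (java.security.NoSuchAlgorithmException | java.security.KeyManagementException e) {
        // Best-effort, as before: report the failure and carry on with the
        // default socket factory. Print the exception itself rather than only
        // its (possibly null) message so the cause is not lost.
        System.out.print(e);
    }
}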
Also used : X509TrustManager(javax.net.ssl.X509TrustManager) SSLContext(javax.net.ssl.SSLContext) X509TrustManager(javax.net.ssl.X509TrustManager) TrustManager(javax.net.ssl.TrustManager)
