Use of org.apache.cxf.transport.http.HTTPConduit in project fabric8 by fabric8io: class WebClients, method configureClientCert.
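/**
 * Installs a client certificate (mutual-TLS identity) on the conduit behind the given CXF
 * {@link WebClient}.
 *
 * <p>The certificate and private key are turned into a {@link KeyStore} by
 * {@code createKeyStore}, wrapped in {@link KeyManager}s and set on the conduit's
 * {@link TLSClientParameters}. Key managers already present on the conduit are kept and
 * the new ones are appended after them.
 *
 * <p>Any failure is logged and swallowed (best-effort): the client keeps working, but
 * without the client certificate. Callers that require mutual TLS should verify the
 * conduit's TLS parameters afterwards rather than rely on this method throwing.
 *
 * @param webClient the client whose HTTP conduit is configured
 * @param clientCertData inline certificate data, passed through to {@code createKeyStore}
 * @param clientCertFile certificate file, passed through to {@code createKeyStore}
 * @param clientKeyData inline private-key data, passed through to {@code createKeyStore}
 * @param clientKeyFile private-key file, passed through to {@code createKeyStore}
 * @param clientKeyAlgo key algorithm, passed through to {@code createKeyStore}
 * @param clientKeyPassword password protecting the key in the created key store
 */
public static void configureClientCert(WebClient webClient, String clientCertData, File clientCertFile,
        String clientKeyData, File clientKeyFile, String clientKeyAlgo, char[] clientKeyPassword) {
    try {
        KeyStore keyStore = createKeyStore(clientCertData, clientCertFile, clientKeyData, clientKeyFile,
                clientKeyAlgo, clientKeyPassword);
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, clientKeyPassword);
        KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();

        HTTPConduit conduit = WebClient.getConfig(webClient).getHttpConduit();
        TLSClientParameters params = conduit.getTlsClientParameters();
        if (params == null) {
            params = new TLSClientParameters();
            conduit.setTlsClientParameters(params);
        }

        KeyManager[] existingKeyManagers = params.getKeyManagers();
        if (existingKeyManagers != null && existingKeyManagers.length > 0) {
            // NOTE(review): javax.net.ssl.SSLContext.init() only consults the first
            // X509KeyManager in the array. If CXF hands this array straight to the
            // SSLContext, the managers appended here are never used — confirm against
            // the CXF version in use.
            KeyManager[] merged = Arrays.copyOf(existingKeyManagers,
                    existingKeyManagers.length + keyManagers.length);
            System.arraycopy(keyManagers, 0, merged, existingKeyManagers.length, keyManagers.length);
            keyManagers = merged;
        }
        params.setKeyManagers(keyManagers);
    } catch (Exception e) {
        // Deliberately best-effort: log and leave the client without the client certificate.
        LOG.error("Could not create key manager for " + clientCertFile + " (" + clientKeyFile + ")", e);
    }
}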
Use of org.apache.cxf.transport.http.HTTPConduit in project fabric8 by fabric8io: class WebClients, method configureCaCert.
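/**
 * Adds a CA certificate to the trust configuration of the conduit behind the given CXF
 * {@link WebClient}.
 *
 * <p>The CA material is turned into a trust store by {@code createTrustStore}, wrapped in
 * {@link TrustManager}s and set on the conduit's {@link TLSClientParameters}. Trust
 * managers already present on the conduit are kept and the new ones are appended after them.
 *
 * <p>Any failure is logged and swallowed (best-effort): the client keeps working with its
 * previous trust configuration, so the new CA is then simply not trusted. Callers that
 * depend on the CA being installed should verify the conduit's TLS parameters afterwards.
 *
 * @param webClient the client whose HTTP conduit is configured
 * @param caCertData inline CA certificate data, passed through to {@code createTrustStore}
 * @param caCertFile CA certificate file, passed through to {@code createTrustStore}
 */
public static void configureCaCert(WebClient webClient, String caCertData, File caCertFile) {
    try {
        KeyStore trustStore = createTrustStore(caCertData, caCertFile);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

        HTTPConduit conduit = WebClient.getConfig(webClient).getHttpConduit();
        TLSClientParameters params = conduit.getTlsClientParameters();
        if (params == null) {
            params = new TLSClientParameters();
            conduit.setTlsClientParameters(params);
        }

        TrustManager[] existingTrustManagers = params.getTrustManagers();
        if (existingTrustManagers != null && existingTrustManagers.length > 0) {
            // NOTE(review): javax.net.ssl.SSLContext.init() only consults the first
            // X509TrustManager in the array. If CXF hands this array straight to the
            // SSLContext, the CA added here is never consulted — confirm against the
            // CXF version in use.
            TrustManager[] merged = Arrays.copyOf(existingTrustManagers,
                    existingTrustManagers.length + trustManagers.length);
            System.arraycopy(trustManagers, 0, merged, existingTrustManagers.length, trustManagers.length);
            trustManagers = merged;
        }
        params.setTrustManagers(trustManagers);
    } catch (Exception e) {
        // Deliberately best-effort: log and leave the existing trust configuration in place.
        LOG.error("Could not create trust manager for " + caCertFile, e);
    }
}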
Use of org.apache.cxf.transport.http.HTTPConduit in project testcases by coheigea: class TLSOCSPClientAuthTest, method testTLSOCSPClientAuthPass.
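/**
 * Client-authenticated TLS call against a server that performs OCSP checking of the
 * client certificate; the call is expected to succeed.
 *
 * <p>The OCSP responder URL and the {@code ocsp.enable} switch are process-global
 * {@link Security} properties, so they are reset in {@code finally} regardless of outcome.
 * The client itself does no OCSP checking: its TLS parameters only carry the trust and
 * key managers built from {@code clientstore.jks}.
 *
 * @throws Exception on any setup or invocation failure (test fails)
 */
@org.junit.Test
public void testTLSOCSPClientAuthPass() throws Exception {
    try {
        // Point the JDK's OCSP checker at the test responder for the duration of the test.
        Security.setProperty("ocsp.responderURL", "http://localhost:12345");
        Security.setProperty("ocsp.enable", "true");

        SpringBusFactory bf = new SpringBusFactory();
        URL busFile = TLSOCSPClientAuthTest.class.getResource("cxf-client.xml");
        Bus bus = bf.createBus(busFile.toString());
        SpringBusFactory.setDefaultBus(bus);
        SpringBusFactory.setThreadDefaultBus(bus);

        URL wsdl = TLSOCSPClientAuthTest.class.getResource("DoubleIt.wsdl");
        Service service = Service.create(wsdl, SERVICE_QNAME);
        QName portQName = new QName(NAMESPACE, "DoubleItTLSOCSPClientAuthPort");
        DoubleItPortType transportPort = service.getPort(portQName, DoubleItPortType.class);
        updateAddressPort(transportPort, PORT);

        // Configure TLS (no ocsp on the client side). One store serves as both trust store
        // and key store; the resource stream is closed once loaded (the original leaked it).
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (java.io.InputStream storeStream =
                ClassLoaderUtils.getResourceAsStream("clientstore.jks", this.getClass())) {
            keyStore.load(storeStream, "cspass".toCharArray());
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(keyStore);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, "ckpass".toCharArray());

        TLSClientParameters tlsParams = new TLSClientParameters();
        tlsParams.setTrustManagers(tmf.getTrustManagers());
        tlsParams.setKeyManagers(kmf.getKeyManagers());
        // Hostname (CN) verification is switched off for this test client only; the
        // server's identity is established by the trust store alone.
        tlsParams.setDisableCNCheck(true);

        Client client = ClientProxy.getClient(transportPort);
        HTTPConduit http = (HTTPConduit) client.getConduit();
        http.setTlsClientParameters(tlsParams);

        doubleIt(transportPort, 25);
    } finally {
        // Reset the global OCSP settings so later tests in the same JVM are unaffected.
        Security.setProperty("ocsp.responderURL", "");
        Security.setProperty("ocsp.enable", "false");
    }
}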
Use of org.apache.cxf.transport.http.HTTPConduit in project ddf by codice: class SecureCxfClientFactoryImpl, method configureTimeouts.
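/**
 * Configures the connection and receive timeouts on the conduit of the given client
 * configuration. A {@code null} timeout falls back to the factory default
 * ({@code DEFAULT_CONNECTION_TIMEOUT} / {@code DEFAULT_RECEIVE_TIMEOUT}), so after this
 * call both timeouts are always explicitly set on the policy. Nothing is configured only
 * when the configuration has no {@code HTTPConduit}, which is logged at info level.
 *
 * @param clientConfiguration Client configuration used for outgoing requests.
 * @param connectionTimeout Connection timeout in milliseconds, or {@code null} for the default.
 * @param receiveTimeout Receive timeout in milliseconds, or {@code null} for the default.
 */
protected void configureTimeouts(ClientConfiguration clientConfiguration, Integer connectionTimeout,
        Integer receiveTimeout) {
    HTTPConduit httpConduit = clientConfiguration.getHttpConduit();
    if (httpConduit == null) {
        LOGGER.info("HTTPConduit was null for {}. Unable to configure timeouts", this);
        return;
    }

    HTTPClientPolicy httpClientPolicy = httpConduit.getClient();
    if (httpClientPolicy == null) {
        httpClientPolicy = new HTTPClientPolicy();
    }

    // A missing value means "use our default", never "leave whatever the policy had":
    // both timeouts are set unconditionally.
    if (connectionTimeout != null) {
        httpClientPolicy.setConnectionTimeout(connectionTimeout);
    } else {
        httpClientPolicy.setConnectionTimeout(DEFAULT_CONNECTION_TIMEOUT);
    }
    if (receiveTimeout != null) {
        httpClientPolicy.setReceiveTimeout(receiveTimeout);
    } else {
        httpClientPolicy.setReceiveTimeout(DEFAULT_RECEIVE_TIMEOUT);
    }

    // Both setters above always run, so an isSet...() check here could never report
    // "not set"; log the effective values instead, which is what a reader debugging
    // a hanging request actually needs.
    LOGGER.debug("Connection timeout set to {} ms, receive timeout set to {} ms",
            httpClientPolicy.getConnectionTimeout(), httpClientPolicy.getReceiveTimeout());

    httpConduit.setClient(httpClientPolicy);
}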
Use of org.apache.cxf.transport.http.HTTPConduit in project ddf by codice: class SecureCxfClientFactoryImpl, method configureConduit.
/**
 * Applies this factory's redirect and TLS settings to the conduit behind {@code clientConfig}.
 *
 * <p>Configured in order: auto-redirect (when {@code allowRedirects}), the hostname/CN check
 * ({@code disableCnCheck}), cipher suites from the {@code https.cipherSuites} system property,
 * key and trust managers loaded from the system key/trust stores, and — when {@code keyInfo}
 * is set — a custom {@code SSLSocketFactory} built for {@code sslProtocol} and the configured
 * alias. Most failures are logged at debug level and the method carries on with whatever has
 * been configured so far; the inline notes describe what each failure leaves behind.
 *
 * <p>System properties read: {@code https.cipherSuites}, {@code ddf.home},
 * {@code jdk.tls.client.protocols}, plus the store settings behind {@code SecurityConstants}.
 * {@code squid:S3776} is Sonar's cognitive-complexity rule, suppressed for this method.
 *
 * @param clientConfig the CXF client configuration whose conduit is modified in place
 */
@SuppressWarnings("squid:S3776")
private void configureConduit(ClientConfiguration clientConfig) {
    HTTPConduit httpConduit = clientConfig.getHttpConduit();
    if (httpConduit == null) {
        LOGGER.info("HTTPConduit was null for {}. Unable to configure security.", this);
        return;
    }
    if (allowRedirects) {
        // Only an existing client policy is updated; a conduit without one is left untouched.
        // The two bus properties are set alongside (their names indicate relative-URI
        // redirects and the same-URI redirect cap; see the CXF documentation for semantics).
        HTTPClientPolicy clientPolicy = httpConduit.getClient();
        if (clientPolicy != null) {
            clientPolicy.setAutoRedirect(true);
            Bus bus = clientConfig.getBus();
            if (bus != null) {
                bus.getProperties().put(AUTO_REDIRECT_ALLOW_REL_URI, true);
                bus.getProperties().put(AUTO_REDIRECT_MAX_SAME_URI_COUNT, getSameUriRedirectMax());
            }
        }
    }
    // Reuse the conduit's existing TLS parameters when present. Everything below then mutates
    // that live object, including on the early return further down.
    TLSClientParameters tlsParams = httpConduit.getTlsClientParameters();
    if (tlsParams == null) {
        tlsParams = new TLSClientParameters();
    }
    // disableCnCheck == true turns hostname (CN) verification off for this conduit and also
    // stops CXF from using HttpsURLConnection's default hostname verifier. That removes the
    // server-identity check, so it should only be enabled for endpoints trusted by other means.
    tlsParams.setDisableCNCheck(disableCnCheck);
    tlsParams.setUseHttpsURLConnectionDefaultHostnameVerifier(!disableCnCheck);
    // Optional operator override of the cipher suites: comma-separated, entries are not trimmed.
    String cipherSuites = System.getProperty("https.cipherSuites");
    if (cipherSuites != null) {
        tlsParams.setCipherSuites(Arrays.asList(cipherSuites.split(",")));
    }
    // Presumably uninitialized KeyStore instances of the configured type (see SecurityConstants).
    // Both stay null if creation fails, and that failure is only reported at debug level.
    KeyStore keyStore = null;
    KeyStore trustStore = null;
    try {
        keyStore = SecurityConstants.newKeystore();
        trustStore = SecurityConstants.newTruststore();
    } catch (KeyStoreException e) {
        LOGGER.debug("Unable to create keystore instance of type {}", System.getProperty(SecurityConstants.KEYSTORE_TYPE), e);
    }
    // An explicit keystore path on keyInfo wins over the system keystore path.
    Path keyStoreFile;
    if (keyInfo != null && keyInfo.getKeystorePath() != null) {
        keyStoreFile = keyInfo.getKeystorePath();
    } else {
        keyStoreFile = Paths.get(SecurityConstants.getKeystorePath());
    }
    Path trustStoreFile = Paths.get(SecurityConstants.getTruststorePath());
    // Relative store paths are anchored at ddf.home; without that property they resolve
    // against the process working directory.
    String ddfHome = System.getProperty("ddf.home");
    if (ddfHome != null) {
        Path ddfHomePath = Paths.get(ddfHome);
        if (!keyStoreFile.isAbsolute()) {
            keyStoreFile = Paths.get(ddfHomePath.toString(), keyStoreFile.toString());
        }
        if (!trustStoreFile.isAbsolute()) {
            trustStoreFile = Paths.get(ddfHomePath.toString(), trustStoreFile.toString());
        }
    }
    String keyStorePassword = SecurityConstants.getKeystorePassword();
    String trustStorePassword = SecurityConstants.getTruststorePassword();
    // Bail out if either store file is unreadable. tlsParams has NOT been handed to the conduit
    // yet (that happens at the very end), but if the conduit already had TLS parameters, the
    // CN-check and cipher-suite changes above are already live on it.
    if (!Files.isReadable(keyStoreFile) || !Files.isReadable(trustStoreFile)) {
        LOGGER.debug("Unable to read system key/trust store files: [ {} ] [ {} ]", keyStoreFile, trustStoreFile);
        return;
    }
    // NOTE(review): keyStorePassword and trustStorePassword are assumed non-null here; a null
    // would raise an NPE that the multi-catch does not cover — confirm against SecurityConstants.
    // A wrong password or corrupt file is caught and debug-logged, leaving the store uninitialized.
    try (InputStream kfis = Files.newInputStream(keyStoreFile)) {
        if (keyStore != null) {
            keyStore.load(kfis, keyStorePassword.toCharArray());
        }
    } catch (NoSuchAlgorithmException | CertificateException | IOException e) {
        LOGGER.debug("Unable to load system key file.", e);
    }
    try (InputStream tfis = Files.newInputStream(trustStoreFile)) {
        if (trustStore != null) {
            trustStore.load(tfis, trustStorePassword.toCharArray());
        }
    } catch (NoSuchAlgorithmException | CertificateException | IOException e) {
        LOGGER.debug("Unable to load system trust file.", e);
    }
    // KeyManagerFactory.init accepts a null store; an uninitialized (unloaded) store fails with
    // KeyStoreException, which is debug-logged and leaves keyManagers null and the conduit's
    // key managers untouched.
    KeyManager[] keyManagers = null;
    try {
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
        keyManagers = keyManagerFactory.getKeyManagers();
        tlsParams.setKeyManagers(keyManagers);
    } catch (NoSuchAlgorithmException | KeyStoreException | UnrecoverableKeyException e) {
        LOGGER.debug("Unable to initialize KeyManagerFactory.", e);
    }
    // NOTE(review): TrustManagerFactory.init(null) does not fail — the JDK's SunJSSE
    // implementation falls back to its default trust store (cacerts) — so when
    // newTruststore() failed above this conduit may end up trusting the JDK default CAs
    // instead of the system trust store; confirm that is acceptable. An uninitialized
    // (unloaded) store instead throws KeyStoreException, leaving trustManagers null and the
    // conduit's trust managers untouched.
    TrustManager[] trustManagers = null;
    try {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        trustManagers = trustManagerFactory.getTrustManagers();
        tlsParams.setTrustManagers(trustManagers);
    } catch (NoSuchAlgorithmException | KeyStoreException e) {
        LOGGER.debug("Unable to initialize TrustManagerFactory.", e);
    }
    if (keyInfo != null) {
        // A specific client identity was requested: bypass HttpsURLConnection's default socket
        // factory and select the certificate by alias.
        LOGGER.trace("Using keystore file: {}, alias: {}", keyStoreFile, keyInfo.getAlias());
        tlsParams.setUseHttpsURLConnectionDefaultSslSocketFactory(false);
        tlsParams.setCertAlias(keyInfo.getAlias());
        try {
            // Exception used as a guard: without key managers no custom socket factory is built.
            if (keyManagers == null) {
                throw new KeyManagementException("keyManagers was null");
            }
            // Honour jdk.tls.client.protocols when set: sslProtocol must exactly match one of
            // the comma-separated entries (not trimmed), otherwise an error is logged and no
            // custom socket factory is installed. Without the property any sslProtocol passes.
            boolean validProtocolFound = false;
            String validProtocolsStr = System.getProperty("jdk.tls.client.protocols");
            if (StringUtils.isNotBlank(validProtocolsStr)) {
                String[] validProtocols = validProtocolsStr.split(",");
                for (String validProtocol : validProtocols) {
                    if (validProtocol.equals(sslProtocol)) {
                        validProtocolFound = true;
                        break;
                    }
                }
                if (!validProtocolFound) {
                    LOGGER.error("{} is not in list of valid SSL protocols {}", sslProtocol, validProtocolsStr);
                }
            } else {
                validProtocolFound = true;
            }
            if (validProtocolFound) {
                tlsParams.setSSLSocketFactory(getSSLSocketFactory(sslProtocol, keyInfo.getAlias(), keyManagers, trustManagers));
            }
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            LOGGER.debug("Unable to override default SSL Socket Factory", e);
        }
    } else {
        // No client identity requested: let HttpsURLConnection's default socket factory handle
        // TLS and use the internal base URL's host as the certificate alias.
        tlsParams.setUseHttpsURLConnectionDefaultSslSocketFactory(true);
        tlsParams.setCertAlias(SystemBaseUrl.INTERNAL.getHost());
    }
    httpConduit.setTlsClientParameters(tlsParams);
}