Search in sources :

Example 61 with HTTPConduit

use of org.apache.cxf.transport.http.HTTPConduit in project fabric8 by fabric8io.

the class WebClients method configureClientCert.

public static void configureClientCert(WebClient webClient, String clientCertData, File clientCertFile, String clientKeyData, File clientKeyFile, String clientKeyAlgo, char[] clientKeyPassword) {
    try {
        KeyStore keyStore = createKeyStore(clientCertData, clientCertFile, clientKeyData, clientKeyFile, clientKeyAlgo, clientKeyPassword);
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, clientKeyPassword);
        KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
        HTTPConduit conduit = WebClient.getConfig(webClient).getHttpConduit();
        TLSClientParameters params = conduit.getTlsClientParameters();
        if (params == null) {
            params = new TLSClientParameters();
            conduit.setTlsClientParameters(params);
        }
        KeyManager[] existingKeyManagers = params.getKeyManagers();
        if (existingKeyManagers != null && existingKeyManagers.length > 0) {
            List<KeyManager> list = new ArrayList<>();
            list.addAll(Arrays.asList(existingKeyManagers));
            list.addAll(Arrays.asList(keyManagers));
            keyManagers = list.toArray(new KeyManager[list.size()]);
        }
        params.setKeyManagers(keyManagers);
    } catch (Exception e) {
        LOG.error("Could not create key manager for " + clientCertFile + " (" + clientKeyFile + ")", e);
    }
}
Also used : HTTPConduit(org.apache.cxf.transport.http.HTTPConduit) TLSClientParameters(org.apache.cxf.configuration.jsse.TLSClientParameters) ArrayList(java.util.ArrayList) KeyStore(java.security.KeyStore) KeyManager(javax.net.ssl.KeyManager) IOException(java.io.IOException) FileNotFoundException(java.io.FileNotFoundException) KeyManagerFactory(javax.net.ssl.KeyManagerFactory)

Example 62 with HTTPConduit

use of org.apache.cxf.transport.http.HTTPConduit in project fabric8 by fabric8io.

the class WebClients method configureCaCert.

public static void configureCaCert(WebClient webClient, String caCertData, File caCertFile) {
    try {
        KeyStore trustStore = createTrustStore(caCertData, caCertFile);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        HTTPConduit conduit = WebClient.getConfig(webClient).getHttpConduit();
        TLSClientParameters params = conduit.getTlsClientParameters();
        if (params == null) {
            params = new TLSClientParameters();
            conduit.setTlsClientParameters(params);
        }
        TrustManager[] existingTrustManagers = params.getTrustManagers();
        if (existingTrustManagers != null && existingTrustManagers.length > 0) {
            List<TrustManager> list = new ArrayList<>();
            list.addAll(Arrays.asList(existingTrustManagers));
            list.addAll(Arrays.asList(trustManagers));
            trustManagers = list.toArray(new TrustManager[list.size()]);
        }
        params.setTrustManagers(trustManagers);
    } catch (Exception e) {
        LOG.error("Could not create trust manager for " + caCertFile, e);
    }
}
Also used : HTTPConduit(org.apache.cxf.transport.http.HTTPConduit) TLSClientParameters(org.apache.cxf.configuration.jsse.TLSClientParameters) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) ArrayList(java.util.ArrayList) KeyStore(java.security.KeyStore) IOException(java.io.IOException) FileNotFoundException(java.io.FileNotFoundException) TrustEverythingSSLTrustManager(io.fabric8.utils.ssl.TrustEverythingSSLTrustManager) TrustManager(javax.net.ssl.TrustManager)

Example 63 with HTTPConduit

use of org.apache.cxf.transport.http.HTTPConduit in project testcases by coheigea.

the class TLSOCSPClientAuthTest method testTLSOCSPClientAuthPass.

@org.junit.Test
public void testTLSOCSPClientAuthPass() throws Exception {
    try {
        Security.setProperty("ocsp.responderURL", "http://localhost:12345");
        Security.setProperty("ocsp.enable", "true");
        SpringBusFactory bf = new SpringBusFactory();
        URL busFile = TLSOCSPClientAuthTest.class.getResource("cxf-client.xml");
        Bus bus = bf.createBus(busFile.toString());
        SpringBusFactory.setDefaultBus(bus);
        SpringBusFactory.setThreadDefaultBus(bus);
        URL wsdl = TLSOCSPClientAuthTest.class.getResource("DoubleIt.wsdl");
        Service service = Service.create(wsdl, SERVICE_QNAME);
        QName portQName = new QName(NAMESPACE, "DoubleItTLSOCSPClientAuthPort");
        DoubleItPortType transportPort = service.getPort(portQName, DoubleItPortType.class);
        updateAddressPort(transportPort, PORT);
        // Configure TLS (no ocsp on the client side)
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(ClassLoaderUtils.getResourceAsStream("clientstore.jks", this.getClass()), "cspass".toCharArray());
        tmf.init(keyStore);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, "ckpass".toCharArray());
        TLSClientParameters tlsParams = new TLSClientParameters();
        tlsParams.setTrustManagers(tmf.getTrustManagers());
        tlsParams.setKeyManagers(kmf.getKeyManagers());
        tlsParams.setDisableCNCheck(true);
        Client client = ClientProxy.getClient(transportPort);
        HTTPConduit http = (HTTPConduit) client.getConduit();
        http.setTlsClientParameters(tlsParams);
        doubleIt(transportPort, 25);
    } finally {
        Security.setProperty("ocsp.responderURL", "");
        Security.setProperty("ocsp.enable", "false");
    }
}
Also used : HTTPConduit(org.apache.cxf.transport.http.HTTPConduit) Bus(org.apache.cxf.Bus) TLSClientParameters(org.apache.cxf.configuration.jsse.TLSClientParameters) SpringBusFactory(org.apache.cxf.bus.spring.SpringBusFactory) QName(javax.xml.namespace.QName) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) Service(javax.xml.ws.Service) DoubleItPortType(org.example.contract.doubleit.DoubleItPortType) Client(org.apache.cxf.endpoint.Client) KeyStore(java.security.KeyStore) URL(java.net.URL) KeyManagerFactory(javax.net.ssl.KeyManagerFactory)

Example 64 with HTTPConduit

use of org.apache.cxf.transport.http.HTTPConduit in project ddf by codice.

the class SecureCxfClientFactoryImpl method configureTimeouts.

/**
 * Configures the connection and receive timeouts. If any of the parameters are null, the timeouts
 * will be set to the system default.
 *
 * @param clientConfiguration Client configuration used for outgoing requests.
 * @param connectionTimeout Connection timeout in milliseconds.
 * @param receiveTimeout Receive timeout in milliseconds.
 */
protected void configureTimeouts(ClientConfiguration clientConfiguration, Integer connectionTimeout, Integer receiveTimeout) {
    HTTPConduit httpConduit = clientConfiguration.getHttpConduit();
    if (httpConduit == null) {
        LOGGER.info("HTTPConduit was null for {}. Unable to configure timeouts", this);
        return;
    }
    HTTPClientPolicy httpClientPolicy = httpConduit.getClient();
    if (httpClientPolicy == null) {
        httpClientPolicy = new HTTPClientPolicy();
    }
    if (connectionTimeout != null) {
        httpClientPolicy.setConnectionTimeout(connectionTimeout);
    } else {
        httpClientPolicy.setConnectionTimeout(DEFAULT_CONNECTION_TIMEOUT);
    }
    if (receiveTimeout != null) {
        httpClientPolicy.setReceiveTimeout(receiveTimeout);
    } else {
        httpClientPolicy.setReceiveTimeout(DEFAULT_RECEIVE_TIMEOUT);
    }
    if (httpClientPolicy.isSetConnectionTimeout()) {
        LOGGER.debug("Connection timeout has been set.");
    } else {
        LOGGER.debug("Connection timeout has NOT been set.");
    }
    if (httpClientPolicy.isSetReceiveTimeout()) {
        LOGGER.debug("Receive timeout has been set.");
    } else {
        LOGGER.debug("Receive timeout has NOT been set.");
    }
    httpConduit.setClient(httpClientPolicy);
}
Also used : HTTPConduit(org.apache.cxf.transport.http.HTTPConduit) HTTPClientPolicy(org.apache.cxf.transports.http.configuration.HTTPClientPolicy)

Example 65 with HTTPConduit

use of org.apache.cxf.transport.http.HTTPConduit in project ddf by codice.

the class SecureCxfClientFactoryImpl method configureConduit.

@SuppressWarnings("squid:S3776")
private void configureConduit(ClientConfiguration clientConfig) {
    HTTPConduit httpConduit = clientConfig.getHttpConduit();
    if (httpConduit == null) {
        LOGGER.info("HTTPConduit was null for {}. Unable to configure security.", this);
        return;
    }
    if (allowRedirects) {
        HTTPClientPolicy clientPolicy = httpConduit.getClient();
        if (clientPolicy != null) {
            clientPolicy.setAutoRedirect(true);
            Bus bus = clientConfig.getBus();
            if (bus != null) {
                bus.getProperties().put(AUTO_REDIRECT_ALLOW_REL_URI, true);
                bus.getProperties().put(AUTO_REDIRECT_MAX_SAME_URI_COUNT, getSameUriRedirectMax());
            }
        }
    }
    TLSClientParameters tlsParams = httpConduit.getTlsClientParameters();
    if (tlsParams == null) {
        tlsParams = new TLSClientParameters();
    }
    tlsParams.setDisableCNCheck(disableCnCheck);
    tlsParams.setUseHttpsURLConnectionDefaultHostnameVerifier(!disableCnCheck);
    String cipherSuites = System.getProperty("https.cipherSuites");
    if (cipherSuites != null) {
        tlsParams.setCipherSuites(Arrays.asList(cipherSuites.split(",")));
    }
    KeyStore keyStore = null;
    KeyStore trustStore = null;
    try {
        keyStore = SecurityConstants.newKeystore();
        trustStore = SecurityConstants.newTruststore();
    } catch (KeyStoreException e) {
        LOGGER.debug("Unable to create keystore instance of type {}", System.getProperty(SecurityConstants.KEYSTORE_TYPE), e);
    }
    Path keyStoreFile;
    if (keyInfo != null && keyInfo.getKeystorePath() != null) {
        keyStoreFile = keyInfo.getKeystorePath();
    } else {
        keyStoreFile = Paths.get(SecurityConstants.getKeystorePath());
    }
    Path trustStoreFile = Paths.get(SecurityConstants.getTruststorePath());
    String ddfHome = System.getProperty("ddf.home");
    if (ddfHome != null) {
        Path ddfHomePath = Paths.get(ddfHome);
        if (!keyStoreFile.isAbsolute()) {
            keyStoreFile = Paths.get(ddfHomePath.toString(), keyStoreFile.toString());
        }
        if (!trustStoreFile.isAbsolute()) {
            trustStoreFile = Paths.get(ddfHomePath.toString(), trustStoreFile.toString());
        }
    }
    String keyStorePassword = SecurityConstants.getKeystorePassword();
    String trustStorePassword = SecurityConstants.getTruststorePassword();
    if (!Files.isReadable(keyStoreFile) || !Files.isReadable(trustStoreFile)) {
        LOGGER.debug("Unable to read system key/trust store files: [ {} ] [ {} ]", keyStoreFile, trustStoreFile);
        return;
    }
    try (InputStream kfis = Files.newInputStream(keyStoreFile)) {
        if (keyStore != null) {
            keyStore.load(kfis, keyStorePassword.toCharArray());
        }
    } catch (NoSuchAlgorithmException | CertificateException | IOException e) {
        LOGGER.debug("Unable to load system key file.", e);
    }
    try (InputStream tfis = Files.newInputStream(trustStoreFile)) {
        if (trustStore != null) {
            trustStore.load(tfis, trustStorePassword.toCharArray());
        }
    } catch (NoSuchAlgorithmException | CertificateException | IOException e) {
        LOGGER.debug("Unable to load system trust file.", e);
    }
    KeyManager[] keyManagers = null;
    try {
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, keyStorePassword.toCharArray());
        keyManagers = keyManagerFactory.getKeyManagers();
        tlsParams.setKeyManagers(keyManagers);
    } catch (NoSuchAlgorithmException | KeyStoreException | UnrecoverableKeyException e) {
        LOGGER.debug("Unable to initialize KeyManagerFactory.", e);
    }
    TrustManager[] trustManagers = null;
    try {
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        trustManagers = trustManagerFactory.getTrustManagers();
        tlsParams.setTrustManagers(trustManagers);
    } catch (NoSuchAlgorithmException | KeyStoreException e) {
        LOGGER.debug("Unable to initialize TrustManagerFactory.", e);
    }
    if (keyInfo != null) {
        LOGGER.trace("Using keystore file: {}, alias: {}", keyStoreFile, keyInfo.getAlias());
        tlsParams.setUseHttpsURLConnectionDefaultSslSocketFactory(false);
        tlsParams.setCertAlias(keyInfo.getAlias());
        try {
            if (keyManagers == null) {
                throw new KeyManagementException("keyManagers was null");
            }
            boolean validProtocolFound = false;
            String validProtocolsStr = System.getProperty("jdk.tls.client.protocols");
            if (StringUtils.isNotBlank(validProtocolsStr)) {
                String[] validProtocols = validProtocolsStr.split(",");
                for (String validProtocol : validProtocols) {
                    if (validProtocol.equals(sslProtocol)) {
                        validProtocolFound = true;
                        break;
                    }
                }
                if (!validProtocolFound) {
                    LOGGER.error("{} is not in list of valid SSL protocols {}", sslProtocol, validProtocolsStr);
                }
            } else {
                validProtocolFound = true;
            }
            if (validProtocolFound) {
                tlsParams.setSSLSocketFactory(getSSLSocketFactory(sslProtocol, keyInfo.getAlias(), keyManagers, trustManagers));
            }
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            LOGGER.debug("Unable to override default SSL Socket Factory", e);
        }
    } else {
        tlsParams.setUseHttpsURLConnectionDefaultSslSocketFactory(true);
        tlsParams.setCertAlias(SystemBaseUrl.INTERNAL.getHost());
    }
    httpConduit.setTlsClientParameters(tlsParams);
}
Also used : TLSClientParameters(org.apache.cxf.configuration.jsse.TLSClientParameters) CertificateException(java.security.cert.CertificateException) NoSuchAlgorithmException(java.security.NoSuchAlgorithmException) KeyManagementException(java.security.KeyManagementException) UnrecoverableKeyException(java.security.UnrecoverableKeyException) X509KeyManager(javax.net.ssl.X509KeyManager) KeyManager(javax.net.ssl.KeyManager) Path(java.nio.file.Path) Bus(org.apache.cxf.Bus) InputStream(java.io.InputStream) KeyStoreException(java.security.KeyStoreException) IOException(java.io.IOException) KeyStore(java.security.KeyStore) KeyManagerFactory(javax.net.ssl.KeyManagerFactory) TrustManager(javax.net.ssl.TrustManager) HTTPConduit(org.apache.cxf.transport.http.HTTPConduit) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) HTTPClientPolicy(org.apache.cxf.transports.http.configuration.HTTPClientPolicy)

Aggregations

HTTPConduit (org.apache.cxf.transport.http.HTTPConduit)125 Client (org.apache.cxf.endpoint.Client)52 HTTPClientPolicy (org.apache.cxf.transports.http.configuration.HTTPClientPolicy)47 Test (org.junit.Test)42 URL (java.net.URL)35 Bus (org.apache.cxf.Bus)32 TLSClientParameters (org.apache.cxf.configuration.jsse.TLSClientParameters)32 QName (javax.xml.namespace.QName)22 SpringBusFactory (org.apache.cxf.bus.spring.SpringBusFactory)20 Service (javax.xml.ws.Service)16 KeyStore (java.security.KeyStore)15 AuthorizationPolicy (org.apache.cxf.configuration.security.AuthorizationPolicy)15 Greeter (org.apache.hello_world.Greeter)14 SOAPService (org.apache.hello_world.services.SOAPService)14 TrustManager (javax.net.ssl.TrustManager)13 IOException (java.io.IOException)12 TrustManagerFactory (javax.net.ssl.TrustManagerFactory)11 InputStream (java.io.InputStream)8 X509TrustManager (javax.net.ssl.X509TrustManager)8 BindingProvider (javax.xml.ws.BindingProvider)8