Use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.ClientAuth in project flink by apache.
The class SSLUtils, method createRestNettySSLContext.
/**
 * Creates the Netty {@link SslContext} for the external REST endpoint.
 *
 * <p>Returns {@code null} when REST SSL is disabled in {@code config}. In client mode the
 * context always trusts the configured trust store and additionally presents the configured
 * key store when {@code clientAuth} is anything other than {@link ClientAuth#NONE}. In server
 * mode the key store is always loaded and the trust store only when client authentication is
 * requested, so with mutual authentication both sides end up with the same material.
 *
 * @param config the Flink configuration holding the REST SSL settings; must not be null
 * @param clientMode {@code true} to build a client-side context, {@code false} for server-side
 * @param clientAuth the client-authentication mode applied to the resulting context
 * @param provider the SSL provider (JDK or OpenSSL) the context is built with
 * @return the configured context, or {@code null} if REST SSL is disabled
 * @throws Exception if the key or trust material cannot be loaded or the context cannot be built
 */
@Nullable
public static SslContext createRestNettySSLContext(Configuration config, boolean clientMode, ClientAuth clientAuth, SslProvider provider) throws Exception {
    checkNotNull(config, "config");
    if (!SecurityOptions.isRestSSLEnabled(config)) {
        return null;
    }

    final String[] protocols = getEnabledProtocols(config);
    final boolean authenticatesClient = clientAuth != ClientAuth.NONE;

    // The "false" flag passed to the key/trust manager helpers presumably selects the
    // external (REST) rather than the internal key/trust store — confirm against those helpers.
    final SslContextBuilder builder;
    if (clientMode) {
        builder = SslContextBuilder.forClient();
        if (authenticatesClient) {
            // Mutual TLS: the client has to present its own certificate as well.
            builder.keyManager(getKeyManagerFactory(config, false, provider));
        }
    } else {
        builder = SslContextBuilder.forServer(getKeyManagerFactory(config, false, provider));
    }

    // Clients always verify the server; servers only verify peers when client auth is on.
    if (clientMode || authenticatesClient) {
        builder.trustManager(getTrustManagerFactory(config, false));
    }

    return builder
            .sslProvider(provider)
            .protocols(protocols)
            .clientAuth(clientAuth)
            .build();
}
Use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.ClientAuth in project flink by apache.
The class SSLUtils, method createRestSSLContext.
/**
 * Creates a JDK {@link SSLContext} for the external REST endpoint.
 *
 * <p>Client authentication is set to {@link ClientAuth#REQUIRE} when REST SSL authentication
 * is enabled in {@code config} and to {@link ClientAuth#NONE} otherwise. The Netty context is
 * always built with the JDK provider so it can be unwrapped into a plain {@link SSLContext}.
 *
 * @param config the Flink configuration holding the REST SSL settings
 * @param clientMode {@code true} for a client-side context, {@code false} for server-side
 * @return the JDK context, or {@code null} if REST SSL is disabled
 * @throws Exception if the underlying Netty context cannot be created
 */
@Nullable
@VisibleForTesting
public static SSLContext createRestSSLContext(Configuration config, boolean clientMode) throws Exception {
    final ClientAuth clientAuth =
            SecurityOptions.isRestSSLAuthenticationEnabled(config) ? ClientAuth.REQUIRE : ClientAuth.NONE;
    // Forcing the JDK provider is what makes the cast below valid.
    final SslContext nettyContext = createRestNettySSLContext(config, clientMode, clientAuth, JDK);
    if (nettyContext == null) {
        return null;
    }
    return ((JdkSslContext) nettyContext).context();
}
Use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.ClientAuth in project graylog2-server by Graylog2.
The class AbstractTcpTransport, method getSslHandlerCallable.
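/**
 * Builds the {@link Callable} that produces the TLS {@link ChannelHandler} for this transport.
 *
 * <p>If both configured files ({@code tlsCertFile} and {@code tlsKeyFile}) exist they are used
 * as-is. Otherwise a self-signed certificate for the configured bind address and port is
 * generated below {@code java.io.tmpdir}; when a key password is configured the generated key is
 * re-written through {@code KeyUtil.generatePKCS8FromPrivateKey} with that password and the
 * original, unprotected key file is deleted. The configured {@code tlsClientAuth} mode is mapped
 * onto the Netty {@link ClientAuth} value.
 *
 * @param input the input this transport belongs to; only used for log and error messages
 * @return a callable producing the SSL handler for the configured TLS provider
 * @throws IllegalStateException if the temp directory is unusable or the self-signed
 *     certificate cannot be created
 * @throws IllegalArgumentException if {@code tlsClientAuth} is not one of the known modes
 */
private Callable<ChannelHandler> getSslHandlerCallable(MessageInput input) {
    final File certFile;
    final File keyFile;
    if (tlsCertFile.exists() && tlsKeyFile.exists()) {
        certFile = tlsCertFile;
        keyFile = tlsKeyFile;
    } else {
        LOG.warn("TLS key file or certificate file does not exist, creating a self-signed certificate for input [{}/{}].", input.getName(), input.getId());
        final String tmpDir = System.getProperty("java.io.tmpdir");
        checkState(tmpDir != null, "The temporary directory must not be null!");
        final Path tmpPath = Paths.get(tmpDir);
        if (!Files.isDirectory(tmpPath) || !Files.isWritable(tmpPath)) {
            throw new IllegalStateException("Couldn't write to temporary directory: " + tmpPath.toAbsolutePath());
        }
        try {
            final SelfSignedCertificate ssc = new SelfSignedCertificate(configuration.getString(CK_BIND_ADDRESS) + ":" + configuration.getString(CK_PORT));
            certFile = ssc.certificate();
            if (!Strings.isNullOrEmpty(tlsKeyPassword)) {
                keyFile = KeyUtil.generatePKCS8FromPrivateKey(tmpPath, tlsKeyPassword.toCharArray(), ssc.key());
                // The key file written by SelfSignedCertificate is not password-protected. Once the
                // PKCS#8 copy exists it must not linger in the temp directory, and File#delete only
                // reports failure through its return value — so check it rather than drop it.
                final File plainKeyFile = ssc.privateKey();
                if (!plainKeyFile.delete()) {
                    LOG.warn("Could not delete unprotected private key file {} for input [{}/{}].", plainKeyFile.getAbsolutePath(), input.getName(), input.getId());
                }
            } else {
                keyFile = ssc.privateKey();
            }
        } catch (GeneralSecurityException e) {
            final String msg = String.format(Locale.ENGLISH, "Problem creating a self-signed certificate for input [%s/%s].", input.getName(), input.getId());
            throw new IllegalStateException(msg, e);
        }
    }

    // Map the configured mode string onto Netty's ClientAuth; unknown values are a config error.
    final ClientAuth clientAuth;
    switch (tlsClientAuth) {
        case TLS_CLIENT_AUTH_DISABLED:
            LOG.debug("Not using TLS client authentication");
            clientAuth = ClientAuth.NONE;
            break;
        case TLS_CLIENT_AUTH_OPTIONAL:
            LOG.debug("Using optional TLS client authentication");
            clientAuth = ClientAuth.OPTIONAL;
            break;
        case TLS_CLIENT_AUTH_REQUIRED:
            LOG.debug("Using mandatory TLS client authentication");
            clientAuth = ClientAuth.REQUIRE;
            break;
        default:
            throw new IllegalArgumentException("Unknown TLS client authentication mode: " + tlsClientAuth);
    }
    return buildSslHandlerCallable(nettyTransportConfiguration.getTlsProvider(), certFile, keyFile, tlsKeyPassword, clientAuth, tlsClientAuthCertFile, input);
}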