Examples with SslContextBuilder org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContextBuilder used on opensource projects

Example 11 with SslContextBuilder

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContextBuilder in project java-driver by datastax.

the class Jdk8SSLEncryptionTest method should_pass_peer_address_to_engine.

/**
 * Validates that {@link RemoteEndpointAwareSSLOptions} implementations properly pass remote endpoint information
 * to the underlying {@link SSLEngine} that is created.  This is done by creating a custom {@link TrustManagerFactory}
 * that inspects the peer information on the {@link SSLEngine} in
 * {@link X509ExtendedTrustManager#checkServerTrusted(X509Certificate[], String, SSLEngine)} and throws a
 * {@link CertificateException} if the peer host or port do not match.
 * <p>
 * This test is prefixed with 'Jdk8' so it only runs against JDK 8+ runtimes.  This is required because
 * X509ExtendedTrustManager was added in JDK 7.  Technically this would also run against JDK 7, but for simplicity
 * we only run it against 8+.
 *
 * @test_category connection:ssl
 * @jira_ticket JAVA-1364
 * @since 3.2.0
 */
@Test(groups = "short", dataProvider = "sslImplementation", dataProviderClass = SSLTestBase.class)
public void should_pass_peer_address_to_engine(SslImplementation sslImplementation) throws Exception {
    String expectedPeerHost = TestUtils.IP_PREFIX + "1";
    int expectedPeerPort = ccm().getBinaryPort();
    EngineInspectingTrustManagerFactory tmf = new EngineInspectingTrustManagerFactory(expectedPeerHost, expectedPeerPort);
    SSLOptions options = null;
    switch(sslImplementation) {
        case JDK:
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(null, tmf.getTrustManagers(), new SecureRandom());
            SSLParameters parameters = sslContext.getDefaultSSLParameters();
            parameters.setEndpointIdentificationAlgorithm("HTTPS");
            options = RemoteEndpointAwareJdkSSLOptions.builder().withSSLContext(sslContext).build();
            break;
        case NETTY_OPENSSL:
            SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(OPENSSL).trustManager(tmf);
            options = new RemoteEndpointAwareNettySSLOptions(builder.build());
    }
    connectWithSSLOptions(options);
}

Example 12 with SslContextBuilder

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContextBuilder in project java-driver by datastax.

the class SSLTestBase method getSSLOptions.

/**
 * @param sslImplementation the SSL implementation to use
 * @param clientAuth        whether the client should authenticate
 * @param trustingServer    whether the client should trust the server's certificate
 * @return {@link com.datastax.driver.core.SSLOptions} with the given configuration for
 * server certificate validation and client certificate authentication.
 */
public SSLOptions getSSLOptions(SslImplementation sslImplementation, boolean clientAuth, boolean trustingServer) throws Exception {
    TrustManagerFactory tmf = null;
    if (trustingServer) {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(this.getClass().getResourceAsStream(CCMBridge.DEFAULT_CLIENT_TRUSTSTORE_PATH), CCMBridge.DEFAULT_CLIENT_TRUSTSTORE_PASSWORD.toCharArray());
        tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
    }
    switch(sslImplementation) {
        case JDK:
            KeyManagerFactory kmf = null;
            if (clientAuth) {
                KeyStore ks = KeyStore.getInstance("JKS");
                ks.load(this.getClass().getResourceAsStream(CCMBridge.DEFAULT_CLIENT_KEYSTORE_PATH), CCMBridge.DEFAULT_CLIENT_KEYSTORE_PASSWORD.toCharArray());
                kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                kmf.init(ks, CCMBridge.DEFAULT_CLIENT_KEYSTORE_PASSWORD.toCharArray());
            }
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(kmf != null ? kmf.getKeyManagers() : null, tmf != null ? tmf.getTrustManagers() : null, new SecureRandom());
            return RemoteEndpointAwareJdkSSLOptions.builder().withSSLContext(sslContext).build();
        case NETTY_OPENSSL:
            SslContextBuilder builder = SslContextBuilder.forClient().sslProvider(OPENSSL).trustManager(tmf);
            if (clientAuth) {
                builder.keyManager(CCMBridge.DEFAULT_CLIENT_CERT_CHAIN_FILE, CCMBridge.DEFAULT_CLIENT_PRIVATE_KEY_FILE);
            }
            return new RemoteEndpointAwareNettySSLOptions(builder.build());
        default:
            fail("Unsupported SSL implementation: " + sslImplementation);
            return null;
    }
}

Example 13 with SslContextBuilder

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContextBuilder in project redisson by redisson.

the class RedisChannelInitializer method initSsl.

private void initSsl(final RedisClientConfig config, Channel ch) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, SSLException, UnrecoverableKeyException {
    if (!config.getAddress().isSsl()) {
        return;
    }
    io.netty.handler.ssl.SslProvider provided = io.netty.handler.ssl.SslProvider.JDK;
    if (config.getSslProvider() == SslProvider.OPENSSL) {
        provided = io.netty.handler.ssl.SslProvider.OPENSSL;
    }
    SslContextBuilder sslContextBuilder = SslContextBuilder.forClient().sslProvider(provided);
    sslContextBuilder.protocols(config.getSslProtocols());
    if (config.getSslTruststore() != null) {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream stream = config.getSslTruststore().openStream();
        try {
            char[] password = null;
            if (config.getSslTruststorePassword() != null) {
                password = config.getSslTruststorePassword().toCharArray();
            }
            keyStore.load(stream, password);
        } finally {
            stream.close();
        }
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(keyStore);
        sslContextBuilder.trustManager(trustManagerFactory);
    }
    if (config.getSslKeystore() != null) {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream stream = config.getSslKeystore().openStream();
        char[] password = null;
        if (config.getSslKeystorePassword() != null) {
            password = config.getSslKeystorePassword().toCharArray();
        }
        try {
            keyStore.load(stream, password);
        } finally {
            stream.close();
        }
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, password);
        sslContextBuilder.keyManager(keyManagerFactory);
    }
    SSLParameters sslParams = new SSLParameters();
    if (config.isSslEnableEndpointIdentification()) {
        sslParams.setEndpointIdentificationAlgorithm("HTTPS");
    } else {
        if (config.getSslTruststore() == null) {
            sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE);
        }
    }
    SslContext sslContext = sslContextBuilder.build();
    String hostname = config.getSslHostname();
    if (hostname == null || NetUtil.createByteArrayFromIpAddressString(hostname) != null) {
        hostname = config.getAddress().getHost();
    }
    SSLEngine sslEngine = sslContext.newEngine(ch.alloc(), hostname, config.getAddress().getPort());
    sslEngine.setSSLParameters(sslParams);
    SslHandler sslHandler = new SslHandler(sslEngine);
    ch.pipeline().addLast(sslHandler);
    ch.pipeline().addLast(new ChannelInboundHandlerAdapter() {

        volatile boolean sslInitDone;

        @Override
        public void channelActive(ChannelHandlerContext ctx) throws Exception {
            if (sslInitDone) {
                super.channelActive(ctx);
            }
        }

        @Override
        public void userEventTriggered(ChannelHandlerContext ctx, Object evt) throws Exception {
            if (!sslInitDone && (evt instanceof SslHandshakeCompletionEvent)) {
                SslHandshakeCompletionEvent e = (SslHandshakeCompletionEvent) evt;
                if (e.isSuccess()) {
                    sslInitDone = true;
                    ctx.fireChannelActive();
                } else {
                    RedisConnection connection = RedisConnection.getFrom(ctx.channel());
                    connection.closeAsync();
                    connection.getConnectionPromise().completeExceptionally(e.cause());
                }
            }
            super.userEventTriggered(ctx, evt);
        }
    });
}

Example 14 with SslContextBuilder

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContextBuilder in project flink by apache.

the class SSLUtils method createInternalNettySSLContext.

/**
 * Creates the SSL Context for internal SSL, if internal SSL is configured. For internal SSL,
 * the client and server side configuration are identical, because of mutual authentication.
 */
@Nullable
private static SslContext createInternalNettySSLContext(Configuration config, boolean clientMode, SslProvider provider) throws Exception {
    checkNotNull(config, "config");
    if (!SecurityOptions.isInternalSSLEnabled(config)) {
        return null;
    }
    String[] sslProtocols = getEnabledProtocols(config);
    List<String> ciphers = Arrays.asList(getEnabledCipherSuites(config));
    int sessionCacheSize = config.getInteger(SecurityOptions.SSL_INTERNAL_SESSION_CACHE_SIZE);
    int sessionTimeoutMs = config.getInteger(SecurityOptions.SSL_INTERNAL_SESSION_TIMEOUT);
    KeyManagerFactory kmf = getKeyManagerFactory(config, true, provider);
    TrustManagerFactory tmf = getTrustManagerFactory(config, true);
    ClientAuth clientAuth = ClientAuth.REQUIRE;
    final SslContextBuilder sslContextBuilder;
    if (clientMode) {
        sslContextBuilder = SslContextBuilder.forClient().keyManager(kmf);
    } else {
        sslContextBuilder = SslContextBuilder.forServer(kmf);
    }
    return sslContextBuilder.sslProvider(provider).protocols(sslProtocols).ciphers(ciphers).trustManager(tmf).clientAuth(clientAuth).sessionCacheSize(sessionCacheSize).sessionTimeout(sessionTimeoutMs / 1000).build();
}

Example 15 with SslContextBuilder

use of org.apache.flink.shaded.netty4.io.netty.handler.ssl.SslContextBuilder in project pinpoint by naver.

the class SslContextFactory method create.

public static SslContext create(SslClientConfig clientConfig) throws SSLException {
    Objects.requireNonNull(clientConfig, "clientConfig");
    if (!clientConfig.isEnable()) {
        throw new IllegalArgumentException("sslConfig is disabled.");
    }
    SslProvider sslProvider = getSslProvider(clientConfig.getSslProviderType());
    SslContextBuilder sslContextBuilder = null;
    try {
        sslContextBuilder = SslContextBuilder.forClient();
        Resource trustCertResource = clientConfig.getTrustCertResource();
        if (trustCertResource != null) {
            sslContextBuilder.trustManager(trustCertResource.getInputStream());
        } else {
            // Loads default Root CA certificates (generally, from JAVA_HOME/lib/cacerts)
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init((KeyStore) null);
            sslContextBuilder.trustManager(trustManagerFactory);
        }
        SslContext sslContext = createSslContext(sslContextBuilder, sslProvider);
        assertValidCipherSuite(sslContext);
        return sslContext;
    } catch (SSLException e) {
        throw e;
    } catch (Exception e) {
        throw new SSLException(e);
    }
}