
Example 1 with SSLContextDetails

use of org.apache.synapse.transport.http.conn.SSLContextDetails in project wso2-synapse by wso2.

Method parseSSL of class ClientConnFactoryBuilder (client-side TLS settings for the outbound transport).

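/**
 * Builds the client-side TLS configuration from the outbound transport parameters.
 * <p>
 * Reads the {@code keystore}, {@code truststore}, {@code novalidatecert}, {@code HostnameVerifier},
 * {@code CertificateRevocationVerifier}, {@code HttpsProtocols} and preferred-ciphers parameters,
 * creates the {@link SSLContext} and the {@code ClientSSLSetupHandler}, stores them in {@code ssl}
 * and fills {@code sslByHostMap} with any per-host contexts.
 * <p>
 * Security-relevant settings that weaken validation ({@code novalidatecert} without a truststore,
 * {@code HostnameVerifier=AllowAll}) are logged at WARN so they cannot go unnoticed in production.
 *
 * @return this builder, for chaining
 * @throws AxisFault if the SSL context cannot be created from the configuration
 */
public ClientConnFactoryBuilder parseSSL() throws AxisFault {
    Parameter keyParam = transportOut.getParameter("keystore");
    Parameter trustParam = transportOut.getParameter("truststore");
    Parameter httpsProtocolsParam = transportOut.getParameter("HttpsProtocols");
    Parameter preferredCiphersParam = transportOut.getParameter(NhttpConstants.PREFERRED_CIPHERS);
    OMElement ksEle = null;
    OMElement tsEle = null;
    if (keyParam != null) {
        ksEle = keyParam.getParameterElement().getFirstElement();
    }
    boolean novalidatecert = ParamUtils.getOptionalParamBoolean(transportOut, "novalidatecert", false);
    if (trustParam != null) {
        if (novalidatecert && log.isWarnEnabled()) {
            log.warn(name + " Ignoring novalidatecert parameter since a truststore has been specified");
        }
        tsEle = trustParam.getParameterElement().getFirstElement();
    } else if (novalidatecert && log.isWarnEnabled()) {
        // No truststore and novalidatecert=true: the flag is honoured by createSSLContext, i.e. the
        // peer certificate chain is not validated. Make the weakened trust model visible in the log.
        log.warn(name + " novalidatecert is enabled and no truststore is configured; "
                + "server certificates will not be validated - do not use this in production");
    }
    SSLContext sslContext = createSSLContext(ksEle, tsEle, novalidatecert);

    // Hostname verification policy; anything but the three named modes falls back to DEFAULT.
    final Parameter hvp = transportOut.getParameter("HostnameVerifier");
    final String hvs = hvp != null && hvp.getValue() != null ? hvp.getValue().toString().trim() : null;
    final X509HostnameVerifier hostnameVerifier;
    if ("Strict".equalsIgnoreCase(hvs)) {
        hostnameVerifier = ClientSSLSetupHandler.STRICT;
    } else if ("AllowAll".equalsIgnoreCase(hvs)) {
        hostnameVerifier = ClientSSLSetupHandler.ALLOW_ALL;
        if (log.isWarnEnabled()) {
            log.warn(name + " HostnameVerifier is set to AllowAll; the peer certificate will not be "
                    + "matched against the target host name");
        }
    } else if ("DefaultAndLocalhost".equalsIgnoreCase(hvs)) {
        hostnameVerifier = ClientSSLSetupHandler.DEFAULT_AND_LOCALHOST;
    } else {
        if (hvs != null && hvs.length() != 0 && log.isWarnEnabled()) {
            // A misspelt value should not silently pick a policy the operator did not intend.
            log.warn(name + " Unrecognised HostnameVerifier value '" + hvs + "'; using Default");
        }
        hostnameVerifier = ClientSSLSetupHandler.DEFAULT;
    }

    // Optional certificate revocation verification (CRL/OCSP manager with a cache).
    final Parameter cvp = transportOut.getParameter("CertificateRevocationVerifier");
    RevocationVerificationManager revocationVerifier = null;
    if (cvp != null && cvp.getParameterElement() != null) {
        OMElement cvEl = cvp.getParameterElement();
        // getAttributeValue returns null when the attribute is absent (no NPE, unlike getAttribute().getAttributeValue()).
        final String cvEnable = cvEl.getAttributeValue(new QName("enable"));
        if ("true".equalsIgnoreCase(cvEnable)) {
            Integer cacheSize = parseRevocationCacheSetting(cvEl, "CacheSize");
            Integer cacheDelay = parseRevocationCacheSetting(cvEl, "CacheDelay");
            revocationVerifier = new RevocationVerificationManager(cacheSize, cacheDelay);
        }
    }

    // Process HttpsProtocols (e.g. "TLSv1.2,TLSv1.3"); null means "not configured".
    OMElement httpsProtocolsEl = httpsProtocolsParam != null ? httpsProtocolsParam.getParameterElement() : null;
    String[] httpsProtocols = parseCommaSeparatedList(httpsProtocolsEl != null ? httpsProtocolsEl.getText() : null);

    // Initiated separately to cater setting https protocols
    ClientSSLSetupHandler clientSSLSetupHandler = new ClientSSLSetupHandler(hostnameVerifier, revocationVerifier);
    if (null != httpsProtocols) {
        clientSSLSetupHandler.setHttpsProtocols(httpsProtocols);
    }

    // Process preferred ciphers; only applied when configured.
    OMElement preferredCiphersEl = preferredCiphersParam != null ? preferredCiphersParam.getParameterElement() : null;
    String[] preferredCiphers = parseCommaSeparatedList(preferredCiphersEl != null ? preferredCiphersEl.getText() : null);
    if (null != preferredCiphers) {
        clientSSLSetupHandler.setPreferredCiphers(preferredCiphers);
    }

    ssl = new SSLContextDetails(sslContext, clientSSLSetupHandler);
    sslByHostMap = getCustomSSLContexts(transportOut);
    return this;
}

/**
 * Reads an optional integer child ({@code CacheSize} / {@code CacheDelay}) of the
 * {@code CertificateRevocationVerifier} element.
 * <p>
 * Returns null when the child is absent, blank or not an integer. The malformed case is logged
 * instead of being swallowed, so a typo in the configuration is not invisible. What the
 * {@code RevocationVerificationManager} does with a null value is not visible here
 * (presumably an internal default - confirm against that class).
 *
 * @param cvEl      the CertificateRevocationVerifier element
 * @param childName local name of the integer child to read
 * @return the parsed value, or null if absent/invalid
 */
private Integer parseRevocationCacheSetting(OMElement cvEl, String childName) {
    OMElement child = cvEl.getFirstChildWithName(new QName(childName));
    if (child == null) {
        return null;
    }
    String text = child.getText();
    if (text == null || text.trim().length() == 0) {
        return null;
    }
    try {
        return Integer.valueOf(text.trim());
    } catch (NumberFormatException e) {
        if (log.isWarnEnabled()) {
            log.warn(name + " Invalid " + childName + " value '" + text
                    + "' for CertificateRevocationVerifier; ignoring it");
        }
        return null;
    }
}

/**
 * Splits a comma-separated configuration value into its trimmed, non-blank entries.
 *
 * @param configured the raw configuration text, may be null
 * @return the entries (possibly an empty array when the text contained only separators),
 *         or null when the text is null or blank so callers can keep "null means not configured"
 */
private String[] parseCommaSeparatedList(String configured) {
    if (configured == null || configured.trim().length() == 0) {
        return null;
    }
    List<String> entries = new ArrayList<String>();
    for (String entry : configured.trim().split(",")) {
        String trimmed = entry.trim();
        if (trimmed.length() != 0) {
            entries.add(trimmed);
        }
    }
    return entries.toArray(new String[entries.size()]);
}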
Also used : ClientSSLSetupHandler(org.apache.synapse.transport.http.conn.ClientSSLSetupHandler) SSLContextDetails(org.apache.synapse.transport.http.conn.SSLContextDetails) QName(javax.xml.namespace.QName) ArrayList(java.util.ArrayList) OMElement(org.apache.axiom.om.OMElement) SSLContext(javax.net.ssl.SSLContext) X509HostnameVerifier(org.apache.http.conn.ssl.X509HostnameVerifier) Parameter(org.apache.axis2.description.Parameter) RevocationVerificationManager(org.apache.synapse.transport.certificatevalidation.RevocationVerificationManager)

Example 2 with SSLContextDetails

use of org.apache.synapse.transport.http.conn.SSLContextDetails in project wso2-synapse by wso2.

Method createSSLContext of class ServerConnFactoryBuilder (builds one server-side SSL context from key store, trust store and client-auth settings).

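/**
 * Creates a server-side {@link SSLContextDetails} from one set of TLS configuration elements.
 * <p>
 * The key store (server identity) and trust store (accepted client CAs) are optional; when the
 * trust store is omitted the JSSE default trust managers are used by {@link SSLContext#init}.
 * The {@code ServerSSLSetupHandler} is only created when there is something for it to apply
 * (client-auth mode, protocol list, cipher list or a revocation verifier).
 *
 * @param keyStoreEl          {@code KeyStore} element with Location/Type/Password/KeyPassword children, or null
 * @param trustStoreEl        {@code TrustStore} element with Location/Type/Password children, or null
 * @param cientAuthEl         {@code SSLVerifyClient} element whose text is "optional" or "require", or null
 * @param httpsProtocolsEl    comma-separated enabled protocols, or null
 * @param preferredCiphersEl  comma-separated preferred cipher suites, or null
 * @param verificationManager certificate revocation verifier to apply to client certificates, or null
 * @param sslProtocol         {@link SSLContext#getInstance(String)} name; null falls back to "TLS"
 * @return the context and its setup handler (handler may be null)
 * @throws AxisFault if a store cannot be opened or loaded, a password is missing,
 *                   or the SSL context cannot be initialised
 */
protected SSLContextDetails createSSLContext(final OMElement keyStoreEl, final OMElement trustStoreEl, final OMElement cientAuthEl, final OMElement httpsProtocolsEl, final OMElement preferredCiphersEl, final RevocationVerificationManager verificationManager, final String sslProtocol) throws AxisFault {
    KeyManager[] keymanagers = null;
    TrustManager[] trustManagers = null;
    if (keyStoreEl != null) {
        String location = getValueOfElementWithLocalName(keyStoreEl, "Location");
        String type = getValueOfElementWithLocalName(keyStoreEl, "Type");
        String storePassword = getValueOfElementWithLocalName(keyStoreEl, "Password");
        String keyPassword = getValueOfElementWithLocalName(keyStoreEl, "KeyPassword");
        // NOTE(review): assumes getValueOfElementWithLocalName returns null for a missing child - confirm.
        if (keyPassword == null) {
            String msg = "KeyPassword is not specified for Key store : " + location;
            log.error(name + " " + msg);
            throw new AxisFault(msg);
        }
        if (log.isDebugEnabled()) {
            log.debug(name + " Loading Identity Keystore from : " + location);
        }
        KeyStore keyStore = loadStoreFromFile(location, type, storePassword, "Key store");
        try {
            KeyManagerFactory kmfactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmfactory.init(keyStore, keyPassword.toCharArray());
            keymanagers = kmfactory.getKeyManagers();
            if (log.isDebugEnabled() && keymanagers != null) {
                logCertificateChains(keyStore, keymanagers);
            }
        } catch (GeneralSecurityException gse) {
            log.error(name + " Error loading Key store : " + location, gse);
            throw new AxisFault("Error loading Key store : " + location, gse);
        }
    }
    if (trustStoreEl != null) {
        String location = getValueOfElementWithLocalName(trustStoreEl, "Location");
        String type = getValueOfElementWithLocalName(trustStoreEl, "Type");
        String storePassword = getValueOfElementWithLocalName(trustStoreEl, "Password");
        if (log.isDebugEnabled()) {
            log.debug(name + " Loading Trust Keystore from : " + location);
        }
        KeyStore trustStore = loadStoreFromFile(location, type, storePassword, "Trust store");
        try {
            TrustManagerFactory trustManagerfactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerfactory.init(trustStore);
            trustManagers = trustManagerfactory.getTrustManagers();
        } catch (GeneralSecurityException gse) {
            // Was reported as "Key store" before, which sent operators to the wrong file.
            log.error(name + " Error loading Trust store : " + location, gse);
            throw new AxisFault("Error loading Trust store : " + location, gse);
        }
    }

    // Client certificate verification mode. An unrecognised value means "off", so say so loudly:
    // a typo such as "required" must not silently disable client authentication.
    final String clientAuthValue = cientAuthEl != null && cientAuthEl.getText() != null ? cientAuthEl.getText().trim() : null;
    final SSLClientAuth clientAuth;
    if ("optional".equalsIgnoreCase(clientAuthValue)) {
        clientAuth = SSLClientAuth.OPTIONAL;
    } else if ("require".equalsIgnoreCase(clientAuthValue)) {
        clientAuth = SSLClientAuth.REQUIRED;
    } else {
        clientAuth = null;
        if (clientAuthValue != null && clientAuthValue.length() != 0 && log.isWarnEnabled()) {
            log.warn(name + " Unrecognised SSLVerifyClient value '" + clientAuthValue
                    + "'; expected 'optional' or 'require'. Client certificate verification is NOT enabled");
        }
    }

    String[] httpsProtocols = parseCommaSeparatedList(httpsProtocolsEl != null ? httpsProtocolsEl.getText() : null);
    String[] preferredCiphers = parseCommaSeparatedList(preferredCiphersEl != null ? preferredCiphersEl.getText() : null);

    try {
        final String sslProtocolValue = sslProtocol != null ? sslProtocol : "TLS";
        SSLContext sslContext = SSLContext.getInstance(sslProtocolValue);
        // null SecureRandom: JSSE picks its own default.
        sslContext.init(keymanagers, trustManagers, null);
        // The verifier is now part of the condition: previously a configured revocation verifier
        // was dropped whenever no client-auth/protocol/cipher setting accompanied it.
        final boolean needsHandler = clientAuth != null || httpsProtocols != null
                || preferredCiphers != null || verificationManager != null;
        ServerSSLSetupHandler sslSetupHandler = needsHandler
                ? new ServerSSLSetupHandler(clientAuth, httpsProtocols, verificationManager, preferredCiphers)
                : null;
        return new SSLContextDetails(sslContext, sslSetupHandler);
    } catch (GeneralSecurityException gse) {
        log.error(name + " Unable to create SSL context with the given configuration", gse);
        throw new AxisFault("Unable to create SSL context with the given configuration", gse);
    }
}

/**
 * Opens {@code location} and loads it into a {@link KeyStore} of the given type.
 * The stream is always closed; failures are reported as {@link AxisFault} with the cause kept.
 *
 * @param location      file path of the store
 * @param type          {@link KeyStore#getInstance(String)} type, e.g. "JKS"
 * @param storePassword integrity password; a missing password is rejected here with a clear
 *                      message instead of failing with a NullPointerException
 * @param label         "Key store" / "Trust store", only used in log and fault messages
 * @return the loaded store
 * @throws AxisFault if the password is missing or the store cannot be opened or loaded
 */
private KeyStore loadStoreFromFile(String location, String type, String storePassword, String label) throws AxisFault {
    if (storePassword == null) {
        String msg = "Password is not specified for " + label + " : " + location;
        log.error(name + " " + msg);
        throw new AxisFault(msg);
    }
    FileInputStream fis = null;
    try {
        KeyStore store = KeyStore.getInstance(type);
        fis = new FileInputStream(location);
        store.load(fis, storePassword.toCharArray());
        return store;
    } catch (GeneralSecurityException gse) {
        log.error(name + " Error loading " + label + " : " + location, gse);
        throw new AxisFault("Error loading " + label + " : " + location, gse);
    } catch (IOException ioe) {
        log.error(name + " Error opening " + label + " : " + location, ioe);
        throw new AxisFault("Error opening " + label + " : " + location, ioe);
    } finally {
        if (fis != null) {
            try {
                fis.close();
            } catch (IOException ignored) {
                // Best effort: the store is already loaded (or we are already propagating a fault).
            }
        }
    }
}

/**
 * Debug aid: logs subject and issuer DN of every certificate chain the X.509 key managers
 * can serve for the aliases in {@code keyStore}. Caller guards with {@code log.isDebugEnabled()}.
 *
 * @throws GeneralSecurityException if the store's aliases cannot be enumerated
 */
private void logCertificateChains(KeyStore keyStore, KeyManager[] keymanagers) throws GeneralSecurityException {
    for (KeyManager keymanager : keymanagers) {
        if (!(keymanager instanceof X509KeyManager)) {
            continue;
        }
        X509KeyManager x509keymanager = (X509KeyManager) keymanager;
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            X509Certificate[] certs = x509keymanager.getCertificateChain(aliases.nextElement());
            if (certs == null) {
                continue;
            }
            for (X509Certificate cert : certs) {
                log.debug(name + " Subject DN: " + cert.getSubjectDN());
                log.debug(name + " Issuer DN: " + cert.getIssuerDN());
            }
        }
    }
}

/**
 * Splits a comma-separated configuration value into its trimmed, non-blank entries.
 *
 * @param configured the raw configuration text, may be null
 * @return the entries (possibly an empty array when the text contained only separators),
 *         or null when the text is null or blank so callers can keep "null means not configured"
 */
private String[] parseCommaSeparatedList(String configured) {
    if (configured == null || configured.trim().length() == 0) {
        return null;
    }
    List<String> entries = new ArrayList<String>();
    for (String entry : configured.trim().split(",")) {
        String trimmed = entry.trim();
        if (trimmed.length() != 0) {
            entries.add(trimmed);
        }
    }
    return entries.toArray(new String[entries.size()]);
}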
Also used : AxisFault(org.apache.axis2.AxisFault) SSLContextDetails(org.apache.synapse.transport.http.conn.SSLContextDetails) GeneralSecurityException(java.security.GeneralSecurityException) SSLClientAuth(org.apache.synapse.transport.http.conn.SSLClientAuth) ArrayList(java.util.ArrayList) IOException(java.io.IOException) SSLContext(javax.net.ssl.SSLContext) KeyStore(java.security.KeyStore) FileInputStream(java.io.FileInputStream) X509Certificate(java.security.cert.X509Certificate) TrustManager(javax.net.ssl.TrustManager) KeyManagerFactory(javax.net.ssl.KeyManagerFactory) ServerSSLSetupHandler(org.apache.synapse.transport.http.conn.ServerSSLSetupHandler) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) X509KeyManager(javax.net.ssl.X509KeyManager) X509KeyManager(javax.net.ssl.X509KeyManager) KeyManager(javax.net.ssl.KeyManager)

Example 3 with SSLContextDetails

use of org.apache.synapse.transport.http.conn.SSLContextDetails in project wso2-synapse by wso2.

Method parseMultiProfileSSL of class ServerConnFactoryBuilder (one SSL context per configured bind address).

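/**
 * Builds one {@link SSLContextDetails} per {@code SSLProfiles/profile} element and indexes it by
 * the profile's bind address (plus the transport port) in {@code sslByIPMap}.
 * <p>
 * Returns without doing anything when {@link #loadMultiProfileSSLConfig()} yields null
 * (no multi-profile configuration). Each profile must carry a {@code bindAddress}; duplicates
 * are allowed but the later profile wins, which is logged at WARN.
 *
 * @return this builder, for chaining
 * @throws AxisFault if the SSLProfiles parameter is missing, a profile has no bind address,
 *                   or a profile's SSL context cannot be created
 */
public ServerConnFactoryBuilder parseMultiProfileSSL() throws AxisFault {
    TransportInDescription loadedTransportIn = loadMultiProfileSSLConfig();
    if (loadedTransportIn == null) {
        return this;
    }
    // NOTE(review): the loaded description is only null-checked; profiles are read from the
    // transportIn field, presumably populated by loadMultiProfileSSLConfig - confirm.
    Parameter profileParam = transportIn.getParameter("SSLProfiles");
    OMElement profilesEl = profileParam != null ? profileParam.getParameterElement() : null;
    if (profilesEl == null) {
        String msg = "Multi-profile SSL configuration is enabled but no SSLProfiles parameter was found";
        log.error(name + " " + msg);
        throw new AxisFault(msg);
    }
    // SSLProtocol is transport-wide, not per profile: resolve it once instead of per iteration.
    final Parameter sslpParameter = transportIn.getParameter("SSLProtocol");
    final String sslProtocol = sslpParameter != null && sslpParameter.getValue() != null
            ? sslpParameter.getValue().toString() : "TLS";

    Iterator<?> profiles = profilesEl.getChildrenWithName(new QName("profile"));
    while (profiles.hasNext()) {
        OMElement profileEl = (OMElement) profiles.next();
        OMElement bindAddressEl = profileEl.getFirstChildWithName(new QName("bindAddress"));
        if (bindAddressEl == null) {
            String msg = "SSL profile must define a bind address";
            log.error(name + " " + msg);
            throw new AxisFault(msg);
        }
        String bindAddress = bindAddressEl.getText().trim();
        InetSocketAddress address = new InetSocketAddress(bindAddress, host.getPort());
        if (address.isUnresolved() && log.isWarnEnabled()) {
            // InetSocketAddress resolves eagerly; an unresolvable name yields an "unresolved" key
            // that will never equal a resolved socket address, so this profile would be unreachable.
            log.warn(name + " SSL profile bind address '" + bindAddress + "' could not be resolved; "
                    + "the profile may never be selected");
        }
        OMElement keyStoreEl = profileEl.getFirstChildWithName(new QName("KeyStore"));
        OMElement trustStoreEl = profileEl.getFirstChildWithName(new QName("TrustStore"));
        OMElement clientAuthEl = profileEl.getFirstChildWithName(new QName("SSLVerifyClient"));
        OMElement httpsProtocolsEl = profileEl.getFirstChildWithName(new QName("HttpsProtocols"));
        OMElement preferredCiphersEl = profileEl.getFirstChildWithName(new QName(NhttpConstants.PREFERRED_CIPHERS));
        // No revocation verifier is wired for per-profile contexts here; whether the transport-wide
        // CertificateRevocationVerifier is meant to apply to them is not visible from this method.
        SSLContextDetails ssl = createSSLContext(keyStoreEl, trustStoreEl, clientAuthEl, httpsProtocolsEl, preferredCiphersEl, null, sslProtocol);
        if (sslByIPMap == null) {
            sslByIPMap = new HashMap<InetSocketAddress, SSLContextDetails>();
        }
        if (sslByIPMap.put(address, ssl) != null && log.isWarnEnabled()) {
            log.warn(name + " Duplicate SSL profile for bind address '" + bindAddress
                    + "'; the later profile replaces the earlier one");
        }
    }
    return this;
}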
Also used : AxisFault(org.apache.axis2.AxisFault) SSLContextDetails(org.apache.synapse.transport.http.conn.SSLContextDetails) QName(javax.xml.namespace.QName) InetSocketAddress(java.net.InetSocketAddress) Parameter(org.apache.axis2.description.Parameter) OMElement(org.apache.axiom.om.OMElement) TransportInDescription(org.apache.axis2.description.TransportInDescription)

Aggregations

SSLContextDetails (org.apache.synapse.transport.http.conn.SSLContextDetails)3 ArrayList (java.util.ArrayList)2 SSLContext (javax.net.ssl.SSLContext)2 QName (javax.xml.namespace.QName)2 OMElement (org.apache.axiom.om.OMElement)2 AxisFault (org.apache.axis2.AxisFault)2 Parameter (org.apache.axis2.description.Parameter)2 FileInputStream (java.io.FileInputStream)1 IOException (java.io.IOException)1 InetSocketAddress (java.net.InetSocketAddress)1 GeneralSecurityException (java.security.GeneralSecurityException)1 KeyStore (java.security.KeyStore)1 X509Certificate (java.security.cert.X509Certificate)1 KeyManager (javax.net.ssl.KeyManager)1 KeyManagerFactory (javax.net.ssl.KeyManagerFactory)1 TrustManager (javax.net.ssl.TrustManager)1 TrustManagerFactory (javax.net.ssl.TrustManagerFactory)1 X509KeyManager (javax.net.ssl.X509KeyManager)1 TransportInDescription (org.apache.axis2.description.TransportInDescription)1 X509HostnameVerifier (org.apache.http.conn.ssl.X509HostnameVerifier)1