
Example 1 with TrustManagerException

use of org.apache.zookeeper.common.X509Exception.TrustManagerException in project zookeeper by apache.

Class X509Util, method createSSLContext.

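/**
 * Builds an {@link SSLContext} for client connections from the keystore and
 * truststore settings in {@code config}.
 *
 * <p>The keystore and the truststore are each optional, but location and
 * password must be given together: if only one half of a pair is set the
 * context is not built and an exception is thrown. When a store is omitted
 * entirely, the corresponding manager array stays {@code null} and is handed
 * to {@link SSLContext#init} as-is (NOTE(review): a null trust manager array
 * makes the JDK fall back to its default trust store — confirm that is the
 * intended behaviour for the truststore case).
 *
 * @param config ZooKeeper configuration supplying the {@code SSL_*} properties
 * @return an initialised SSL context
 * @throws SSLContextException if a store is half-configured, a key or trust
 *     manager cannot be created, or the context cannot be initialised
 */
public static SSLContext createSSLContext(ZKConfig config) throws SSLContextException {
    KeyManager[] keyManagers = null;
    TrustManager[] trustManagers = null;

    String keyStoreLocationProp = config.getProperty(ZKConfig.SSL_KEYSTORE_LOCATION);
    String keyStorePasswordProp = config.getProperty(ZKConfig.SSL_KEYSTORE_PASSWD);
    if (keyStoreLocationProp == null && keyStorePasswordProp == null) {
        LOG.warn("keystore not specified for client connection");
    } else {
        // A half-configured keystore is an error, not a silent fallback.
        if (keyStoreLocationProp == null) {
            throw new SSLContextException("keystore location not specified for client connection");
        }
        if (keyStorePasswordProp == null) {
            throw new SSLContextException("keystore password not specified for client connection");
        }
        try {
            keyManagers = new KeyManager[] { createKeyManager(keyStoreLocationProp, keyStorePasswordProp) };
        } catch (KeyManagerException e) {
            throw new SSLContextException("Failed to create KeyManager", e);
        }
    }

    String trustStoreLocationProp = config.getProperty(ZKConfig.SSL_TRUSTSTORE_LOCATION);
    String trustStorePasswordProp = config.getProperty(ZKConfig.SSL_TRUSTSTORE_PASSWD);
    if (trustStoreLocationProp == null && trustStorePasswordProp == null) {
        LOG.warn("Truststore not specified for client connection");
    } else {
        // Same rule as for the keystore: both halves of the pair are required.
        if (trustStoreLocationProp == null) {
            throw new SSLContextException("Truststore location not specified for client connection");
        }
        if (trustStorePasswordProp == null) {
            throw new SSLContextException("Truststore password not specified for client connection");
        }
        try {
            trustManagers = new TrustManager[] { createTrustManager(trustStoreLocationProp, trustStorePasswordProp) };
        } catch (TrustManagerException e) {
            throw new SSLContextException("Failed to create TrustManager", e);
        }
    }

    // NOTE(review): the protocol is hard-coded to TLSv1, which is deprecated;
    // createSSLContextAndOptionsFromConfig in this class reads it from
    // sslProtocolProperty instead — consider the same here.
    try {
        SSLContext sslContext = SSLContext.getInstance("TLSv1");
        sslContext.init(keyManagers, trustManagers, null);
        return sslContext;
    } catch (java.security.NoSuchAlgorithmException | java.security.KeyManagementException e) {
        // Only the checked failures of getInstance/init are wrapped; runtime
        // exceptions (programming errors) are no longer masked by a broad catch.
        throw new SSLContextException(e);
    }
}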

Example 2 with TrustManagerException

use of org.apache.zookeeper.common.X509Exception.TrustManagerException in project zookeeper by apache.

Class X509Util, method createTrustManager.

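/**
 * Loads a JKS trust store from {@code trustStoreLocation} and returns the
 * first {@link X509TrustManager} produced by a {@code SunX509}
 * {@link TrustManagerFactory} initialised with it.
 *
 * <p>The trust store stream is closed on every path, including failure.
 *
 * @param trustStoreLocation path of the JKS trust store file
 * @param trustStorePassword password used by {@link KeyStore#load} to check
 *     the store's integrity
 * @return the X.509 trust manager backed by the loaded store
 * @throws TrustManagerException if either argument is {@code null}, the file
 *     cannot be read, the store cannot be loaded, the factory cannot be
 *     initialised, or the factory yields no {@code X509TrustManager}
 */
public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword) throws TrustManagerException {
    // Explicit check instead of letting an NPE surface through the catch below.
    if (trustStoreLocation == null || trustStorePassword == null) {
        throw new TrustManagerException("Trust store location and password must not be null");
    }
    File trustStoreFile = new File(trustStoreLocation);
    char[] trustStorePasswordChars = trustStorePassword.toCharArray();
    // try-with-resources closes the stream on every path, so no close()
    // exception has to be swallowed in a finally block.
    try (FileInputStream inputStream = new FileInputStream(trustStoreFile)) {
        KeyStore ts = KeyStore.getInstance("JKS");
        ts.load(inputStream, trustStorePasswordChars);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("SunX509");
        tmf.init(ts);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
    } catch (IOException | java.security.GeneralSecurityException e) {
        // Narrow catch: the "not found" TrustManagerException thrown below is
        // no longer caught here and re-wrapped in a second TrustManagerException.
        throw new TrustManagerException(e);
    }
    throw new TrustManagerException("Couldn't find X509TrustManager");
}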

Example 3 with TrustManagerException

use of org.apache.zookeeper.common.X509Exception.TrustManagerException in project zookeeper by apache.

Class X509Util, method createSSLContextAndOptionsFromConfig.

/**
 * Creates an {@link SSLContext} from the SSL properties in {@code config} and
 * bundles it with the config in an {@link SSLContextAndOptions}.
 *
 * <p>A missing keystore or truststore location only logs a warning; the
 * corresponding manager array is left {@code null} when calling
 * {@link SSLContext#init} (NOTE(review): a null trust manager array makes the
 * JDK fall back to its default trust store — confirm that is intended).
 * Passwords may come from a property or from a password file; store types
 * are validated by the manager factories, and an invalid value is reported as
 * an {@link SSLContextException} naming the offending property.
 * Server hostname verification defaults to enabled; client hostname
 * verification requires it plus {@code shouldVerifyClientHostname()}.
 *
 * @param config the ZooKeeper configuration to read SSL properties from
 * @return the initialised context together with its options
 * @throws SSLContextException if a key or trust manager cannot be created, a
 *     store type value is invalid, the protocol is unsupported, or the
 *     context fails to initialise
 */
public SSLContextAndOptions createSSLContextAndOptionsFromConfig(ZKConfig config) throws SSLContextException {
    KeyManager[] keyManagers = null;
    TrustManager[] trustManagers = null;

    // --- keystore ---
    final String keyStoreLocation = config.getProperty(sslKeystoreLocationProperty, "");
    final String keyStorePassword = getPasswordFromConfigPropertyOrFile(config, sslKeystorePasswdProperty, sslKeystorePasswdPathProperty);
    final String keyStoreType = config.getProperty(sslKeystoreTypeProperty);
    if (!keyStoreLocation.isEmpty()) {
        try {
            KeyManager keyManager = createKeyManager(keyStoreLocation, keyStorePassword, keyStoreType);
            keyManagers = new KeyManager[] { keyManager };
        } catch (KeyManagerException e) {
            throw new SSLContextException("Failed to create KeyManager", e);
        } catch (IllegalArgumentException badType) {
            throw new SSLContextException("Bad value for " + sslKeystoreTypeProperty + ": " + keyStoreType, badType);
        }
    } else {
        LOG.warn("{} not specified", getSslKeystoreLocationProperty());
    }

    // --- truststore ---
    final String trustStoreLocation = config.getProperty(sslTruststoreLocationProperty, "");
    final String trustStorePassword = getPasswordFromConfigPropertyOrFile(config, sslTruststorePasswdProperty, sslTruststorePasswdPathProperty);
    final String trustStoreType = config.getProperty(sslTruststoreTypeProperty);
    final boolean crlEnabled = config.getBoolean(this.sslCrlEnabledProperty);
    final boolean ocspEnabled = config.getBoolean(this.sslOcspEnabledProperty);
    // Server-side hostname verification is on unless explicitly disabled;
    // client-side verification additionally depends on shouldVerifyClientHostname().
    final boolean verifyServerHostname = config.getBoolean(this.getSslHostnameVerificationEnabledProperty(), true);
    final boolean verifyClientHostname = verifyServerHostname && shouldVerifyClientHostname();
    if (!trustStoreLocation.isEmpty()) {
        try {
            TrustManager trustManager = createTrustManager(trustStoreLocation, trustStorePassword, trustStoreType, crlEnabled, ocspEnabled, verifyServerHostname, verifyClientHostname);
            trustManagers = new TrustManager[] { trustManager };
        } catch (TrustManagerException e) {
            throw new SSLContextException("Failed to create TrustManager", e);
        } catch (IllegalArgumentException badType) {
            throw new SSLContextException("Bad value for " + sslTruststoreTypeProperty + ": " + trustStoreType, badType);
        }
    } else {
        LOG.warn("{} not specified", getSslTruststoreLocationProperty());
    }

    // --- context ---
    final String protocol = config.getProperty(sslProtocolProperty, DEFAULT_PROTOCOL);
    final SSLContext sslContext;
    try {
        sslContext = SSLContext.getInstance(protocol);
        sslContext.init(keyManagers, trustManagers, null);
    } catch (NoSuchAlgorithmException | KeyManagementException initFailure) {
        throw new SSLContextException(initFailure);
    }
    return new SSLContextAndOptions(this, config, sslContext);
}

Example 4 with TrustManagerException

use of org.apache.zookeeper.common.X509Exception.TrustManagerException in project zookeeper by apache.

Class X509Util, method createTrustManager.

/**
 * Creates a trust manager from the trust store at {@code trustStoreLocation},
 * wrapping the JDK's PKIX trust manager in a {@link ZKTrustManager} that adds
 * hostname verification.
 *
 * <p>Revocation checking (CRL and/or OCSP) is configured on the PKIX
 * parameters and, in addition, through JVM-wide {@code System} and
 * {@code Security} properties. Those properties are process-global and are
 * never cleared by this method once set, so enabling revocation here affects
 * every PKIX validator in the JVM, not only the returned trust manager.
 *
 * @param trustStoreLocation the location of the trust store file.
 * @param trustStorePassword optional password to decrypt the trust store
 *                           (only applies to JKS trust stores). {@code null}
 *                           is treated as empty, i.e. an unencrypted store.
 * @param trustStoreTypeProp must be JKS, PEM, PKCS12, BCFKS or null. If
 *                           null, attempts to autodetect the trust store
 *                           type from the file extension (e.g. .jks / .pem).
 * @param crlEnabled enable CRL (certificate revocation list) checks.
 * @param ocspEnabled enable OCSP (online certificate status protocol)
 *                    checks.
 * @param serverHostnameVerificationEnabled if true, verify hostnames of
 *                                          remote servers that client
 *                                          sockets created by this
 *                                          X509Util connect to.
 * @param clientHostnameVerificationEnabled if true, verify hostnames of
 *                                          remote clients that server
 *                                          sockets created by this
 *                                          X509Util accept connections
 *                                          from.
 * @return the trust manager.
 * @throws TrustManagerException if the store cannot be loaded, the PKIX
 *                               factory cannot be initialised, the store type
 *                               is rejected, or no
 *                               {@link X509ExtendedTrustManager} is produced.
 */
public static X509TrustManager createTrustManager(String trustStoreLocation, String trustStorePassword, String trustStoreTypeProp, boolean crlEnabled, boolean ocspEnabled, final boolean serverHostnameVerificationEnabled, final boolean clientHostnameVerificationEnabled) throws TrustManagerException {
    final String password = (trustStorePassword == null) ? "" : trustStorePassword;
    try {
        final KeyStore trustStore = loadTrustStore(trustStoreLocation, password, trustStoreTypeProp);
        final PKIXBuilderParameters pkixParams = new PKIXBuilderParameters(trustStore, new X509CertSelector());

        final boolean revocationChecks = crlEnabled || ocspEnabled;
        pkixParams.setRevocationEnabled(revocationChecks);
        if (revocationChecks) {
            // JVM-global switches; they are set here and never reset.
            System.setProperty("com.sun.net.ssl.checkRevocation", "true");
            System.setProperty("com.sun.security.enableCRLDP", "true");
            if (ocspEnabled) {
                Security.setProperty("ocsp.enable", "true");
            }
        }

        // Revocation checking is only supported with the PKIX algorithm
        final TrustManagerFactory factory = TrustManagerFactory.getInstance("PKIX");
        factory.init(new CertPathTrustManagerParameters(pkixParams));
        for (final TrustManager candidate : factory.getTrustManagers()) {
            if (!(candidate instanceof X509ExtendedTrustManager)) {
                continue;
            }
            return new ZKTrustManager((X509ExtendedTrustManager) candidate, serverHostnameVerificationEnabled, clientHostnameVerificationEnabled);
        }
        throw new TrustManagerException("Couldn't find X509TrustManager");
    } catch (IOException | GeneralSecurityException | IllegalArgumentException e) {
        throw new TrustManagerException(e);
    }
}
