
Example 1 with CertificateValidator

use of org.eclipse.jetty.util.security.CertificateValidator in project jetty.project by eclipse.

Method load of class SslContextFactory.

/**
 * Builds the {@link SSLContext} and the {@link Factory} this instance hands out.
 * <p>
 * A pre-set context ({@code _setContext}) is used as-is. Otherwise, when neither a key
 * store nor a trust store is configured in any form, a bare context is initialised with
 * no key material (and with {@code TRUST_ALL_CERTS} only when {@link #isTrustAll()} is
 * set). In every other case the stores and CRLs are loaded, the key store's X.509
 * entries are indexed by alias, host and wildcard (optionally validated first), and the
 * context is initialised from the resulting key and trust managers. Session cache
 * settings, cipher suites and protocols are then applied to whichever context resulted.
 *
 * @throws Exception from store or CRL loading, certificate validation, or
 *         {@code SSLContext}/{@code SecureRandom} instantiation
 */
private void load() throws Exception {
    SSLContext context = _setContext;
    KeyStore keyStore = _setKeyStore;
    KeyStore trustStore = _setTrustStore;
    if (context == null) {
        // Is this an empty factory? (no store set and no store resource configured)
        if (keyStore == null && _keyStoreResource == null && trustStore == null && _trustStoreResource == null) {
            TrustManager[] trust_managers = null;
            if (isTrustAll()) {
                if (LOG.isDebugEnabled())
                    LOG.debug("No keystore or trust store configured.  ACCEPTING UNTRUSTED CERTIFICATES!!!!!");
                // Create a trust manager that does not validate certificate chains
                trust_managers = TRUST_ALL_CERTS;
            }
            // When trust_managers stays null, SSLContext.init() falls back to the
            // JDK's default trust managers (installed providers' trust store).
            String algorithm = getSecureRandomAlgorithm();
            SecureRandom secureRandom = algorithm == null ? null : SecureRandom.getInstance(algorithm);
            context = _sslProvider == null ? SSLContext.getInstance(_sslProtocol) : SSLContext.getInstance(_sslProtocol, _sslProvider);
            context.init(null, trust_managers, secureRandom);
        } else {
            // Only load from resources what was not handed in directly.
            if (keyStore == null)
                keyStore = loadKeyStore(_keyStoreResource);
            if (trustStore == null)
                trustStore = loadTrustStore(_trustStoreResource);
            Collection<? extends CRL> crls = loadCRL(getCrlPath());
            // Look for X.509 certificates to create alias map
            if (keyStore != null) {
                for (String alias : Collections.list(keyStore.aliases())) {
                    Certificate certificate = keyStore.getCertificate(alias);
                    if (certificate != null && "X.509".equals(certificate.getType())) {
                        X509Certificate x509C = (X509Certificate) certificate;
                        // Exclude certificates with special uses (CA/signing certs are
                        // never offered as an end-entity identity)
                        if (X509.isCertSign(x509C)) {
                            if (LOG.isDebugEnabled())
                                LOG.debug("Skipping " + x509C);
                            continue;
                        }
                        X509 x509 = new X509(alias, x509C);
                        _aliasX509.put(alias, x509);
                        if (isValidateCerts()) {
                            CertificateValidator validator = new CertificateValidator(trustStore, crls);
                            validator.setMaxCertPathLength(getMaxCertPathLength());
                            validator.setEnableCRLDP(isEnableCRLDP());
                            validator.setEnableOCSP(isEnableOCSP());
                            validator.setOcspResponderURL(getOcspResponderURL());
                            // TODO what about truststore?
                            // NOTE(review): the validator above is constructed with trustStore,
                            // but this call passes keyStore as the store to validate against;
                            // confirm which store is meant to supply the trust anchors here.
                            validator.validate(keyStore, x509C);
                        }
                        // Logged at info (not debug): one line per usable certificate.
                        LOG.info("x509={} for {}", x509, this);
                        for (String h : x509.getHosts()) _certHosts.put(h, x509);
                        for (String w : x509.getWilds()) _certWilds.put(w, x509);
                    }
                }
            }
            // Instantiate key and trust managers
            KeyManager[] keyManagers = getKeyManagers(keyStore);
            TrustManager[] trustManagers = getTrustManagers(trustStore, crls);
            // Initialize context
            // NOTE(review): this branch reads the _secureRandomAlgorithm field directly while
            // the empty-factory branch calls getSecureRandomAlgorithm(); presumably equivalent,
            // confirm before relying on an override of the getter.
            SecureRandom secureRandom = (_secureRandomAlgorithm == null) ? null : SecureRandom.getInstance(_secureRandomAlgorithm);
            context = _sslProvider == null ? SSLContext.getInstance(_sslProtocol) : SSLContext.getInstance(_sslProtocol, _sslProvider);
            context.init(keyManagers, trustManagers, secureRandom);
        }
    }
    // Initialize cache (only the server-side session context is tuned; -1 means "leave default")
    SSLSessionContext serverContext = context.getServerSessionContext();
    if (serverContext != null) {
        if (getSslSessionCacheSize() > -1)
            serverContext.setSessionCacheSize(getSslSessionCacheSize());
        if (getSslSessionTimeout() > -1)
            serverContext.setSessionTimeout(getSslSessionTimeout());
    }
    // select the protocols and ciphers: the context's defaults are the enabled set,
    // the supported set bounds what may be selected
    SSLParameters enabled = context.getDefaultSSLParameters();
    SSLParameters supported = context.getSupportedSSLParameters();
    selectCipherSuites(enabled.getCipherSuites(), supported.getCipherSuites());
    selectProtocols(enabled.getProtocols(), supported.getProtocols());
    _factory = new Factory(keyStore, trustStore, context);
    if (LOG.isDebugEnabled()) {
        LOG.debug("Selected Protocols {} of {}", Arrays.asList(_selectedProtocols), Arrays.asList(supported.getProtocols()));
        LOG.debug("Selected Ciphers   {} of {}", Arrays.asList(_selectedCipherSuites), Arrays.asList(supported.getCipherSuites()));
    }
}
Also used : SSLSessionContext(javax.net.ssl.SSLSessionContext) CertificateValidator(org.eclipse.jetty.util.security.CertificateValidator) SecureRandom(java.security.SecureRandom) TrustManagerFactory(javax.net.ssl.TrustManagerFactory) SSLServerSocketFactory(javax.net.ssl.SSLServerSocketFactory) SSLSocketFactory(javax.net.ssl.SSLSocketFactory) KeyManagerFactory(javax.net.ssl.KeyManagerFactory) SSLContext(javax.net.ssl.SSLContext) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) TrustManager(javax.net.ssl.TrustManager) X509TrustManager(javax.net.ssl.X509TrustManager) SSLParameters(javax.net.ssl.SSLParameters) KeyManager(javax.net.ssl.KeyManager) X509ExtendedKeyManager(javax.net.ssl.X509ExtendedKeyManager) X509Certificate(java.security.cert.X509Certificate) Certificate(java.security.cert.Certificate)

Example 2 with CertificateValidator

use of org.eclipse.jetty.util.security.CertificateValidator in project jetty.project by eclipse.

Method validateRequest of class ClientCertAuthenticator.

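/**
 * Authenticates the request from the client certificate chain the servlet container
 * exposes under the {@code javax.servlet.request.X509Certificate} attribute.
 * <p>
 * When {@code mandatory} is false the decision is deferred. Otherwise, if a chain is
 * present it is validated against the configured trust store and CRLs (only when
 * {@code _validateCerts} is set), and each certificate is tried as a login: the username
 * is the subject DN, falling back to the issuer DN and then to {@code "clientcert"}; the
 * credential is the Base64-encoded certificate signature. The first successful login wins.
 *
 * @param req       the request; must be an {@link HttpServletRequest}
 * @param res       the response; must be an {@link HttpServletResponse}
 * @param mandatory whether authentication is required for this request
 * @return a {@link DeferredAuthentication} when not mandatory; a {@link UserAuthentication}
 *         on successful login; {@code Authentication.SEND_FAILURE} after a 403 has been sent;
 *         {@code Authentication.UNAUTHENTICATED} when the response is a deferred one
 * @throws ServerAuthException if loading the trust store or CRLs, validating the chain,
 *         the login, or sending the error response fails; the original exception is
 *         attached as the cause
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    if (!mandatory)
        return new DeferredAuthentication(this);
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    try {
        // Need certificates.
        if (certs != null && certs.length > 0) {
            // Chain validation is done here only when configured; otherwise whatever
            // the TLS layer accepted is used as-is.
            if (_validateCerts) {
                KeyStore trustStore = getKeyStore(_trustStorePath, _trustStoreType, _trustStoreProvider, _trustStorePassword == null ? null : _trustStorePassword.toString());
                Collection<? extends CRL> crls = loadCRL(_crlPath);
                CertificateValidator validator = new CertificateValidator(trustStore, crls);
                validator.validate(certs);
            }
            for (X509Certificate cert : certs) {
                if (cert == null)
                    continue;
                Principal principal = cert.getSubjectDN();
                if (principal == null)
                    principal = cert.getIssuerDN();
                final String username = principal == null ? "clientcert" : principal.getName();
                // The signature bytes stand in for a password when looking the user up.
                final char[] credential = B64Code.encode(cert.getSignature());
                UserIdentity user = login(username, credential, req);
                if (user != null) {
                    return new UserAuthentication(getAuthMethod(), user);
                }
            }
        }
        if (!DeferredAuthentication.isDeferred(response)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return Authentication.SEND_FAILURE;
        }
        return Authentication.UNAUTHENTICATED;
    } catch (Exception e) {
        // Keep the original exception as the cause: a validation, store-loading or
        // login failure must not be reduced to its message alone.
        throw new ServerAuthException(e.getMessage(), e);
    }
}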
Also used : CertificateValidator(org.eclipse.jetty.util.security.CertificateValidator) UserIdentity(org.eclipse.jetty.server.UserIdentity) HttpServletResponse(javax.servlet.http.HttpServletResponse) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) HttpServletRequest(javax.servlet.http.HttpServletRequest) Principal(java.security.Principal)

Example 3 with CertificateValidator

use of org.eclipse.jetty.util.security.CertificateValidator in project blade by biezhi.

Method validateRequest of class ClientCertAuthenticator.

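/**
 * Authenticates a request using the client certificate chain stored by the container
 * in the {@code javax.servlet.request.X509Certificate} request attribute.
 * <p>
 * Non-mandatory requests are deferred. For mandatory ones, a present chain is first
 * validated against the configured trust store and CRLs if {@code _validateCerts} is
 * set; then each non-null certificate is offered to {@code login} with the subject DN
 * (or issuer DN, or {@code "clientcert"}) as username and the Base64-encoded signature
 * as credential, returning on the first identity found.
 *
 * @param req       the request; must be an {@link HttpServletRequest}
 * @param res       the response; must be an {@link HttpServletResponse}
 * @param mandatory whether authentication is required for this request
 * @return {@link DeferredAuthentication} when not mandatory; {@link UserAuthentication}
 *         on success; {@code Authentication.SEND_FAILURE} once a 403 has been sent;
 *         {@code Authentication.UNAUTHENTICATED} if the response is itself deferred
 * @throws ServerAuthException wrapping any failure in store/CRL loading, chain validation,
 *         login, or sending the error response; the cause is preserved
 */
@Override
public Authentication validateRequest(ServletRequest req, ServletResponse res, boolean mandatory) throws ServerAuthException {
    if (!mandatory)
        return new DeferredAuthentication(this);
    HttpServletRequest request = (HttpServletRequest) req;
    HttpServletResponse response = (HttpServletResponse) res;
    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    try {
        // Need certificates.
        if (certs != null && certs.length > 0) {
            // Without _validateCerts no chain check happens at this layer; the
            // TLS handshake's verdict is taken as-is.
            if (_validateCerts) {
                KeyStore trustStore = getKeyStore(_trustStorePath, _trustStoreType, _trustStoreProvider, _trustStorePassword == null ? null : _trustStorePassword.toString());
                Collection<? extends CRL> crls = loadCRL(_crlPath);
                CertificateValidator validator = new CertificateValidator(trustStore, crls);
                validator.validate(certs);
            }
            for (X509Certificate cert : certs) {
                if (cert == null)
                    continue;
                Principal principal = cert.getSubjectDN();
                if (principal == null)
                    principal = cert.getIssuerDN();
                final String username = principal == null ? "clientcert" : principal.getName();
                // Base64 of the signature bytes acts as the credential for the login service.
                final char[] credential = B64Code.encode(cert.getSignature());
                UserIdentity user = login(username, credential, req);
                if (user != null) {
                    return new UserAuthentication(getAuthMethod(), user);
                }
            }
        }
        if (!DeferredAuthentication.isDeferred(response)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return Authentication.SEND_FAILURE;
        }
        return Authentication.UNAUTHENTICATED;
    } catch (Exception e) {
        // Attach the cause instead of forwarding only its message, so the real
        // reason for a rejected certificate remains diagnosable.
        throw new ServerAuthException(e.getMessage(), e);
    }
}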
Also used : CertificateValidator(org.eclipse.jetty.util.security.CertificateValidator) UserIdentity(org.eclipse.jetty.server.UserIdentity) HttpServletResponse(javax.servlet.http.HttpServletResponse) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) UserAuthentication(org.eclipse.jetty.security.UserAuthentication) KeyStore(java.security.KeyStore) X509Certificate(java.security.cert.X509Certificate) ServerAuthException(org.eclipse.jetty.security.ServerAuthException) HttpServletRequest(javax.servlet.http.HttpServletRequest) Principal(java.security.Principal)
