/** * When true, no upstream certificate verification will be performed. <b>This will make it possible for * attackers to MITM communications with the upstream server</b>, so use trustAllServers only when testing. * Calling this method with 'true' will remove any trustSource set with {@link #trustSource(TrustSource)}. * Calling this method with 'false' has no effect unless trustAllServers was previously called with 'true'. * To set a specific TrustSource, use {@link #trustSource(TrustSource)}. */ public Builder trustAllServers(boolean trustAllServers) { if (trustAllServers) { this.trustSource = null; } else { // if the TrustSource was previously removed, restore it to the default. otherwise keep the existing TrustSource. if (this.trustSource == null) { this.trustSource = TrustSource.defaultTrustSource(); } } return this; }
/** * Returns a TrustSource that contains no trusted CAs. Can be used in conjunction with the add() methods to build * a TrustSource containing custom CAs from a variety of sources (PEM files, KeyStores, etc.). */ public static TrustSource empty() { return new TrustSource(); }
/** * Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus the trusted CAs in the specified * TrustSource. * * @param trustSource TrustSource to combine with this TrustSource * @return a new TrustSource containing both TrustSources' trusted CAs */ public TrustSource add(TrustSource trustSource) { if (trustSource == null) { throw new IllegalArgumentException("TrustSource cannot be null"); } return add(trustSource.getTrustedCAs()); } }
/** * Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus all trusted certificate * entries from the specified trustStore. This method will only add trusted certificate entries from the specified * KeyStore (i.e. entries of type {@link java.security.KeyStore.TrustedCertificateEntry}; private keys will be * ignored. The trustStore may be in JKS or PKCS12 format. * * @param trustStore keystore containing trusted certificate entries * @return a new TrustSource containing this TrustSource's trusted CAs plus trusted certificate entries from the keystore */ public TrustSource add(KeyStore trustStore) { if (trustStore == null) { throw new IllegalArgumentException("Trust store cannot be null"); } List<X509Certificate> trustedCertificates = TrustUtil.extractTrustedCertificateEntries(trustStore); return add(trustedCertificates.toArray(new X509Certificate[0])); }
/** * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs * from the trustSource. When trustSource is true, no upstream certificate verification will be performed. * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated * certificates). * * @param cipherSuites cipher suites to allow when connecting to the upstream server * @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates * @return an SSLContext to connect to upstream servers with */ public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) { SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); if (trustSource == null) { log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers."); sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); } else { sslContextBuilder.trustManager(trustSource.getTrustedCAs()); } sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE); try { return sslContextBuilder.build(); } catch (SSLException e) { throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e); } }
/** * Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus zero or more CAs contained in * the PEM-encoded String. The String may contain multiple certificates and may contain comments or other non-PEM-encoded * text, as long as the PEM-encoded certificates are delimited by appropriate BEGIN_CERTIFICATE and END_CERTIFICATE * text blocks. * * @param trustedPemEncodedCAs String containing PEM-encoded certificates to trust * @return a new TrustSource containing this TrustSource's trusted CAs plus the CAs in the specified String */ public TrustSource add(String trustedPemEncodedCAs) { if (trustedPemEncodedCAs == null) { throw new IllegalArgumentException("PEM-encoded trusted CA String cannot be null"); } X509Certificate[] trustedCertificates = TrustUtil.readX509CertificatesFromPem(trustedPemEncodedCAs); return add(trustedCertificates); }
/** * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs * from the trustSource. When trustSource is true, no upstream certificate verification will be performed. * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated * certificates). * * @param cipherSuites cipher suites to allow when connecting to the upstream server * @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates * @return an SSLContext to connect to upstream servers with */ public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) { SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); if (trustSource == null) { log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers."); sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); } else { sslContextBuilder.trustManager(trustSource.getTrustedCAs()); } sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE); try { return sslContextBuilder.build(); } catch (SSLException e) { throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e); } }
@Override public void setTrustAllServers(boolean trustAllServers) { if (isStarted()) { throw new IllegalStateException("Cannot disable upstream server verification after the proxy has been started"); } if (trustAllServers) { trustSource = null; } else { if (trustSource == null) { trustSource = TrustSource.defaultTrustSource(); } } }
/** * Returns a TrustSource containing only the builtin trusted CAs and does not include the JVM's trusted CAs. * See {@link TrustUtil#getBuiltinTrustedCAs()}. */ public static TrustSource builtinTrustSource() { return new TrustSource(TrustUtil.getBuiltinTrustedCAs()); }
/** * Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus the trusted CAs in the specified * TrustSource. * * @param trustSource TrustSource to combine with this TrustSource * @return a new TrustSource containing both TrustSources' trusted CAs */ public TrustSource add(TrustSource trustSource) { if (trustSource == null) { throw new IllegalArgumentException("TrustSource cannot be null"); } return add(trustSource.getTrustedCAs()); } }
/** * Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus zero or more CAs contained in * the PEM-encoded File. The File may contain multiple certificates and may contain comments or other non-PEM-encoded * text, as long as the PEM-encoded certificates are delimited by appropriate BEGIN_CERTIFICATE and END_CERTIFICATE * text blocks. The file may contain UTF-8 characters, but the PEM-encoded certificate data itself must be US-ASCII. * * @param trustedCAPemFile File containing PEM-encoded certificates * @return a new TrustSource containing this TrustSource's trusted CAs plus the CAs in the specified String */ public TrustSource add(File trustedCAPemFile) { if (trustedCAPemFile == null) { throw new IllegalArgumentException("Trusted CA file cannot be null"); } String pemFileContents; try { pemFileContents = Files.asCharSource(trustedCAPemFile, StandardCharsets.UTF_8).read(); } catch (IOException e) { throw new UncheckedIOException("Unable to read file containing PEM-encoded trusted CAs: " + trustedCAPemFile.getAbsolutePath(), e); } return add(pemFileContents); }
/** * Creates a netty SslContext for use when connecting to upstream servers. Retrieves the list of trusted root CAs * from the trustSource. When trustSource is true, no upstream certificate verification will be performed. * <b>This will make it possible for attackers to MITM communications with the upstream server</b>, so always * supply an appropriate trustSource except in extraordinary circumstances (e.g. testing with dynamically-generated * certificates). * * @param cipherSuites cipher suites to allow when connecting to the upstream server * @param trustSource the trust store that will be used to validate upstream servers' certificates, or null to accept all upstream server certificates * @return an SSLContext to connect to upstream servers with */ public static SslContext getUpstreamServerSslContext(Collection<String> cipherSuites, TrustSource trustSource) { SslContextBuilder sslContextBuilder = SslContextBuilder.forClient(); if (trustSource == null) { log.warn("Disabling upstream server certificate verification. This will allow attackers to intercept communications with upstream servers."); sslContextBuilder.trustManager(InsecureTrustManagerFactory.INSTANCE); } else { sslContextBuilder.trustManager(trustSource.getTrustedCAs()); } sslContextBuilder.ciphers(cipherSuites, SupportedCipherSuiteFilter.INSTANCE); try { return sslContextBuilder.build(); } catch (SSLException e) { throw new SslContextInitializationException("Error creating new SSL context for connection to upstream server", e); } }
/** * When true, no upstream certificate verification will be performed. <b>This will make it possible for * attackers to MITM communications with the upstream server</b>, so use trustAllServers only when testing. * Calling this method with 'true' will remove any trustSource set with {@link #trustSource(TrustSource)}. * Calling this method with 'false' has no effect unless trustAllServers was previously called with 'true'. * To set a specific TrustSource, use {@link #trustSource(TrustSource)}. */ public Builder trustAllServers(boolean trustAllServers) { if (trustAllServers) { this.trustSource = null; } else { // if the TrustSource was previously removed, restore it to the default. otherwise keep the existing TrustSource. if (this.trustSource == null) { this.trustSource = TrustSource.defaultTrustSource(); } } return this; }
/** * Returns a TrustSource containing the default CAs trusted by this JVM. See {@link TrustUtil#getJavaTrustedCAs()}. */ public static TrustSource javaTrustSource() { return new TrustSource(TrustUtil.getJavaTrustedCAs()); }
/** * Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus the trusted CAs in the specified * TrustSource. * * @param trustSource TrustSource to combine with this TrustSource * @return a new TrustSource containing both TrustSources' trusted CAs */ public TrustSource add(TrustSource trustSource) { if (trustSource == null) { throw new IllegalArgumentException("TrustSource cannot be null"); } return add(trustSource.getTrustedCAs()); } }
/** * Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus all trusted certificate * entries from the specified trustStore. This method will only add trusted certificate entries from the specified * KeyStore (i.e. entries of type {@link KeyStore.TrustedCertificateEntry}; private keys will be * ignored. The trustStore may be in JKS or PKCS12 format. * * @param trustStore keystore containing trusted certificate entries * @return a new TrustSource containing this TrustSource's trusted CAs plus trusted certificate entries from the keystore */ public TrustSource add(KeyStore trustStore) { if (trustStore == null) { throw new IllegalArgumentException("Trust store cannot be null"); } List<X509Certificate> trustedCertificates = TrustUtil.extractTrustedCertificateEntries(trustStore); return add(trustedCertificates.toArray(new X509Certificate[0])); }
/** * When true, no upstream certificate verification will be performed. <b>This will make it possible for * attackers to MITM communications with the upstream server</b>, so use trustAllServers only when testing. * Calling this method with 'true' will remove any trustSource set with {@link #trustSource(TrustSource)}. * Calling this method with 'false' has no effect unless trustAllServers was previously called with 'true'. * To set a specific TrustSource, use {@link #trustSource(TrustSource)}. */ public Builder trustAllServers(boolean trustAllServers) { if (trustAllServers) { this.trustSource = null; } else { // if the TrustSource was previously removed, restore it to the default. otherwise keep the existing TrustSource. if (this.trustSource == null) { this.trustSource = TrustSource.defaultTrustSource(); } } return this; }
/** * Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus zero or more additional * trusted X509Certificates. If trustedCertificates is null or empty, returns this same TrustSource. * * @param trustedCertificates X509Certificates of CAs to trust * @return a new TrustSource containing this TrustSource's trusted CAs plus the specified CAs */ public TrustSource add(X509Certificate... trustedCertificates) { if (trustedCertificates == null || trustedCertificates.length == 0) { return this; } X509Certificate[] newTrustedCAs = ObjectArrays.concat(trustedCAs, trustedCertificates, X509Certificate.class); return new TrustSource(newTrustedCAs); }
/** * Returns a new TrustSource containing the same trusted CAs as this TrustSource, plus zero or more CAs contained in * the PEM-encoded String. The String may contain multiple certificates and may contain comments or other non-PEM-encoded * text, as long as the PEM-encoded certificates are delimited by appropriate BEGIN_CERTIFICATE and END_CERTIFICATE * text blocks. * * @param trustedPemEncodedCAs String containing PEM-encoded certificates to trust * @return a new TrustSource containing this TrustSource's trusted CAs plus the CAs in the specified String */ public TrustSource add(String trustedPemEncodedCAs) { if (trustedPemEncodedCAs == null) { throw new IllegalArgumentException("PEM-encoded trusted CA String cannot be null"); } X509Certificate[] trustedCertificates = TrustUtil.readX509CertificatesFromPem(trustedPemEncodedCAs); return add(trustedCertificates); }
@Override public void setTrustAllServers(boolean trustAllServers) { if (isStarted()) { throw new IllegalStateException("Cannot disable upstream server verification after the proxy has been started"); } if (trustAllServers) { trustSource = null; } else { if (trustSource == null) { trustSource = TrustSource.defaultTrustSource(); } } }