Refine search
public SSLEngineConfigurator build(SSLProperties sslProperties) { SSLContextConfigurator sslContext = new SSLContextConfigurator(); sslContext.setKeyStoreFile(sslProperties.getKeyStoreFile()); // contains server keypair sslContext.setKeyStorePass(sslProperties.getKeyStorePass()); SSLEngineConfigurator sslConf = new SSLEngineConfigurator(sslContext).setClientMode(false); sslProperties.getClientAuth().filter(auth-> auth.toLowerCase().equals("want")) .ifPresent(auth->sslConf.setWantClientAuth(true)); sslProperties.getClientAuth().filter(auth-> auth.toLowerCase().equals("need")) .ifPresent(auth->sslConf.setNeedClientAuth(true)); Maybe.fromOptional(sslProperties.getCiphers()).peek(ciphers->sslConf.setEnabledCipherSuites(ciphers.split(","))) .forEach(c-> sslConf.setCipherConfigured(true)); Maybe.fromOptional(sslProperties.getProtocol()).peek(pr->sslConf.setEnabledProtocols(pr.split(","))) .forEach(p->sslConf.setProtocolConfigured(true));
/** * Start SSL-secured HTTP test server. * * @throws IOException in case there is an error while reading server key store or trust store. * @return an instance of the started SSL-secured HTTP test server. */ public static Server start() throws IOException { // Grizzly ssl configuration SSLContextConfigurator sslContext = new SSLContextConfigurator(); // set up security context sslContext.setKeyStoreFile(KEYSTORE_SERVER_FILE); // contains server keypair sslContext.setKeyStorePass(KEYSTORE_SERVER_PWD); sslContext.setTrustStoreFile(TRUSTORE_SERVER_FILE); // contains client certificate sslContext.setTrustStorePass(TRUSTORE_SERVER_PWD); ResourceConfig rc = new ResourceConfig(); rc.registerClasses(RootResource.class, SecurityFilter.class, AuthenticationExceptionMapper.class); final HttpServer grizzlyServer = GrizzlyHttpServerFactory.createHttpServer( getBaseURI(), rc, true, new SSLEngineConfigurator(sslContext).setClientMode(false).setNeedClientAuth(true) ); // start Grizzly embedded server // LOGGER.info("Jersey app started. Try out " + BASE_URI + "\nHit CTRL + C to stop it..."); grizzlyServer.start(); return new Server(grizzlyServer); }
public void startServer() throws TelegramApiRequestException { ResourceConfig rc = new ResourceConfig(); rc.register(restApi); rc.register(JacksonFeature.class); final HttpServer grizzlyServer; if (keystoreServerFile != null && keystoreServerPwd != null) { SSLContextConfigurator sslContext = new SSLContextConfigurator(); // set up security context sslContext.setKeyStoreFile(keystoreServerFile); // contains server keypair sslContext.setKeyStorePass(keystoreServerPwd); grizzlyServer = GrizzlyHttpServerFactory.createHttpServer(getBaseURI(), rc, true, new SSLEngineConfigurator(sslContext).setClientMode(false).setNeedClientAuth(false)); } else { grizzlyServer = GrizzlyHttpServerFactory.createHttpServer(getBaseURI(), rc); } try { grizzlyServer.start(); } catch (IOException e) { throw new TelegramApiRequestException("Error starting webhook server", e); } }
if (enabledCipherSuites != null) { if (!isCipherConfigured) { enabledCipherSuites = configureEnabledCiphers(sslEngine, enabledCipherSuites); isCipherConfigured = true; sslEngine.setEnabledCipherSuites(enabledCipherSuites); if (!isProtocolConfigured) { enabledProtocols = configureEnabledProtocols(sslEngine, enabledProtocols); isProtocolConfigured = true; sslEngine.setEnabledProtocols(enabledProtocols); sslEngine.setUseClientMode(clientMode); if (wantClientAuth) { sslEngine.setWantClientAuth(wantClientAuth);
} else if (!isHandshaking(sslEngine)) { // if handshake haven't been started sslEngineConfigurator.configure(sslEngine); if (forceBeginHandshake || !sslEngine.getSession().isValid()) { sslEngine.beginHandshake();
@Override public NextAction handleEvent(final FilterChainContext ctx, final FilterChainEvent event) throws IOException { if (event.type() == SSLSwitchingEvent.class) { final SSLSwitchingEvent se = (SSLSwitchingEvent) event; final boolean isSecure = se.isSecure(); CONNECTION_IS_SECURE.set(se.getConnection(), isSecure); // if enabling security - create SSLEngine here, because default // Grizzly SSLFilter will use host/port info from the Connection, rather // than request URL. Specifically this doesn't work with CONNECT tunnels. if (isSecure && SSLUtils.getSSLEngine(ctx.getConnection()) == null) { // if SSLEngine is not yet set for the connection - initialize it final SSLEngine sslEngine = getClientSSLEngineConfigurator() .createSSLEngine(se.getHost(), se.getPort() == -1 ? 443 : se.getPort() ); sslEngine.beginHandshake(); SSLUtils.setSSLEngine(ctx.getConnection(), sslEngine); } return ctx.getStopAction(); } return ctx.getInvokeAction(); }
@Override public NextAction handleRead(final FilterChainContext ctx) throws IOException { final Connection connection = ctx.getConnection(); final SSLConnectionContext sslCtx = sslBaseFilter.obtainSslConnectionContext(connection); if (sslCtx.getSslEngine() == null) { final SSLEngine sslEngine = sslBaseFilter.serverSSLEngineConfigurator.createSSLEngine(); sslEngine.beginHandshake(); sslCtx.configure(sslEngine); sslBaseFilter.notifyHandshakeStart(connection); } ctx.setMessage(allowDispose(allocateInputBuffer(sslCtx))); return wrappedFilter.handleRead(ctx); }
@Override public SSLEngine createSSLEngine(final String peerHost, final int peerPort) { /* the port is not part of host name verification, it is present in the constructor because of Kerberos (which is not supported by Tyrus) */ // We use the peerHost provided by Tyrus, because Grizzly provides the peerHost only for JDK 7+ SSLEngine sslEngine = super.createSSLEngine(this.peerHost, peerPort); if (hostVerificationEnabled && hostnameVerifier == null) { SSLParameters sslParameters = sslEngine.getSSLParameters(); sslParameters.setEndpointIdentificationAlgorithm("HTTPS"); sslEngine.setSSLParameters(sslParameters); } return sslEngine; } }
/** * Initialize server side SSL configuration. * * @return server side {@link SSLEngineConfigurator}. */ private static SSLEngineConfigurator createSslConfiguration() { // Initialize SSLContext configuration SSLContextConfigurator sslContextConfig = new SSLContextConfigurator(); ClassLoader cl = Server.class.getClassLoader(); // Set key store URL keystoreUrl = cl.getResource("ssltest-keystore.jks"); if (keystoreUrl != null) { sslContextConfig.setKeyStoreFile(keystoreUrl.getFile()); sslContextConfig.setKeyStorePass("changeit"); } // Create SSLEngine configurator return new SSLEngineConfigurator(sslContextConfig.createSSLContext(), false, false, false); }}
private SSLEngineConfigurator buildSslEngineConfigurator(Path certFile, Path keyFile, String keyPassword) throws GeneralSecurityException, IOException { if (keyFile == null || !Files.isRegularFile(keyFile) || !Files.isReadable(keyFile)) { throw new InvalidKeyException("Unreadable or missing private key: " + keyFile); } if (certFile == null || !Files.isRegularFile(certFile) || !Files.isReadable(certFile)) { throw new CertificateException("Unreadable or missing X.509 certificate: " + certFile); } final SSLContextConfigurator sslContextConfigurator = new SSLContextConfigurator(); final char[] password = firstNonNull(keyPassword, "").toCharArray(); final KeyStore keyStore = PemKeyStore.buildKeyStore(certFile, keyFile, password); sslContextConfigurator.setKeyStorePass(password); sslContextConfigurator.setKeyStoreBytes(KeyStoreUtils.getBytes(keyStore, password)); final SSLContext sslContext = sslContextConfigurator.createSSLContext(true); return new SSLEngineConfigurator(sslContext, false, false, false); }
/** * Build <tt>SSLFilter</tt> with the given {@link SSLEngineConfigurator}. * * @param serverSSLEngineConfigurator SSLEngine configurator for server side connections * @param renegotiateOnClientAuthWant <tt>true</tt>, if SSLBaseFilter has to force client authentication * during re-handshake, in case the client didn't send its credentials * during the initial handshake in response to "wantClientAuth" flag. * In this case "needClientAuth" flag will be raised and re-handshake * will be initiated */ public SSLBaseFilter(SSLEngineConfigurator serverSSLEngineConfigurator, boolean renegotiateOnClientAuthWant) { this.renegotiateOnClientAuthWant = renegotiateOnClientAuthWant; this.serverSSLEngineConfigurator = ((serverSSLEngineConfigurator != null) ? serverSSLEngineConfigurator : new SSLEngineConfigurator( SSLContextConfigurator.DEFAULT_CONFIG.createSSLContext(true), false, false, false)); }
SSLContextConfigurator sslContext = new SSLContextConfigurator(); sslContext.setKeyStoreFile("path_to_my_keystore"); sslContext.setKeyStorePass("password"); sslContext.setTrustStoreFile("path_to_my_truststore"); sslContext.setTrustStorePass("password"); sslContext.setSecurityProtocol("TLSv1.2"); SSLEngineConfigurator sslEngineConfigurator = new SSLEngineConfigurator(sslContext); sslEngineConfigurator.setNeedClientAuth(true); sslEngineConfigurator.setWantClientAuth(true); sslEngineConfigurator.setEnabledCipherSuites(new String[]{"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"}); sslEngineConfigurator.setClientMode(false); NetworkListener listener = new NetworkListener("grizzly_ssl", uri.getHost(), 8443); listener.setSecure(true);
public SSLEngineConfigurator copy() { return new SSLEngineConfigurator(this); } }
ksProvider.writeTo(baos); SSLContextConfigurator sslCon = new SSLContextConfigurator(); sslCon.setKeyStoreBytes(baos.toByteArray()); sslCon.setKeyPass(certPass); sslCon.setKeyStorePass(ksPass); SSLEngineConfigurator sslConf = new SSLEngineConfigurator(sslCon); sslConf.setClientMode(false); sslConf.setNeedClientAuth(false); return sslConf;
private SSLFilter createSslFilter(final TlsContextFactory tlsContextFactory) { try { boolean clientAuth = tlsContextFactory.isTrustStoreConfigured(); final SSLEngineConfigurator serverConfig = new SSLEngineConfigurator(tlsContextFactory.createSslContext(), false, clientAuth, false); final String[] enabledProtocols = tlsContextFactory.getEnabledProtocols(); if (enabledProtocols != null) { serverConfig.setEnabledProtocols(enabledProtocols); } final String[] enabledCipherSuites = tlsContextFactory.getEnabledCipherSuites(); if (enabledCipherSuites != null) { serverConfig.setEnabledCipherSuites(enabledCipherSuites); } final SSLEngineConfigurator clientConfig = serverConfig.copy().setClientMode(true); return new MuleSslFilter(serverConfig, clientConfig); } catch (Exception e) { throw new MuleRuntimeException(e); } }
new ResourceConfig(), true, new SSLEngineConfigurator(sslContext).setClientMode(false).setNeedClientAuth(true), false );
/** * Create and configure {@link SSLEngine} using this context configuration * using advisory peer information. * <P> * Applications using this factory method are providing hints * for an internal session reuse strategy. * <P> * Some cipher suites (such as Kerberos) require remote hostname * information, in which case peerHost needs to be specified. * * @param peerHost the non-authoritative name of the host * @param peerPort the non-authoritative port * * @return {@link SSLEngine}. */ @Override public SSLEngine createSSLEngine(final String peerHost, final int peerPort) { if (sslContext == null) { synchronized(sync) { if (sslContext == null) { sslContext = sslContextConfiguration.createSSLContext(true); } } } final SSLEngine sslEngine = sslContext.createSSLEngine(peerHost, peerPort); configure(sslEngine); return sslEngine; }
@Override public void enableTLS(final SSLContext sslContext, final String[] protocols, final String[] suites, final boolean wantClientAuth, final boolean needClientAuth) { Validator.ensureNotNull(sslContext); synchronized (this) { if (isTLSEnabled()) { throw new IllegalStateException("TLS already enabled"); } final SSLEngineConfigurator sslEngineConfigurator = new SSLEngineConfigurator(sslContext, false, false, false); sslEngineConfigurator.setEnabledCipherSuites(suites); sslEngineConfigurator.setEnabledProtocols(protocols); sslEngineConfigurator.setWantClientAuth(wantClientAuth); sslEngineConfigurator.setNeedClientAuth(needClientAuth); installFilter(new SSLFilter(sslEngineConfigurator, DUMMY_SSL_ENGINE_CONFIGURATOR)); } }
/** * Create and configure {@link SSLEngine} using this context configuration. * * @return {@link SSLEngine}. */ public SSLEngine createSSLEngine() { return createSSLEngine(null, -1); }
final SSLEngineConfigurator clientConfig = serverConfig.copy().setClientMode(true);