/**
 * Assembles the XNIO option map for this listener's SSL channel.
 *
 * The map is the union of {@code commonOptions} and {@code socketOptions} with direct buffers
 * forced on. When a cipher-suite filter string is configured, it is parsed with
 * {@link CipherSuiteSelector#fromString} and applied to the suites the context reports as
 * supported; the surviving names are stored under the listener's ENABLED_CIPHER_SUITES option.
 * An invalid filter string therefore fails here, at option-map construction time.
 *
 * @param sslContext the context whose supported cipher suites bound the filter
 * @return the assembled option map
 */
protected OptionMap getSSLOptions(SSLContext sslContext) {
    final Builder builder = OptionMap.builder()
            .addAll(commonOptions)
            .addAll(socketOptions)
            .set(Options.USE_DIRECT_BUFFERS, true);
    if (cipherSuites != null) {
        final String[] supportedSuites = sslContext.getSupportedSSLParameters().getCipherSuites();
        final String[] enabledSuites = CipherSuiteSelector.fromString(cipherSuites).evaluate(supportedSuites);
        // The cast is unchecked because getOption() is not typed to a String sequence at this
        // call site; it is kept exactly as the original wrote it.
        builder.setSequence((Option<Sequence<String>>) HttpsListenerResourceDefinition.ENABLED_CIPHER_SUITES.getOption(), enabledSuites);
    }
    return builder.getMap();
}
CipherSuiteSelector current = empty(); CipherSuitePredicate predicate; String name; switch (cp) { case '+': { current = parseMoveToEnd(current, i); break; current = parseRemove(current, i); break; current = parseDelete(current, i); break; current = parseSpecial(current, i); break; i.previous(); name = i.delimitedBy('+', ':', ',', ' ').drainToString(); predicate = parsePredicate(i, name); if (predicate != null) { current = current.add(predicate); } else { switch (name) { case "DEFAULT": current = current.add(CipherSuitePredicate.matchOpenSslAll()) .deleteFully(CipherSuitePredicate.matchOpenSslDefaultDeletes()); break; case "COMPLEMENTOFDEFAULT": current = current.add(CipherSuitePredicate.matchAnonDH()); break;
/**
 * Runs the whole rule chain against the supported-mechanism map, filling {@code enabled}.
 *
 * The chain is walked recursively from the oldest rule: the previous selector (if any) is
 * evaluated first and this selector's own filter is applied last, so rules take effect in the
 * order they were added.
 *
 * @param enabled the set of enabled mechanism names being built up (insertion order matters to the caller)
 * @param supported the recognised supported mechanisms, keyed by database entry
 */
private void doEvaluate(Set<String> enabled, Map<MechanismDatabase.Entry, String> supported) {
    if (prev == null) {
        applyFilter(enabled, supported);
        return;
    }
    prev.doEvaluate(enabled, supported);
    applyFilter(enabled, supported);
}
/**
 * Parses the operand of a delete rule and permanently removes everything it matches.
 *
 * @param current the selector built so far
 * @param i the iterator positioned just after the rule prefix
 * @return a new selector with the delete rule appended
 */
private static CipherSuiteSelector parseDelete(final CipherSuiteSelector current, final CodePointIterator i) {
    final CipherSuitePredicate target = parsePredicate(i);
    return current.deleteFully(target);
}
/**
 * Parses the predicate that starts with the already-consumed {@code word}.
 *
 * If the next code point is {@code '+'}, the word is the first operand of a conjunction and the
 * remaining operands are read by {@link #parseAndPredicate}. Note that the code point following
 * {@code word} is consumed whether or not it is {@code '+'}; callers appear to treat the other
 * delimiters as separators to skip anyway — NOTE(review): confirm against the caller's loop.
 *
 * @param i the iterator positioned right after {@code word}
 * @param word the token already read
 * @return the predicate, or {@code null} when {@code word} is not a known simple predicate name
 *         and no conjunction follows (the caller then tries the special keywords)
 * @throws RuntimeException the exception built by {@code mechSelectorTokenNotAllowed} when
 *         {@code '+'} follows an unknown word; it carries the token, the index and the unparsed
 *         remainder of the input
 */
private static CipherSuitePredicate parsePredicate(final CodePointIterator i, final String word) {
    final CipherSuitePredicate head = getSimplePredicateByName(word);
    final boolean conjunction = i.hasNext() && i.next() == '+';
    if (! conjunction) {
        return head;
    }
    if (head == null) {
        throw ElytronMessages.log.mechSelectorTokenNotAllowed("+", i.getIndex(), i.drainToString());
    }
    return parseAndPredicate(head, i);
}
checkAttributeNamespace(reader, i); if (reader.getAttributeLocalName(i).equals("selector")) { selector = CipherSuiteSelector.fromString(reader.getAttributeValueResolved(i)); } else { throw reader.unexpectedAttribute(i);
/**
 * Fills {@code params} from this configuration.
 *
 * Both selectors are evaluated against the lists the caller reports as supported, so the
 * enabled protocols and cipher suites are always a subset of what the provider can actually
 * negotiate. Client-auth mode and cipher-order preference come from this object's fields.
 *
 * @param params the parameters to populate
 * @param supportedProtocols the protocols the engine/socket supports; must not be {@code null}
 * @param supportedCipherSuites the cipher suites the engine/socket supports; must not be {@code null}
 */
void configure(SSLParameters params, String[] supportedProtocols, String[] supportedCipherSuites) {
    Assert.checkNotNullParam("supportedProtocols", supportedProtocols);
    Assert.checkNotNullParam("supportedCipherSuites", supportedCipherSuites);
    final String[] enabledProtocols = protocolSelector.evaluate(supportedProtocols);
    params.setProtocols(enabledProtocols);
    final String[] enabledCipherSuites = cipherSuiteSelector.evaluate(supportedCipherSuites);
    params.setCipherSuites(enabledCipherSuites);
    params.setUseCipherSuitesOrder(useCipherSuitesOrder);
    // JSSE makes "want" and "need" mutually exclusive: each setter clears the other flag.
    // Setting "want" first and "need" only when it is true means need=true always wins and
    // need=false can never wipe out a want=true request.
    params.setWantClientAuth(wantClientAuth);
    if (needClientAuth) {
        params.setNeedClientAuth(needClientAuth);
    }
}
/**
 * Reads the remaining operands of a {@code +}-joined conjunction and combines them with
 * {@link CipherSuitePredicate#matchAll}.
 *
 * Each operand is the text up to the next {@code '+'}, {@code ':'}, {@code ','} or space. After
 * every operand one code point is consumed; the loop continues only if it was {@code '+'}.
 * NOTE(review): {@code getSimplePredicateByName} can return {@code null} (see the null check in
 * {@code parsePredicate}), and a {@code null} operand is passed to {@code matchAll} unchecked
 * here — confirm that {@code matchAll} tolerates it or that the grammar rules it out.
 *
 * @param item the first operand, already parsed
 * @param i the iterator positioned right after the first {@code '+'}
 * @return a predicate matching only suites that satisfy every operand
 */
private static CipherSuitePredicate parseAndPredicate(CipherSuitePredicate item, final CodePointIterator i) {
    final ArrayList<CipherSuitePredicate> operands = new ArrayList<>();
    operands.add(item);
    for (;;) {
        final String operandName = i.delimitedBy('+', ':', ',', ' ').drainToString();
        operands.add(getSimplePredicateByName(operandName));
        if (! (i.hasNext() && i.next() == '+')) {
            break;
        }
    }
    return CipherSuitePredicate.matchAll(operands.toArray(new CipherSuitePredicate[0]));
}
/**
 * Permanently deletes a single cipher suite by name; later {@code add} rules cannot bring it back.
 * Equivalent to {@code deleteFully(CipherSuitePredicate.matchName(cipherSuiteName))}. The name
 * must be a standard or OpenSSL-style mechanism name identifying exactly one mechanism.
 *
 * @param cipherSuiteName the cipher suite name
 * @return a new selector with the delete rule appended (this selector is unchanged)
 */
public CipherSuiteSelector deleteFully(final String cipherSuiteName) {
    final CipherSuitePredicate byName = CipherSuitePredicate.matchName(cipherSuiteName);
    return deleteFully(byName);
}
/**
 * Adds a single cipher suite by name. Equivalent to
 * {@code add(CipherSuitePredicate.matchName(cipherSuiteName))}. The name must be a standard or
 * OpenSSL-style mechanism name identifying exactly one mechanism; a name the socket layer does
 * not support, or that is invalid, simply matches nothing at evaluation time and is not enabled.
 *
 * @param cipherSuiteName the cipher suite name
 * @return a new selector with the add rule appended (this selector is unchanged)
 */
public CipherSuiteSelector add(final String cipherSuiteName) {
    final CipherSuitePredicate byName = CipherSuitePredicate.matchName(cipherSuiteName);
    return add(byName);
}
/**
 * Evaluates this selector against the mechanisms the JSSE provider reports as supported.
 *
 * Names the {@link MechanismDatabase} does not recognise are dropped (and traced) before any
 * rule runs; the recognised ones are offered to the rule chain in their original order. The
 * result is therefore always a subset of {@code supportedMechanisms}, never a superset.
 *
 * @param supportedMechanisms the supported mechanism names; must not be {@code null}
 * @return the enabled mechanism names in selection order; never {@code null}, possibly empty
 */
public final String[] evaluate(String[] supportedMechanisms) {
    if (ElytronMessages.tls.isTraceEnabled()) {
        final StringBuilder message = new StringBuilder(supportedMechanisms.length * 16)
                .append("Evaluating filter \"").append(this).append("\" on supported mechanisms:");
        for (String mechanism : supportedMechanisms) {
            message.append("\n ").append(mechanism);
        }
        ElytronMessages.tls.trace(message);
    }
    final MechanismDatabase database = MechanismDatabase.getInstance();
    // insertion-ordered so the rule chain sees mechanisms in the provider's order
    final LinkedHashMap<MechanismDatabase.Entry, String> known = new LinkedHashMap<>(supportedMechanisms.length);
    for (String mechanism : supportedMechanisms) {
        final MechanismDatabase.Entry entry = database.getCipherSuite(mechanism);
        if (entry == null) {
            ElytronMessages.tls.tracef("Dropping unknown mechanism %s", mechanism);
            continue;
        }
        ElytronMessages.tls.tracef("Found supported mechanism %s", mechanism);
        known.put(entry, mechanism);
    }
    final LinkedHashSet<String> enabled = new LinkedHashSet<>(known.size());
    doEvaluate(enabled, known);
    return enabled.toArray(new String[0]);
}
/**
 * Validates a cipher-suite filter attribute by parsing it with
 * {@link CipherSuiteSelector#fromString}; the resulting selector is discarded.
 *
 * Undefined values are accepted as-is after the superclass checks. A parse failure is reported
 * through {@code ROOT_LOGGER.invalidCipherSuiteFilter} with the original exception kept as the
 * cause, so the user sees the parser's message and the stack trace is preserved.
 *
 * @param parameterName the attribute name
 * @param value the attribute value
 * @throws OperationFailedException if the superclass rejects the value or the filter does not parse
 */
@Override
public void validateParameter(String parameterName, ModelNode value) throws OperationFailedException {
    super.validateParameter(parameterName, value);
    if (! value.isDefined()) {
        return;
    }
    try {
        CipherSuiteSelector.fromString(value.asString());
    } catch (IllegalArgumentException e) {
        throw ROOT_LOGGER.invalidCipherSuiteFilter(e, e.getLocalizedMessage());
    }
}
}
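/**
 * Builds fresh {@link SSLParameters} for a connection from this configuration.
 *
 * The protocol and cipher-suite selectors are applied to the lists the engine/socket reports as
 * supported, and the client-auth mode and cipher-order preference come from this configurator's
 * fields via {@link #configure} — they are deliberately not taken from {@code original}. Server
 * names, SNI matchers, algorithm constraints and the endpoint identification algorithm are copied
 * from {@code original}; any other attribute on {@code original} (including ones added to
 * SSLParameters in later JDKs) is not carried over, so the result is a narrow rebuild, not a clone.
 *
 * @param original the engine's current parameters, used only as the source of the copied attributes
 * @param supportedCipherSuites the cipher suites the engine/socket supports
 * @param supportedProtocols the protocols the engine/socket supports
 * @return the new parameters
 */
private SSLParameters redefine(SSLParameters original, String[] supportedCipherSuites, String[] supportedProtocols) {
    final SSLParameters params = new SSLParameters();
    // configure() runs both selectors itself, so it gets the raw supported lists; handing it
    // pre-filtered lists (as this method previously did) evaluated every selector twice.
    configure(params, supportedProtocols, supportedCipherSuites);
    // copy the attributes configure() does not own
    params.setServerNames(original.getServerNames());
    params.setSNIMatchers(original.getSNIMatchers());
    params.setAlgorithmConstraints(original.getAlgorithmConstraints());
    params.setEndpointIdentificationAlgorithm(original.getEndpointIdentificationAlgorithm());
    return params;
}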
/**
 * Parses the predicate that starts with the already-consumed {@code word}.
 *
 * If the next code point is {@code '+'}, the word is the first operand of a conjunction and the
 * remaining operands are read by {@link #parseAndPredicate}. Note that the code point following
 * {@code word} is consumed whether or not it is {@code '+'}; callers appear to treat the other
 * delimiters as separators to skip anyway — NOTE(review): confirm against the caller's loop.
 *
 * @param i the iterator positioned right after {@code word}
 * @param word the token already read
 * @return the predicate, or {@code null} when {@code word} is not a known simple predicate name
 *         and no conjunction follows (the caller then tries the special keywords)
 * @throws RuntimeException the exception built by {@code mechSelectorTokenNotAllowed} when
 *         {@code '+'} follows an unknown word; it carries the token, the index and the unparsed
 *         remainder of the input
 */
private static CipherSuitePredicate parsePredicate(final CodePointIterator i, final String word) {
    final CipherSuitePredicate head = getSimplePredicateByName(word);
    final boolean conjunction = i.hasNext() && i.next() == '+';
    if (! conjunction) {
        return head;
    }
    if (head == null) {
        throw ElytronMessages.log.mechSelectorTokenNotAllowed("+", i.getIndex(), i.drainToString());
    }
    return parseAndPredicate(head, i);
}
/**
 * Parses the operand of a delete rule and permanently removes everything it matches.
 *
 * @param current the selector built so far
 * @param i the iterator positioned just after the rule prefix
 * @return a new selector with the delete rule appended
 */
private static CipherSuiteSelector parseDelete(final CipherSuiteSelector current, final CodePointIterator i) {
    final CipherSuitePredicate target = parsePredicate(i);
    return current.deleteFully(target);
}
/**
 * Reads the remaining operands of a {@code +}-joined conjunction and combines them with
 * {@link CipherSuitePredicate#matchAll}.
 *
 * Each operand is the text up to the next {@code '+'}, {@code ':'}, {@code ','} or space. After
 * every operand one code point is consumed; the loop continues only if it was {@code '+'}.
 * NOTE(review): {@code getSimplePredicateByName} can return {@code null} (see the null check in
 * {@code parsePredicate}), and a {@code null} operand is passed to {@code matchAll} unchecked
 * here — confirm that {@code matchAll} tolerates it or that the grammar rules it out.
 *
 * @param item the first operand, already parsed
 * @param i the iterator positioned right after the first {@code '+'}
 * @return a predicate matching only suites that satisfy every operand
 */
private static CipherSuitePredicate parseAndPredicate(CipherSuitePredicate item, final CodePointIterator i) {
    final ArrayList<CipherSuitePredicate> operands = new ArrayList<>();
    operands.add(item);
    for (;;) {
        final String operandName = i.delimitedBy('+', ':', ',', ' ').drainToString();
        operands.add(getSimplePredicateByName(operandName));
        if (! (i.hasNext() && i.next() == '+')) {
            break;
        }
    }
    return CipherSuitePredicate.matchAll(operands.toArray(new CipherSuitePredicate[0]));
}
/**
 * Permanently deletes a single cipher suite by name; later {@code add} rules cannot bring it back.
 * Equivalent to {@code deleteFully(CipherSuitePredicate.matchName(cipherSuiteName))}. The name
 * must be a standard or OpenSSL-style mechanism name identifying exactly one mechanism.
 *
 * @param cipherSuiteName the cipher suite name
 * @return a new selector with the delete rule appended (this selector is unchanged)
 */
public CipherSuiteSelector deleteFully(final String cipherSuiteName) {
    final CipherSuitePredicate byName = CipherSuitePredicate.matchName(cipherSuiteName);
    return deleteFully(byName);
}
/**
 * Adds a single cipher suite by name. Equivalent to
 * {@code add(CipherSuitePredicate.matchName(cipherSuiteName))}. The name must be a standard or
 * OpenSSL-style mechanism name identifying exactly one mechanism; a name the socket layer does
 * not support, or that is invalid, simply matches nothing at evaluation time and is not enabled.
 *
 * @param cipherSuiteName the cipher suite name
 * @return a new selector with the add rule appended (this selector is unchanged)
 */
public CipherSuiteSelector add(final String cipherSuiteName) {
    final CipherSuitePredicate byName = CipherSuitePredicate.matchName(cipherSuiteName);
    return add(byName);
}
/**
 * Evaluates this selector against the mechanisms the JSSE provider reports as supported.
 *
 * Names the {@link MechanismDatabase} does not recognise are dropped (and traced) before any
 * rule runs; the recognised ones are offered to the rule chain in their original order. The
 * result is therefore always a subset of {@code supportedMechanisms}, never a superset.
 *
 * @param supportedMechanisms the supported mechanism names; must not be {@code null}
 * @return the enabled mechanism names in selection order; never {@code null}, possibly empty
 */
public final String[] evaluate(String[] supportedMechanisms) {
    if (ElytronMessages.tls.isTraceEnabled()) {
        final StringBuilder message = new StringBuilder(supportedMechanisms.length * 16)
                .append("Evaluating filter \"").append(this).append("\" on supported mechanisms:");
        for (String mechanism : supportedMechanisms) {
            message.append("\n ").append(mechanism);
        }
        ElytronMessages.tls.trace(message);
    }
    final MechanismDatabase database = MechanismDatabase.getInstance();
    // insertion-ordered so the rule chain sees mechanisms in the provider's order
    final LinkedHashMap<MechanismDatabase.Entry, String> known = new LinkedHashMap<>(supportedMechanisms.length);
    for (String mechanism : supportedMechanisms) {
        final MechanismDatabase.Entry entry = database.getCipherSuite(mechanism);
        if (entry == null) {
            ElytronMessages.tls.tracef("Dropping unknown mechanism %s", mechanism);
            continue;
        }
        ElytronMessages.tls.tracef("Found supported mechanism %s", mechanism);
        known.put(entry, mechanism);
    }
    final LinkedHashSet<String> enabled = new LinkedHashSet<>(known.size());
    doEvaluate(enabled, known);
    return enabled.toArray(new String[0]);
}
CipherSuiteSelector current = empty(); CipherSuitePredicate predicate; String name; switch (cp) { case '+': { current = parseMoveToEnd(current, i); break; current = parseRemove(current, i); break; current = parseDelete(current, i); break; current = parseSpecial(current, i); break; i.previous(); name = i.delimitedBy('+', ':', ',', ' ').drainToString(); predicate = parsePredicate(i, name); if (predicate != null) { current = current.add(predicate); } else { switch (name) { case "DEFAULT": current = current.add(CipherSuitePredicate.matchOpenSslAll()) .deleteFully(CipherSuitePredicate.matchOpenSslDefaultDeletes()); break; case "COMPLEMENTOFDEFAULT": current = current.add(CipherSuitePredicate.matchAnonDH()); break;