/**
 * Builds a server-side {@link SSLEngineConfigurator} from a PEM certificate and a PEM private key.
 *
 * <p>Both paths are validated before any key material is touched so that a missing or unreadable
 * file surfaces as a clear {@code InvalidKeyException} / {@code CertificateException} instead of a
 * failure deep inside key-store assembly. The key password is handed to the configurator as a
 * {@code char[]}; it is not zeroed here.
 *
 * @param certFile    path to the PEM-encoded X.509 certificate
 * @param keyFile     path to the PEM-encoded private key
 * @param keyPassword password protecting the key; {@code null} is treated as the empty password
 * @return a configurator in server mode with client authentication neither required nor requested
 * @throws InvalidKeyException      if {@code keyFile} is null, not a regular file, or not readable
 * @throws CertificateException     if {@code certFile} is null, not a regular file, or not readable
 * @throws GeneralSecurityException if the key store or the SSL context cannot be built
 * @throws IOException              if the PEM material cannot be read
 */
private SSLEngineConfigurator buildSslEngineConfigurator(Path certFile, Path keyFile, String keyPassword)
        throws GeneralSecurityException, IOException {
    // Same tests as before, expressed positively: null, non-regular and unreadable files all fail.
    final boolean keyUsable = keyFile != null && Files.isRegularFile(keyFile) && Files.isReadable(keyFile);
    if (!keyUsable) {
        throw new InvalidKeyException("Unreadable or missing private key: " + keyFile);
    }
    final boolean certUsable = certFile != null && Files.isRegularFile(certFile) && Files.isReadable(certFile);
    if (!certUsable) {
        throw new CertificateException("Unreadable or missing X.509 certificate: " + certFile);
    }

    // Empty password when none was supplied; the same array unlocks the in-memory key store below.
    final char[] password = firstNonNull(keyPassword, "").toCharArray();
    final KeyStore pemBackedStore = PemKeyStore.buildKeyStore(certFile, keyFile, password);

    // The configurator is fed the serialized key store rather than a file path.
    final SSLContextConfigurator contextConfigurator = new SSLContextConfigurator();
    contextConfigurator.setKeyStorePass(password);
    contextConfigurator.setKeyStoreBytes(KeyStoreUtils.getBytes(pemBackedStore, password));

    // The boolean asks the configurator to throw on failure rather than return null — confirm
    // against the Grizzly version in use.
    final SSLContext sslContext = contextConfigurator.createSSLContext(true);

    // Flags: clientMode=false, needClientAuth=false, wantClientAuth=false.
    return new SSLEngineConfigurator(sslContext, false, false, false);
}
/**
 * Starts the SSL-secured HTTP test server.
 *
 * <p>The server is set up for mutual TLS: it presents the key pair from
 * {@code KEYSTORE_SERVER_FILE} and, because {@code setNeedClientAuth(true)} is applied, it will
 * only complete a handshake with clients whose certificate validates against
 * {@code TRUSTORE_SERVER_FILE}.
 *
 * @return a {@link Server} wrapping the started Grizzly instance
 * @throws IOException if the server key store or trust store cannot be read, or the server fails to start
 */
public static Server start() throws IOException {
    // Key store holds the server key pair; trust store holds the accepted client certificate.
    final SSLContextConfigurator contextConfigurator = new SSLContextConfigurator();
    contextConfigurator.setKeyStoreFile(KEYSTORE_SERVER_FILE);
    contextConfigurator.setKeyStorePass(KEYSTORE_SERVER_PWD);
    contextConfigurator.setTrustStoreFile(TRUSTORE_SERVER_FILE);
    contextConfigurator.setTrustStorePass(TRUSTORE_SERVER_PWD);

    // Server mode with mandatory client authentication.
    final SSLEngineConfigurator engineConfigurator = new SSLEngineConfigurator(contextConfigurator)
            .setClientMode(false)
            .setNeedClientAuth(true);

    final ResourceConfig resourceConfig = new ResourceConfig();
    resourceConfig.registerClasses(RootResource.class, SecurityFilter.class, AuthenticationExceptionMapper.class);

    final HttpServer httpServer = GrizzlyHttpServerFactory.createHttpServer(
            getBaseURI(), resourceConfig, true, engineConfigurator);
    httpServer.start();
    return new Server(httpServer);
}
public SSLEngineConfigurator build(SSLProperties sslProperties) { SSLContextConfigurator sslContext = new SSLContextConfigurator(); sslContext.setKeyStoreFile(sslProperties.getKeyStoreFile()); // contains server keypair sslContext.setKeyStorePass(sslProperties.getKeyStorePass()); sslProperties.getTrustStoreFile().ifPresent(file->sslContext.setTrustStoreFile(file)); // contains client certificate sslProperties.getTrustStorePass().ifPresent(pass->sslContext.setTrustStorePass(pass)); sslProperties.getKeyStoreType().ifPresent(type->sslContext.setKeyStoreType(type)); sslProperties.getKeyStoreProvider().ifPresent(provider->sslContext.setKeyStoreProvider(provider)); sslProperties.getTrustStoreType().ifPresent(type->sslContext.setTrustStoreType(type)); sslProperties.getTrustStoreProvider().ifPresent(provider->sslContext.setTrustStoreProvider(provider)); SSLEngineConfigurator sslConf = new SSLEngineConfigurator(sslContext).setClientMode(false); sslProperties.getClientAuth().filter(auth-> auth.toLowerCase().equals("want")) .ifPresent(auth->sslConf.setWantClientAuth(true)); sslProperties.getClientAuth().filter(auth-> auth.toLowerCase().equals("need")) .ifPresent(auth->sslConf.setNeedClientAuth(true)); Maybe.fromOptional(sslProperties.getCiphers()).peek(ciphers->sslConf.setEnabledCipherSuites(ciphers.split(","))) .forEach(c-> sslConf.setCipherConfigured(true)); Maybe.fromOptional(sslProperties.getProtocol()).peek(pr->sslConf.setEnabledProtocols(pr.split(","))) .forEach(p->sslConf.setProtocolConfigured(true));
/**
 * Starts the embedded Grizzly server that hosts {@code restApi}.
 *
 * <p>When both {@code keystoreServerFile} and {@code keystoreServerPwd} are set, the server
 * terminates TLS with that key store; client certificates are not required
 * ({@code setNeedClientAuth(false)}). If either value is missing a plain HTTP server is created.
 *
 * @throws TelegramApiRequestException if the server fails to start
 */
public void startServer() throws TelegramApiRequestException {
    final ResourceConfig resourceConfig = new ResourceConfig();
    resourceConfig.register(restApi);
    resourceConfig.register(JacksonFeature.class);

    final boolean tlsConfigured = keystoreServerFile != null && keystoreServerPwd != null;
    final HttpServer httpServer;
    if (tlsConfigured) {
        // Key store holds the server key pair.
        final SSLContextConfigurator contextConfigurator = new SSLContextConfigurator();
        contextConfigurator.setKeyStoreFile(keystoreServerFile);
        contextConfigurator.setKeyStorePass(keystoreServerPwd);
        final SSLEngineConfigurator engineConfigurator = new SSLEngineConfigurator(contextConfigurator)
                .setClientMode(false)
                .setNeedClientAuth(false);
        httpServer = GrizzlyHttpServerFactory.createHttpServer(getBaseURI(), resourceConfig, true, engineConfigurator);
    } else {
        httpServer = GrizzlyHttpServerFactory.createHttpServer(getBaseURI(), resourceConfig);
    }

    try {
        httpServer.start();
    } catch (IOException e) {
        // Keep the cause so the underlying bind/listen failure remains diagnosable.
        throw new TelegramApiRequestException("Error starting webhook server", e);
    }
}
/**
 * Creates a codec whose encoder/decoder pair share a single {@link SSLContext}.
 *
 * <p>Two engine configurators are derived from that context: one in server mode and one in
 * client mode. The trailing constructor flags (needClientAuth, wantClientAuth) are {@code false}
 * for both, so neither side asks the peer for a certificate.
 *
 * @param sslContext the context both engine configurators are built from
 */
public SSLCodec(SSLContext sslContext) {
    final boolean needClientAuth = false;
    final boolean wantClientAuth = false;
    serverSSLEngineConfig = new SSLEngineConfigurator(sslContext, false, needClientAuth, wantClientAuth);
    clientSSLEngineConfig = new SSLEngineConfigurator(sslContext, true, needClientAuth, wantClientAuth);
    decoder = new SSLDecoderTransformer();
    encoder = new SSLEncoderTransformer();
}
/**
 * Creates the client-side {@link SSLEngine} for the given connection.
 *
 * <p>On JDK 7 and later the engine is created with the peer host name and an unspecified port
 * ({@code -1}), presumably so that host-aware features such as SNI and endpoint identification
 * can apply; on older JDKs the no-argument factory is used.
 *
 * @param sslCtx                the SSL connection context whose connection yields the peer host
 * @param sslEngineConfigurator the configurator that produces the engine
 * @return a freshly created client engine
 */
protected SSLEngine createClientSSLEngine(final SSLConnectionContext sslCtx,
                                          final SSLEngineConfigurator sslEngineConfigurator) {
    if (!IS_JDK7_OR_HIGHER) {
        return sslEngineConfigurator.createSSLEngine();
    }
    final String peerHost = HostNameResolver.getPeerHostName(sslCtx.getConnection());
    return sslEngineConfigurator.createSSLEngine(peerHost, -1);
}
/**
 * Reacts to {@code SSLSwitchingEvent}s by recording the connection's secure flag and, when
 * security is being enabled, installing a client {@link SSLEngine} on the connection.
 *
 * <p>The engine is created here rather than left to the default Grizzly SSLFilter because that
 * filter derives host/port from the Connection, which is wrong for CONNECT tunnels where the
 * request URL names the real target. The port falls back to 443 when the event carries -1.
 *
 * @param ctx   the filter chain context
 * @param event the event to handle; anything other than an {@code SSLSwitchingEvent} is passed on
 * @return the stop action for handled switching events, otherwise the invoke action
 * @throws IOException propagated from the handshake start
 */
@Override
public NextAction handleEvent(final FilterChainContext ctx, final FilterChainEvent event) throws IOException {
    if (event.type() != SSLSwitchingEvent.class) {
        return ctx.getInvokeAction();
    }

    final SSLSwitchingEvent switching = (SSLSwitchingEvent) event;
    final boolean secure = switching.isSecure();
    CONNECTION_IS_SECURE.set(switching.getConnection(), secure);

    // Only create an engine once per connection.
    if (secure && SSLUtils.getSSLEngine(ctx.getConnection()) == null) {
        final int port = switching.getPort() == -1 ? 443 : switching.getPort();
        final SSLEngine engine = getClientSSLEngineConfigurator().createSSLEngine(switching.getHost(), port);
        engine.beginHandshake();
        SSLUtils.setSSLEngine(ctx.getConnection(), engine);
    }
    return ctx.getStopAction();
}
/**
 * Defers the feeder flush until the TLS handshake on this transfer's connection has completed.
 *
 * <p>Locates the {@link SSLFilter} in the chain, registers a one-shot handshake listener and
 * then kicks off the handshake. On completion for our connection the listener unregisters
 * itself and flushes; on failure the connection is closed with the handshake error as reason.
 *
 * @throws IOException propagated from starting the handshake
 */
private void flushOnSSLHandshakeComplete() throws IOException {
    final FilterChain chain = context.getFilterChain();
    final int sslFilterIndex = chain.indexOfType(SSLFilter.class);
    assert (sslFilterIndex != -1);
    final SSLFilter sslFilter = (SSLFilter) chain.get(sslFilterIndex);
    final Connection ownConnection = context.getConnection();

    final SSLBaseFilter.HandshakeListener oneShot = new SSLBaseFilter.HandshakeListener() {
        public void onStart(Connection connection) {
            // nothing to do at handshake start
        }

        @Override
        public void onFailure(final Connection connection, final Throwable t) {
            connection.closeWithReason(Exceptions.makeIOException(t));
        }

        public void onComplete(Connection connection) {
            // The listener is shared by the filter; act only for our own connection.
            if (!ownConnection.equals(connection)) {
                return;
            }
            sslFilter.removeHandshakeListener(this);
            feederFlush(ownConnection);
        }
    };
    sslFilter.addHandshakeListener(oneShot);
    sslFilter.handshake(context.getConnection(), null);
}
/**
 * Starts the asynchronous body transfer for {@code requestPacket} over {@code context}'s connection.
 *
 * <p>May be called once per instance and only when a feeder is present. Records the packet and a
 * content builder, remembers the connection's current async write-queue limit in
 * {@code origMaxPendingBytes} (presumably restored elsewhere) and applies the configured limit if
 * one was set. If the request is secure and the connection has no {@link SSLEngine} yet, the
 * flush waits for the handshake; otherwise the feeder is flushed immediately.
 *
 * @param context       the filter chain context driving the transfer
 * @param requestPacket the request whose body is transferred
 * @throws IllegalStateException if a transfer was already initiated or no feeder is available
 * @throws IOException           propagated from the flush or handshake start
 */
synchronized void initializeAsynchronousTransfer(final FilterChainContext context,
                                                 final HttpRequestPacket requestPacket) throws IOException {
    if (asyncTransferInitiated) {
        throw new IllegalStateException("Async transfer has already been initiated.");
    }
    if (feeder == null) {
        throw new IllegalStateException("No feeder available to perform the transfer.");
    }
    assert (context != null);
    assert (requestPacket != null);

    this.requestPacket = requestPacket;
    this.contentBuilder = HttpContent.builder(requestPacket);

    final Connection connection = context.getConnection();
    origMaxPendingBytes = connection.getMaxAsyncWriteQueueSize();
    final boolean limitConfigured = configuredMaxPendingBytes != DEFAULT;
    if (limitConfigured) {
        connection.setMaxAsyncWriteQueueSize(configuredMaxPendingBytes);
    }

    // The context must be stored before flushOnSSLHandshakeComplete(), which reads it.
    this.context = context;
    asyncTransferInitiated = true;

    final boolean handshakeStillNeeded = requestPacket.isSecure() && getSSLEngine(connection) == null;
    if (handshakeStillNeeded) {
        flushOnSSLHandshakeComplete();
    } else {
        feederFlush(connection);
    }
}
/**
 * Delegates reads to the SSL filter only for connections flagged as secure; plain connections
 * bypass SSL processing and continue down the chain.
 *
 * @param ctx the filter chain context
 * @return the superclass result for secure connections, otherwise the invoke action
 * @throws IOException propagated from the superclass
 */
@Override
public NextAction handleRead(FilterChainContext ctx) throws IOException {
    final boolean secureConnection = isSecure(ctx.getConnection());
    return secureConnection ? super.handleRead(ctx) : ctx.getInvokeAction();
}
// Handshake-complete callback of a shared HandshakeListener: only the connection captured as
// {@code c} matters; the listener then unregisters itself and flushes the pending feeder data.
public void onComplete(Connection connection) {
    if (c.equals(connection)) {
        filter.removeHandshakeListener(this);
        feederFlush(c);
    }
}
}); // closes the anonymous listener and the addHandshakeListener(...) call that begin before this snippet
/**
 * Delegates writes to the SSL filter only for connections flagged as secure; plain connections
 * bypass SSL processing and continue down the chain.
 *
 * @param ctx the filter chain context
 * @return the superclass result for secure connections, otherwise the invoke action
 * @throws IOException propagated from the superclass
 */
@Override
public NextAction handleWrite(FilterChainContext ctx) throws IOException {
    final boolean secureConnection = isSecure(ctx.getConnection());
    return secureConnection ? super.handleWrite(ctx) : ctx.getInvokeAction();
}
// Key-store-backed TLS configuration for the embedded server; the key store is expected at <basePath>/keystore.
SSLContextConfigurator sslConfig = new SSLContextConfigurator();
sslConfig.setKeyStoreFile(new File(params.basePath, "keystore").getAbsolutePath());
// NOTE(review): the key-store password is a string literal in source, so anyone with the source
// (or the binary) can unlock the private key; consider reading it from configuration instead.
sslConfig.setKeyStorePass("opentrip");
// Server-mode engine; client certificates are not required. The trailing ')' closes a call
// whose start lies outside this snippet.
new SSLEngineConfigurator(sslConfig)
        .setClientMode(false)
        .setNeedClientAuth(false)
);
/**
 * Creates a codec whose encoder/decoder pair share a single {@link SSLContext}.
 *
 * <p>A server-mode and a client-mode engine configurator are derived from the same context;
 * the need/want-client-auth flags are {@code false} for both.
 *
 * @param sslContext the context both engine configurators are built from
 */
public SSLCodec(SSLContext sslContext) {
    decoder = new SSLDecoderTransformer();
    encoder = new SSLEncoderTransformer();
    final boolean serverMode = false;
    final boolean clientMode = true;
    serverSSLEngineConfig = new SSLEngineConfigurator(sslContext, serverMode, false, false);
    clientSSLEngineConfig = new SSLEngineConfigurator(sslContext, clientMode, false, false);
}
/**
 * Creates the client-side {@link SSLEngine} for the given connection.
 *
 * <p>On JDK 7 and later the engine is created with the peer host name and an unspecified port
 * ({@code -1}), presumably so that host-aware features such as SNI and endpoint identification
 * can apply; on older JDKs the no-argument factory is used.
 *
 * @param sslCtx                the SSL connection context whose connection yields the peer host
 * @param sslEngineConfigurator the configurator that produces the engine
 * @return a freshly created client engine
 */
protected SSLEngine createClientSSLEngine(final SSLConnectionContext sslCtx,
                                          final SSLEngineConfigurator sslEngineConfigurator) {
    if (IS_JDK7_OR_HIGHER) {
        final String peerHost = HostNameResolver.getPeerHostName(sslCtx.getConnection());
        return sslEngineConfigurator.createSSLEngine(peerHost, -1);
    }
    return sslEngineConfigurator.createSSLEngine();
}
/**
 * Creates a codec whose encoder/decoder pair share a single {@link SSLContext}.
 *
 * <p>Two engine configurators are derived from that context: one in server mode and one in
 * client mode. The trailing constructor flags (needClientAuth, wantClientAuth) are {@code false}
 * for both, so neither side asks the peer for a certificate.
 *
 * @param sslContext the context both engine configurators are built from
 */
public SSLCodec(SSLContext sslContext) {
    final boolean needClientAuth = false;
    final boolean wantClientAuth = false;
    serverSSLEngineConfig = new SSLEngineConfigurator(sslContext, false, needClientAuth, wantClientAuth);
    clientSSLEngineConfig = new SSLEngineConfigurator(sslContext, true, needClientAuth, wantClientAuth);
    decoder = new SSLDecoderTransformer();
    encoder = new SSLEncoderTransformer();
}
/**
 * Creates the client-side {@link SSLEngine} for the given connection.
 *
 * <p>On JDK 7 and later the engine is created with the peer host name and an unspecified port
 * ({@code -1}), presumably so that host-aware features such as SNI and endpoint identification
 * can apply; on older JDKs the no-argument factory is used.
 *
 * @param sslCtx                the SSL connection context whose connection yields the peer host
 * @param sslEngineConfigurator the configurator that produces the engine
 * @return a freshly created client engine
 */
protected SSLEngine createClientSSLEngine(final SSLConnectionContext sslCtx,
                                          final SSLEngineConfigurator sslEngineConfigurator) {
    if (!IS_JDK7_OR_HIGHER) {
        return sslEngineConfigurator.createSSLEngine();
    }
    final String peerHost = HostNameResolver.getPeerHostName(sslCtx.getConnection());
    return sslEngineConfigurator.createSSLEngine(peerHost, -1);
}
/**
 * Creates a codec whose encoder/decoder pair share a single {@link SSLContext}.
 *
 * <p>A server-mode and a client-mode engine configurator are derived from the same context;
 * the need/want-client-auth flags are {@code false} for both.
 *
 * @param sslContext the context both engine configurators are built from
 */
public SSLCodec(SSLContext sslContext) {
    decoder = new SSLDecoderTransformer();
    encoder = new SSLEncoderTransformer();
    final boolean serverMode = false;
    final boolean clientMode = true;
    serverSSLEngineConfig = new SSLEngineConfigurator(sslContext, serverMode, false, false);
    clientSSLEngineConfig = new SSLEngineConfigurator(sslContext, clientMode, false, false);
}
/**
 * Creates a codec whose encoder/decoder pair share a single {@link SSLContext}.
 *
 * <p>Two engine configurators are derived from that context: one in server mode and one in
 * client mode. The trailing constructor flags (needClientAuth, wantClientAuth) are {@code false}
 * for both, so neither side asks the peer for a certificate.
 *
 * @param sslContext the context both engine configurators are built from
 */
public SSLCodec(SSLContext sslContext) {
    final boolean needClientAuth = false;
    final boolean wantClientAuth = false;
    serverSSLEngineConfig = new SSLEngineConfigurator(sslContext, false, needClientAuth, wantClientAuth);
    clientSSLEngineConfig = new SSLEngineConfigurator(sslContext, true, needClientAuth, wantClientAuth);
    decoder = new SSLDecoderTransformer();
    encoder = new SSLEncoderTransformer();
}
/**
 * Creates a codec whose encoder/decoder pair share a single {@link SSLContext}.
 *
 * <p>A server-mode and a client-mode engine configurator are derived from the same context;
 * the need/want-client-auth flags are {@code false} for both.
 *
 * @param sslContext the context both engine configurators are built from
 */
public SSLCodec(SSLContext sslContext) {
    decoder = new SSLDecoderTransformer();
    encoder = new SSLEncoderTransformer();
    final boolean serverMode = false;
    final boolean clientMode = true;
    serverSSLEngineConfig = new SSLEngineConfigurator(sslContext, serverMode, false, false);
    clientSSLEngineConfig = new SSLEngineConfigurator(sslContext, clientMode, false, false);
}