All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.apache.http.conn.ssl.SSLSocketFactory Maven / Gradle / Ivy

There is a newer version: 3.0.0-alpha-3
Show newest version
/*
 * ====================================================================
 * Licensed to the Apache Software Foundation (ASF) under one
 * or more contributor license agreements.  See the NOTICE file
 * distributed with this work for additional information
 * regarding copyright ownership.  The ASF licenses this file
 * to you under the Apache License, Version 2.0 (the
 * "License"); you may not use this file except in compliance
 * with the License.  You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing,
 * software distributed under the License is distributed on an
 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
 * KIND, either express or implied.  See the License for the
 * specific language governing permissions and limitations
 * under the License.
 * ====================================================================
 *
 * This software consists of voluntary contributions made by many
 * individuals on behalf of the Apache Software Foundation.  For more
 * information on the Apache Software Foundation, please see
 * .
 *
 */

package org.apache.http.conn.ssl;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;

import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;

import org.apache.http.HttpHost;
import org.apache.http.annotation.Contract;
import org.apache.http.annotation.ThreadingBehavior;
import org.apache.http.conn.ConnectTimeoutException;
import org.apache.http.conn.HttpInetSocketAddress;
import org.apache.http.conn.scheme.HostNameResolver;
import org.apache.http.conn.scheme.LayeredSchemeSocketFactory;
import org.apache.http.conn.scheme.LayeredSocketFactory;
import org.apache.http.conn.scheme.SchemeLayeredSocketFactory;
import org.apache.http.conn.socket.LayeredConnectionSocketFactory;
import org.apache.http.params.HttpConnectionParams;
import org.apache.http.params.HttpParams;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.Args;
import org.apache.http.util.Asserts;
import org.apache.http.util.TextUtils;

/**
 * Layered socket factory for TLS/SSL connections.
 * 

* SSLSocketFactory can be used to validate the identity of the HTTPS server against a list of * trusted certificates and to authenticate to the HTTPS server using a private key. *

*

* SSLSocketFactory will enable server authentication when supplied with * a {@link KeyStore trust-store} file containing one or several trusted certificates. The client * secure socket will reject the connection during the SSL session handshake if the target HTTPS * server attempts to authenticate itself with a non-trusted certificate. *

*

* Use JDK keytool utility to import a trusted certificate and generate a trust-store file: *

*
keytool -import -alias "my server cert" -file server.crt -keystore my.truststore
 * 
*

* In special cases the standard trust verification process can be bypassed by using a custom * {@link TrustStrategy}. This interface is primarily intended for allowing self-signed * certificates to be accepted as trusted without having to add them to the trust-store file. *

*

* SSLSocketFactory will enable client authentication when supplied with * a {@link KeyStore key-store} file containing a private key/public certificate * pair. The client secure socket will use the private key to authenticate * itself to the target HTTPS server during the SSL session handshake if * requested to do so by the server. * The target HTTPS server will in its turn verify the certificate presented * by the client in order to establish client's authenticity. *

*

* Use the following sequence of actions to generate a key-store file *

*
    *
  • *

    * Use JDK keytool utility to generate a new key *

    *
    keytool -genkey -v -alias "my client key" -validity 365 -keystore my.keystore
    *

    * For simplicity use the same password for the key as that of the key-store *

    *
  • *
  • *

    * Issue a certificate signing request (CSR) *

    *
    keytool -certreq -alias "my client key" -file mycertreq.csr -keystore my.keystore
    *
  • *
  • *

    * Send the certificate request to the trusted Certificate Authority for signature. * One may choose to act as her own CA and sign the certificate request using a PKI * tool, such as OpenSSL. *

    *
  • *
  • *

    * Import the trusted CA root certificate *

    *
    keytool -import -alias "my trusted ca" -file caroot.crt -keystore my.keystore
    *
  • *
  • *

    * Import the PKCS#7 file containg the complete certificate chain *

    *
    keytool -import -alias "my client key" -file mycert.p7 -keystore my.keystore
    *
  • *
  • *

    * Verify the content the resultant keystore file *

    *
    keytool -list -v -keystore my.keystore
    *
  • *
* * @since 4.0 * * @deprecated (4.3) use {@link SSLConnectionSocketFactory}. */ @Contract(threading = ThreadingBehavior.SAFE_CONDITIONAL) @Deprecated public class SSLSocketFactory implements LayeredConnectionSocketFactory, SchemeLayeredSocketFactory, LayeredSchemeSocketFactory, LayeredSocketFactory { public static final String TLS = "TLS"; public static final String SSL = "SSL"; public static final String SSLV2 = "SSLv2"; public static final X509HostnameVerifier ALLOW_ALL_HOSTNAME_VERIFIER = new AllowAllHostnameVerifier(); public static final X509HostnameVerifier BROWSER_COMPATIBLE_HOSTNAME_VERIFIER = new BrowserCompatHostnameVerifier(); public static final X509HostnameVerifier STRICT_HOSTNAME_VERIFIER = new StrictHostnameVerifier(); /** * Obtains default SSL socket factory with an SSL context based on the standard JSSE * trust material ({@code cacerts} file in the security properties directory). * System properties are not taken into consideration. * * @return default SSL socket factory */ public static SSLSocketFactory getSocketFactory() throws SSLInitializationException { return new SSLSocketFactory( SSLContexts.createDefault(), BROWSER_COMPATIBLE_HOSTNAME_VERIFIER); } private static String[] split(final String s) { if (TextUtils.isBlank(s)) { return null; } return s.split(" *, *"); } /** * Obtains default SSL socket factory with an SSL context based on system properties * as described in * * "JavaTM Secure Socket Extension (JSSE) Reference Guide for the JavaTM 2 Platform * Standard Edition 5 * * @return default system SSL socket factory */ public static SSLSocketFactory getSystemSocketFactory() throws SSLInitializationException { return new SSLSocketFactory( (javax.net.ssl.SSLSocketFactory) javax.net.ssl.SSLSocketFactory.getDefault(), split(System.getProperty("https.protocols")), split(System.getProperty("https.cipherSuites")), BROWSER_COMPATIBLE_HOSTNAME_VERIFIER); } private final javax.net.ssl.SSLSocketFactory socketfactory; private final HostNameResolver nameResolver; // TODO: make final private volatile X509HostnameVerifier hostnameVerifier; private final String[] supportedProtocols; private final String[] supportedCipherSuites; public SSLSocketFactory( final String algorithm, final KeyStore keystore, final String keyPassword, final KeyStore truststore, final SecureRandom random, final HostNameResolver nameResolver) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { this(SSLContexts.custom() .useProtocol(algorithm) .setSecureRandom(random) .loadKeyMaterial(keystore, keyPassword != null ? keyPassword.toCharArray() : null) .loadTrustMaterial(truststore) .build(), nameResolver); } /** * @since 4.1 */ public SSLSocketFactory( final String algorithm, final KeyStore keystore, final String keyPassword, final KeyStore truststore, final SecureRandom random, final TrustStrategy trustStrategy, final X509HostnameVerifier hostnameVerifier) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { this(SSLContexts.custom() .useProtocol(algorithm) .setSecureRandom(random) .loadKeyMaterial(keystore, keyPassword != null ? keyPassword.toCharArray() : null) .loadTrustMaterial(truststore, trustStrategy) .build(), hostnameVerifier); } /** * @since 4.1 */ public SSLSocketFactory( final String algorithm, final KeyStore keystore, final String keyPassword, final KeyStore truststore, final SecureRandom random, final X509HostnameVerifier hostnameVerifier) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { this(SSLContexts.custom() .useProtocol(algorithm) .setSecureRandom(random) .loadKeyMaterial(keystore, keyPassword != null ? keyPassword.toCharArray() : null) .loadTrustMaterial(truststore) .build(), hostnameVerifier); } public SSLSocketFactory( final KeyStore keystore, final String keystorePassword, final KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { this(SSLContexts.custom() .loadKeyMaterial(keystore, keystorePassword != null ? keystorePassword.toCharArray() : null) .loadTrustMaterial(truststore) .build(), BROWSER_COMPATIBLE_HOSTNAME_VERIFIER); } public SSLSocketFactory( final KeyStore keystore, final String keystorePassword) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException{ this(SSLContexts.custom() .loadKeyMaterial(keystore, keystorePassword != null ? keystorePassword.toCharArray() : null) .build(), BROWSER_COMPATIBLE_HOSTNAME_VERIFIER); } public SSLSocketFactory( final KeyStore truststore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { this(SSLContexts.custom() .loadTrustMaterial(truststore) .build(), BROWSER_COMPATIBLE_HOSTNAME_VERIFIER); } /** * @since 4.1 */ public SSLSocketFactory( final TrustStrategy trustStrategy, final X509HostnameVerifier hostnameVerifier) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { this(SSLContexts.custom() .loadTrustMaterial(null, trustStrategy) .build(), hostnameVerifier); } /** * @since 4.1 */ public SSLSocketFactory( final TrustStrategy trustStrategy) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException, UnrecoverableKeyException { this(SSLContexts.custom() .loadTrustMaterial(null, trustStrategy) .build(), BROWSER_COMPATIBLE_HOSTNAME_VERIFIER); } public SSLSocketFactory(final SSLContext sslContext) { this(sslContext, BROWSER_COMPATIBLE_HOSTNAME_VERIFIER); } public SSLSocketFactory( final SSLContext sslContext, final HostNameResolver nameResolver) { super(); this.socketfactory = sslContext.getSocketFactory(); this.hostnameVerifier = BROWSER_COMPATIBLE_HOSTNAME_VERIFIER; this.nameResolver = nameResolver; this.supportedProtocols = null; this.supportedCipherSuites = null; } /** * @since 4.1 */ public SSLSocketFactory( final SSLContext sslContext, final X509HostnameVerifier hostnameVerifier) { this(Args.notNull(sslContext, "SSL context").getSocketFactory(), null, null, hostnameVerifier); } /** * @since 4.3 */ public SSLSocketFactory( final SSLContext sslContext, final String[] supportedProtocols, final String[] supportedCipherSuites, final X509HostnameVerifier hostnameVerifier) { this(Args.notNull(sslContext, "SSL context").getSocketFactory(), supportedProtocols, supportedCipherSuites, hostnameVerifier); } /** * @since 4.2 */ public SSLSocketFactory( final javax.net.ssl.SSLSocketFactory socketfactory, final X509HostnameVerifier hostnameVerifier) { this(socketfactory, null, null, hostnameVerifier); } /** * @since 4.3 */ public SSLSocketFactory( final javax.net.ssl.SSLSocketFactory socketfactory, final String[] supportedProtocols, final String[] supportedCipherSuites, final X509HostnameVerifier hostnameVerifier) { this.socketfactory = Args.notNull(socketfactory, "SSL socket factory"); this.supportedProtocols = supportedProtocols; this.supportedCipherSuites = supportedCipherSuites; this.hostnameVerifier = hostnameVerifier != null ? hostnameVerifier : BROWSER_COMPATIBLE_HOSTNAME_VERIFIER; this.nameResolver = null; } /** * @param params Optional parameters. Parameters passed to this method will have no effect. * This method will create a unconnected instance of {@link Socket} class. * @since 4.1 */ @Override public Socket createSocket(final HttpParams params) throws IOException { return createSocket((HttpContext) null); } @Override public Socket createSocket() throws IOException { return createSocket((HttpContext) null); } /** * @since 4.1 */ @Override public Socket connectSocket( final Socket socket, final InetSocketAddress remoteAddress, final InetSocketAddress localAddress, final HttpParams params) throws IOException, UnknownHostException, ConnectTimeoutException { Args.notNull(remoteAddress, "Remote address"); Args.notNull(params, "HTTP parameters"); final HttpHost host; if (remoteAddress instanceof HttpInetSocketAddress) { host = ((HttpInetSocketAddress) remoteAddress).getHttpHost(); } else { host = new HttpHost(remoteAddress.getHostName(), remoteAddress.getPort(), "https"); } final int socketTimeout = HttpConnectionParams.getSoTimeout(params); final int connectTimeout = HttpConnectionParams.getConnectionTimeout(params); socket.setSoTimeout(socketTimeout); return connectSocket(connectTimeout, socket, host, remoteAddress, localAddress, null); } /** * Checks whether a socket connection is secure. * This factory creates TLS/SSL socket connections * which, by default, are considered secure. *

* Derived classes may override this method to perform * runtime checks, for example based on the cypher suite. *

* * @param sock the connected socket * * @return {@code true} * * @throws IllegalArgumentException if the argument is invalid */ @Override public boolean isSecure(final Socket sock) throws IllegalArgumentException { Args.notNull(sock, "Socket"); Asserts.check(sock instanceof SSLSocket, "Socket not created by this factory"); Asserts.check(!sock.isClosed(), "Socket is closed"); return true; } /** * @since 4.2 */ @Override public Socket createLayeredSocket( final Socket socket, final String host, final int port, final HttpParams params) throws IOException, UnknownHostException { return createLayeredSocket(socket, host, port, (HttpContext) null); } @Override public Socket createLayeredSocket( final Socket socket, final String host, final int port, final boolean autoClose) throws IOException, UnknownHostException { return createLayeredSocket(socket, host, port, (HttpContext) null); } public void setHostnameVerifier(final X509HostnameVerifier hostnameVerifier) { Args.notNull(hostnameVerifier, "Hostname verifier"); this.hostnameVerifier = hostnameVerifier; } public X509HostnameVerifier getHostnameVerifier() { return this.hostnameVerifier; } @Override public Socket connectSocket( final Socket socket, final String host, final int port, final InetAddress local, final int localPort, final HttpParams params) throws IOException, UnknownHostException, ConnectTimeoutException { final InetAddress remote; if (this.nameResolver != null) { remote = this.nameResolver.resolve(host); } else { remote = InetAddress.getByName(host); } InetSocketAddress localAddress = null; if (local != null || localPort > 0) { localAddress = new InetSocketAddress(local, localPort > 0 ? localPort : 0); } final InetSocketAddress remoteAddress = new HttpInetSocketAddress( new HttpHost(host, port), remote, port); return connectSocket(socket, remoteAddress, localAddress, params); } @Override public Socket createSocket( final Socket socket, final String host, final int port, final boolean autoClose) throws IOException, UnknownHostException { return createLayeredSocket(socket, host, port, autoClose); } /** * Performs any custom initialization for a newly created SSLSocket * (before the SSL handshake happens). * * The default implementation is a no-op, but could be overridden to, e.g., * call {@link SSLSocket#setEnabledCipherSuites(java.lang.String[])}. * @throws IOException (only if overridden) * * @since 4.2 */ protected void prepareSocket(final SSLSocket socket) throws IOException { } private void internalPrepareSocket(final SSLSocket socket) throws IOException { if (supportedProtocols != null) { socket.setEnabledProtocols(supportedProtocols); } if (supportedCipherSuites != null) { socket.setEnabledCipherSuites(supportedCipherSuites); } prepareSocket(socket); } @Override public Socket createSocket(final HttpContext context) throws IOException { return SocketFactory.getDefault().createSocket(); } @Override public Socket connectSocket( final int connectTimeout, final Socket socket, final HttpHost host, final InetSocketAddress remoteAddress, final InetSocketAddress localAddress, final HttpContext context) throws IOException { Args.notNull(host, "HTTP host"); Args.notNull(remoteAddress, "Remote address"); final Socket sock = socket != null ? socket : createSocket(context); if (localAddress != null) { sock.bind(localAddress); } try { sock.connect(remoteAddress, connectTimeout); } catch (final SocketTimeoutException ex) { throw new ConnectTimeoutException("Connect to " + remoteAddress + " timed out"); } // Setup SSL layering if necessary if (sock instanceof SSLSocket) { final SSLSocket sslsock = (SSLSocket) sock; sslsock.startHandshake(); verifyHostname(sslsock, host.getHostName()); return sock; } else { return createLayeredSocket(sock, host.getHostName(), remoteAddress.getPort(), context); } } @Override public Socket createLayeredSocket( final Socket socket, final String target, final int port, final HttpContext context) throws IOException { final SSLSocket sslsock = (SSLSocket) this.socketfactory.createSocket( socket, target, port, true); internalPrepareSocket(sslsock); sslsock.startHandshake(); verifyHostname(sslsock, target); return sslsock; } private void verifyHostname(final SSLSocket sslsock, final String hostname) throws IOException { try { this.hostnameVerifier.verify(hostname, sslsock); // verifyHostName() didn't blowup - good! } catch (final IOException iox) { // close the socket before re-throwing the exception try { sslsock.close(); } catch (final Exception x) { /*ignore*/ } throw iox; } } }




© 2015 - 2024 Weber Informatics LLC | Privacy Policy