All Downloads are FREE. Search and download functionalities are using the official Maven repository.

esa.httpserver.impl.SslHelper Maven / Gradle / Ivy

/*
 * Copyright 2020 OPPO ESA Stack Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package esa.httpserver.impl;

import esa.commons.ExceptionUtils;
import esa.httpserver.SslOptions;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.ApplicationProtocolNames;
import io.netty.handler.ssl.OpenSsl;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;

import javax.net.ssl.SSLException;
import java.util.Arrays;

final class SslHelper {

    private final SslOptions ssl;
    private final SslContext sslContext;

    SslHelper(SslOptions ssl, boolean isH2Enabled) {
        this.ssl = ssl;
        this.sslContext = createContext(isH2Enabled);
    }

    private SslContext createContext(boolean isH2Enabled) {
        if (!isSsl()) {
            return null;
        }

        final SslContextBuilder sslContextBuilder =
                SslContextBuilder.forServer(ssl.getCertificate(),
                        ssl.getPrivateKey(),
                        ssl.getKeyPassword());

        sslContextBuilder.sslProvider(detectSslProvider());

        if (isH2Enabled) {
            sslContextBuilder.applicationProtocolConfig(new ApplicationProtocolConfig(
                    ApplicationProtocolConfig.Protocol.ALPN,
                    // NO_ADVERTISE is currently the only mode supported by both OpenSsl and JDK providers.
                    ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE,
                    // ACCEPT is currently the only mode supported by both OpenSsl and JDK providers.
                    ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT,
                    ApplicationProtocolNames.HTTP_2,
                    ApplicationProtocolNames.HTTP_1_1));
        }

        if (ssl.getClientAuth() != null) {
            sslContextBuilder.clientAuth(ssl.getClientAuth());
        }
        if (ssl.getSessionTimeout() > 0) {
            sslContextBuilder.sessionTimeout(ssl.getSessionTimeout());
        }
        if (ssl.getSessionCacheSize() > 0) {
            sslContextBuilder.sessionCacheSize(ssl.getSessionCacheSize());
        }
        if (ssl.getCiphers() != null && ssl.getCiphers().length > 0) {
            sslContextBuilder.ciphers(Arrays.asList(ssl.getCiphers()));
        }
        if (ssl.getTrustCertificates() != null) {
            sslContextBuilder.trustManager(ssl.getTrustCertificates());
        }

        try {
            return sslContextBuilder.build();
        } catch (SSLException e) {
            throw ExceptionUtils.asRuntime(e);
        }
    }

    boolean isSsl() {
        return ssl != null;
    }

    SslOptions options() {
        return ssl;
    }

    SslContext getSslContext() {
        return sslContext;
    }

    private static SslProvider detectSslProvider() {
        if (OpenSsl.isAvailable()) {
            return SslProvider.OPENSSL;
        } else {
            return SslProvider.JDK;
        }
    }

}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy