• Home
• io.snappydata
• snappydata-store-shared
• 1.6.5
• source code
• SSLFactory.java

×

Project download

Many resources are needed to download a project. Please understand that we have to compensate our server costs. Thank you in advance.
Project price only 1 $

You can buy this project and download/modify it how often you want.

io.snappydata.thrift.common.SSLFactory Maven / Gradle / Ivy

/*
 * Copyright (c) 2010-2015 Pivotal Software, Inc. All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you
 * may not use this file except in compliance with the License. You
 * may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License. See accompanying
 * LICENSE file.
 */
/*
 * Changes for SnappyData data platform.
 *
 * Portions Copyright (c) 2017-2019 TIBCO Software Inc. All rights reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you
 * may not use this file except in compliance with the License. You
 * may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
 * implied. See the License for the specific language governing
 * permissions and limitations under the License. See accompanying
 * LICENSE file.
 */

package io.snappydata.thrift.common;

import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import javax.net.ssl.*;

import org.apache.thrift.transport.TTransportException;

/**
 * A Factory for providing and setting up client SSL sockets
 * and client/server {@link SSLEngine} instances.
 */
public abstract class SSLFactory {

  private SSLFactory() {
    // no instance
  }

  /**
   * Get a configured SSL socket connected to the specified host and port.
   * 

   * If SSLSocketParameters are not null, then they are used to set the values
   * for the algorithms, keystore, truststore and other settings.
   * 

   * Else if SSLSocketParameters are null then the default settings are used.
   * Default settings are retrieved from System properties that are set.
   * 

   * Example system properties: -Djavax.net.ssl.trustStore=
   * -Djavax.net.ssl.trustStorePassword=password
   * -Djavax.net.ssl.keyStore=
   * -Djavax.net.ssl.keyStorePassword=password
   * 

   * All the client methods return a bound connection, so there is no need to
   * call open() on the TTransport.
   */
  public static SSLSocket getClientSocket(InetAddress hostAddress, int port,
      int timeout, SocketParameters params) throws TTransportException {
    SSLContext ctx = createSSLContext(params);
    return createClient(ctx.getSocketFactory(), hostAddress, port, timeout,
        params);
  }

  private static SSLSocket createClient(SSLSocketFactory factory,
      InetAddress hostAddress, int port, int timeout,
      final SocketParameters params) throws TTransportException {
    try {
      SSLSocket socket = (SSLSocket)factory.createSocket(hostAddress, port);
      socket.setSoTimeout(timeout);
      if (params != null) {
        if (params.getSSLEnabledProtocols() != null) {
          socket.setEnabledProtocols(params.getSSLEnabledProtocols());
        }
        if (params.getSSLCipherSuites() != null) {
          socket.setEnabledCipherSuites(params.getSSLCipherSuites());
        }
      }
      return socket;
    } catch (IOException ioe) {
      throw new TTransportException(TTransportException.NOT_OPEN, ioe);
    } catch (Exception e) {
      throw new TTransportException(TTransportException.NOT_OPEN,
          "Could not connect to " + hostAddress + " on port " + port, e);
    }
  }

  public static SSLEngine createEngine(String peerHostName, int peerPort,
      SocketParameters params, boolean forClient) throws TTransportException {
    SSLContext ctx = createSSLContext(params);
    SSLEngine engine = ctx.createSSLEngine(peerHostName, peerPort);
    if (params != null) {
      if (params.getSSLEnabledProtocols() != null) {
        engine.setEnabledProtocols(params.getSSLEnabledProtocols());
      }
      if (params.getSSLCipherSuites() != null) {
        engine.setEnabledCipherSuites(params.getSSLCipherSuites());
      }
      if (forClient) {
        engine.setUseClientMode(true);
      } else {
        engine.setUseClientMode(false);
        engine.setNeedClientAuth(params.getSSLClientAuth());
      }
    }
    return engine;
  }

  private static final String[] DEFAULT_PROTOCOLS = new String[]{"TLSv1.2",
      "Default", "TLSv1", "TLS"};

  public static SSLContext createSSLContext(SocketParameters params)
      throws TTransportException {
    SSLContext ctx;
    FileInputStream tsInput = null, ksInput = null;
    try {
      if (params == null || !params.hasSSLParams()) {
        return SSLContext.getDefault();
      } else if (!(params.isSSLKeyStoreSet() || params.isSSLTrustStoreSet())) {
        throw new TTransportException(
            "Either one of the KeyStore or TrustStore must be set "
                + "in SSLSocketParameters having explicit SSL parameters");
      } else if (params.getSSLProtocol() != null) {
        ctx = SSLContext.getInstance(params.getSSLProtocol());
      } else {
        ctx = null;
        NoSuchAlgorithmException failure = null;
        // Start from default to TLS (hopefully "default" will allow using
        // higher strength protocols if they become available in future).
        for (String protocol : DEFAULT_PROTOCOLS) {
          try {
            ctx = SSLContext.getInstance(protocol);
            break;
          } catch (NoSuchAlgorithmException nsae) {
            // continue searching for a protocol
            failure = nsae;
          }
        }
        if (failure != null) {
          throw failure;
        } else if (ctx == null) {
          throw new NoSuchAlgorithmException(
              java.util.Arrays.toString(DEFAULT_PROTOCOLS));
        }
      }
      TrustManagerFactory tmf;
      KeyManagerFactory kmf;
      KeyManager[] keyManagers = null;
      TrustManager[] trustManagers = null;

      if (params.isSSLTrustStoreSet()) {
        tmf = TrustManagerFactory.getInstance(params.getSSLTrustManagerType());
        KeyStore ts = KeyStore.getInstance(params.getSSLTrustStoreType());
        tsInput = new FileInputStream(params.getSSLTrustStore());
        ts.load(tsInput, params.getSSLTrustPass().toCharArray());
        tmf.init(ts);
        trustManagers = tmf.getTrustManagers();
      }

      if (params.isSSLKeyStoreSet()) {
        kmf = KeyManagerFactory.getInstance(params.getSSLKeyManagerType());
        KeyStore ks = KeyStore.getInstance(params.getSSLKeyStoreType());
        char[] keyPass = params.getSSLKeyPass() != null ? params.getSSLKeyPass()
            .toCharArray() : null;
        ksInput = new FileInputStream(params.getSSLKeyStore());
        ks.load(ksInput, keyPass);
        kmf.init(ks, keyPass);
        keyManagers = kmf.getKeyManagers();
      }

      ctx.init(keyManagers, trustManagers, null);

    } catch (Exception e) {
      throw new TTransportException("Error creating the transport", e);
    } finally {
      if (tsInput != null) {
        try {
          tsInput.close();
        } catch (Exception ce) {
          // ignore
        }
      }
      if (ksInput != null) {
        try {
          ksInput.close();
        } catch (Exception ce) {
          // ignore
        }
      }
    }
    return ctx;
  }
}