org.apache.camel.support.jsse.SSLContextParameters Maven / Gradle / Ivy
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.camel.support.jsse;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.security.Security;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;
import org.apache.camel.CamelContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Represents {@link SSLContext} configuration options used in instantiating an {@code SSLContext} instance.
*/
public class SSLContextParameters extends BaseSSLContextParameters {
protected static final String DEFAULT_SECURE_SOCKET_PROTOCOL = "TLSv1.3";
private static final Logger LOG = LoggerFactory.getLogger(SSLContextParameters.class);
/**
* The optional key manager configuration for creating the {@link KeyManager}s used in constructing an
* {@link SSLContext}.
*/
private KeyManagersParameters keyManagers;
/**
* The optional trust manager configuration for creating the {@link TrustManager}s used in constructing an
* {@link SSLContext}.
*/
private TrustManagersParameters trustManagers;
/**
* The optional secure random configuration options to use for constructing the {@link SecureRandom} used in the
* creation of an {@link SSLContext}.
*/
private SecureRandomParameters secureRandom;
/**
* The optional configuration options to be applied purely to the client side settings of the {@link SSLContext}.
* Settings specified here override any duplicate settings provided at the overall level by this class. These
* parameters apply to {@link SSLSocketFactory}s and {@link SSLEngine}s produced by the {@code SSLContext} produced
* from this class as well as to the {@code SSLContext} itself.
*/
private SSLContextClientParameters clientParameters;
/**
* The optional configuration options to be applied purely to the server side settings of the {@link SSLContext}.
* Settings specified here override any duplicate settings provided at the overall level by this class. These
* parameters apply to {@link SSLServerSocketFactory}s and {@link SSLEngine}s produced by the {@code SSLContext}
* produced from this class as well as to the {@code SSLContext} itself.
*/
private SSLContextServerParameters serverParameters;
/**
* The optional provider identifier for the JSSE implementation to use when constructing an {@link SSLContext}.
*/
private String provider;
/**
* The optional protocol for the secure sockets created by the {@link SSLContext} represented by this instance's
* configuration.
*
* See https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html
*/
private String secureSocketProtocol;
/**
* An optional certificate alias to use. This is useful when the keystore has multiple certificates.
*/
private String certAlias;
public KeyManagersParameters getKeyManagers() {
return keyManagers;
}
/**
* Sets the optional key manager configuration for creating the {@link KeyManager}s used in constructing an
* {@link SSLContext}.
*
* @param keyManagers the options or {@code null} to provide no {@code KeyManager}s
*/
public void setKeyManagers(KeyManagersParameters keyManagers) {
this.keyManagers = keyManagers;
}
public TrustManagersParameters getTrustManagers() {
return trustManagers;
}
/**
* Sets the optional trust manager configuration for creating the {@link TrustManager}s used in constructing an
* {@link SSLContext}.
*
* @param trustManagers the options or {@code null} to provide no {@code TrustManager}s
*/
public void setTrustManagers(TrustManagersParameters trustManagers) {
this.trustManagers = trustManagers;
}
public SecureRandomParameters getSecureRandom() {
return secureRandom;
}
/**
* Sets the optional secure random configuration options to use for constructing the {@link SecureRandom} used in
* the creation of an {@link SSLContext}.
*
* @param secureRandom the options or {@code null} to use the default
*/
public void setSecureRandom(SecureRandomParameters secureRandom) {
this.secureRandom = secureRandom;
}
public SSLContextClientParameters getClientParameters() {
return clientParameters;
}
/**
* The optional configuration options to be applied purely to the client side settings of the {@link SSLContext}.
* Settings specified here override any duplicate settings provided at the overall level by this class. These
* parameters apply to {@link SSLSocketFactory}s and {@link SSLEngine}s produced by the {@code SSLContext} produced
* from this class as well as to the {@code SSLContext} itself.
*
* @param clientParameters the optional additional client-side parameters
*/
public void setClientParameters(SSLContextClientParameters clientParameters) {
this.clientParameters = clientParameters;
}
public SSLContextServerParameters getServerParameters() {
return serverParameters;
}
/**
* The optional configuration options to be applied purely to the server side settings of the {@link SSLContext}.
* Settings specified here override any duplicate settings provided at the overall level by this class. These
* parameters apply to {@link SSLServerSocketFactory}s and {@link SSLEngine}s produced by the {@code SSLContext}
* produced from this class as well as to the {@code SSLContext} itself.
*
* @param serverParameters the optional additional client-side parameters
*/
public void setServerParameters(SSLContextServerParameters serverParameters) {
this.serverParameters = serverParameters;
}
public String getProvider() {
return provider;
}
/**
* Sets the optional provider identifier to use when constructing an {@link SSLContext}.
*
* @param provider the identifier (from the list of available providers returned by {@link Security#getProviders()})
* or {@code null} to use the highest priority provider implementing the secure socket protocol
*
* @see Security#getProviders(java.util.Map)
* @see #setSecureSocketProtocol(String)
*/
public void setProvider(String provider) {
this.provider = provider;
}
public String getSecureSocketProtocol() {
if (this.secureSocketProtocol == null) {
return DEFAULT_SECURE_SOCKET_PROTOCOL;
}
return this.secureSocketProtocol;
}
/**
* Sets the optional protocol for the secure sockets created by the {@link SSLContext} represented by this
* instance's configuration. Defaults to TLS.
*
* See https://docs.oracle.com/en/java/javase/17/docs/specs/security/standard-names.html
*
* @param secureSocketProtocol the name of the protocol or {@code null} to use the default (TLS)
*/
public void setSecureSocketProtocol(String secureSocketProtocol) {
this.secureSocketProtocol = secureSocketProtocol;
}
public String getCertAlias() {
return certAlias;
}
/**
* An optional certificate alias to use. This is useful when the keystore has multiple certificates.
*
* @param certAlias an optional certificate alias to use
*/
public void setCertAlias(String certAlias) {
this.certAlias = certAlias;
}
////////////////////////////////////////////
/**
* Creates an {@link SSLContext} based on the related configuration options of this instance. Namely,
* {@link #keyManagers}, {@link #trustManagers}, and {@link #secureRandom}, but also respecting the chosen provider
* and secure socket protocol as well.
*
* @param camelContext The camel context
*
* @return a newly configured instance
*
* @throws GeneralSecurityException if there is a problem in this instances configuration or that of its nested
* configuration options
* @throws IOException if there is an error reading a key/trust store
*/
public SSLContext createSSLContext(CamelContext camelContext) throws GeneralSecurityException, IOException {
if (camelContext != null) {
// setup CamelContext before creating SSLContext
setCamelContext(camelContext);
if (keyManagers != null) {
keyManagers.setCamelContext(camelContext);
if (keyManagers.getKeyStore() != null) {
keyManagers.getKeyStore().setCamelContext(camelContext);
}
}
if (trustManagers != null) {
trustManagers.setCamelContext(camelContext);
if (trustManagers.getKeyStore() != null) {
trustManagers.getKeyStore().setCamelContext(camelContext);
}
}
if (secureRandom != null) {
secureRandom.setCamelContext(camelContext);
}
if (clientParameters != null) {
clientParameters.setCamelContext(camelContext);
}
if (serverParameters != null) {
serverParameters.setCamelContext(camelContext);
}
}
LOG.trace("Creating SSLContext from SSLContextParameters [{}].", this);
if (LOG.isDebugEnabled()) {
LOG.debug("Available Security providers: {}.", Arrays.toString(Security.getProviders()));
}
KeyManager[] keyManagers = this.keyManagers == null ? null : this.keyManagers.createKeyManagers();
TrustManager[] trustManagers = this.trustManagers == null ? null : this.trustManagers.createTrustManagers();
SecureRandom secureRandom = this.secureRandom == null ? null : this.secureRandom.createSecureRandom();
SSLContext context;
if (this.getProvider() == null) {
context = SSLContext.getInstance(this.parsePropertyValue(this.getSecureSocketProtocol()));
} else {
context = SSLContext.getInstance(this.parsePropertyValue(this.getSecureSocketProtocol()),
this.parsePropertyValue(this.getProvider()));
}
if (this.getCertAlias() != null && keyManagers != null) {
for (int idx = 0; idx < keyManagers.length; idx++) {
if (keyManagers[idx] instanceof X509KeyManager x509KeyManager) {
try {
keyManagers[idx] = new AliasedX509ExtendedKeyManager(
this.parsePropertyValue(this.getCertAlias()),
x509KeyManager);
} catch (Exception e) {
throw new GeneralSecurityException(e);
}
}
}
}
LOG.debug(
"SSLContext [{}], initialized from [{}], is using provider [{}], protocol [{}], key managers {}, trust managers {}, and secure random [{}].",
context, this, context.getProvider(), context.getProtocol(), keyManagers, trustManagers,
secureRandom);
context.init(keyManagers, trustManagers, secureRandom);
this.configureSSLContext(context);
// Decorate the context.
context = new SSLContextDecorator(
new SSLContextSpiDecorator(
context,
this.getSSLEngineConfigurers(context),
this.getSSLSocketFactoryConfigurers(context),
this.getSSLServerSocketFactoryConfigurers(context)));
return context;
}
@Override
protected void configureSSLContext(SSLContext context) throws GeneralSecurityException {
LOG.trace("Configuring client and server side SSLContext parameters on SSLContext [{}]...", context);
super.configureSSLContext(context);
if (this.getClientParameters() != null) {
LOG.trace("Overriding client-side SSLContext parameters on SSLContext [{}] with configured client parameters.",
context);
this.getClientParameters().configureSSLContext(context);
}
if (this.getServerParameters() != null) {
LOG.trace("Overriding server-side SSLContext parameters on SSLContext [{}] with configured server parameters.",
context);
this.getServerParameters().configureSSLContext(context);
}
LOG.trace("Configured client and server side SSLContext parameters on SSLContext [{}].", context);
}
@Override
protected List> getSSLEngineConfigurers(SSLContext context) {
LOG.trace("Collecting client and server side SSLEngine configurers on SSLContext [{}]...", context);
List> configurers = super.getSSLEngineConfigurers(context);
if (this.getClientParameters() != null) {
LOG.trace("Augmenting SSLEngine configurers with configurers from client parameters on SSLContext [{}].",
context);
configurers.addAll(this.getClientParameters().getSSLEngineConfigurers(context));
}
if (this.getServerParameters() != null) {
LOG.trace("Augmenting SSLEngine configurers with configurers from server parameters on SSLContext [{}].",
context);
configurers.addAll(this.getServerParameters().getSSLEngineConfigurers(context));
}
LOG.trace("Collected client and server side SSLEngine configurers on SSLContext [{}].", context);
return configurers;
}
@Override
protected List> getSSLSocketFactoryConfigurers(SSLContext context) {
LOG.trace("Collecting SSLSocketFactory configurers on SSLContext [{}]...", context);
List> configurers = super.getSSLSocketFactoryConfigurers(context);
if (this.getClientParameters() != null) {
LOG.trace("Augmenting SSLSocketFactory configurers with configurers from client parameters on SSLContext [{}].",
context);
configurers.addAll(this.getClientParameters().getSSLSocketFactoryConfigurers(context));
}
LOG.trace("Collected SSLSocketFactory configurers on SSLContext [{}].", context);
return configurers;
}
@Override
protected List> getSSLServerSocketFactoryConfigurers(SSLContext context) {
LOG.trace("Collecting SSLServerSocketFactory configurers for SSLContext [{}]...", context);
List> configurers = super.getSSLServerSocketFactoryConfigurers(context);
if (this.getServerParameters() != null) {
LOG.trace(
"Augmenting SSLServerSocketFactory configurers with configurers from server parameters for SSLContext [{}].",
context);
configurers.addAll(this.getServerParameters().getSSLServerSocketFactoryConfigurers(context));
}
LOG.trace("Collected client and server side SSLServerSocketFactory configurers for SSLContext [{}].", context);
return configurers;
}
@Override
public String toString() {
StringBuilder builder = new StringBuilder();
builder.append("SSLContextParameters[keyManagers=");
builder.append(keyManagers);
builder.append(", trustManagers=");
builder.append(trustManagers);
builder.append(", secureRandom=");
builder.append(secureRandom);
builder.append(", clientParameters=");
builder.append(clientParameters);
builder.append(", serverParameters=");
builder.append(serverParameters);
builder.append(", provider=");
builder.append(provider);
builder.append(", secureSocketProtocol=");
builder.append(secureSocketProtocol);
builder.append(", certAlias=");
builder.append(certAlias);
builder.append(", getCipherSuites()=");
builder.append(getCipherSuites());
builder.append(", getCipherSuitesFilter()=");
builder.append(getCipherSuitesFilter());
builder.append(", getSecureSocketProtocols()=");
builder.append(getSecureSocketProtocols());
builder.append(", getSecureSocketProtocolsFilter()=");
builder.append(getSecureSocketProtocolsFilter());
builder.append(", getSessionTimeout()=");
builder.append(getSessionTimeout());
builder.append("]");
return builder.toString();
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy