org.apache.camel.support.jsse.BaseSSLContextParameters Maven / Gradle / Ivy
The newest version!
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.apache.camel.support.jsse;
import java.io.IOException;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedList;
import java.util.List;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SNIServerName;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLContextSpi;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSessionContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import org.apache.camel.support.jsse.FilterParameters.Patterns;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* Represents configuration options that can be applied in the client-side or server-side context depending on what they
* are applied to.
*/
public abstract class BaseSSLContextParameters extends JsseParameters {
protected static final List DEFAULT_CIPHER_SUITES_FILTER_INCLUDE
= List.of(".*");
protected static final List DEFAULT_CIPHER_SUITES_FILTER_EXCLUDE
= List.of(".*_NULL_.*", ".*_anon_.*", ".*_EXPORT_.*", ".*_DES_.*", ".*MD5", ".*RC4.*");
protected static final List DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_INCLUDE
= List.of(".*");
protected static final List DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_EXCLUDE
= List.of("SSL.*");
private static final Logger LOG = LoggerFactory.getLogger(BaseSSLContextParameters.class);
private static final String LS = System.lineSeparator();
private static final String SSL_ENGINE_CIPHER_SUITE_LOG_MSG = createCipherSuiteLogMessage("SSLEngine");
private static final String SSL_SOCKET_CIPHER_SUITE_LOG_MSG = createCipherSuiteLogMessage("SSLSocket");
private static final String SSL_SERVER_SOCKET_CIPHER_SUITE_LOG_MSG = createCipherSuiteLogMessage("SSLServerSocket");
private static final String SSL_ENGINE_PROTOCOL_LOG_MSG = createProtocolLogMessage("SSLEngine");
private static final String SSL_SOCKET_PROTOCOL_LOG_MSG = createProtocolLogMessage("SSLSocket");
private static final String SSL_SERVER_SOCKET_PROTOCOL_LOG_MSG = createProtocolLogMessage("SSLServerSocket");
/**
* The optional explicitly configured cipher suites for this configuration.
*/
private CipherSuitesParameters cipherSuites;
/**
* The optional cipher suite filter configuration for this configuration.
*/
private FilterParameters cipherSuitesFilter;
/**
* The optional explicitly configured secure socket protocol names for this configuration.
*/
private SecureSocketProtocolsParameters secureSocketProtocols;
/**
* The option secure socket protocol name filter configuration for this configuration.
*/
private FilterParameters secureSocketProtocolsFilter;
/**
* The optional {@link SSLSessionContext} timeout time for {@link javax.net.ssl.SSLSession}s in seconds.
*/
private String sessionTimeout;
protected List getSNIHostNames() {
return Collections.emptyList();
}
/**
* Returns the optional explicitly configured cipher suites for this configuration. These options are used in the
* configuration of {@link SSLEngine}, {@link SSLSocketFactory} and {@link SSLServerSocketFactory} depending on the
* context in which they are applied.
*
* These values override any filters supplied in {@link #setCipherSuitesFilter(FilterParameters)}
*/
public CipherSuitesParameters getCipherSuites() {
return cipherSuites;
}
/**
* Sets the optional explicitly configured cipher suites for this configuration. These options are used in the
* configuration of {@link SSLEngine}, {@link SSLSocketFactory} and {@link SSLServerSocketFactory} depending on the
* context in which they are applied.
*
* These values override any filters supplied in {@link #setCipherSuitesFilter(FilterParameters)}
*
* @param cipherSuites the suite configuration
*/
public void setCipherSuites(CipherSuitesParameters cipherSuites) {
this.cipherSuites = cipherSuites;
}
/**
* Returns the optional cipher suite filter for this configuration. These options are used in the configuration of
* {@link SSLEngine}, {@link SSLSocketFactory} and {@link SSLServerSocketFactory} depending on the context in which
* they are applied.
*
* These values are ignored if {@link #setCipherSuites(CipherSuitesParameters)} is called with a non {@code null}
* argument.
*/
public FilterParameters getCipherSuitesFilter() {
return cipherSuitesFilter;
}
/**
* Sets the optional cipher suite filter for this JSSE configuration. These options are used in the configuration of
* {@link SSLEngine}, {@link SSLSocketFactory} and {@link SSLServerSocketFactory} depending on the context in which
* they are applied.
*
* These values are ignored if {@link #setCipherSuites(CipherSuitesParameters)} is called with a non {@code null}
* argument.
*
* @param cipherSuitesFilter the filter configuration
*/
public void setCipherSuitesFilter(FilterParameters cipherSuitesFilter) {
this.cipherSuitesFilter = cipherSuitesFilter;
}
/**
* Returns the explicitly configured secure socket protocol names for this configuration. These options are used in
* the configuration of {@link SSLEngine}, {@link SSLSocketFactory} and {@link SSLServerSocketFactory} depending on
* the context in which they are applied.
*
* These values override any filters supplied in {@link #setSecureSocketProtocolsFilter(FilterParameters)}
*/
public SecureSocketProtocolsParameters getSecureSocketProtocols() {
return secureSocketProtocols;
}
/**
* Sets the explicitly configured secure socket protocol names for this configuration. These options are used in the
* configuration of {@link SSLEngine}, {@link SSLSocketFactory} and {@link SSLServerSocketFactory} depending on the
* context in which they are applied.
*
* These values override any filters supplied in {@link #setSecureSocketProtocolsFilter(FilterParameters)}
*/
public void setSecureSocketProtocols(SecureSocketProtocolsParameters secureSocketProtocols) {
this.secureSocketProtocols = secureSocketProtocols;
}
/**
* Returns the optional secure socket protocol filter for this configuration. These options are used in the
* configuration of {@link SSLEngine}, {@link SSLSocketFactory} and {@link SSLServerSocketFactory} depending on the
* context in which they are applied.
*
* These values are ignored if {@link #setSecureSocketProtocols(SecureSocketProtocolsParameters)} is called with a
* non-{@code null} argument.
*/
public FilterParameters getSecureSocketProtocolsFilter() {
return secureSocketProtocolsFilter;
}
/**
* Sets the optional secure socket protocol filter for this JSSE configuration. These options are used in the
* configuration of {@link SSLEngine}, {@link SSLSocketFactory} and {@link SSLServerSocketFactory} depending on the
* context in which they are applied.
*
* These values are ignored if {@link #setSecureSocketProtocols(SecureSocketProtocolsParameters)} is called with a
* non-{@code null} argument.
*
* @param secureSocketProtocolsFilter the filter configuration
*/
public void setSecureSocketProtocolsFilter(FilterParameters secureSocketProtocolsFilter) {
this.secureSocketProtocolsFilter = secureSocketProtocolsFilter;
}
/**
* Returns the optional {@link SSLSessionContext} timeout time for {@link javax.net.ssl.SSLSession}s in seconds.
*/
public String getSessionTimeout() {
return sessionTimeout;
}
/**
* Sets the optional {@link SSLSessionContext} timeout time for {@link javax.net.ssl.SSLSession}s in seconds.
*
* @param sessionTimeout the timeout value or {@code null} to use the default
*/
public void setSessionTimeout(String sessionTimeout) {
this.sessionTimeout = sessionTimeout;
}
/**
* Returns a flag indicating if default values should be applied in the event that no other property of the instance
* configures a particular aspect of the entity produced by the instance. This flag is used to allow instances of
* this class to produce a configurer that simply passes through the current configuration of a configured entity
* when the instance of this class would otherwise only apply some default configuration.
*
* @see SSLContextClientParameters
* @see SSLContextServerParameters
*/
protected boolean getAllowPassthrough() {
return false;
}
/**
* Configures the actual {@link SSLContext} itself with direct setter calls. This method differs from configuration
* options that are handled by a configurer instance in that the options are part of the context itself and are not
* part of some factory or instance object returned by the context.
*
* @param context the context to configure
*
* @throws GeneralSecurityException if there is an error configuring the context
*/
protected void configureSSLContext(SSLContext context) throws GeneralSecurityException {
LOG.trace("Configuring client and server side SSLContext parameters on SSLContext [{}]...", context);
if (this.getSessionTimeout() != null) {
LOG.debug("Configuring client and server side SSLContext session timeout on SSLContext [{}] to [{}]",
context, this.getSessionTimeout());
this.configureSessionContext(context.getClientSessionContext(), this.getSessionTimeout());
this.configureSessionContext(context.getServerSessionContext(), this.getSessionTimeout());
}
LOG.trace("Configured client and server side SSLContext parameters on SSLContext [{}].", context);
}
protected FilterParameters getDefaultCipherSuitesFilter() {
FilterParameters filter = new FilterParameters();
filter.getInclude().addAll(DEFAULT_CIPHER_SUITES_FILTER_INCLUDE);
filter.getExclude().addAll(DEFAULT_CIPHER_SUITES_FILTER_EXCLUDE);
return filter;
}
protected FilterParameters getDefaultSecureSocketProcotolFilter() {
FilterParameters filter = new FilterParameters();
filter.getInclude().addAll(DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_INCLUDE);
filter.getExclude().addAll(DEFAULT_SECURE_SOCKET_PROTOCOLS_FILTER_EXCLUDE);
return filter;
}
/**
* Returns the list of configurers to apply to an {@link SSLEngine} in order to fully configure it in compliance
* with the provided configuration options. The configurers are to be applied in the order in which they appear in
* the list.
*
* @param context the context that serves as the factory for {@code SSLEngine} instances
*
* @return the needed configurers
*/
protected List> getSSLEngineConfigurers(SSLContext context) {
final List enabledCipherSuites = this.getCipherSuites() == null
? null : this.parsePropertyValues(this.getCipherSuites().getCipherSuite());
final Patterns enabledCipherSuitePatterns;
final Patterns defaultEnabledCipherSuitePatterns = this.getDefaultCipherSuitesFilter().getPatterns();
if (this.getCipherSuitesFilter() != null) {
enabledCipherSuitePatterns = this.getCipherSuitesFilter().getPatterns();
} else {
enabledCipherSuitePatterns = null;
}
///
final List enabledSecureSocketProtocols = this.getSecureSocketProtocols() == null
? null : this.parsePropertyValues(this.getSecureSocketProtocols().getSecureSocketProtocol());
final Patterns enabledSecureSocketProtocolsPatterns;
final Patterns defaultEnabledSecureSocketProtocolsPatterns = this.getDefaultSecureSocketProcotolFilter().getPatterns();
if (this.getSecureSocketProtocolsFilter() != null) {
enabledSecureSocketProtocolsPatterns = this.getSecureSocketProtocolsFilter().getPatterns();
} else {
enabledSecureSocketProtocolsPatterns = null;
}
//
final boolean allowPassthrough = getAllowPassthrough();
//////
Configurer sslEngineConfigurer = new Configurer<>() {
@Override
public SSLEngine configure(SSLEngine engine) {
Collection filteredCipherSuites = BaseSSLContextParameters.this
.filter(enabledCipherSuites, Arrays.asList(engine.getSSLParameters().getCipherSuites()),
Arrays.asList(engine.getEnabledCipherSuites()),
enabledCipherSuitePatterns, defaultEnabledCipherSuitePatterns,
!allowPassthrough);
if (LOG.isDebugEnabled()) {
LOG.debug(SSL_ENGINE_CIPHER_SUITE_LOG_MSG,
engine,
enabledCipherSuites,
enabledCipherSuitePatterns,
engine.getSSLParameters().getCipherSuites(),
engine.getEnabledCipherSuites(),
defaultEnabledCipherSuitePatterns,
filteredCipherSuites);
}
engine.setEnabledCipherSuites(filteredCipherSuites.toArray(new String[0]));
Collection filteredSecureSocketProtocols = BaseSSLContextParameters.this
.filter(enabledSecureSocketProtocols, Arrays.asList(engine.getSSLParameters().getProtocols()),
Arrays.asList(engine.getEnabledProtocols()),
enabledSecureSocketProtocolsPatterns, defaultEnabledSecureSocketProtocolsPatterns,
!allowPassthrough);
if (LOG.isDebugEnabled()) {
LOG.debug(SSL_ENGINE_PROTOCOL_LOG_MSG,
engine,
enabledSecureSocketProtocols,
enabledSecureSocketProtocolsPatterns,
engine.getSSLParameters().getProtocols(),
engine.getEnabledProtocols(),
defaultEnabledSecureSocketProtocolsPatterns,
filteredSecureSocketProtocols);
}
engine.setEnabledProtocols(
filteredSecureSocketProtocols.toArray(new String[0]));
return engine;
}
};
List> sslEngineConfigurers = new LinkedList<>();
sslEngineConfigurers.add(sslEngineConfigurer);
return sslEngineConfigurers;
}
/**
* Returns the list of configurers to apply to an {@link SSLSocketFactory} in order to fully configure it in
* compliance with the provided configuration options. The configurers are to be applied in the order in which they
* appear in the list.
*
* It is preferred to use {@link #getSSLSocketFactorySSLSocketConfigurers(SSLContext)} instead of this method as
* {@code SSLSocketFactory} does not contain any configuration options that are non-proprietary.
*
* @param context the context that serves as the factory for {@code SSLSocketFactory} instances
*
* @return the needed configurers
*
* @see #getSSLSocketFactorySSLSocketConfigurers(SSLContext)
*/
protected List> getSSLSocketFactoryConfigurers(SSLContext context) {
final List> sslSocketConfigurers = this.getSSLSocketFactorySSLSocketConfigurers(context);
Configurer sslSocketFactoryConfigurer = new Configurer<>() {
@Override
public SSLSocketFactory configure(SSLSocketFactory factory) {
return new SSLSocketFactoryDecorator(
factory,
sslSocketConfigurers);
}
};
List> sslSocketFactoryConfigurers = new LinkedList<>();
sslSocketFactoryConfigurers.add(sslSocketFactoryConfigurer);
return sslSocketFactoryConfigurers;
}
/**
* Returns the list of configurers to apply to an {@link SSLServerSocketFactory} in order to fully configure it in
* compliance with the provided configuration options. The configurers are to be applied in the order in which they
* appear in the list.
*
* It is preferred to use {@link #getSSLServerSocketFactorySSLServerSocketConfigurers(SSLContext)} instead of this
* method as {@code SSLServerSocketFactory} does not contain any configuration options that are non-proprietary.
*
* @param context the context that serves as the factory for {@code SSLServerSocketFactory} instances
*
* @return the needed configurers
*
* @see #getSSLServerSocketFactorySSLServerSocketConfigurers(SSLContext)
*/
protected List> getSSLServerSocketFactoryConfigurers(SSLContext context) {
final List> sslServerSocketConfigurers
= this.getSSLServerSocketFactorySSLServerSocketConfigurers(context);
Configurer sslServerSocketFactoryConfigurer = new Configurer<>() {
@Override
public SSLServerSocketFactory configure(SSLServerSocketFactory factory) {
return new SSLServerSocketFactoryDecorator(
factory,
sslServerSocketConfigurers);
}
};
List> sslServerSocketFactoryConfigurers = new LinkedList<>();
sslServerSocketFactoryConfigurers.add(sslServerSocketFactoryConfigurer);
return sslServerSocketFactoryConfigurers;
}
/**
* Returns the list of configurers to apply to an {@link SSLSocket} in order to fully configure it in compliance
* with the provided configuration options. These configurers are intended for sockets produced by a
* {@link SSLSocketFactory}, see {@link #getSSLServerSocketFactorySSLServerSocketConfigurers(SSLContext)} for
* configurers related to sockets produced by a {@link SSLServerSocketFactory}. The configurers are to be applied in
* the order in which they appear in the list.
*
* @param context the context that serves as the factory for {@code SSLSocketFactory} instances
*
* @return the needed configurers
*/
protected List> getSSLSocketFactorySSLSocketConfigurers(SSLContext context) {
final List enabledCipherSuites = this.getCipherSuites() == null
? null : this.parsePropertyValues(this.getCipherSuites().getCipherSuite());
final Patterns enabledCipherSuitePatterns;
final Patterns defaultEnabledCipherSuitePatterns = this.getDefaultCipherSuitesFilter().getPatterns();
if (this.getCipherSuitesFilter() != null) {
enabledCipherSuitePatterns = this.getCipherSuitesFilter().getPatterns();
} else {
enabledCipherSuitePatterns = null;
}
///
final List enabledSecureSocketProtocols = this.getSecureSocketProtocols() == null
? null : this.parsePropertyValues(this.getSecureSocketProtocols().getSecureSocketProtocol());
final Patterns enabledSecureSocketProtocolsPatterns;
final Patterns defaultEnabledSecureSocketProtocolsPatterns = this.getDefaultSecureSocketProcotolFilter().getPatterns();
if (this.getSecureSocketProtocolsFilter() != null) {
enabledSecureSocketProtocolsPatterns = this.getSecureSocketProtocolsFilter().getPatterns();
} else {
enabledSecureSocketProtocolsPatterns = null;
}
//
final boolean allowPassthrough = getAllowPassthrough();
//////
Configurer sslSocketConfigurer = new Configurer<>() {
@Override
public SSLSocket configure(SSLSocket socket) {
if (!getSNIHostNames().isEmpty()) {
SSLParameters sslParameters = socket.getSSLParameters();
sslParameters.setServerNames(getSNIHostNames());
socket.setSSLParameters(sslParameters);
}
Collection filteredCipherSuites = BaseSSLContextParameters.this
.filter(enabledCipherSuites, Arrays.asList(socket.getSSLParameters().getCipherSuites()),
Arrays.asList(socket.getEnabledCipherSuites()),
enabledCipherSuitePatterns, defaultEnabledCipherSuitePatterns,
!allowPassthrough);
if (LOG.isDebugEnabled()) {
LOG.debug(SSL_SOCKET_CIPHER_SUITE_LOG_MSG,
socket,
enabledCipherSuites,
enabledCipherSuitePatterns,
socket.getSSLParameters().getCipherSuites(),
socket.getEnabledCipherSuites(),
defaultEnabledCipherSuitePatterns,
filteredCipherSuites);
}
socket.setEnabledCipherSuites(filteredCipherSuites.toArray(new String[0]));
Collection filteredSecureSocketProtocols = BaseSSLContextParameters.this
.filter(enabledSecureSocketProtocols, Arrays.asList(socket.getSSLParameters().getProtocols()),
Arrays.asList(socket.getEnabledProtocols()),
enabledSecureSocketProtocolsPatterns, defaultEnabledSecureSocketProtocolsPatterns,
!allowPassthrough);
if (LOG.isDebugEnabled()) {
LOG.debug(SSL_SOCKET_PROTOCOL_LOG_MSG,
socket,
enabledSecureSocketProtocols,
enabledSecureSocketProtocolsPatterns,
socket.getSSLParameters().getProtocols(),
socket.getEnabledProtocols(),
defaultEnabledSecureSocketProtocolsPatterns,
filteredSecureSocketProtocols);
}
socket.setEnabledProtocols(
filteredSecureSocketProtocols.toArray(new String[0]));
return socket;
}
};
List> sslSocketConfigurers = new LinkedList<>();
sslSocketConfigurers.add(sslSocketConfigurer);
return sslSocketConfigurers;
}
/**
* Returns the list of configurers to apply to an {@link SSLServerSocket} in order to fully configure it in
* compliance with the provided configuration options. These configurers are intended for sockets produced by a
* {@link SSLServerSocketFactory}, see {@link #getSSLSocketFactorySSLSocketConfigurers(SSLContext)} for configurers
* related to sockets produced by a {@link SSLSocketFactory}. The configurers are to be applied in the order in
* which they appear in the list.
*
* @param context the context that serves as the factory for {@code SSLServerSocketFactory} instances
* @return the needed configurers
*/
protected List> getSSLServerSocketFactorySSLServerSocketConfigurers(SSLContext context) {
final List enabledCipherSuites = this.getCipherSuites() == null
? null : this.parsePropertyValues(this.getCipherSuites().getCipherSuite());
final Patterns enabledCipherSuitePatterns;
final Patterns defaultEnabledCipherSuitePatterns = this.getDefaultCipherSuitesFilter().getPatterns();
if (this.getCipherSuitesFilter() != null) {
enabledCipherSuitePatterns = this.getCipherSuitesFilter().getPatterns();
} else {
enabledCipherSuitePatterns = null;
}
///
final List enabledSecureSocketProtocols = this.getSecureSocketProtocols() == null
? null : this.parsePropertyValues(this.getSecureSocketProtocols().getSecureSocketProtocol());
final Patterns enabledSecureSocketProtocolsPatterns;
final Patterns defaultEnabledSecureSocketProtocolsPatterns = this.getDefaultSecureSocketProcotolFilter().getPatterns();
if (this.getSecureSocketProtocolsFilter() != null) {
enabledSecureSocketProtocolsPatterns = this.getSecureSocketProtocolsFilter().getPatterns();
} else {
enabledSecureSocketProtocolsPatterns = null;
}
//
final boolean allowPassthrough = getAllowPassthrough();
//////
Configurer sslServerSocketConfigurer = new Configurer<>() {
@Override
public SSLServerSocket configure(SSLServerSocket socket) {
Collection filteredCipherSuites = BaseSSLContextParameters.this
.filter(enabledCipherSuites, Arrays.asList(socket.getSupportedCipherSuites()),
Arrays.asList(socket.getEnabledCipherSuites()),
enabledCipherSuitePatterns, defaultEnabledCipherSuitePatterns,
!allowPassthrough);
if (LOG.isDebugEnabled()) {
LOG.debug(SSL_SERVER_SOCKET_CIPHER_SUITE_LOG_MSG,
socket,
enabledCipherSuites,
enabledCipherSuitePatterns,
socket.getSupportedCipherSuites(),
socket.getEnabledCipherSuites(),
defaultEnabledCipherSuitePatterns,
filteredCipherSuites);
}
socket.setEnabledCipherSuites(filteredCipherSuites.toArray(new String[0]));
Collection filteredSecureSocketProtocols = BaseSSLContextParameters.this
.filter(enabledSecureSocketProtocols, Arrays.asList(socket.getSupportedProtocols()),
Arrays.asList(socket.getEnabledProtocols()),
enabledSecureSocketProtocolsPatterns, defaultEnabledSecureSocketProtocolsPatterns,
!allowPassthrough);
if (LOG.isDebugEnabled()) {
LOG.debug(SSL_SERVER_SOCKET_PROTOCOL_LOG_MSG,
socket,
enabledSecureSocketProtocols,
enabledSecureSocketProtocolsPatterns,
socket.getSupportedProtocols(),
socket.getEnabledProtocols(),
defaultEnabledSecureSocketProtocolsPatterns,
filteredSecureSocketProtocols);
}
socket.setEnabledProtocols(
filteredSecureSocketProtocols.toArray(new String[0]));
return socket;
}
};
List> sslServerSocketConfigurers = new LinkedList<>();
sslServerSocketConfigurers.add(sslServerSocketConfigurer);
return sslServerSocketConfigurers;
}
/**
* Configures a {@link SSLSessionContext}, client or server, with the supplied session timeout.
*
* @param sessionContext the context to configure
* @param sessionTimeout the timeout time period
* @throws GeneralSecurityException if {@code sessionContext} is {@code null}
*/
protected void configureSessionContext(
SSLSessionContext sessionContext, String sessionTimeout)
throws GeneralSecurityException {
int sessionTimeoutInt = Integer.parseInt(this.parsePropertyValue(sessionTimeout));
if (sessionContext != null) {
sessionContext.setSessionTimeout(sessionTimeoutInt);
} else {
throw new GeneralSecurityException(
"The SSLContext does not support SSLSessionContext, "
+ "but a session timeout is configured. Set sessionTimeout to null "
+ "to avoid this error.");
}
}
/**
* Filters the values in {@code availableValues} returning only the values that are explicitly listed in
* {@code explicitValues} (returns them regardless of if they appear in {@code availableValues} or not) if
* {@code explicitValues} is not {@code null} or according to the following rules:
*
* - Match the include patterns in {@code patterns} and don't match the exclude patterns in {@code patterns} if
* patterns is not {@code null}.
* - Match the include patterns in {@code defaultPatterns} and don't match the exclude patterns in
* {@code defaultPatterns} if patterns is {@code null} and {@code applyDefaults} is true.
* - Are provided in currentValues if if patterns is {@code null} and {@code applyDefaults} is false.
*
*
* @param explicitValues the optional explicit values to use
* @param availableValues the available values to filter from
* @param patterns the optional patterns to use when {@code explicitValues} is not used
* @param defaultPatterns the required patterns to use when {@code explicitValues} and {@code patterns} are not
* used
* @param applyDefaults flag indicating whether or not to apply defaults in the event that no explicit values and
* no patterns apply
*
* @return the filtered values
*
* @see #filter(Collection, Collection, List, List)
*/
protected Collection filter(
Collection explicitValues, Collection availableValues,
Collection currentValues, Patterns patterns, Patterns defaultPatterns,
boolean applyDefaults) {
final List enabledIncludePatterns;
final List enabledExcludePatterns;
if (explicitValues == null && patterns == null && !applyDefaults) {
return currentValues;
}
if (patterns != null) {
enabledIncludePatterns = patterns.getIncludes();
enabledExcludePatterns = patterns.getExcludes();
} else {
enabledIncludePatterns = defaultPatterns.getIncludes();
enabledExcludePatterns = defaultPatterns.getExcludes();
}
return this.filter(
explicitValues,
availableValues,
enabledIncludePatterns, enabledExcludePatterns);
}
/**
* Filters the values in {@code availableValues} returning only the values that are explicitly listed in
* {@code explicitValues} (returns them regardless of if they appear in {@code availableValues} or not) if
* {@code explicitValues} is not {@code null} or as match the patterns in {@code includePatterns} and do not match
* the patterns in {@code excludePatterns} if {@code explicitValues} is {@code null}.
*
* @param explicitValues the optional explicit values to use
* @param availableValues the available values to filter from if {@code explicitValues} is {@code null}
* @param includePatterns the patterns to use for inclusion filtering, required if {@code explicitValues} is
* {@code null}
* @param excludePatterns the patterns to use for exclusion filtering, required if {@code explicitValues} is
* {@code null}
*
* @return the filtered values
*/
protected Collection filter(
Collection explicitValues, Collection availableValues,
List includePatterns, List excludePatterns) {
Collection returnValues;
// Explicit list has precedence over filters, even when the list is
// empty.
if (explicitValues != null) {
returnValues = new ArrayList<>(explicitValues);
} else {
returnValues = new LinkedList<>();
for (String value : availableValues) {
if (this.matchesOneOf(value, includePatterns)
&& !this.matchesOneOf(value, excludePatterns)) {
returnValues.add(value);
}
}
}
return returnValues;
}
/**
* Returns true if and only if the value is matched by one or more of the supplied patterns.
*
* @param value the value to match
* @param patterns the patterns to try to match against
*/
protected boolean matchesOneOf(String value, List patterns) {
boolean matches = false;
for (Pattern pattern : patterns) {
Matcher matcher = pattern.matcher(value);
if (matcher.matches()) {
matches = true;
break;
}
}
return matches;
}
/**
* Configures a {@code T} based on the related configuration options.
*/
protected interface Configurer {
/**
* Configures a {@code T} based on the related configuration options. The return value from this method may be
* {@code object} or it may be a decorated instance there of. Consequently, any subsequent actions on
* {@code object} must be performed using the returned value.
*
* @param object the object to configure
* @return {@code object} or a decorated instance there of
*/
T configure(T object);
}
/**
* Makes a decorated {@link SSLContext} appear as a normal {@code SSLContext}.
*/
protected static final class SSLContextDecorator extends SSLContext {
public SSLContextDecorator(SSLContextSpiDecorator decorator) {
super(decorator, decorator.getDelegate().getProvider(), decorator.getDelegate().getProtocol());
LOG.debug("SSLContextDecorator [{}] decorating SSLContext [{}].", this, decorator.getDelegate());
}
@Override
public String toString() {
return String.format("SSLContext[hash=%h, provider=%s, protocol=%s, needClientAuth=%s, "
+ "wantClientAuth=%s%n\tdefaultProtocols=%s%n\tdefaultCipherSuites=%s%n\tsupportedProtocols=%s%n\tsupportedCipherSuites=%s%n]",
hashCode(), getProvider(), getProtocol(), getDefaultSSLParameters().getNeedClientAuth(),
getDefaultSSLParameters().getWantClientAuth(),
collectionAsCommaDelimitedString(getDefaultSSLParameters().getProtocols()),
collectionAsCommaDelimitedString(getDefaultSSLParameters().getCipherSuites()),
collectionAsCommaDelimitedString(getSupportedSSLParameters().getProtocols()),
collectionAsCommaDelimitedString(getSupportedSSLParameters().getCipherSuites()));
}
}
/**
* Class needed to provide decoration of an existing {@link SSLContext}. Since {@code SSLContext} is an abstract
* class and requires an instance of {@link SSLContextSpi}, this class effectively wraps an {@code SSLContext} as if
* it were an {@code SSLContextSpi}, allowing us to achieve decoration.
*/
protected static final class SSLContextSpiDecorator extends SSLContextSpi {
private final SSLContext context;
private final List> sslEngineConfigurers;
private final List> sslSocketFactoryConfigurers;
private final List> sslServerSocketFactoryConfigurers;
public SSLContextSpiDecorator(SSLContext context,
List> sslEngineConfigurers,
List> sslSocketFactoryConfigurers,
List> sslServerSocketFactoryConfigurers) {
this.context = context;
this.sslEngineConfigurers = sslEngineConfigurers;
this.sslSocketFactoryConfigurers = sslSocketFactoryConfigurers;
this.sslServerSocketFactoryConfigurers = sslServerSocketFactoryConfigurers;
}
@Override
protected SSLEngine engineCreateSSLEngine() {
SSLEngine engine = this.context.createSSLEngine();
LOG.debug("SSLEngine [{}] created from SSLContext [{}].", engine, context);
this.configureSSLEngine(engine);
return engine;
}
@Override
protected SSLEngine engineCreateSSLEngine(String peerHost, int peerPort) {
SSLEngine engine = this.context.createSSLEngine(peerHost, peerPort);
LOG.debug("SSLEngine [{}] created from SSLContext [{}].", engine, context);
return this.configureSSLEngine(engine);
}
@Override
protected SSLSessionContext engineGetClientSessionContext() {
return this.context.getClientSessionContext();
}
@Override
protected SSLSessionContext engineGetServerSessionContext() {
return this.context.getServerSessionContext();
}
@Override
protected SSLServerSocketFactory engineGetServerSocketFactory() {
SSLServerSocketFactory factory = this.context.getServerSocketFactory();
LOG.debug("SSLServerSocketFactoryEngine [{}] created from SSLContext [{}].", factory, context);
return this.configureSSLServerSocketFactory(factory);
}
@Override
protected SSLSocketFactory engineGetSocketFactory() {
SSLSocketFactory factory = this.context.getSocketFactory();
LOG.debug("SSLSocketFactory [{}] created from SSLContext [{}].", factory, context);
return this.configureSSLSocketFactory(factory);
}
@Override
protected void engineInit(
KeyManager[] km,
TrustManager[] tm,
SecureRandom random)
throws KeyManagementException {
this.context.init(km, tm, random);
}
private SSLContext getDelegate() {
return this.context;
}
/**
* Configures an {@link SSLEngine} based on the configurers in instance. The return value from this method may
* be {@code engine} or it may be a decorated instance there of. Consequently, any subsequent actions on
* {@code engine} must be performed using the returned value.
*
* @param engine the engine to configure
* @return {@code engine} or a decorated instance there of
*/
private SSLEngine configureSSLEngine(SSLEngine engine) {
SSLEngine workingEngine = engine;
for (Configurer configurer : this.sslEngineConfigurers) {
workingEngine = configurer.configure(workingEngine);
}
return workingEngine;
}
/**
* Configures an {@link SSLSocketFactory} based on the configurers in this instance. The return value from this
* method may be {@code factory} or it may be a decorated instance there of. Consequently, any subsequent
* actions on {@code factory} must be performed using the returned value.
*
* @param factory the factory to configure
* @return {@code factory} or a decorated instance there of
*/
private SSLSocketFactory configureSSLSocketFactory(SSLSocketFactory factory) {
SSLSocketFactory workingFactory = factory;
for (Configurer configurer : this.sslSocketFactoryConfigurers) {
workingFactory = configurer.configure(workingFactory);
}
return workingFactory;
}
/**
* Configures an {@link SSLServerSocketFactory} based on the configurers in this instance. The return value from
* this method may be {@code factory} or it may be a decorated instance there of. Consequently, any subsequent
* actions on {@code factory} must be performed using the returned value.
*
* @param factory the factory to configure
* @return {@code factory} or a decorated instance there of
*/
private SSLServerSocketFactory configureSSLServerSocketFactory(
SSLServerSocketFactory factory) {
SSLServerSocketFactory workingFactory = factory;
for (Configurer configurer : this.sslServerSocketFactoryConfigurers) {
workingFactory = configurer.configure(workingFactory);
}
return workingFactory;
}
}
/**
* A decorator that enables the application of configuration options to be applied to created sockets even after
* this factory has been created and turned over to client code.
*/
protected static final class SSLServerSocketFactoryDecorator extends SSLServerSocketFactory {
private final SSLServerSocketFactory sslServerSocketFactory;
private final List> sslServerSocketConfigurers;
public SSLServerSocketFactoryDecorator(SSLServerSocketFactory sslServerSocketFactory,
List> sslServerSocketConfigurers) {
this.sslServerSocketFactory = sslServerSocketFactory;
this.sslServerSocketConfigurers = sslServerSocketConfigurers;
}
@Override
public String[] getDefaultCipherSuites() {
return this.sslServerSocketFactory.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return this.sslServerSocketFactory.getSupportedCipherSuites();
}
@Override
public ServerSocket createServerSocket() throws IOException {
return this.configureSocket(this.sslServerSocketFactory.createServerSocket());
}
@Override
public ServerSocket createServerSocket(int port, int backlog, InetAddress ifAddress) throws IOException {
return this.configureSocket(this.sslServerSocketFactory.createServerSocket(port, backlog, ifAddress));
}
@Override
public ServerSocket createServerSocket(int port, int backlog) throws IOException {
return this.configureSocket(this.sslServerSocketFactory.createServerSocket(port, backlog));
}
@Override
public ServerSocket createServerSocket(int port) throws IOException {
return this.configureSocket(this.sslServerSocketFactory.createServerSocket(port));
}
public SSLServerSocketFactory getDelegate() {
return this.sslServerSocketFactory;
}
private ServerSocket configureSocket(ServerSocket s) {
SSLServerSocket workingSocket = (SSLServerSocket) s;
LOG.debug("Created ServerSocket [{}] from SslServerSocketFactory [{}].", s, sslServerSocketFactory);
for (Configurer configurer : this.sslServerSocketConfigurers) {
workingSocket = configurer.configure(workingSocket);
}
return workingSocket;
}
}
/**
* A decorator that enables the application of configuration options to be applied to created sockets even after
* this factory has been created and turned over to client code.
*/
protected static final class SSLSocketFactoryDecorator extends SSLSocketFactory {
private final SSLSocketFactory sslSocketFactory;
private final List> sslSocketConfigurers;
public SSLSocketFactoryDecorator(SSLSocketFactory sslSocketFactory,
List> sslSocketConfigurers) {
this.sslSocketFactory = sslSocketFactory;
this.sslSocketConfigurers = sslSocketConfigurers;
}
@Override
public String[] getDefaultCipherSuites() {
return sslSocketFactory.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites() {
return sslSocketFactory.getSupportedCipherSuites();
}
@Override
public Socket createSocket() throws IOException {
return configureSocket(sslSocketFactory.createSocket());
}
@Override
public Socket createSocket(
Socket s, String host,
int port, boolean autoClose)
throws IOException {
return configureSocket(sslSocketFactory.createSocket(s, host, port, autoClose));
}
@Override
public Socket createSocket(String host, int port) throws IOException {
return configureSocket(sslSocketFactory.createSocket(host, port));
}
@Override
public Socket createSocket(
String host, int port,
InetAddress localHost, int localPort)
throws IOException {
return configureSocket(sslSocketFactory.createSocket(host, port, localHost, localPort));
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException {
return configureSocket(sslSocketFactory.createSocket(host, port));
}
@Override
public Socket createSocket(
InetAddress address, int port,
InetAddress localAddress, int localPort)
throws IOException {
return configureSocket(sslSocketFactory.createSocket(address, port, localAddress, localPort));
}
public SSLSocketFactory getDelegate() {
return this.sslSocketFactory;
}
private Socket configureSocket(Socket s) {
SSLSocket workingSocket = (SSLSocket) s;
LOG.debug("Created Socket [{}] from SocketFactory [{}].", s, sslSocketFactory);
for (Configurer configurer : this.sslSocketConfigurers) {
workingSocket = configurer.configure(workingSocket);
}
return workingSocket;
}
}
private static String collectionAsCommaDelimitedString(String[] col) {
return col == null || col.length == 0 ? "" : String.join(",", col);
}
private static String createCipherSuiteLogMessage(String entityName) {
return "Configuring " + entityName + " [{}] with " + LS
+ "\t explicitly set cipher suites [{}]," + LS
+ "\t cipher suite patterns [{}]," + LS
+ "\t available cipher suites [{}]," + LS
+ "\t currently enabled cipher suites [{}]," + LS
+ "\t and default cipher suite patterns [{}]." + LS
+ "\t Resulting enabled cipher suites are [{}].";
}
private static String createProtocolLogMessage(String entityName) {
return "Configuring " + entityName + " [{}] with " + LS
+ "\t explicitly set protocols [{}]," + LS
+ "\t protocol patterns [{}]," + LS
+ "\t available protocols [{}]," + LS
+ "\t currently enabled protocols [{}]," + LS
+ "\t and default protocol patterns [{}]." + LS
+ "\t Resulting enabled protocols are [{}].";
}
}
© 2015 - 2025 Weber Informatics LLC | Privacy Policy