

/*
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2007-2013 Oracle and/or its affiliates. All rights reserved.
 *
 * The contents of this file are subject to the terms of either the GNU
 * General Public License Version 2 only ("GPL") or the Common Development
 * and Distribution License("CDDL") (collectively, the "License").  You
 * may not use this file except in compliance with the License.  You can
 * obtain a copy of the License at
 * http://glassfish.java.net/public/CDDL+GPL_1_1.html
 * or packager/legal/LICENSE.txt.  See the License for the specific
 * language governing permissions and limitations under the License.
 *
 * When distributing the software, include this License Header Notice in each
 * file and include the License file at packager/legal/LICENSE.txt.
 *
 * GPL Classpath Exception:
 * Oracle designates this particular file as subject to the "Classpath"
 * exception as provided by Oracle in the GPL Version 2 section of the License
 * file that accompanied this code.
 *
 * Modifications:
 * If applicable, add the following below the License Header, with the fields
 * enclosed by brackets [] replaced by your own identifying information:
 * "Portions Copyright [year] [name of copyright owner]"
 *
 * Contributor(s):
 * If you wish your version of this file to be governed by only the CDDL or
 * only the GPL Version 2, indicate your decision by adding "[Contributor]
 * elects to include this software in this distribution under the [CDDL or GPL
 * Version 2] license."  If you don't indicate a single choice of license, a
 * recipient has the option to distribute your version of this file under
 * either the CDDL, the GPL Version 2 or to extend the choice of license to
 * its licensees as provided above.  However, if you add GPL Version 2 code
 * and therefore, elected the GPL Version 2 license, then the option applies
 * only if the new code is made subject to such option by the copyright
 * holder.
 */
package org.glassfish.jersey;

import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Properties;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

import org.glassfish.jersey.internal.LocalizationMessages;

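/**
 * Utility class, which helps to configure {@link SSLContext} instances.
 * <p>
 * For example:
 * <pre>
 * SslConfigurator sslConfig = SslConfigurator.newInstance()
 *    .trustStoreFile("truststore.jks")
 *    .trustStorePassword("asdfgh")
 *    .trustStoreType("JKS")
 *    .trustManagerFactoryAlgorithm("PKIX")
 *
 *    .keyStoreFile("keystore.jks")
 *    .keyPassword("asdfgh")
 *    .keyStoreType("JKS")
 *    .keyManagerFactoryAlgorithm("SunX509")
 *    .keyStoreProvider("SunJSSE")
 *
 *    .securityProtocol("TLS");
 *
 * SSLContext sslContext = sslConfig.createSSLContext();
 * </pre>
 * <p>
 * Unless created {@link #newInstance(boolean) empty}, a configurator starts from the
 * {@code javax.net.ssl.*} / {@code ssl.*} {@link System#getProperties() system properties}
 * (see the {@code *_PROVIDER}, {@code *_FILE}, {@code *_PASSWORD} and {@code *_TYPE} constants);
 * every setter then overrides the corresponding value. A store is only loaded when
 * {@link #createSSLContext()} is called, and only if a store instance, a store payload
 * or a store file name has been configured for it; a side with nothing configured is
 * passed to {@link SSLContext#init} as {@code null}, i.e. the JSSE default is used.
 * <p>
 * Instances are mutable and not thread-safe; configure an instance on one thread
 * and share only the {@link SSLContext} it creates.
 *
 * @author Alexey Stashok
 * @author Hubert Iwaniuk
 * @author Bruno Harbulot
 * @author Marek Potociar (marek.potociar at oracle.com)
 */
@SuppressWarnings("UnusedDeclaration")
public final class SslConfigurator {
    /**
     * Trust store provider name.
     * <p>
     * The value MUST be a {@code String} representing the name of a trust store provider.
     * <p>
     * No default value is set.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String TRUST_STORE_PROVIDER = "javax.net.ssl.trustStoreProvider";
    /**
     * Key store provider name.
     * <p>
     * The value MUST be a {@code String} representing the name of a key store provider.
     * <p>
     * No default value is set.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String KEY_STORE_PROVIDER = "javax.net.ssl.keyStoreProvider";
    /**
     * Trust store file name.
     * <p>
     * The value MUST be a {@code String} representing the name of a trust store file.
     * The special value {@code NONE} means that the store is not backed by a file and is
     * loaded with a {@code null} stream.
     * <p>
     * No default value is set.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String TRUST_STORE_FILE = "javax.net.ssl.trustStore";
    /**
     * Key store file name.
     * <p>
     * The value MUST be a {@code String} representing the name of a key store file.
     * The special value {@code NONE} means that the store is not backed by a file and is
     * loaded with a {@code null} stream.
     * <p>
     * No default value is set.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String KEY_STORE_FILE = "javax.net.ssl.keyStore";
    /**
     * Trust store file password - the password used to unlock the trust store file.
     * <p>
     * The value MUST be a {@code String} representing the trust store file password.
     * <p>
     * No default value is set.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String TRUST_STORE_PASSWORD = "javax.net.ssl.trustStorePassword";
    /**
     * Key store file password - the password used to unlock the key store file.
     * <p>
     * The value MUST be a {@code String} representing the key store file password.
     * It is also used as the key password when no explicit
     * {@link #keyPassword(char[]) key password} has been set.
     * <p>
     * No default value is set.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String KEY_STORE_PASSWORD = "javax.net.ssl.keyStorePassword";
    /**
     * Trust store type (see {@link java.security.KeyStore#getType()} for more info).
     * <p>
     * The value MUST be a {@code String} representing the trust store type name.
     * <p>
     * No default value is set.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String TRUST_STORE_TYPE = "javax.net.ssl.trustStoreType";
    /**
     * Key store type (see {@link java.security.KeyStore#getType()} for more info).
     * <p>
     * The value MUST be a {@code String} representing the key store type name.
     * <p>
     * No default value is set.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String KEY_STORE_TYPE = "javax.net.ssl.keyStoreType";
    /**
     * Key manager factory algorithm name.
     * <p>
     * The value MUST be a {@code String} representing the key manager factory algorithm name.
     * <p>
     * No default value is set. Note that this property is always read from
     * {@link System#getProperties() system properties} at {@link #createSSLContext()} time
     * (not from the properties passed to {@link #retrieve(Properties)}) when no algorithm has
     * been set explicitly.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String KEY_MANAGER_FACTORY_ALGORITHM = "ssl.keyManagerFactory.algorithm";
    /**
     * Key manager factory provider name.
     * <p>
     * The value MUST be a {@code String} representing the key manager factory provider name.
     * <p>
     * No default value is set.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String KEY_MANAGER_FACTORY_PROVIDER = "ssl.keyManagerFactory.provider";
    /**
     * Trust manager factory algorithm name.
     * <p>
     * The value MUST be a {@code String} representing the trust manager factory algorithm name.
     * <p>
     * No default value is set. Note that this property is always read from
     * {@link System#getProperties() system properties} at {@link #createSSLContext()} time
     * (not from the properties passed to {@link #retrieve(Properties)}) when no algorithm has
     * been set explicitly.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String TRUST_MANAGER_FACTORY_ALGORITHM = "ssl.trustManagerFactory.algorithm";
    /**
     * Trust manager factory provider name.
     * <p>
     * The value MUST be a {@code String} representing the trust manager factory provider name.
     * <p>
     * No default value is set.
     * <p>
     * The name of the configuration property is {@value}.
     */
    public static final String TRUST_MANAGER_FACTORY_PROVIDER = "ssl.trustManagerFactory.provider";

    /**
     * Store file name meaning "not backed by a file"; such a store is loaded with a
     * {@code null} input stream (the JSSE convention for e.g. hardware-token stores).
     */
    private static final String NO_FILE = "NONE";

    /** Protocol passed to {@link SSLContext#getInstance(String)} when none is configured. */
    private static final String DEFAULT_SECURITY_PROTOCOL = "TLS";

    /**
     * Default SSL configuration. If you have changed any of
     * {@link System#getProperties()} of javax.net.ssl family you should refresh
     * this configuration by calling {@link #retrieve(java.util.Properties)}.
     */
    private static final SslConfigurator DEFAULT_CONFIG = new SslConfigurator(true);

    // Explicitly supplied store instances; take precedence over payload/file for that side.
    private KeyStore keyStore;
    private KeyStore trustStore;

    private String trustStoreProvider;
    private String keyStoreProvider;

    private String trustStoreType;
    private String keyStoreType;

    // Passwords are kept as char[] so callers can clear them after use.
    private char[] trustStorePass;
    private char[] keyStorePass;
    // Password of the key entry; falls back to keyStorePass when null.
    private char[] keyPass;

    private String trustStoreFile;
    private String keyStoreFile;

    private byte[] trustStoreBytes;
    private byte[] keyStoreBytes;

    private String trustManagerFactoryAlgorithm;
    private String keyManagerFactoryAlgorithm;

    private String trustManagerFactoryProvider;
    private String keyManagerFactoryProvider;

    private String securityProtocol = DEFAULT_SECURITY_PROTOCOL;

    /**
     * Get a new instance of a {@link SSLContext} configured using default
     * configuration settings.
     *
     * @return new instance of a default SSL context.
     * @throws IllegalStateException if the default configuration cannot be turned into a context
     *                               (see {@link #createSSLContext()}).
     */
    public static SSLContext getDefaultContext() {
        return DEFAULT_CONFIG.createSSLContext();
    }

    /**
     * Get a new &amp; initialized SSL configurator instance.
     * <p>
     * The instance {@link #retrieve(java.util.Properties) retrieves} the initial configuration from
     * {@link System#getProperties() system properties}.
     *
     * @return new &amp; initialized SSL configurator instance.
     */
    public static SslConfigurator newInstance() {
        return new SslConfigurator(true);
    }

    /**
     * Get a new SSL configurator instance.
     *
     * @param readSystemProperties if {@code true}, {@link #retrieve(java.util.Properties) Retrieves}
     *                             the initial configuration from {@link System#getProperties()},
     *                             otherwise the instantiated configurator will be empty.
     * @return new SSL configurator instance.
     */
    public static SslConfigurator newInstance(boolean readSystemProperties) {
        return new SslConfigurator(readSystemProperties);
    }

    /**
     * Create a configurator, optionally pre-populated from system properties.
     *
     * @param readSystemProperties whether to call {@link #retrieve(Properties)} with
     *                             {@link System#getProperties()}.
     */
    private SslConfigurator(boolean readSystemProperties) {
        if (readSystemProperties) {
            retrieve(System.getProperties());
        }
    }

    /**
     * Set the trust store provider name.
     *
     * @param trustStoreProvider trust store provider to set.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator trustStoreProvider(String trustStoreProvider) {
        this.trustStoreProvider = trustStoreProvider;
        return this;
    }

    /**
     * Set the key store provider name.
     *
     * @param keyStoreProvider key store provider to set.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator keyStoreProvider(String keyStoreProvider) {
        this.keyStoreProvider = keyStoreProvider;
        return this;
    }

    /**
     * Set the type of trust store.
     *
     * @param trustStoreType type of trust store to set.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator trustStoreType(String trustStoreType) {
        this.trustStoreType = trustStoreType;
        return this;
    }

    /**
     * Set the type of key store.
     *
     * @param keyStoreType type of key store to set.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator keyStoreType(String keyStoreType) {
        this.keyStoreType = keyStoreType;
        return this;
    }

    /**
     * Set the password of trust store.
     *
     * @param password password of trust store to set; must not be {@code null}.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator trustStorePassword(String password) {
        this.trustStorePass = password.toCharArray();
        return this;
    }

    /**
     * Set the password of trust store.
     * <p>
     * The array is stored by reference (not copied), so the caller may clear it once the
     * {@link SSLContext} has been created.
     *
     * @param password password of trust store to set.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator trustStorePassword(char[] password) {
        this.trustStorePass = password;
        return this;
    }

    /**
     * Set the password of key store.
     *
     * @param password password of key store to set; must not be {@code null}.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator keyStorePassword(String password) {
        this.keyStorePass = password.toCharArray();
        return this;
    }

    /**
     * Set the password of key store.
     * <p>
     * The array is stored by reference (not copied), so the caller may clear it once the
     * {@link SSLContext} has been created.
     *
     * @param password password of key store to set.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator keyStorePassword(char[] password) {
        this.keyStorePass = password;
        return this;
    }

    /**
     * Set the password of the key in the key store.
     * <p>
     * When not set, the {@link #keyStorePassword(char[]) key store password} is used
     * to recover the key.
     *
     * @param password password of key to set; must not be {@code null}.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator keyPassword(String password) {
        this.keyPass = password.toCharArray();
        return this;
    }

    /**
     * Set the password of the key in the key store.
     * <p>
     * When not set, the {@link #keyStorePassword(char[]) key store password} is used
     * to recover the key. The array is stored by reference (not copied).
     *
     * @param password password of key to set.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator keyPassword(char[] password) {
        this.keyPass = password;
        return this;
    }

    /**
     * Set the trust store file name.
     * <p>
     * Setting a trust store file resets any {@link #trustStore(java.security.KeyStore) trust store instance}
     * or {@link #trustStoreBytes(byte[]) trust store payload} value previously set.
     *
     * @param fileName {@link java.io.File file} name of the trust store, or {@code NONE}
     *                 for a store that is not backed by a file.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator trustStoreFile(String fileName) {
        this.trustStoreFile = fileName;
        this.trustStoreBytes = null;
        this.trustStore = null;
        return this;
    }

    /**
     * Set the trust store payload as byte array.
     * <p>
     * Setting a trust store payload resets any {@link #trustStoreFile(String) trust store file}
     * or {@link #trustStore(java.security.KeyStore) trust store instance} value previously set.
     *
     * @param payload trust store payload (stored by reference, not copied).
     * @return updated SSL configurator instance.
     */
    public SslConfigurator trustStoreBytes(byte[] payload) {
        this.trustStoreBytes = payload;
        this.trustStoreFile = null;
        this.trustStore = null;
        return this;
    }

    /**
     * Set the key store file name.
     * <p>
     * Setting a key store file resets any {@link #keyStore(java.security.KeyStore) key store instance}
     * or {@link #keyStoreBytes(byte[]) key store payload} value previously set.
     *
     * @param fileName {@link java.io.File file} name of the key store, or {@code NONE}
     *                 for a store that is not backed by a file.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator keyStoreFile(String fileName) {
        this.keyStoreFile = fileName;
        this.keyStoreBytes = null;
        this.keyStore = null;
        return this;
    }

    /**
     * Set the key store payload as byte array.
     * <p>
     * Setting a key store payload resets any {@link #keyStoreFile(String) key store file}
     * or {@link #keyStore(java.security.KeyStore) key store instance} value previously set.
     *
     * @param payload key store payload (stored by reference, not copied).
     * @return updated SSL configurator instance.
     */
    public SslConfigurator keyStoreBytes(byte[] payload) {
        this.keyStoreBytes = payload;
        this.keyStoreFile = null;
        this.keyStore = null;
        return this;
    }

    /**
     * Set the trust manager factory algorithm.
     *
     * @param algorithm the trust manager factory algorithm.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator trustManagerFactoryAlgorithm(String algorithm) {
        this.trustManagerFactoryAlgorithm = algorithm;
        return this;
    }

    /**
     * Set the key manager factory algorithm.
     *
     * @param algorithm the key manager factory algorithm.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator keyManagerFactoryAlgorithm(String algorithm) {
        this.keyManagerFactoryAlgorithm = algorithm;
        return this;
    }

    /**
     * Set the trust manager factory provider.
     *
     * @param provider the trust manager factory provider.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator trustManagerFactoryProvider(String provider) {
        // Assigns the provider field; the algorithm field is left untouched.
        this.trustManagerFactoryProvider = provider;
        return this;
    }

    /**
     * Set the key manager factory provider.
     *
     * @param provider the key manager factory provider.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator keyManagerFactoryProvider(String provider) {
        // Assigns the provider field; the algorithm field is left untouched.
        this.keyManagerFactoryProvider = provider;
        return this;
    }

    /**
     * Set the SSLContext protocol. The default value is {@code TLS} if this is {@code null}.
     *
     * @param protocol protocol for {@link javax.net.ssl.SSLContext#getProtocol()}.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator securityProtocol(String protocol) {
        this.securityProtocol = protocol;
        return this;
    }

    /**
     * Get the key store instance.
     *
     * @return key store instance or {@code null} if not explicitly set.
     */
    KeyStore getKeyStore() {
        return keyStore;
    }

    /**
     * Set the key store instance.
     * <p>
     * Setting a key store instance resets any {@link #keyStoreFile(String) key store file}
     * or {@link #keyStoreBytes(byte[]) key store payload} value previously set.
     *
     * @param keyStore key store instance.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator keyStore(KeyStore keyStore) {
        this.keyStore = keyStore;
        this.keyStoreFile = null;
        this.keyStoreBytes = null;
        return this;
    }

    /**
     * Get the trust store instance.
     *
     * @return trust store instance or {@code null} if not explicitly set.
     */
    KeyStore getTrustStore() {
        return trustStore;
    }

    /**
     * Set the trust store instance.
     * <p>
     * Setting a trust store instance resets any {@link #trustStoreFile(String) trust store file}
     * or {@link #trustStoreBytes(byte[]) trust store payload} value previously set.
     *
     * @param trustStore trust store instance.
     * @return updated SSL configurator instance.
     */
    public SslConfigurator trustStore(KeyStore trustStore) {
        this.trustStore = trustStore;
        this.trustStoreFile = null;
        this.trustStoreBytes = null;
        return this;
    }

    /**
     * Create new SSL context instance using the current SSL context configuration.
     * <p>
     * The key store side is resolved first (store, then key manager factory), then the
     * trust store side; a side with no store instance, payload or file configured yields
     * a {@code null} manager array so that {@link SSLContext#init} falls back to the JSSE
     * default for that side. The context is initialized with a default
     * {@link java.security.SecureRandom}.
     *
     * @return newly configured SSL context instance.
     * @throws IllegalStateException if a store cannot be instantiated or loaded, a manager factory
     *                               cannot be created or initialized, or the context itself cannot
     *                               be created; the cause is always attached.
     */
    public SSLContext createSSLContext() {
        KeyManagerFactory keyManagerFactory = null;
        final KeyStore resolvedKeyStore = resolveKeyStore();
        if (resolvedKeyStore != null) {
            keyManagerFactory = createKeyManagerFactory(resolvedKeyStore);
        }

        TrustManagerFactory trustManagerFactory = null;
        final KeyStore resolvedTrustStore = resolveTrustStore();
        if (resolvedTrustStore != null) {
            trustManagerFactory = createTrustManagerFactory(resolvedTrustStore);
        }

        final String secProtocol = securityProtocol != null ? securityProtocol : DEFAULT_SECURITY_PROTOCOL;
        try {
            final SSLContext sslContext = SSLContext.getInstance(secProtocol);
            sslContext.init(
                    keyManagerFactory != null ? keyManagerFactory.getKeyManagers() : null,
                    trustManagerFactory != null ? trustManagerFactory.getTrustManagers() : null,
                    null);
            return sslContext;
        } catch (KeyManagementException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_CTX_INIT_FAILED(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_CTX_ALGORITHM_NOT_SUPPORTED(), e);
        }
    }

    /**
     * Return the configured key store instance, or load one from the configured payload/file.
     *
     * @return the key store, or {@code null} when neither an instance, a payload nor a file is set.
     * @throws IllegalStateException wrapping any store instantiation or load failure.
     */
    private KeyStore resolveKeyStore() {
        if (keyStore != null) {
            return keyStore;
        }
        if (keyStoreBytes == null && keyStoreFile == null) {
            return null;
        }
        try {
            final KeyStore store = newKeyStore(keyStoreType, keyStoreProvider);
            loadStore(store, keyStoreBytes, keyStoreFile, keyStorePass);
            return store;
        } catch (KeyStoreException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_KS_IMPL_NOT_FOUND(), e);
        } catch (CertificateException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_KS_CERT_LOAD_ERROR(), e);
        } catch (FileNotFoundException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_KS_FILE_NOT_FOUND(keyStoreFile), e);
        } catch (IOException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_KS_LOAD_ERROR(keyStoreFile), e);
        } catch (NoSuchProviderException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_KS_PROVIDERS_NOT_REGISTERED(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_KS_INTEGRITY_ALGORITHM_NOT_FOUND(), e);
        }
    }

    /**
     * Return the configured trust store instance, or load one from the configured payload/file.
     *
     * @return the trust store, or {@code null} when neither an instance, a payload nor a file is set.
     * @throws IllegalStateException wrapping any store instantiation or load failure.
     */
    private KeyStore resolveTrustStore() {
        if (trustStore != null) {
            return trustStore;
        }
        if (trustStoreBytes == null && trustStoreFile == null) {
            return null;
        }
        try {
            final KeyStore store = newKeyStore(trustStoreType, trustStoreProvider);
            loadStore(store, trustStoreBytes, trustStoreFile, trustStorePass);
            return store;
        } catch (KeyStoreException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_TS_IMPL_NOT_FOUND(), e);
        } catch (CertificateException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_TS_CERT_LOAD_ERROR(), e);
        } catch (FileNotFoundException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_TS_FILE_NOT_FOUND(trustStoreFile), e);
        } catch (IOException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_TS_LOAD_ERROR(trustStoreFile), e);
        } catch (NoSuchProviderException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_TS_PROVIDERS_NOT_REGISTERED(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_TS_INTEGRITY_ALGORITHM_NOT_FOUND(), e);
        }
    }

    /**
     * Instantiate an empty {@link KeyStore} of the given type from the given provider.
     *
     * @param type     store type, or {@code null} for {@link KeyStore#getDefaultType()}.
     * @param provider provider name, or {@code null} to let the JCA pick one.
     * @return uninitialized key store.
     * @throws KeyStoreException      if no provider supports the type.
     * @throws NoSuchProviderException if the named provider is not registered.
     */
    private static KeyStore newKeyStore(String type, String provider)
            throws KeyStoreException, NoSuchProviderException {
        final String storeType = type != null ? type : KeyStore.getDefaultType();
        return provider != null
                ? KeyStore.getInstance(storeType, provider)
                : KeyStore.getInstance(storeType);
    }

    /**
     * Load a store from an in-memory payload or a file.
     * <p>
     * The payload wins over the file name when both are given. A file name equal to
     * {@code NONE} loads the store with a {@code null} stream. The stream is closed
     * best-effort; a failure to close is ignored deliberately so that a successfully
     * loaded store is still returned.
     *
     * @param store    uninitialized store to load into.
     * @param payload  store bytes, or {@code null}.
     * @param fileName store file name, consulted only when {@code payload} is {@code null}.
     * @param password store password, may be {@code null}.
     * @throws IOException              if the file cannot be opened or read, or the password is wrong.
     * @throws NoSuchAlgorithmException if the store's integrity check algorithm is unavailable.
     * @throws CertificateException     if a certificate in the store cannot be loaded.
     */
    private static void loadStore(KeyStore store, byte[] payload, String fileName, char[] password)
            throws IOException, NoSuchAlgorithmException, CertificateException {
        InputStream in = null;
        try {
            if (payload != null) {
                in = new ByteArrayInputStream(payload);
            } else if (!NO_FILE.equals(fileName)) {
                in = new FileInputStream(fileName);
            }
            store.load(in, password);
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ignored) {
                    // best-effort close; the load result must not be masked by a close failure
                }
            }
        }
    }

    /**
     * Create and initialize the key manager factory for the given key store.
     * <p>
     * The algorithm falls back to the {@value #KEY_MANAGER_FACTORY_ALGORITHM} system property
     * and then to {@link KeyManagerFactory#getDefaultAlgorithm()}; the key password falls back
     * to the key store password.
     *
     * @param store loaded key store.
     * @return initialized factory.
     * @throws IllegalStateException wrapping any factory creation or initialization failure.
     */
    private KeyManagerFactory createKeyManagerFactory(KeyStore store) {
        final String algorithm = keyManagerFactoryAlgorithm != null
                ? keyManagerFactoryAlgorithm
                : System.getProperty(KEY_MANAGER_FACTORY_ALGORITHM, KeyManagerFactory.getDefaultAlgorithm());
        try {
            final KeyManagerFactory factory = keyManagerFactoryProvider != null
                    ? KeyManagerFactory.getInstance(algorithm, keyManagerFactoryProvider)
                    : KeyManagerFactory.getInstance(algorithm);
            factory.init(store, keyPass != null ? keyPass : keyStorePass);
            return factory;
        } catch (KeyStoreException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_KMF_INIT_FAILED(), e);
        } catch (UnrecoverableKeyException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_KMF_UNRECOVERABLE_KEY(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_KMF_ALGORITHM_NOT_SUPPORTED(), e);
        } catch (NoSuchProviderException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_KMF_PROVIDER_NOT_REGISTERED(), e);
        }
    }

    /**
     * Create and initialize the trust manager factory for the given trust store.
     * <p>
     * The algorithm falls back to the {@value #TRUST_MANAGER_FACTORY_ALGORITHM} system property
     * and then to {@link TrustManagerFactory#getDefaultAlgorithm()}.
     *
     * @param store loaded trust store.
     * @return initialized factory.
     * @throws IllegalStateException wrapping any factory creation or initialization failure.
     */
    private TrustManagerFactory createTrustManagerFactory(KeyStore store) {
        final String algorithm = trustManagerFactoryAlgorithm != null
                ? trustManagerFactoryAlgorithm
                : System.getProperty(TRUST_MANAGER_FACTORY_ALGORITHM, TrustManagerFactory.getDefaultAlgorithm());
        try {
            final TrustManagerFactory factory = trustManagerFactoryProvider != null
                    ? TrustManagerFactory.getInstance(algorithm, trustManagerFactoryProvider)
                    : TrustManagerFactory.getInstance(algorithm);
            factory.init(store);
            return factory;
        } catch (KeyStoreException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_TMF_INIT_FAILED(), e);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_TMF_ALGORITHM_NOT_SUPPORTED(), e);
        } catch (NoSuchProviderException e) {
            throw new IllegalStateException(LocalizationMessages.SSL_TMF_PROVIDER_NOT_REGISTERED(), e);
        }
    }

    /**
     * Retrieve the SSL context configuration from the supplied properties.
     * <p>
     * Reads the provider, type, file and password properties for both stores and the
     * manager factory provider properties; clears any store instance or payload set
     * earlier and resets the security protocol to {@code TLS}. The key password and the
     * manager factory algorithms are not touched by this method (the algorithms are
     * taken from system properties at {@link #createSSLContext()} time when unset).
     *
     * @param props properties containing the SSL context configuration; must not be {@code null}.
     */
    public void retrieve(Properties props) {
        trustStoreProvider = props.getProperty(TRUST_STORE_PROVIDER);
        keyStoreProvider = props.getProperty(KEY_STORE_PROVIDER);

        trustManagerFactoryProvider = props.getProperty(TRUST_MANAGER_FACTORY_PROVIDER);
        keyManagerFactoryProvider = props.getProperty(KEY_MANAGER_FACTORY_PROVIDER);

        trustStoreType = props.getProperty(TRUST_STORE_TYPE);
        keyStoreType = props.getProperty(KEY_STORE_TYPE);

        trustStorePass = toChars(props.getProperty(TRUST_STORE_PASSWORD));
        keyStorePass = toChars(props.getProperty(KEY_STORE_PASSWORD));

        trustStoreFile = props.getProperty(TRUST_STORE_FILE);
        keyStoreFile = props.getProperty(KEY_STORE_FILE);

        trustStoreBytes = null;
        keyStoreBytes = null;

        trustStore = null;
        keyStore = null;

        securityProtocol = DEFAULT_SECURITY_PROTOCOL;
    }

    /**
     * Convert a property value to a password array.
     *
     * @param value property value, may be {@code null}.
     * @return the characters of {@code value}, or {@code null} when {@code value} is {@code null}.
     */
    private static char[] toChars(String value) {
        return value != null ? value.toCharArray() : null;
    }
}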



