All Downloads are FREE. Search and download functionalities are using the official Maven repository.

org.infinispan.server.configuration.security.TrustStoreConfiguration Maven / Gradle / Ivy

Go to download

Infinispan Server

There is a newer version: 15.1.0.Dev03
Show newest version
package org.infinispan.server.configuration.security;

import static org.infinispan.server.configuration.security.CredentialStoresConfiguration.resolvePassword;
import static org.infinispan.server.security.KeyStoreUtils.buildFilelessKeyStore;
import static org.wildfly.security.provider.util.ProviderUtil.findProvider;

import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.util.Properties;
import java.util.function.Supplier;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;

import org.infinispan.commons.CacheConfigurationException;
import org.infinispan.commons.configuration.attributes.AttributeDefinition;
import org.infinispan.commons.configuration.attributes.AttributeSet;
import org.infinispan.commons.configuration.attributes.ConfigurationElement;
import org.infinispan.commons.io.FileWatcher;
import org.infinispan.commons.util.ReloadingX509TrustManager;
import org.infinispan.commons.util.SslContextFactory;
import org.infinispan.configuration.parsing.ParseUtils;
import org.infinispan.server.Server;
import org.infinispan.server.configuration.Attribute;
import org.infinispan.server.configuration.Element;
import org.infinispan.server.configuration.ServerConfigurationSerializer;
import org.wildfly.security.credential.source.CredentialSource;
import org.wildfly.security.keystore.KeyStoreUtil;
import org.wildfly.security.ssl.SSLContextBuilder;

/**
 * @since 12.1
 */
public class TrustStoreConfiguration extends ConfigurationElement {
   static final AttributeDefinition> PASSWORD = AttributeDefinition.builder(Attribute.PASSWORD, null, (Class>) (Class) Supplier.class).serializer(ServerConfigurationSerializer.CREDENTIAL).build();
   static final AttributeDefinition PATH = AttributeDefinition.builder(Attribute.PATH, null, String.class).build();
   static final AttributeDefinition RELATIVE_TO = AttributeDefinition.builder(Attribute.RELATIVE_TO, Server.INFINISPAN_SERVER_CONFIG_PATH, String.class).autoPersist(false).build();
   static final AttributeDefinition PROVIDER = AttributeDefinition.builder(Attribute.PROVIDER, null, String.class).build();
   static final AttributeDefinition TYPE = AttributeDefinition.builder(Attribute.TYPE, null, String.class).build();

   static AttributeSet attributeDefinitionSet() {
      return new AttributeSet(TrustStoreConfiguration.class, PATH, RELATIVE_TO, PROVIDER, PASSWORD, TYPE);
   }

   TrustStoreConfiguration(AttributeSet attributes) {
      super(Element.TRUSTSTORE, attributes);
   }

   KeyStore trustStore(Provider[] providers, Properties properties) {
      String fileName = ParseUtils.resolvePath(attributes.attribute(PATH).get(),
            properties.getProperty(attributes.attribute(RELATIVE_TO).get()));
      String providerName = attributes.attribute(PROVIDER).get();
      String type = attributes.attribute(TYPE).get();
      if (fileName == null) {
         try {
            return buildFilelessKeyStore(providers, providerName, type);
         } catch (GeneralSecurityException | IOException e) {
            throw new CacheConfigurationException(e);
         }
      } else {
         char[] password = resolvePassword(attributes.attribute(PASSWORD));
         try (FileInputStream is = new FileInputStream(fileName)) {
            return KeyStoreUtil.loadKeyStore(() -> providers, providerName, is, fileName, password);
         } catch (IOException | KeyStoreException e) {
            throw new CacheConfigurationException(e);
         }
      }
   }

   public void build(SSLContextBuilder builder, Properties properties) {
      if (attributes.isModified()) {
         Provider[] providers = SslContextFactory.discoverSecurityProviders(Thread.currentThread().getContextClassLoader());
         final X509TrustManager trustManager;
         if (attributes.attribute(PATH).isNull()) {
            try {
               String providerName = attributes.attribute(PROVIDER).get();
               String type = attributes.attribute(TYPE).get();
               KeyStore keyStore = buildFilelessKeyStore(providers, providerName, type);
               trustManager = trustManagerFromStore(keyStore, providers, providerName);
            } catch (GeneralSecurityException | IOException e) {
               throw new RuntimeException(e);
            }
         } else {
            String providerName = attributes.attribute(PROVIDER).get();
            String keyStoreFileName = ParseUtils.resolvePath(attributes.attribute(PATH).get(), properties.getProperty(attributes.attribute(RELATIVE_TO).get()));
            FileWatcher watcher = (FileWatcher) properties.get(Server.INFINISPAN_FILE_WATCHER);
            if (watcher == null) {
               try {
                  trustManager = trustManagerFromStore(trustStore(providers, properties), providers, providerName);
               } catch (GeneralSecurityException e) {
                  throw new RuntimeException(e);
               }
            } else {
               trustManager = new ReloadingX509TrustManager(watcher, Paths.get(keyStoreFileName), p -> {
                  try {
                     return trustManagerFromStore(trustStore(providers, properties), providers, providerName);
                  } catch (GeneralSecurityException e) {
                     throw new RuntimeException(e);
                  }
               });
            }
         }
         builder.setTrustManager(trustManager);
      }
   }

   private X509ExtendedTrustManager trustManagerFromStore(KeyStore keyStore, Provider[] providers, String providerName) throws GeneralSecurityException {
      String algorithm = TrustManagerFactory.getDefaultAlgorithm();
      Provider provider = findProvider(providers, providerName, KeyManagerFactory.class, algorithm);
      TrustManagerFactory trustManagerFactory = provider != null ? TrustManagerFactory.getInstance(algorithm, provider) : TrustManagerFactory.getInstance(algorithm);
      trustManagerFactory.init(keyStore);
      for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
         if (trustManager instanceof X509ExtendedTrustManager) {
            return (X509ExtendedTrustManager) trustManager;
         }
      }
      throw Server.log.noDefaultTrustManager();
   }
}




© 2015 - 2024 Weber Informatics LLC | Privacy Policy